
CISSP Practice Exam

Score Report Prepared For

David Senabre

03/01/2024
CISSP Practice Exam Score Report

Score Summary

Your overall score is 64.0%. This is not a passing result. You should continue preparing for the exam.

Domain Subscores

Domain                                      Score   Result

1. Security and Risk Management              67     Near proficiency
2. Asset Security                            60     Near proficiency
3. Security Architecture and Engineering     54     Below proficiency
4. Communications and Network Security       57     Below proficiency
5. Identity and Access Management            67     Near proficiency
6. Security Assessment and Testing           58     Below proficiency
7. Security Operations                       77     Above proficiency
8. Software Development Security             73     Near proficiency

Copyright 2024, CertMike.com. Prepared for the exclusive use of David Senabre

Incorrect Answer Summary


The table below provides a summary of the questions that you answered
incorrectly, broken out by domain. You may use this as a quick reference
when reviewing your exam results.

Domain Incorrect Answers

1. Security and Risk Management 5, 8, 35, 42, 55

2. Asset Security 13, 44, 45, 77

3. Security Architecture and Engineering 1, 12, 26, 41, 47, 69

4. Communications and Network Security 14, 29, 43, 86, 87, 92

5. Identity and Access Management 4, 59, 67, 78

6. Security Assessment and Testing 6, 18, 22, 25, 84

7. Security Operations 19, 65, 97

8. Software Development Security 16, 28, 90


Question 1

In an infrastructure-as-a-service (IaaS) cloud model, who bears primary responsibility for securing
physical and information assets?

A. Responsibility primarily rests with the customer
B. Responsibility primarily rests with the provider
C. Responsibility is shared between the customer and provider
D. Responsibility primarily rests with the cloud access security broker

Your answer was B.

You answered this question incorrectly.

The correct answer was C.

Explanation

The shared responsibility model of cloud computing states that vendors and their customers must
both share responsibility for securing the physical and information assets used with the service
offering.

The exact division of responsibility depends upon the nature of the service and the agreement
between the customer and service provider, but both organizations will always have some
responsibility for maintaining security. In IaaS specifically, the provider secures the physical
facilities, hardware, network, and virtualization layer, while the customer is responsible for
everything it deploys on top: guest operating systems and their patching, applications, data, and
identity and access configuration.


Question 2

You are implementing a new firewall for your organization and are writing rules that allow a web
server to be reachable by anyone in the world. In a typical firewall deployment, what network
zone would be most appropriate for this server?

A. DMZ
B. Intranet
C. Extranet
D. Internet

Your Answer was A.

You answered this question correctly!

Explanation

This question is testing whether you are familiar with the typical three-zone firewall deployment
methodology. In that approach, the firewall has three network interfaces. One is connected to
the Internet to allow traffic in and out of the network to the public Internet. There are not normally
any internal systems in that zone because they would not be protected by the firewall. The
second zone is the intranet, which typically contains internal systems that are not publicly
accessible, so we would not place our web server there. Web servers, and any server that is
accessible from the Internet, are placed in the demilitarized zone (DMZ). Extranets are used to
allow partners, such as vendors and contractors, limited access to internal systems.


Question 3

Nick is conducting an audit of an organization's endpoint security program to ensure that it is
meeting the control objective of locking down system security configurations. Which one of the
following actions would he least likely take as part of this process?

A. Review the endpoint security policy
B. Examine the configuration settings in the centralized configuration management system
C. Review the security configuration of a randomly selected set of endpoints
D. Perform a penetration test to verify endpoints are secure

Your Answer was D.

You answered this question correctly!

Explanation

The important thing to do when scoping an audit is to carefully examine the audit objective. In
this case, the objective is to ensure that system configurations are being locked down. This type
of audit could certainly involve work that includes reviewing the endpoint security policy,
examining the configuration settings in the centralized configuration management system, and
reviewing the security configuration of a randomly selected set of endpoints.

Performing a penetration test goes beyond the stated objective of the audit. It is evaluating
whether systems are protected against different types of attack. While that is certainly a valid test
to perform, it is not within the scope of this particular audit.


Question 4

In a federated identity access management solution, what task is most commonly handled by the
identity provider (IdP)?

A. Identification
B. Authorization
C. Provisioning
D. Authentication

Your answer was C.

You answered this question incorrectly.

The correct answer was D.

Explanation

In a federated identity management solution, the identity provider (IdP) is responsible for
authenticating users based upon their home organization's authentication system. This allows the
user to provide evidence of authentication to a service provider that they wish to access. It is the
responsibility of the service provider to perform authorization and provisioning tasks. The user
themselves performs identification by making an initial claim of identity, such as by providing a
username.


Question 5

You are working with a team of software and hardware developers on the creation of a new
product that will deploy sensors to factory floors and then analyze the data from those sensors
using a back-end SaaS solution. Before you develop the software, you would like to understand
the potential paths that an attacker could take to undermine the security of the system. What
activity would best provide you with this perspective?

A. Threat hunting
B. Threat modeling
C. Penetration testing
D. Vulnerability scanning

Your answer was C.

You answered this question incorrectly.

The correct answer was B.

Explanation

Threat modeling examines a system's design before or during development, enumerates its assets
and entry points, and identifies the paths an attacker could take through it (the stages of a
potential attack). That is exactly what is described in this question.

Threat hunting searches for the presence of existing infiltrations on a network. That would take
place after the system is deployed.

Penetration testing is a technique that uses attack tools to probe a system for vulnerabilities that
might be exploited by an attacker and then seeks to exploit those vulnerabilities as a proof of
concept.

Vulnerability scanning uses automated probes to identify and evaluate existing vulnerabilities in
target systems.


Question 6

You recently performed a vulnerability assessment and found hundreds of vulnerabilities in your
organization's infrastructure. It will take months to address all of these issues. What factors
should you use to prioritize these vulnerabilities?

A. Likelihood and probability
B. Impact and exploitability
C. Impact and CVSS score
D. Likelihood and impact

Your answer was C.

You answered this question incorrectly.

The correct answer was D.

Explanation

The two factors used to evaluate the severity of a risk (and, therefore, its remediation priority) are
the likelihood that a risk will occur and the impact of the risk if it does occur.

Probability is simply another word for likelihood, so option A names the same factor twice. The
CVSS base score is a measure of technical severity that combines exploitability and impact metrics
for the vulnerability in isolation; it does not capture the likelihood that the vulnerability will
actually be exploited in your environment (exposure, compensating controls, observed threat
activity), so it is an input to prioritization rather than a substitute for the likelihood-and-impact
pairing.


Question 7

You recently completed a vulnerability assessment and identified a moderate level risk that will
require a significant investment to remediate. You wish to take the cost of that remediation and
compare it to a value from your business impact assessment (BIA) to determine if you should
perform the remediation. Which value would provide the best comparison?

A. ARO
B. AV
C. EF
D. ALE

Your Answer was D.

You answered this question correctly!

Explanation

The best metric to use when comparing the cost of a control against the risk it addresses is the
annualized loss expectancy (ALE). This provides you with the expected loss from a given risk over
the course of a year, so it can be compared directly with the annualized cost of the remediation: if
the remediation costs more per year than the ALE it eliminates, it is hard to justify on financial
grounds alone.

The annualized rate of occurrence (ARO) provides you only with frequency/likelihood information
and does not take into account the impact of a risk.

The asset value (AV) and exposure factor (EF) get at the impact of a risk but do not incorporate
frequency.

The ALE combines use of the single loss expectancy (SLE) (calculated by multiplying AV by EF)
and the ARO to come up with a risk measure that combines both likelihood and impact.


Question 8

Fred is helping his organization conduct a Business Impact Analysis (BIA). Which one of the
following is typically NOT a goal of a BIA?

A. To identify critical business processes
B. To implement new security controls
C. To identify threats to the organization's information assets
D. To assess the likelihood and impact of risks

Your answer was C.

You answered this question incorrectly.

The correct answer was B.

Explanation

The Business Impact Analysis (BIA) identifies the business processes and tasks that are critical
to an organization's ongoing viability and the threats posed to those resources. It also assesses
the likelihood that each threat will occur and the impact those occurrences will have on the
business. The results of the BIA provide you with quantitative measures that can help you
prioritize the commitment of business continuity resources to the various local, regional, and
global risk exposures facing your organization.

While a business impact analysis may identify the need for new security controls, it would not
actually design or implement those controls.


Question 9

You recently completed a risk assessment and determined that an unpatched vulnerability in a
web server operated by your organization poses an unacceptable level of risk to your
organization. You would like to mitigate this risk. Which one of the following would be the best
example of a risk mitigation strategy?

A. Shutting down the web server
B. Patching the web server
C. Purchasing cybersecurity insurance
D. Continuing to operate the web server in an unpatched state

Your Answer was B.

You answered this question correctly!

Explanation

Reducing risk, or risk mitigation, is the implementation of safeguards, security controls, and
countermeasures to reduce and/or eliminate vulnerabilities or block threats. In this case, patching
the web server would mitigate the risk of its compromise.

Shutting down the web server is a drastic action that is an example of risk avoidance: changing
the organization's operating environment to make a risk irrelevant.

Purchasing cybersecurity insurance is an example of risk transference because it shifts the
financial impact of the risk from the organization to an insurance carrier.

Continuing to operate the web server in an unpatched state is an example of risk acceptance:
moving forward with operations without taking any other action to address a known risk.


Question 10

You are attempting to secure a wired network belonging to your organization. You would like to
deploy technology that limits network access to authorized users. Which one of the following
technologies would best meet that need?

A. WiFi Protected Access v2 (WPA2)
B. WiFi Protected Access v3 (WPA3)
C. IEEE 802.1X
D. MAC filtering

Your Answer was C.

You answered this question correctly!

Explanation

In this question, we need a careful understanding of the differences between network access
control technologies. Specifically, we are looking for a solution that limits access to authorized
users on a wired network.

WiFi Protected Access (WPA2 and WPA3) secures wireless networks. The enterprise modes of WPA
themselves rely on 802.1X for user authentication, but WPA does not apply to wired network
connections.

MAC filtering is a method to limit network access to authorized devices by their hardware
address, but there are two problems with this answer. First, MAC filtering would limit access by
device, not by user. Second, MAC filtering is easily bypassed by spoofing hardware addresses.

The best approach is IEEE 802.1X port-based network access control, which requires the
connecting user or device to authenticate (typically with EAP against a RADIUS server) before
the switch port forwards any traffic.


Question 11

Xavier is reviewing an organization's security program status using the Capability Maturity Model
(CMM). He finds that the program operates according to a formal, documented process but does
not use quantitative measures to understand that process. What level of the CMM should he
assess this organization at?

A. Defined
B. Repeatable
C. Managed
D. Optimizing

Your Answer was A.

You answered this question correctly!

Explanation

The five levels of the CMM, in order, are Initial, Repeatable, Defined, Managed, and Optimizing.
Xavier should find the highest level that best describes the situation. Organizations at Level 3
(Defined) operate according to a set of formal, defined processes, which is the situation here.
Organizations at Level 4 (Managed) use quantitative measures to understand their processes,
which is not occurring in this instance. Therefore, Xavier should rate this organization at the
Defined level of the CMM.


Question 12

Which one of the following components is found in many modern end-user devices and allows the
secure storage of encryption keys?

A. HSM
B. CPU
C. TPM
D. GPU

Your answer was A.

You answered this question incorrectly.

The correct answer was C.

Explanation

The Trusted Platform Module (TPM) is a chip that resides on the motherboard of the device. The
TPM serves a number of purposes, including the storage and management of keys used for
full-disk encryption (FDE) solutions. The TPM releases (unseals) the disk encryption key only
when the platform's measured boot state matches the values the key was sealed to, optionally
combined with a user PIN. This prevents someone from removing the drive from one device and
inserting it into another device to access the drive's data, because the other device's TPM does
not hold the key.

Hardware Security Modules (HSMs) also store encryption keys, but they are dedicated appliances,
cards, or cloud services that serve servers and applications across an enterprise and are not a
component of end-user devices. The central processing unit (CPU) and graphics processing unit
(GPU) are processors and do not provide protected key storage.


Question 13

You have recently been assigned data ownership responsibility for a subset of your organization's
information. Which one of the following responsibilities is least likely to be associated with this
role?

A. Decide who has access to the information
B. Configure security controls to protect the information
C. Establish rules for appropriate use of the information
D. Provide input into security requirements for the information

Your answer was D.

You answered this question incorrectly.

The correct answer was B.

Explanation

Data ownership is a senior-level business role that is normally assumed by an executive within
the functional area of a business that is responsible for the data in question. Deciding who has
access to that information is one of the primary roles of the data owner. Data owners also
establish rules for appropriate use of the information and provide input into security requirements
for the information.

It would not be normal for a data owner to be personally involved in configuring security controls.
This type of technical work is normally performed by data custodians.


Question 14

A user connected a device to your network and, when they open their web browser, are
redirected to a website advising them that they have been placed on an isolation network
because their system does not meet the organization's security requirements. They are unable to
access any network resources until they remediate their device to comply with the organization's
security policy. What type of security solution is in use on this network?

A. Intrusion Prevention System (IPS)
B. Configuration Management (CM) platform
C. Network Access Control (NAC)
D. Endpoint Detection and Response (EDR) platform

Your answer was D.

You answered this question incorrectly.

The correct answer was C.

Explanation

This is a classic example of a network access control (NAC) platform's capabilities. NAC
platforms analyze the state of an endpoint device and place it on a separate quarantine network if
it does not meet security requirements. Users may then correct any deficiencies and will then be
moved to their normal network.

Intrusion prevention systems (IPS) watch networks for signs of potentially malicious traffic and
block that traffic.

Configuration management (CM) systems may identify misconfigured systems that have security
vulnerabilities, but they would only be able to report this issue or attempt to automatically
remediate it. They do not have the isolation capabilities of a NAC solution.

Endpoint detection and response (EDR) platforms collect endpoint telemetry to detect and respond
to compromise, and can isolate a host that has already been attacked. They do not perform the
pre-admission posture check and quarantine of noncompliant systems described here.


Question 15

You have been asked to assist in the investigation of a security incident that took place in your
organization. You are handed a laptop computer that is powered off and asked to analyze the
data contained on its hard drive. What action should you take first?

A. Remove the hard drive from the device
B. Power on the laptop
C. Connect to the hard drive with a forensic software package
D. Connect a write blocker to the device

Your Answer was A.

You answered this question correctly!

Explanation

This question is a little challenging because it is asking you to choose the first of several actions
that you should take. When you receive a laptop in this condition, you should not attempt to
access the data on the drive while it is still connected to the device. You should first remove the
drive from the device. Next, you should connect the drive to a write blocker to prevent it from
being altered, and only then should you make a forensic copy of the drive, recording a
cryptographic hash of both the original and the image so you can later show they match. You
should then put the original drive aside as evidence, document the chain of custody, and perform
all of your analysis on the forensic copy. One practical caveat: if the drive is encrypted with a key
held in the laptop's TPM, the removed drive will not be readable on its own, so obtain the recovery
key from the organization's key escrow before attempting analysis.


Question 16

Carla is conducting an assessment of an organization using the Software Assurance Maturity
Model (SAMM). She notes that the organization seems to have difficulty with defect management
and will be reporting that finding. Which business function of SAMM includes defect
management?

A. Implementation
B. Governance
C. Verification
D. Operations

Your answer was D.

You answered this question incorrectly.

The correct answer was A.

Explanation

The implementation business function covers the process of building and deploying software
components and managing flaws in those components. The implementation function includes the
secure build, secure deployment, and defect management practices. The governance business
function includes the activities an organization undertakes to manage its software development
process. The governance function includes practices for strategy, metrics, policy, compliance,
education, and guidance. The verification business function includes the set of activities
undertaken by the organization to confirm that code meets business and security requirements.
The verification function includes architecture assessment, requirements-driven testing, and
security testing. The operations business function includes the actions taken by an organization
to maintain security throughout the software lifecycle after code is released. The operations
function includes incident management, environment management, and operational
management.


Question 17

You are reviewing a suspicious entry in the logs of your web server and find a request to the URL:

https://yourapplication.com/index.asp?name=Mike';%20DELETE%20*%20FROM%20accounts;%20--

What type of attack has been attempted?

A. SQL injection
B. Cross-site scripting (XSS)
C. Cross-site request forgery (CSRF)
D. Server-side request forgery (SSRF)

Your Answer was A.

You answered this question correctly!

Explanation

This is a clear example of a SQL injection attack. The web log entry contains a URL-encoded
version of the input string

Mike'; DELETE * FROM accounts; --

in which the single quote closes the string literal the application was building, the semicolon
terminates that statement so that a second one (DELETE * FROM accounts) can be stacked after it,
and the trailing -- comments out whatever the application appends. Embedding this type of SQL
command in input passed to a database-driven web application is an example of a SQL injection
attack. Note that DELETE * FROM accounts is not valid syntax in most SQL dialects (the standard
form is DELETE FROM accounts), and many database drivers refuse stacked statements; the
request is still classified as SQL injection by its technique and intent, and the underlying defect,
untrusted input concatenated into a query, remains exploitable with single-statement payloads.


Question 18

You are working with the team developing a new web application and you would like to perform a
test that evaluates whether the application is able to successfully handle malicious input that it
receives through that interface. Which one of the following activities would best meet this need?

A. Input validation
B. Parameterized queries
C. Stored procedures
D. Fuzz testing

Your answer was A.

You answered this question incorrectly.

The correct answer was D.

Explanation

Fuzz testing is a specialized dynamic testing technique that provides many different types of input
to software to stress its limits and find previously undetected flaws. Fuzz testing software supplies
invalid input to the software, either randomly generated or specially crafted to trigger known
classes of software vulnerability. The fuzz tester then monitors the behavior of the application,
watching for software crashes, buffer overflows, or other undesirable and/or unpredictable
outcomes.

Input validation, stored procedures, and parameterized queries are defensive controls that protect
web applications from malicious input; they are not testing techniques used to evaluate whether
the application handles that input safely.
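A minimal mutation-based fuzzer, added here as an illustration and not taken from the report; the target parser (parse_record), its record format, and the seed inputs are constructed for the example. It demonstrates the distinction the explanation draws: input the program rejects cleanly (here, a ValueError) is expected behavior, while any other exception is a crash worth recording together with the input that triggered it:

```python
import random


def parse_record(data):
    """Constructed toy target: a record is [type byte][length byte][payload].
    The type-3 branch is deliberately buggy so the fuzzer has something to find."""
    if len(data) < 2:
        raise ValueError("short header")          # clean rejection
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    if rtype == 1:
        return {"type": "name", "value": payload.decode("ascii")}  # UnicodeDecodeError is a ValueError
    if rtype == 2:
        return {"type": "count", "value": int(payload)}            # ValueError on non-digits
    if rtype == 3:
        # Bug: trusts the length field. An empty payload raises IndexError and a
        # zero check byte raises ZeroDivisionError; neither is a clean rejection.
        check = payload[-1]
        if sum(payload[:-1]) % check != 0:
            raise ValueError("bad check byte")
        return {"type": "checked", "value": bytes(payload[:-1])}
    raise ValueError("unknown record type")


# Constructed valid inputs that seed the corpus.
SEEDS = [b"\x01\x04Mike", b"\x02\x0242", b"\x03\x03\x01\x02\x03"]


def mutate(rng, data):
    """One random mutation: bit flip, boundary-value overwrite, insert, or delete."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        i = rng.randrange(len(buf))
        buf[i] = rng.choice((0x00, 0x01, 0x7F, 0x80, 0xFF))
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, iterations, seed=1, expected=(ValueError,)):
    """Mutation-based fuzzer. Exceptions in `expected` are the target's documented
    way of rejecting bad input; anything else is a crash, keyed by exception type,
    with the first input that triggered it kept for reproduction."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(seeds))
        try:
            target(candidate)
        except expected:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


def reproduces(target, data, exc_name, expected=(ValueError,)):
    """Re-run a saved crash input and confirm the same unexpected exception type."""
    try:
        target(data)
    except expected:
        return False
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False


if __name__ == "__main__":
    for name, data in fuzz(parse_record, SEEDS, 5000).items():
        print(f"{name}: {data!r} reproduces={reproduces(parse_record, data, name)}")
```

Production fuzzers such as AFL++ and libFuzzer add coverage feedback, minimization and long campaigns, but the structure is the same: a corpus, a mutation strategy, a harness around the target, and triage that separates expected rejections from genuine faults.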


Question 19

What is the primary goal of change management in an organization?

A. Reducing the likelihood of service disruptions
B. Communicating to all affected stakeholders
C. Creating an auditable record
D. Organizing the work associated with a change

Your answer was C.

You answered this question incorrectly.

The correct answer was A.

Explanation

This is a very tricky question because it is presenting you with four options that are all very strong
reasons to perform change management. To answer this question, you must think broadly, from
the perspective of an IT leader. The primary purpose of change management is to reduce
disruptions to services that might be created by changes that are not carefully controlled. The
other benefits listed here are all indeed benefits of a change management program, but they are
not the primary benefit.


Question 20

Vivek is the chief information security officer (CISO) for a large organization. She would like to
conduct an assessment that will provide her with an accurate view of how an attacker might target
her organization. What type of assessment would best meet her needs?

A. Vulnerability assessment
B. External audit
C. Internal audit
D. Penetration test

Your Answer was D.

You answered this question correctly!

Explanation

Penetration tests actually attempt to exploit systems, probing them for vulnerabilities with a true
hacker perspective. This type of test matches the objectives outlined by the CISO in the
scenario.

The other types of tests listed here: vulnerability assessments and internal/external audits, may
all provide valuable information but they stop short of providing an actual attacker's perspective
on the security of Vivek's organization.


Question 21

You are conducting a risk assessment of a new cloud service that will be used by your
organization. In this offering, your developers will provide code to the cloud service. The service
will execute that code every time a user uploads a new image to a shared storage location. What
term best describes this offering?

A. Platform as a Service (PaaS)
B. Software as a Service (SaaS)
C. Infrastructure as a Service (IaaS)
D. Security as a Service (SecaaS)

Your Answer was A.

You answered this question correctly!

Explanation

This is an example of a Platform-as-a-Service (PaaS) offering, where the cloud vendor runs code
that is provided by the customer. Event-driven execution of customer code, triggered here by an
upload to shared storage, is what practitioners usually call serverless or Function-as-a-Service
(FaaS), which the CISSP treats as a form of PaaS. In a Software-as-a-Service (SaaS) offering, the
vendor would also provide the application code. In an Infrastructure-as-a-Service (IaaS) offering,
the customer would also have to build and manage the environment where the code is executed.
There is no indication that this is a security offering, so it would not qualify as
Security-as-a-Service (SecaaS).


Question 22

You are developing an information security continuous monitoring (ISCM) program and are
evaluating the types of security process data that should be collected to support this work. Which
of the following information types is LEAST likely to be useful in this work?

A. Backup verification data
B. Disaster recovery data
C. Key risk indicators
D. Software documentation

Your answer was A.

You answered this question incorrectly.

The correct answer was D.

Explanation

The major categories of security process data that should be collected as part of a security
monitoring program include account management data, management review and approval data,
key performance indicators (KPIs), key risk indicators (KRIs), backup verification data, training
and awareness data, disaster recovery (DR) data, and business continuity (BC) data. These are
taken directly from CISSP objective 6.3.

While software documentation is important, it is not one of the elements normally collected as part
of a continuous monitoring program.


Question 23

Amy's organization uses quite a bit of open source software in their custom development work
and she is concerned about the security impact of that use. What program can she deploy to
help track the use of this software and identify outdated components?

A. Software Configuration Management (SCM)
B. Software as a Service (SaaS)
C. Commercial-off-the-Shelf (COTS)
D. Security Orchestration, Automation, and Response (SOAR)

Your Answer was A.

You answered this question correctly!

Explanation

Software Configuration Management (SCM) programs are designed to record and monitor the
status of software components used throughout the organization and would be ideal for tracking
the use of open source libraries; in current practice this inventory is usually produced by software
composition analysis (SCA) tooling and recorded as a software bill of materials (SBOM).
Commercial-off-the-shelf (COTS) software is simply software purchased from a vendor and is not
relevant here. Software as a Service (SaaS) is a cloud-based software delivery model. Security
orchestration, automation, and response (SOAR) platforms are designed to automatically respond
to security incidents, not to track the versions of software in use in an organization.


Question 24

Paul works for an organization that publishes informational articles on a variety of websites which
are supported by advertising revenue. He recently discovered that unauthorized individuals are
copying the content from one of his organization's sites and are publishing it on their own site
without permission. What type of intellectual property protection would be best suited to protect
this content?

A. Trade secret
B. Copyright
C. Patent
D. Trademark

Your Answer was B.

You answered this question correctly!

Explanation

Copyrights are the appropriate type of intellectual property protection to use for creative works,
such as the content of a website. Trademarks are used to protect words and symbols that
represent a brand in commerce. Patents and trade secrets are used to protect ideas and
inventions.


Question 25

Which one of the following individuals or groups would be the most likely direct recipient of an
audit report performed by an external auditor?

A. Chief Information Security Officer (CISO)
B. Chief Information Officer (CIO)
C. Chief Financial Officer (CFO)
D. Board of Directors

Your answer was B.

You answered this question incorrectly.

The correct answer was D.

Explanation

External audits are significant undertakings normally performed to prove that controls are in place
and operating effectively. These audits are typically done at the request of an organization's
governing body -- a Board of Directors.

While anyone may request an external audit, it is far less common for this to be done by an
internal customer, such as the CISO, CIO, or CFO. It is far more likely that the work of these
groups would be the target of an audit. If any of these executives wanted assurance themselves,
they would likely use an internal audit group or hire an outside consultant to perform a less formal
assessment instead of an audit.


Question 26

You are encrypting a message that you plan to send to your supervisor using asymmetric
encryption. Your goal is to protect the confidentiality of the message while it is in transit. What
key should you use to encrypt the message?

A. Your supervisor's private key
B. Your own public key
C. Your supervisor's public key
D. Your own private key

Your answer was D.

You answered this question incorrectly.

The correct answer was C.

Explanation

This question requires that you understand an essential fact about asymmetric cryptography:
messages are encrypted with the recipient's public key and then decrypted by the recipient with
that person's private key.

Therefore, in this scenario, you would encrypt the message with your supervisor's public key.
Your supervisor could then decrypt the message with their own private key, and nobody else
holds that key. Encrypting with your own private key (choice D) provides no confidentiality,
because anyone with your public key can reverse it; that operation is the basis of digital
signatures, which prove origin rather than hide content.


Question 27

What is the primary purpose of conducting an IT audit?

A. To identify opportunities for improving security controls
B. To evaluate the performance of the security team
C. To provide a standardized score for the organization's security maturity
D. To verify that the organization is achieving its IT control objectives

Your Answer was D.

You answered this question correctly!

Explanation

The primary purpose of an IT audit is to verify that the organization is achieving its IT control
objectives. It may also identify opportunities for improving security, evaluate the performance of
the security team, and/or provide a standardized score for the organization's security maturity,
but if it does any of those, it is as a secondary objective.


Question 28

Rob is helping to conduct a risk assessment of a new web application that will shortly be
deployed to production in his organization. To assist with his process, he sets up a web
application scanning tool that will probe a test instance of the application overnight so that he can
review the results in the morning. What term best describes the type of test that Rob is
performing?

A. Dynamic Application Security Testing (DAST)
B. Interactive Application Security Testing (IAST)
C. Static Application Security Testing (SAST)
D. Code review

Your answer was C.

You answered this question incorrectly.

The correct answer was A.

Explanation

We can rule out two answer choices immediately. Code reviews and static application security
testing (SAST) do not interact with a live application. They perform manual and automated
reviews, respectively, of the application code without executing it. The two remaining test types,
dynamic and interactive application security testing, do involve executing the code. Dynamic
testing is highly automated and may run without a tester's attention, which is the scenario
described here. Interactive testing involves hands-on work by the tester during the test.


Question 29

You are reviewing the security controls around your organization's WiFi network and want to
ensure that only authorized users are able to access the network and that they are able to do so
in a seamless manner. Which one of the following approaches would best meet this
requirement?

A. WPA2 with PSK authentication
B. WPA2 with WPS enabled
C. WPA2 with enterprise authentication
D. WPA2 with a captive portal

Your answer was A.

You answered this question incorrectly.

The correct answer was C.

Explanation

Here you are being asked to choose between three different ways that you might implement a
WPA2 network. WPA2 is a secure wireless encryption standard, so there is no issue there. We
can then analyze each of these options.

Using WiFi Protected Setup (WPS) is an insecure configuration option due to weaknesses in the
WPS algorithm. It is not suitable for use in this scenario.

Captive portals require the user to interact with a web page before gaining access to the wireless
network, and preshared key (PSK) authentication requires the user to find and type in a password
to access the network. Both of these approaches fail the requirement that the solution be
seamless. In addition, the use of a PSK means that you cannot uniquely identify each user, and
anyone who obtains the key will be able to access the network. This fails to meet the requirement
that only authorized users be granted access.

The best solution here is to use enterprise authentication. In this approach, each user logs onto
the network with their standard username and password for the organization. This allows you to
restrict access to authorized users and also works seamlessly for end users.


Question 30

You are helping your organization select an alternate processing facility for use in the event of a
disaster. Your organization processes critical transactions and requires that downtime be as low
as possible. Which one of the following options would best meet your requirements?

A. Hot site
B. Mobile site
C. Warm site
D. Cold site

Your Answer was A.

You answered this question correctly!

Explanation

Here, you need to understand the benefits of the different types of alternate processing facilities.
Hot sites are the best option available because they are already up and running, ready to take
over at a moment's notice. This makes them the best option in this scenario.
However, they are also the most expensive choice. Warm sites and cold sites require more time
to activate than hot sites and would not be appropriate. Mobile sites are also a viable option, but
they are less effective than hot sites because they require time to deploy.


Question 31

Your organization is considering hiring an external firm to assist with processing credit card
payments. You would like to verify that the firm has appropriate confidentiality controls in place to
protect sensitive information and would like a report that verifies that those controls are
functioning properly over a period of time. What type of Service Organization Controls (SOC)
report should you request?

A. SOC 2 Type I
B. SOC 1 Type I
C. SOC 1 Type II
D. SOC 2 Type II

Your Answer was D.

You answered this question correctly!

Explanation

The first thing we should do here is identify the appropriate category of SOC audit.

SOC 1 engagements assess the organization's controls that might impact the accuracy of
financial reporting. That is not the objective here, so we can eliminate SOC 1 answers.

SOC 2 engagements assess the organization's controls that affect the security (confidentiality,
integrity, and availability) and privacy of information stored in a system. SOC 2 audit results are
confidential and are normally only shared outside the organization under an NDA. SOC 3
engagements perform similar testing but are intended for public disclosure. Either one of these
might be appropriate in this scenario, but there are no SOC 3 answer options, so we know that
we need a SOC 2 audit.

Next, we need to identify the appropriate report type. Type I reports provide the auditor's opinion
on the description provided by management and the suitability of the design of the controls. Type
II reports go further and also provide the auditor's opinion on the operating effectiveness of the
controls over a period of time.

This leads us to our correct answer: a SOC 2 Type II report.


Question 32

You are designing an access control system for your organization. The primary requirement is
that individuals who are managing projects should be able to grant permissions to others in the
organization to access information about those projects without going through a bureaucratic
process. What access control model would best match this requirement?

A. MAC
B. RBAC
C. DAC
D. ABAC

Your Answer was C.

You answered this question correctly!

Explanation

The core requirement for this access control system is that users must be able to grant
permissions to each other. This is the defining feature of a discretionary access control (DAC)
system.

Other types of access control system, including mandatory access control (MAC), role-based
access control (RBAC), and attribute-based access control (ABAC), do not necessarily permit
users to grant access to other users.


Question 33

You are designing a security control system that will be used in a highly classified military
environment. Your primary concern is ensuring that individuals do not gain access to information
that they are not cleared to see. What security model best meets this requirement?

A. Biba
B. Clark-Wilson
C. Bell-LaPadula
D. Star Model

Your Answer was C.

You answered this question correctly!

Explanation

This question is asking about the various security models that you must understand when taking
the exam. The key here is recognizing that you are trying to prevent unauthorized individuals
from reading information. This is a confidentiality concern and is the core principle behind the
Bell-LaPadula model.

The Biba model and Clark-Wilson model are concerned with data integrity, which is not
mentioned in this scenario. There is no "Star Model," but there is a *-rule, a corollary to the
Bell-LaPadula model, that says individuals should not be able to write information above their
security levels.


Question 34

You are deploying a voice over Internet Protocol (VoIP) telephone system that will be used by
your organization in all of your facilities. Where would be the best network location for these
phones?

A. On the VLANs where users are normally assigned according to their roles
B. On a physically isolated network dedicated to voice traffic
C. On a separate VLAN dedicated to voice traffic
D. On the guest network

Your Answer was C.

You answered this question correctly!

Explanation

VoIP devices may be vulnerable to eavesdropping and other attacks. They may also provide an
attacker with a starting point for launching an attack on other networked devices. Therefore, best
practice suggests that these devices should be separated from other networked systems.

It would be inappropriate to place VoIP devices on a guest network, where untrusted users might
access them. It would also be inappropriate to place them on a normal user VLAN because they
might present a risk to other systems on that network.

Placing VoIP devices on a physically isolated network would meet the security objectives here,
but remember that this is the CISSP exam and you need to think like a manager! Building a
completely separate network is very expensive!

The best solution is to place the VoIP devices on a separate VLAN where they can be carefully
controlled. This VLAN can use the same hardware as other data networks and depend upon the
security isolation functionality of switches to protect against attacks.

Question 35

What is the most common standard of evidence used in a criminal investigation?

A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond a shadow of a doubt
D. Clear and convincing evidence

Your answer was D.

You answered this question incorrectly.

The correct answer was B.

Explanation

Most criminal cases must meet the beyond a reasonable doubt standard of evidence. Following
this standard, the prosecution must demonstrate that the defendant committed the crime by
presenting facts from which there are no other logical conclusions. For this reason, criminal
investigations must follow strict evidence collection and preservation processes.

Most civil cases do not follow the beyond a reasonable doubt standard of proof. Instead, they use
the weaker preponderance of the evidence standard. Meeting this standard simply requires that
the evidence demonstrate that the outcome of the case is more likely than not. For this reason,
evidence collection standards for civil investigations are not as rigorous as those used in criminal
investigations.


Question 36

You are interviewing business leaders as part of a business impact assessment (BIA) of an
enterprise resource planning (ERP) system. The goal of these conversations is to determine how
long each business function can operate effectively during an incident that disrupts access to the
ERP. What term describes the output of these conversations?

A. MTD
B. RTO
C. RPO
D. AV

Your Answer was A.

You answered this question correctly!

Explanation

These interviews are designed to determine the maximum tolerable downtime (MTD) for the
system. This is the amount of time that the system can be down without causing business
disruption. The recovery time objective (RTO) is a related metric that documents the goal time for
restoring service operation in the event of a disruption. The recovery point objective (RPO)
documents the amount of data that may be lost during a recovery. The asset value (AV) is the
estimated financial value of the system.


Question 37

What is the final stage of the disaster recovery process?

A. Lessons learned
B. Restoration of service
C. Deployment to an alternate site
D. Incident identification

Your Answer was A.

You answered this question correctly!

Explanation

The disaster recovery process draws to a close once you resume operations at your primary
facility. That marks the end of the response effort, but it is not the final stage of the process.
After the disaster is over, you should conduct a lessons learned session to review the incident
and improve your controls and procedures. The identification of an incident and deployment to an
alternate site occur earlier in the process, while the disaster is still underway.


Question 38

Your organization's system administrators are complaining that they do not want to have separate
accounts for their routine work and their administrative activity. What technology could you use to
allow administrators to assume their administrative roles from within their current accounts only
when they need to perform privileged actions?

A. ssh
B. Nmap
C. Kerberos
D. sudo

Your Answer was D.

You answered this question correctly!

Explanation

Administrators with root privileges can grant any user permission to run the sudo command by
adding them to the sudo group. This is similar to adding a user to the administrators group on
Windows systems. When users are added to the sudo group, they don't need the password to the
root account but instead use their own credentials. Once logged in, the user can prefix commands
with sudo to run the command as root. Logs will record any commands using sudo with the user's
account.

The secure shell (ssh) command is used to establish a connection to a remote system.

The Nmap command is a network mapping tool used to perform port scans and other network
discovery.

Kerberos is a single sign-on (SSO) platform used to perform user authentication and
authorization.

Question 39

You are working in your organization's security operations center (SOC) and receive an alert of
an active malware infection on one of your organization's servers. What action should you take
next as part of the incident response process?

A. Disconnect the affected system from the network
B. Power down the affected system
C. Determine the type of malware on the device
D. Identify the source of the malware

Your Answer was A.

You answered this question correctly!

Explanation

All of the actions described here may be taken at some point during an incident response, but this
question is asking you which of these actions should be taken first. Once you detect a security
incident, your first response should be aimed at containing the damage caused by the incident.
You might do this by powering down the affected system, but that might cause the loss of
valuable forensic data. Your best action would be to disconnect the system from the network,
limiting the damage caused by the malware infection by preventing its spread to other systems.
After you do this, you may proceed with other investigatory steps.


Question 40

You are troubleshooting a network connectivity problem and, upon inspecting the network cable,
discover that the pins are damaged. At what layer of the OSI model does the problem reside?

A. Datalink layer
B. Network layer
C. Physical layer
D. Transport layer

Your Answer was C.

You answered this question correctly!

Explanation

This question is asking you to relate the situation at hand to the OSI model. The situation is that
a cable has suffered damage. The problem exists at the lowest possible layer of the OSI model -
the physical layer. This layer is where cabling issues reside.


Question 41

You are sending an important message to a client and would like to ensure that you can achieve
the goal of non-repudiation through the use of a digital signature. What encryption key should
you use to create the digital signature?

A. Your own public key
B. Your client's public key
C. Your own private key
D. Your client's private key

Your answer was B.

You answered this question incorrectly.

The correct answer was C.

Explanation

Digital signatures must be created using asymmetric encryption algorithms. When doing so, you
want the signature operation to be something that only the individual signing the message could
possibly perform and then you want anyone to be able to verify that signature.

To achieve this, the sender of a message digitally signs it by encrypting a message digest with
the sender's private key. Anyone who wishes to verify the digital signature may then decrypt the
signature using the sender's public key and then compare that decrypted signature to a message
digest they calculate themselves. If the two digests match, the signature is authentic.
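As an added illustration of the two rules behind Questions 26 and 41 (example code, not part of the score report), the toy RSA code below encrypts with the recipient's public key and signs a digest with the sender's private key. The primes, party names and messages are constructed for the demo, and padding is omitted, so it shows which key plays which role rather than a production scheme.

```python
"""Added illustration for Questions 26 and 41: which asymmetric key does what.
Textbook RSA with hand-picked Mersenne primes and no padding. The primes, names
and messages are constructed for this demo; real keys are generated, not chosen."""
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) from two primes (assumed prime; constructed input)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime with phi(n)"
    d = pow(e, -1, phi)            # private exponent: modular inverse of e
    return (n, e), (n, d)


def to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")


def to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed toy keys. Mersenne primes are used only so that n is large enough
# to hold a short message as one integer (n_supervisor ~ 2**150, n_sender ~ 2**234).
SUPERVISOR_PUB, SUPERVISOR_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
SENDER_PUB, SENDER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)


def send_confidential(message: bytes) -> dict:
    """Question 26: encrypt with the RECIPIENT's (supervisor's) public key.
    Only the matching private key recovers the plaintext; the public key does not."""
    n, e = SUPERVISOR_PUB
    m = to_int(message)
    assert m < n, "toy modulus too small for this message"
    ciphertext = pow(m, e, n)                        # anyone can do this step
    n_priv, d = SUPERVISOR_PRIV
    recovered = pow(ciphertext, d, n_priv)           # only the supervisor can
    return {
        "ciphertext": ciphertext,
        "supervisor_reads": to_bytes(recovered),
        # Applying the public key again (a wrong answer choice) does not decrypt.
        "public_key_decrypts": pow(ciphertext, e, n) == m,
    }


def digest_mod_n(message: bytes, n: int) -> int:
    """SHA-256 digest reduced mod n so the toy modulus can 'encrypt' it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Question 41: the signature is the digest 'encrypted' with the SENDER's
    private key, something only the sender can produce."""
    n, d = private_key
    return pow(digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the sender's public key recovers the digest from the
    signature and compares it with a digest they compute themselves."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(message, n)


if __name__ == "__main__":
    print(send_confidential(b"budget approved")["supervisor_reads"])
    msg = b"please proceed with the order"
    sig = sign(SENDER_PRIV, msg)
    print(verify(SENDER_PUB, msg, sig), verify(SENDER_PUB, msg + b"!", sig))
```

Verification with any key other than the sender's public key, or of a message altered after signing, fails, which is what makes the signature usable for non-repudiation.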


Question 42

Francis is an identity and access management professional at a very large corporation. She is
reviewing her organization's process for revoking access assigned to terminated employees.
What action would BEST protect the organization against the risks associated with a terminated
employee's account?

A. Delete the account
B. Disable the account
C. Revoke all permissions from the account
D. Change the account's password

Your answer was C.

You answered this question incorrectly.

The correct answer was B.

Explanation

Fran's process should take immediate action to ensure that a terminated user is unable to access
resources. All of the possible answer choices here would achieve this goal to some degree, but
we are looking for the BEST solution.

Deleting the account would definitely remove a terminated user's access and is the most drastic
option. However, it is not a good idea because it might also remove critical data needed by other
areas of the organization and it is an irrevocable action.

Changing the account's password would prevent a user from opening new sessions with the
account, but it would leave the organization vulnerable if the user has an open authenticated
session or access that does not require use of the password, such as through an API key.

Revoking permissions from the account would be effective, but it is difficult to do this in a manner
that ensures that all permissions from all systems have been revoked, so it creates the potential
for error.

The best solution is to disable the account so that it may no longer be used. This preserves any
resources associated with the account but prevents anyone from using the account to access
corporate resources. It may also be undone if necessary.


Question 43

Your organization recently experienced a distributed denial of service (DDoS) attack that crippled
the organization's public-facing website for several hours. You are concerned about this recurring
and want to select a control that will help ensure the website's continued availability in the face of
a future attack. Which one of the following controls would best serve this purpose?

A. CASB
B. IPS
C. CDN
D. NGFW

Your answer was D.

You answered this question incorrectly.

The correct answer was C.

Explanation

This question is asking us to identify controls that could be useful in defending against a DDoS
attack that uses significant amounts of traffic.

We can begin by immediately eliminating cloud access security broker (CASB) as an option
because CASB solutions are intended to enforce security policies and do not help defend against
DDoS attacks.

The remaining solutions may all block some DDoS attack traffic. The biggest difference is the
location where they reside. Next-generation firewalls (NGFW) and intrusion prevention systems
(IPS) would reside on your own network and, while they would filter the traffic heading to the web
server, they would not be able to mitigate the effects of the traffic surge.

Content distribution networks (CDNs) are designed to handle large surges in traffic by using an
external network of distribution servers. They are quite effective in defending against DDoS
attacks.


Question 44

You are concerned about the proliferation of cloud services in your organization and would like to
find a centralized solution that you can use to deploy and enforce security policies across a
variety of different cloud services. Which one of the following technologies would best meet this
need?

A. DLP
B. CASB
C. DRM
D. IPS

Your answer was D.

You answered this question incorrectly.

The correct answer was B.

Explanation

Cloud Access Security Brokers (CASB) are products designed specifically to enforce an
organization's security policy across different cloud services. This is not a capability offered by
Data Loss Prevention (DLP) systems, Intrusion Prevention Systems (IPS) or Digital Rights
Management (DRM) platforms.


Question 45

You are creating a series of handling requirements for sensitive information processed by your
organization and would like to document the specific encryption algorithms authorized for use in
the organization. Which one of the following document types would be the best place to include
these requirements?

A. Policy
B. Standard
C. Guideline
D. Procedure

Your answer was A.

You answered this question incorrectly.

The correct answer was B.

Explanation

The first thing we can do when answering this question is note that the scenario says that you
want to document the algorithms that are authorized for use. This implies that any algorithm not
listed in the document is not authorized and, therefore, implies that compliance with this
document is mandatory. Therefore, we can rule out guidelines, which are normally not
mandatory.

Next, we note that this document is a list of algorithms and not a sequence of steps or
instructions. Therefore, it is also not a procedure.

That leaves us with policies and standards. Both of these would be acceptable options for listing
approved encryption algorithms. However, the best practice is to write policies that contain
high-level requirements and then save technical details for standards. Therefore, the best place
to document these algorithms would be in a standard.


Question 46

Which layer of the OSI model is primarily concerned with MAC addresses?

A. Application layer
B. Presentation layer
C. Datalink layer
D. Transport layer

Your Answer was C.

You answered this question correctly!

Explanation

This question is straightforward because it is simply asking you to recall a fact about the OSI
model. Ethernet communications, which use MAC addresses, take place at the datalink layer of
the OSI model.


Question 47

You are responsible for the security of a database that contains sensitive personal information
about your employees, including their Social Security Numbers (SSN). You would like to select a
data protection technique that replaces SSNs with an alternative identifier and offers a lookup
table to authorized users who need to retrieve the actual SSN. What data protection technique
would best meet this need?

A. Masking
B. Encryption
C. Tokenization
D. Hashing

Your answer was A.

You answered this question incorrectly.

The correct answer was C.

Explanation

Tokenization is the use of a token, typically a random string of characters, to replace other data. It
is often used with credit card transactions. When using tokenization, the system maintains a
lookup table that allows authorized individuals to retrieve the original sensitive information
associated with a token.

Masking swaps data in individual data columns so that records no longer represent the actual
data. Encryption uses cryptography to render data unreadable to anyone without the decryption
key. Hashing also uses cryptography but replaces values with a cryptographic hash that is not
reversible.


Question 48

Which one of the following activities should take place before trying to determine the asset values
for an organization's information resources?

A. Identify an asset replacement strategy
B. Create an asset inventory
C. Implement compensating controls
D. Mitigate all foreseeable risks

Your Answer was B.

You answered this question correctly!

Explanation

As you conduct your business impact analysis, you must develop an inventory of your assets
before you can determine the asset values. This inventory lists all of the assets used by your
organization and can be the starting point for your valuation process.

You would not identify an asset replacement strategy until you move beyond the business impact
analysis and are deep into your disaster recovery planning.

You would not begin implementing any type of control until you are in the risk management stage
of your process. During that process, you may implement a set of controls to mitigate some risks,
but you would never be able to mitigate all foreseeable risks, as you must make cost/benefit
trade-off decisions.


Question 49

You are upgrading servers in your organization to use the latest version of the TLS protocol in
conjunction with approved cipher suites. What type of data will this control best protect?

A. Data in use
B. Data in transit
C. Data at rest
D. Data in memory

Your Answer was B.

You answered this question correctly!

Explanation

Transport Layer Security (TLS) is a protocol designed to add encryption to data that is in transit
over a network. It does not protect data in other situations, such as when it is at rest on a disk, in
use by a CPU, or stored in memory on a server or other system.


Question 50

You are deploying a new web service that will provide consumers with insight into their calendars.
You will support several major calendaring services and want to find a solution that allows
consumers to grant your service access to view their accounts without requiring that you collect
the user's password. What solution would best meet your needs?

A. TLS
B. TACACS+
C. IEEE 802.1x
D. OAuth2

Your Answer was D.

You answered this question correctly!

Explanation

OAuth2 is an open authorization standard that many companies on the Internet use to share
account information with third-party websites. It is designed specifically for situations like the one
described in this scenario.

Transport Layer Security (TLS) is used to encrypt data in transit over a network. TACACS+ is
used for authenticating user sessions. 802.1x is a network authentication technology. None of
these technologies are used to grant access to information or systems and would not be helpful in
this scenario.


Question 51

After conducting a security review of an organization, the assessor notes the fact that the
organization does not have an information security policy. What is the most important reason that
an organization should have such a policy?

A. To address the assessor's report
B. To establish the foundation for security governance
C. To increase security awareness
D. To provide consequences for insecure actions

Your Answer was B.

You answered this question correctly!

Explanation

The primary purpose of a security policy is to establish the foundation for security governance. It
does this by defining the scope of security needed by the organization and discussing the assets
that require protection. It defines the strategic security objectives, vision, and goals.

Security policies may provide consequences for individuals who violate the policy, but this is not
their primary purpose. They may certainly be written to address a finding in an audit or security
assessment, but, again, this is not the reason that an organization should have a policy. It is
merely an event that might prompt the organization to create one. Security policies do not create
awareness themselves. Awareness programs are designed to bring attention to security policies.


Question 52

What would be the most appropriate location to store application programming interface (API)
keys?

A. Secrets management system
B. Code repository
C. Laptop hard drives
D. Hardcoded into applications

Your Answer was A.

You answered this question correctly!

Explanation

API keys are sensitive information that allow code to access remote web services, and they
should be carefully protected. The ideal way to achieve this is by storing the keys in a secrets
management platform. To avoid unauthorized exposure, API keys should not be committed to code
repositories or hard-coded into applications. They should not be stored on individual laptops due
to the risk of loss.


Question 53

You are reviewing the report from a penetration test performed against one of your organization's
web applications. The report includes a finding that the application is vulnerable to a cross-site
request forgery (CSRF/XSRF) attack. Which one of the following controls would best defend
against this type of attack?

A. Secure tokens
B. Stored procedures
C. Parameterized queries
D. Input validation

Your Answer was A.

You answered this question correctly!

Explanation

Cross-site request forgery (CSRF/XSRF) attacks work by making the reasonable assumption that
users are often logged into many different websites at the same time. Attackers then embed code
in one website that sends a command to a second website. When the user clicks the link on the
first site, they are unknowingly sending a command to the second site. If the user happens to be
logged into that second site, the command may succeed. Defending against these attacks
requires the use of secure, synchronized tokens to protect authenticated sessions. Input
validation is a very effective control against any type of attack that uses user-supplied input to
exploit an application. It is effective against cross-site scripting (XSS) and SQL injection attacks,
but would not be effective against a CSRF attack because CSRF attacks do not rely upon
user-supplied input. Parameterized queries and stored procedures are effective defenses against
SQL injection attacks, which seek to send unauthorized commands to a database.

Question 54

You would like to enhance your security assessment and testing program by including automated
techniques that seek to exploit security vulnerabilities and report on discovered deficiencies.
Which of the following assessment techniques would best meet this need?

A. Red team exercise
B. Penetration test
C. Vulnerability scan
D. Breach and attack simulation (BAS)

Your Answer was D.

You answered this question correctly!

Explanation

Breach and attack simulation (BAS) platforms seek to automate some aspects of penetration
testing. These systems are designed to inject threat indicators onto systems and networks in an
effort to trigger other security controls. For example, a BAS platform might place a suspicious file
on a server, send beaconing packets over a network, or probe systems for known vulnerabilities.

In a well-functioning security program, detection and prevention controls would immediately
detect and/or block this traffic as potentially malicious. The BAS platform is not actually waging
attacks, but it is conducting automated testing of those security controls to identify deficiencies
that may indicate the need for control updates or enhancements.

Penetration tests and red team exercises might also attempt to exploit vulnerabilities, but these
are manual efforts, not automated ones. Vulnerability scans are automated, but they only seek to
identify vulnerabilities and do not actually exploit them.

Question 55

Carla is the security compliance officer for a large chain of retail stores. As part of her PCI DSS
compliance work, Carla discovers that the organization routinely sends cardholder data to a
service provider who helps detect fraudulent transactions. Under PCI DSS, what is Carla
obligated to do?

A. Perform an annual penetration test of the service provider
B. Verify that the service provider appears on the list of validated service providers
C. Perform quarterly vulnerability scanning of the service provider
D. Review the results of an external audit of the service provider and ensure any critical
findings are remediated

Your answer was D.

You answered this question incorrectly.

The correct answer was B.

Explanation

The Payment Card Industry Data Security Standard (PCI DSS) governs the security of credit card
information and is enforced through the terms of a merchant agreement between a business that
accepts credit cards and the bank that processes the business's transactions.

In the case of an organization that uses service providers to handle payment card data, the
primary obligation of the merchant is to verify that the service provider appears on the list of
validated service providers. This ensures that they have been audited and found in compliance
with the PCI DSS standard. The merchant does not need to take any other steps to verify
compliance or review the results of the audit themselves, although they may choose to do so.

Question 56

Christine is designing a new service where her organization's customers will receive risk scores
when they create new accounts. Those with high risk scores will be asked to answer a series of
security questions drawn from their credit report before they are granted accounts. What term
best describes this activity?

A. Provisioning
B. Deprovisioning
C. Accountability
D. Identity proofing

Your Answer was D.

You answered this question correctly!

Explanation

In this scenario, Christine is adding controls to improve the strength of identity proofing performed
by her organization. These measures will require that the user take extra steps to confirm their
identity in high-risk situations.

Identity proofing is normally a part of the provisioning process, but we are looking for the term
here that BEST describes this activity. Identity proofing is more specific than provisioning and is,
therefore, a better answer.

The use of identity proofing improves accountability by strengthening the organization's
confidence that someone is who they claim to be, but the act of identity proofing is not itself
accountability.

Identity proofing would normally be performed when creating a new account (provisioning) and
not when removing an existing account (deprovisioning).

Question 57

You are working with business leaders to design a process that will protect against the fraudulent
use of cloud services through your organization's accounts. You are implementing a process
where engineers who request cloud services are not able to approve invoices for those services.
What term best describes this control?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Privacy by design

Your Answer was C.

You answered this question correctly!

Explanation

Separation of duties is an important security practice that takes the steps required to perform a
sensitive action and divides them so that no single person can carry out all of those steps. In this
case, the engineer has the ability to request a new service but does not have the ability to
approve invoices for those services, marking a separation of duties.

Least privilege is a related principle but is more general in scope, saying that individuals should
only have the permissions necessary to carry out their job functions. While you could argue that
this scenario describes least privilege, separation of duties is a better answer and we are looking
for the term that BEST describes the control.

Defense in depth is the use of multiple, overlapping security controls to meet the same objective.
That is not described in this scenario.

Privacy by design is a strategy that integrates privacy concerns into the system design process.
There is no mention of privacy issues in this scenario.

Question 58

You are concerned about the impact of a component failure in your networked servers causing a
loss of power to the device. Which one of the following solutions would best address this risk?

A. Implementing a secondary power source from a power company
B. Deploying a diesel backup generator
C. Placing redundant power supplies in the server
D. Installing an uninterruptible power supply (UPS)

Your Answer was C.

You answered this question correctly!

Explanation

All of the solutions listed here will help with power issues, so it is important to read the question
carefully and identify the requirement. The question is specifically looking for a solution that will
address a component failure inside the server.

Of the choices listed here, only the server's own power supply is a component of the server.
Adding redundancy here ensures that the server can continue operating if a single power supply
fails.

Secondary power sources, uninterruptible power supplies, and backup generators are all external
components. They improve the reliability of the power supplied to the server, but they cannot
help if the failure is inside the server.

Question 59

In an organization's identity management (IdM) program, which one of the following technologies
is commonly used as an authorization mechanism for internal users?

A. Multifactor authentication (MFA)
B. Passwords
C. OAuth2
D. Access control list (ACL)

Your answer was A.

You answered this question incorrectly.

The correct answer was D.

Explanation

Access control lists (ACLs) are used to list out the specific permissions, or authorizations, that are
granted to a user or group of users. This is clearly an authorization technology.

OAuth2 is also an authorization technology but it is generally used for web-based authorization
and not for internal systems.

Passwords and multifactor authentication (MFA) are authentication technologies and not
authorization technologies.

Question 60

You are developing a set of security controls designed to support a remote workforce and must
have a variety of solutions in place to support different types of users and applications. Which
one of the following approaches would be the LEAST appropriate for use?

A. Transport Layer Security (TLS)
B. Advanced Encryption Standard (AES)
C. Secure Sockets Layer (SSL)
D. Internet Protocol Security (IPsec)

Your Answer was C.

You answered this question correctly!

Explanation

While this question poses a scenario, you actually don't need all of the details presented to
answer this question. Instead, you simply need knowledge of which security technologies are
current and secure and which are outdated.

The Secure Sockets Layer (SSL) is an outdated standard that has fundamental flaws and should
no longer be used. Therefore, that is our correct answer.

The other technologies mentioned: Transport Layer Security (TLS), Internet Protocol Security
(IPsec) and the Advanced Encryption Standard (AES) are all current, secure technologies.

Question 61

Tayo and his team are designing a new software development process. The developers who will
work with this process are frustrated with the amount of bureaucratic overhead associated with
their current approach and would like a collaborative development approach that focuses on
frequently delivering working software and face-to-face communication. What methodology
would best meet their needs?

A. Agile
B. Waterfall
C. Modified waterfall
D. Spiral

Your Answer was A.

You answered this question correctly!

Explanation

The scenario here clearly calls for an agile approach to software development. This approach
discards many of the formal approaches to development used by the waterfall and spiral models
and embraces four core values: individuals and interactions over processes and tools, working
software over comprehensive documentation, customer collaboration over contract negotiation,
and responding to change over following a plan.

Question 62

You recently received a request from a user in the sales department to have access to records of
past employees for use in developing business leads. This type of access has never been
granted in the past. What would be the best course of action for you to take?

A. Refuse the request because it violates past precedent
B. Refer the request to the data owner
C. Grant the request because it aligns with business objectives
D. Refer the request to the CISO

Your Answer was B.

You answered this question correctly!

Explanation

One of the primary responsibilities of the data owner is to make access decisions about the
information under their care. Therefore, it would be appropriate for you to refer this new access
request to the data owner for a decision. It would then be up to the data owner to determine
whether the request aligns with compliance requirements and business objectives.

As a cybersecurity professional, you should typically not be making these authorization decisions
yourself and it would not be appropriate for you to grant or reject the access without consulting
with the data steward. This is true for any cybersecurity professional, including the chief
information security officer (CISO).

Question 63

What is the access control model typically implemented by a network firewall?

A. Role Based Access Control
B. Mandatory Access Control
C. Discretionary Access Control
D. Rule-based Access Control

Your Answer was D.

You answered this question correctly!

Explanation

A key characteristic of the rule-based access control model is that it applies global rules to all
subjects. As an example, a firewall uses rules that allow or block traffic to all users equally. Rules
within the rule-based access control model are sometimes referred to as restrictions or filters.

Firewalls do not follow the mandatory access control (MAC) model, which requires that each
object be labeled with a security level. They also do not allow individual users to modify
permissions, which is the discretionary access control (DAC) model.

Some firewalls may incorporate user identity into access control decisions, which would give them
elements of role-based access control (RBAC), but this is not the primary operating model of the
firewall. The firewall is primarily a rule-based access control system.

Question 64

When assigning a classification level to an information system, what factor is most important to
consider?

A. The typical level of classification of information processed by the system
B. The highest level of classification of information processed by the system
C. The highest level of security clearance held by users of the system
D. The typical level of security clearance held by users of the system

Your Answer was B.

You answered this question correctly!

Explanation

You assign a classification level to an IT system by considering the classification of the
information that the system will store, process, and transmit. The security clearance of an
individual user can be used to help make access decisions, but it is not used to assign the
classification to a system.

The classification level you assign to a system should be consistent with the highest level of
information processed by that system. For example, if a system normally processes information
classified Secret but occasionally handles Top Secret information, the system should be classified
as Top Secret to accommodate that occasional processing.

Question 65

Kara is worried about the risk that a single employee may authorize a fraudulent cash transfer
from her organization's bank accounts. To mitigate this risk, she contacts the bank and asks
them to require that both an employee and their manager sign off on any transfers exceeding
$10,000. What term best describes this arrangement?

A. Two-person control
B. Separation of duties
C. Need-to-know
D. Least privilege

Your answer was B.

You answered this question incorrectly.

The correct answer was A.

Explanation

The policy Kara implemented requires that two different people authorize the same action. This is
a clear example of two-person control. Separation of duties limits the ability of a person to
perform two different steps, such as requesting a transfer and approving a transfer. Separation of
duties and two-person control are both ways of building a least privilege environment, but the
term two-person control better describes this scenario. The scenario is not referring to access to
information, so need-to-know is not relevant here.

Question 66

You are concerned about the risk of data loss associated with the theft of laptops and mobile
devices. You decide to deploy full disk encryption (FDE) technology to mitigate this risk. What
control category best describes the use of this technology in this situation?

A. Detective
B. Preventive
C. Corrective
D. Compensating

Your Answer was B.

You answered this question correctly!

Explanation

Full disk encryption is designed to stop an attacker from gaining access to the data stored on a
device that is lost or stolen. This makes it a preventive control.

Detective controls are designed to identify an attack that is in progress. Full disk encryption
would not identify an attack, so it is not a detective control.

Corrective controls are designed to restore normal service after a security incident. This is not
the role played by full disk encryption.

Compensating controls are designed to fill a control gap left by the absence of another control.
There is no indication in the scenario that full disk encryption is being used for this purpose.

Question 67

You are designing a back-end authentication system for your company and would like to choose
an approach that allows you to implement single sign-on (SSO) and directly integrates with the
Windows and Linux systems you have in place. Which one of the following technologies would
best meet this need?

A. OAuth2
B. RADIUS
C. Kerberos
D. IEEE 802.1x

Your answer was A.

You answered this question incorrectly.

The correct answer was C.

Explanation

Kerberos is a well-known single sign-on (SSO) technology that is built into Windows and Linux
systems and is widely used in modern enterprises. RADIUS is an authentication technology that
is often used as the back end for VPNs and other network authentication systems but does not
provide robust SSO. OAuth2 is primarily used for authorizing web access and does not provide
generalized SSO capability. 802.1x is a network authentication protocol and not a generalized
SSO solution.

Question 68

Vincent's organization recently experienced an adverse situation where a customer who
submitted an order by email later claimed that they did not actually send that email. Vincent
believes that the customer did actually send the order but is not able to prove that fact. What
security principle was most directly violated?

A. Confidentiality
B. Nonrepudiation
C. Integrity
D. Availability

Your Answer was B.

You answered this question correctly!

Explanation

Nonrepudiation ensures that the subject of an activity, or the party that caused an event, cannot
deny that the event occurred. Nonrepudiation prevents a subject from claiming not to have sent a
message, not to have performed an action, or not to have been the cause of an event. That exactly
describes the scenario here -- a customer is claiming to have not sent an email.

Confidentiality protects information from unauthorized access. Integrity protects information from
unauthorized modification. Availability ensures that authorized individuals retain their legitimate
access to information.

Question 69

You are assisting with the design of a new data center and are considering different fire
suppression strategies. Which one of the following systems would be most appropriate for use in
a data center?

A. Wet pipe sprinklers
B. Dry pipe sprinklers
C. Inert gas
D. Fire extinguishers

Your answer was B.

You answered this question incorrectly.

The correct answer was C.

Explanation

All of these options are possibilities for fire suppression. Each has the ability to extinguish a fire.
However, we are looking for the most appropriate one to use in a data center.

We can rule out both dry pipe and wet pipe sprinklers because they use water to extinguish a fire
and this water could destroy all of the equipment in the data center.

The best option would be to use an inert gas system that removes the oxygen from the room,
causing the fire to go out without damaging equipment.

Fire extinguishers are not a practical option because they require a human to operate. They
should be available in case the fire suppression system fails, but they should not be relied upon
for primary coverage.

Question 70

You are reviewing the security controls for a banking website and would like to ensure that the
site is protected against man-in-the-middle (MITM) attacks. Which one of the following security
controls would best protect against this type of attack?

A. SSL
B. SSH
C. TLS
D. AES

Your Answer was C.

You answered this question correctly!

Explanation

We can tackle this question through the process of elimination. First, the Advanced Encryption
Standard (AES) is an encryption algorithm and not an application of encryption to protecting
network communications.

We can also eliminate the secure shell (SSH) protocol because it is used for secure
command-line interfaces to remote systems and not to protect web traffic.

That leaves us with two technologies that are used to secure web traffic: the Secure Sockets
Layer (SSL) and Transport Layer Security (TLS). However, SSL is no longer considered secure
and should no longer be used. This makes the correct answer here TLS.

Question 71

Norm is a CISSP-certified individual who recently completed a consulting engagement with a
client. During the scope of that engagement, he obtained sensitive information from his client and
sold it to one of their competitors, violating a non-disclosure agreement. This would appear to
violate Canon II of the Code of Ethics: "Act honorably, honestly, justly, responsibly, and legally."

Who is eligible to file a complaint about Norm's behavior with (ISC)2?

A. Any member of the public
B. Only the client who was harmed
C. Only Norm's actual employer
D. Any certified or licensed professional

Your Answer was A.

You answered this question correctly!

Explanation

This question requires that you understand the complaint procedures for the (ISC)2 code of
ethics. The question tells you that the accusation is made under Canon II. Any member of the
general public may file a complaint under both Canons I and II. Only an employer or someone
with a contracting relationship may file a complaint under Canon III. Any licensed or certified
professional who subscribes to a code of ethics may file a complaint under Canon IV.

Question 72

Your organization uses an access control system that allows any user who creates a file to
manage the access that other users have to those files. What type of access control model is
being used?

A. Mandatory Access Control (MAC)
B. Role Based Access Control (RBAC)
C. Attribute Based Access Control (ABAC)
D. Discretionary Access Control (DAC)

Your Answer was D.

You answered this question correctly!

Explanation

A key characteristic of the Discretionary Access Control (DAC) model is that every object has an
owner and the owner can grant or deny access to any other subjects. That is the situation
described in this scenario.

Mandatory Access Control (MAC) systems apply labels to users and objects and prevent a user
from accessing any object for which they are not cleared. Role-based access control (RBAC)
systems grant users permission to objects based upon each user's role(s) within the organization.
Attribute-based access control (ABAC) systems grant users access to objects based upon
attributes embedded in the object and the user's identity.

Question 73

You are evaluating possible upgrades to a physical data center used by your organization. Your
primary concern is ensuring that the facility is able to continue operating during an extended
power outage. What control would best meet this goal?

A. Uninterruptible power supply
B. Power conditioning
C. Backup generator
D. Alternate processing facility

Your Answer was C.

You answered this question correctly!

Explanation

To answer this question, you must understand the use of different power controls. First,
recognize that this situation is asking for uninterrupted operation in the facility. While an alternate
processing facility might allow uninterrupted operation if it is configured as a hot site, this does not
meet the requirement of having the original facility continue to operate. So, we need some sort of
control at the primary facility that will provide power during an extended outage.

Uninterruptible power supplies (UPS) provide short-term coverage of power for brief interruptions.
You might need a UPS to avoid any "blips" in power, but a UPS will not provide the long-term
coverage required here.

Power conditioning makes sure that the power provided to systems is "clean", free of spikes,
sags, and other conditions that might cause issues for electronic equipment. It does not provide
power when none is available.

Generators are the best choice here. A backup generator uses a diesel engine or other
independent source to generate power during a long-term outage.

Question 74

Which one of the following is the most common role for an IT professional to hold in an
organization's data management program?

A. Data steward
B. Data custodian
C. Data owner
D. Data processor

Your Answer was B.

You answered this question correctly!

Explanation

IT professionals are most commonly responsible for implementing and monitoring security
controls around sensitive information. This is the role of the data custodian.

The data owner bears ultimate responsibility for a portion of the organization's data and is
normally a senior business leader from the functional area responsible for that data. Data owners
commonly delegate some of their authority to data stewards who handle the day-to-day work of
data ownership.

Data processors are third-party organizations that store, process, or transmit information. Internal
employees would not be in a data processor role.

Question 75

Shirley was recently asked to participate in a test of her organization's disaster recovery plan.
During the test, the team activated the alternate processing facility to ensure that equipment was
working properly, but they did not shut down their primary site to avoid a disruption to business.
What type of test took place?

A. Parallel test
B. Full interruption test
C. Simulation
D. Walkthrough

Your Answer was A.

You answered this question correctly!

Explanation

Two types of test involve the actual activation of the alternate processing facility - a full
interruption test and a parallel test. Parallel tests simply activate the site without switching over
operations, which is the case in this scenario. Full interruption tests shut down the primary site to
perform a complete test of the backup site. Simulations and walkthroughs do not actually activate
the primary site.

Question 76

Tina is documenting a step-by-step process that help desk personnel in her organization must
follow when they are assisting a user with resetting a forgotten password. The purpose of this
process is to make sure that attackers do not abuse the process to gain unauthorized access to
an account. What type of document is Tina most likely creating?

A. Guideline
B. Procedure
C. Policy
D. Standard

Your Answer was B.

You answered this question correctly!

Explanation

This is a great example of a security procedure. The key to recognizing that is noting that it is
offering step-by-step instructions and that a procedure is a detailed, step-by-step how-to
document that describes the exact actions necessary to implement a specific security
mechanism, control, or solution.

Policies are high level governance documents and would not contain detailed instructions.
Standards define technology requirements and would be more appropriately used to define
acceptable encryption algorithms, security tools, and similar controls. Guidelines are not
mandatory and offer advice on security matters.

Question 77

Which one of the following events should be considered the final deadline for discontinuing the
use of an IT product or service in an organization?

A. EOL
B. EOS
C. ETA
D. ELA

Your answer was A.

You answered this question incorrectly.

The correct answer was B.

Explanation

Organizations should discontinue using an IT product or service when the vendor has reached
the End of Support (EOS) date for the product. At that point, users should no longer make use of
the product because there will be no security updates available.

It is common to continue using software beyond the End of Life (EOL) date when the vendor has
stopped selling the product but is continuing to offer support. ETA and ELA are distractors here
and are not dates related to product support.

Question 78

Which one of the following is an open standard for exchanging authentication and authorization
information between different parties?

A. OAuth2
B. OpenID
C. Active Directory
D. SAML

Your answer was B.

You answered this question incorrectly.

The correct answer was D.

Explanation

The best way to tackle this question is by process of elimination.

OAuth2 is an important access control technology, but it only performs authorization and does not
perform authentication.

OpenID has the opposite problem -- it is an authentication technology but it does not provide for
authorization.

Active Directory does perform both authentication and authorization, but it is the proprietary
technology of Microsoft and is not an open standard.

The Security Assertion Markup Language (SAML) is an open XML-based standard commonly
used to exchange authentication and authorization information between federated organizations.
That makes SAML the correct answer here.


Question 79

You are trying to determine the appropriate security controls to apply to a file server that stores
sensitive information. Which one of the following data elements would be most useful to you in
making this determination?

A. Operating system configuration
B. Data classification
C. Application configuration
D. User identity

Your Answer was B.

You answered this question correctly!

Explanation

When you select security controls for a server, you should choose them based upon the criticality
of the server to your organization and the sensitivity of the information it contains. This
information is summarized by the data classification level.

The identity of the users who access a server is not relevant to the level of control, unless
certain users handle more sensitive information. In that case, the sensitivity would still be
reflected in the data classification.

The configuration of the operating system and applications on the server may influence how the
control objectives are met, but would not determine the controls that are applied.


Question 80

You are assisting with the design of a new data center and would like to build in a control that
protects against piggybacking AND tailgating attacks. Which one of the following controls would
best address this need?

A. Biometric authentication
B. Physical intrusion detection system
C. Mantrap
D. Multifactor authentication

Your Answer was C.

You answered this question correctly!

Explanation

Piggybacking and tailgating attacks occur when someone attempts to enter a secure area based
upon the permission granted to another person. In a piggybacking attack, the attacker simply
asks someone to let them into the secure area. In a tailgating attack, they attempt to slip in a
door or past another access control mechanism when someone opens it without that person's
knowledge.

Either of these attacks is best defended against with a mantrap (also known as an access control
vestibule). This is a double set of doors that is often protected by a guard or some other physical
layout that prevents piggybacking and tailgating and can trap individuals at the discretion of
security personnel.

Biometric and other multifactor authentication techniques would improve the security of the
access control system but would not prevent piggybacking or tailgating attacks.

A physical intrusion detection system (i.e. a burglar alarm) might be able to detect this type of
attack but these systems are generally not designed for that purpose and would not be able to
prevent piggybacking or tailgating.


Question 81

You are evaluating your organization's supply chain and determine that your dependence upon a
sole SaaS provider poses an operational risk. Outages of the system could disrupt your business
activity. Which one of the following agreements would best protect your organization against this
risk?

A. NDA
B. SLA
C. MOU
D. NCA

Your Answer was B.

You answered this question correctly!

Explanation

Service level agreements (SLAs) are used to document the required parameters of delivering a
service and provide consequences for vendors who fail to meet those requirements. This would
be the appropriate tool for mitigating the supply chain risk described in this scenario.

A memorandum of understanding (MOU) documents the relationship between two parties, but it
would not normally contain the detailed service requirements found in an SLA.

A nondisclosure agreement (NDA) describes requirements around the sharing of confidential
information.

Noncompete agreements (NCA) restrict the ability of individuals and/or organizations to work with
or for the competitors of their employer or client.


Question 82

Which one of the following combinations of controls would NOT qualify as multifactor
authentication?

A. Facial recognition and an access card
B. Passphrase and a smartphone token
C. Password and a PIN
D. Fingerprint recognition and a password

Your Answer was C.

You answered this question correctly!

Explanation

Multifactor authentication requires choosing security controls from two different categories. The
possible categories are something you know, something you have, and something you are.
Facial recognition and fingerprint recognition are both examples of something you are. Access
cards and smartphone tokens are both examples of something you have. Passwords, PINs, and
passphrases are all examples of something you know.

Of the combinations presented here, all combine two different factors except for a password and
PIN, which are both examples of something you know.


Question 83

You are concerned about the prevalence of privilege creep within your organization and would
like to implement a process that will reduce this activity. Which one of the following would best
meet your need?

A. Privilege escalation
B. Secure identity proofing
C. Single Sign On (SSO)
D. User access reviews

Your Answer was D.

You answered this question correctly!

Explanation

Privilege creep involves a user account accumulating additional privileges over time as job roles
and assigned tasks change. As an example, imagine Karen is working in the accounting
department and transfers to the sales department. She has privileges in the accounting
department, and when she transfers to sales, she's granted the privileges needed in the sales
department. If administrators don't remove her rights and permissions in accounting, she retains
excessive privileges. This violates the basic security principle of least privilege, and account
reviews are effective at discovering these problems.

Identity proofing and single sign on (SSO) may strengthen an access control system but they will
not do anything to detect or remediate privilege creep.

Privilege escalation is a penetration testing technique used to gain administrative permissions
using a normal user account.
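The access review described above can be automated by comparing what each account can actually do with what its current role is supposed to need. The script below is an added example written for this note, not part of the score report; the role names, entitlement strings and accounts (including "karen", who kept her accounting rights after moving to sales) are constructed.

```python
# Added example of a user access review that flags privilege creep by
# comparing each account's entitlements with a role baseline. Example code
# written for this note, not part of the score report; the roles,
# entitlement names and accounts below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: the entitlements each job role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounting": {"gl:read", "gl:post", "ap:approve"},
    "sales": {"crm:read", "crm:write", "quotes:create"},
}


@dataclass
class Account:
    user: str
    role: str               # current job role according to HR
    entitlements: Set[str]  # what the account can actually do today


@dataclass
class Finding:
    user: str
    role: str
    excess: Set[str]        # entitlements the current role does not justify


def review_access(accounts: List[Account], baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Return one finding per account that holds rights outside its role baseline.

    A role missing from the baseline has no approved rights, so everything the
    account holds is flagged for a human to confirm or revoke.
    """
    findings: List[Finding] = []
    for acct in accounts:
        excess = acct.entitlements - baseline.get(acct.role, set())
        if excess:
            findings.append(Finding(acct.user, acct.role, excess))
    return findings


def revocation_plan(findings: List[Finding]) -> Dict[str, List[str]]:
    """Turn findings into a per-user, sorted list of rights to remove."""
    return {f.user: sorted(f.excess) for f in findings}


# Constructed accounts: Karen moved from accounting to sales but kept her old rights.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("karen", "sales", {"gl:read", "gl:post", "ap:approve",
                               "crm:read", "crm:write", "quotes:create"}),
    Account("raj", "accounting", {"gl:read", "gl:post", "ap:approve"}),
    Account("svc_legacy", "contractor", {"crm:read"}),  # role not in the baseline
]

if __name__ == "__main__":
    for user, rights in revocation_plan(review_access(SAMPLE_ACCOUNTS, ROLE_BASELINE)).items():
        print(f"{user}: revoke {', '.join(rights)}")
```

Running the review periodically, rather than once at transfer time, is what catches rights that were never removed; the output is a revocation list that the account owners and managers sign off on before administrators apply it.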


Question 84

You are reviewing a website that you use regularly and you discover a serious vulnerability that
may compromise user information. You sent a notice to the company's contact address
describing the vulnerability but have heard no response after two weeks. Under the principle of
ethical disclosure, what action should you take next?

A. Report the vulnerability to law enforcement
B. Disclose the vulnerability publicly
C. You have fulfilled your ethical responsibility and should take no further action
D. Send another notice to the company with a deadline

Your answer was A.

You answered this question incorrectly.

The correct answer was D.

Explanation

The security community embraces the concept of ethical disclosure. This principle says that
security professionals who detect a vulnerability have a responsibility to report that vulnerability to
the vendor, providing them with an opportunity to develop a patch or other remediation to protect
their customers.

This disclosure should first be made privately to the vendor, allowing them to correct the problem
before it becomes public knowledge. However, the ethical disclosure principle also suggests that
those reporting a vulnerability should provide the vendor with a reasonable amount of time to
correct the vulnerability and, if it is not corrected, then publicly disclose the vulnerability so that
other security professionals may make informed decisions about their future use of the product.


Question 85

You are deploying a redundant array of inexpensive disks (RAID) to improve the redundancy of
your storage system. You have chosen to implement RAID level 5. What is the minimum number
of disks that you must use to implement this solution?

A. 2
B. 5
C. 3
D. 1

Your Answer was C.

You answered this question correctly!

Explanation

This is a straightforward question about RAID technology. To answer this question correctly, you
must know that RAID level 5 uses disk striping with parity. It uses three or more disks with the
equivalent of one disk holding parity information. This parity information allows the reconstruction
of data through mathematical calculations if a single disk is lost. If any single disk fails, the RAID
array will continue to operate, though it will be slower.
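The reconstruction the explanation mentions is a plain XOR: the parity chunk of each stripe is the XOR of that stripe's data chunks, so the XOR of every chunk in a stripe (data plus parity) is zero and any one missing chunk is the XOR of the survivors. The following is an added example written for this note, not part of the score report; the three-disk layout, chunk size and sample message are constructed, and the parity rotation scheme is a simplified one chosen for illustration.

```python
# Added illustration of RAID 5 striping with rotating XOR parity and the rebuild
# of a single failed disk. Example code written for this note, not part of the
# score report; disk count, chunk size and sample data are constructed.
from typing import List, Optional

Disk = List[bytes]  # one chunk per stripe


def xor_chunks(chunks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together (the RAID 5 parity operation)."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, n_disks: int, chunk: int) -> List[Optional[Disk]]:
    """Stripe data across n_disks: each stripe holds n_disks - 1 data chunks plus
    one parity chunk, and the parity position rotates from stripe to stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 requires at least three disks")
    data_chunks = n_disks - 1
    stripe_bytes = data_chunks * chunk
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # fill the last stripe
    disks: List[Optional[Disk]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        base = s * stripe_bytes
        pieces = [padded[base + k * chunk: base + (k + 1) * chunk] for k in range(data_chunks)]
        parity = xor_chunks(pieces)
        parity_disk = s % n_disks
        remaining = iter(pieces)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_read(disks: List[Optional[Disk]], length: int) -> bytes:
    """Reassemble the original data. A disk recorded as None has failed; one
    failure is rebuilt per stripe by XORing the surviving chunks, since the XOR
    of all chunks in a stripe (data and parity) is zero. Two failures are fatal."""
    n_disks = len(disks)
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 5 tolerates only one failed disk")
    n_stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(n_stripes):
        chunks: List[Optional[bytes]] = [None if d is None else d[s] for d in disks]
        if failed:  # rebuild the missing chunk, whether it held data or parity
            chunks[failed[0]] = xor_chunks([c for c in chunks if c is not None])
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += chunks[d]  # type: ignore[arg-type]
    return bytes(out[:length])


def demo_single_disk_loss() -> bool:
    """Write a message to a three-disk array, lose one disk, read it back intact."""
    message = b"RAID 5 survives a single disk failure."
    disks = raid5_write(message, n_disks=3, chunk=4)
    disks[1] = None  # simulate disk 1 failing
    return raid5_read(disks, len(message)) == message


if __name__ == "__main__":
    print("rebuild succeeded:", demo_single_disk_loss())
```

The degraded read does extra XOR work for every stripe, which is the slowdown the explanation refers to, and the array is one more failure away from data loss until the failed disk is replaced and rebuilt.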


Question 86

You are developing a security standard for laptop computers that will be used by a new division
within your organization. The employees in that division will travel constantly and require access
to sensitive information. Which one of the following components is least likely to be part of this
division's endpoint security strategy?

A. Full disk encryption
B. Host-based firewalls
C. Containerization
D. Endpoint detection and response

Your answer was D.

You answered this question incorrectly.

The correct answer was C.

Explanation

Containerization is a virtualized computing capability that is commonly used to move workloads
between different operating systems. It is normally found in data center environments (whether
on-premises or in the cloud) and not on endpoint devices.

Host-based firewalls, full-disk encryption and endpoint detection & response solutions are all
common security controls used on laptops and other endpoint devices.


Question 87

Your organization recently signed a contract with a service provider who will be maintaining
manufacturing equipment at a variety of field sites. The provider requires access to some of your
internal systems in order to view and update work orders so you are establishing connectivity to
your network for them. The connection will be an always-on virtual private network (VPN)
between your locations. What is the most appropriate location on your network to terminate the
connection?

A. Intranet
B. Internet
C. Extranet
D. Demilitarized Zone (DMZ) network

Your answer was D.

You answered this question incorrectly.

The correct answer was C.

Explanation

This question is asking you to select the appropriate location to place a VPN. This might tempt you
to immediately jump to the answer of placing the VPN in the demilitarized zone (DMZ) network
because that is the normal location for a VPN server. However, this is not the correct answer in
this case.

The scenario describes a unique use case where you are working with another organization that
will need access to some of your internal systems. While the DMZ is a reasonable place to
terminate the VPN connection, the extranet would be a better location because these networks
are specifically designed for this scenario -- an external partner that requires access to internal
systems.

It would not be appropriate to place this connection on the Internet because that would offer no
benefit over the supplier simply accessing systems directly from their own network. It would also
be inappropriate to place the connection on an intranet because that network would offer too
much access for this scenario and should be reserved for employees.


Question 88

You are concerned about the security of encrypted information stored by your organization and
are increasing the length and complexity of the password used to protect that data. What type of
attack is most likely to be thwarted by this added security?

A. Pass-the-hash
B. Man-in-the-middle
C. Brute force
D. Kerberoasting

Your Answer was C.

You answered this question correctly!

Explanation

Brute force attacks try to guess the decryption key used for encrypted information. The longer the
key, the more resistant it is to a brute force attack. The other attack techniques listed here do not
depend upon the length of the key. Pass-the-hash and Kerberoasting attacks exploit deficiencies
in the Kerberos authentication system. Man-in-the-middle attacks intercept the setup of an
encrypted session and monitor the traffic sent through it.


Question 89

Your organization is considering adopting a new tool that allows developers to write, test, and
deploy code from a single graphical interface. What term best describes this tool?

A. Integrated Development Environment (IDE)
B. Continuous Integration and Continuous Delivery (CI/CD)
C. Compiler
D. Software Configuration Management (SCM)

Your Answer was A.

You answered this question correctly!

Explanation

This is an example of an Integrated Development Environment (IDE). IDEs provide developers
with a graphical interface where they can write, test, debug, and deploy code from a single
application. A compiler is used only to create machine code from source code and does not
provide these other capabilities. A continuous integration and continuous delivery (CI/CD)
pipeline allows the efficient movement of code through an organization but is not a development
environment itself. Software Configuration Management (SCM) tools are used to manage the
deployed base of software in an organization but are not tools used to create code.


Question 90

As the Chief Information Security Officer (CISO) of a large organization, Justin is concerned that
his team is unable to rapidly respond to many smaller incidents. He would like to have runbooks
that automatically respond to simple events that occur on endpoints, network devices, and
applications. What technology platform would best meet his needs?

A. Security orchestration, automation, and response (SOAR)
B. Security information and event management (SIEM)
C. Endpoint detection and response (EDR)
D. Managed detection and response (MDR)

Your answer was B.

You answered this question incorrectly.

The correct answer was A.

Explanation

Security orchestration, automation, and response (SOAR) platforms serve exactly this purpose.
They allow administrators to define automated playbook responses to common security incidents
that occur across a wide range of devices. Endpoint detection and response (EDR) platforms
also provide this capability but they are limited to working with endpoint devices. Managed
detection and response (MDR) services outsource the management of an incident response
program but do not necessarily provide automation. Security information and event management
(SIEM) systems do perform security information correlation and management of security incidents
but they do not have the automated response capabilities of SOAR platforms.


Question 91

Brianna's organization recently suffered an attack where the attacker was able to break into the
organization's website and change the contact email address published on the page. What
cybersecurity principle does this attack most directly violate?

A. Non-repudiation
B. Integrity
C. Confidentiality
D. Availability

Your Answer was B.

You answered this question correctly!

Explanation

This question is testing your knowledge of a core information security concept - the CIA triad.
Confidentiality, integrity, and availability are the three primary goals of information security.
Nonrepudiation is a goal of cryptography but not a core cybersecurity goal.

In this example, the attacker performed the unauthorized modification of information. This is an
integrity violation. If the attacker had stolen information, that would be a confidentiality violation.
If the attacker had deleted or destroyed information, that would be an availability violation.


Question 92

You are deploying a virtual private network (VPN) to support remote users who will be
telecommuting but require access to internal resources. Where would be the most appropriate
location to place the VPN server?

A. Internal network
B. Outside the firewall on the public Internet
C. Demilitarized zone (DMZ) network
D. Data center network

Your answer was A.

You answered this question incorrectly.

The correct answer was C.

Explanation

To answer this question correctly, you must identify the type of device being discussed and then
determine the appropriate network placement.

A VPN server is designed to accept external connections and, therefore, should be placed in a
zone where it is accessible from the Internet. Systems that are located on a data center network
or an internal network should never have direct exposure on the Internet, so those are not viable
options.

Organizations should never place systems directly on the Internet without the benefit of any
firewall protection either, as this allows outsiders unrestricted access to the system.

The best location for this device is in a demilitarized zone (DMZ) network (also known as a
screened subnet) where it can be protected by the firewall but it is also screened off from access
to other internal systems.


Question 93

Which one of the following is the best example of a security awareness activity that might be used
as part of an organization's information security program?

A. Mandatory computer-based training
B. Posters in the hallway
C. Specialized training for security administrators
D. Optional classroom training

Your Answer was B.

You answered this question correctly!

Explanation

Security awareness programs include the activities that serve to refresh the memories of
individuals who have already been trained on cybersecurity matters. A poster in the hallway is an
excellent example of an awareness activity.

Training activities seek to impart new knowledge. Computer-based training, classroom training,
and specialized training for security administrators all fit into this category and would not be
considered awareness activities.


Question 94

You are responsible for managing your organization's firewall and require remote command-line
access to the device. Which one of the following tools will best meet this requirement?

A. HTTPS
B. IPsec
C. SSH
D. Telnet

Your Answer was C.

You answered this question correctly!

Explanation

As we examine this question, we can rule out some options for different reasons.

First, we can immediately eliminate telnet as an option. Telnet is an insecure protocol that does
not provide encryption and should almost never be used on a modern network.

Next, we can eliminate IPsec. IPsec is a virtual private network (VPN) protocol that can be used
to establish secure remote connections, but it does not provide the ability to connect to a
command-line interface.

That leaves us with HTTPS and SSH. Both of these protocols could be used to manage a
firewall. The key distinguishing factor is that the question asks us to find a solution that supports
command-line access. SSH is a secure command-line utility that would be appropriate for this
task. HTTPS could provide access to a secure web administration portal, but the question is not
asking for web-based management.


Question 95

Tom is designing an entry system for a remote facility that contains sensitive equipment. Staff
often visit this facility by themselves and Tom is concerned that someone might lay in wait for an
employee to visit and then force them to enter the access code to enter the facility. Which one of
the following controls would best detect this type of attack?

A. Duress code
B. Multifactor authentication
C. Time delay lock
D. Burglar alarm

Your Answer was A.

You answered this question correctly!

Explanation

To answer this question correctly, focus on the question in the last sentence -- you are being
asked to identify a control that will DETECT the attack. This means that other staff would be
alerted to the fact that someone is being forced to open the facility. Duress codes are designed
for this purpose. They are an alternate PIN that employees may use to enter a facility while
triggering a silent alarm. Multifactor authentication and time delay locks may make entering the
facility more difficult, but the intruder could simply force the employee to use those controls. A
burglar alarm may detect an unauthorized entry, but it is not likely to trigger on what appears to
be an authorized entry by an employee.


Question 96

You are working with system administrators in your organization and identify a shared library
used for encryption that contains a serious security vulnerability. This library is used in many
different applications used by your organization. Which one of the following would be the BEST
approach to addressing this problem?

A. Patch the library
B. Switch to a different library
C. Disable the use of encryption temporarily
D. Take no action at this time

Your Answer was A.

You answered this question correctly!

Explanation

In this case, you're being asked to handle a situation where the organization depends upon a
library for encryption and that library has a security vulnerability. You should definitely take some
action to resolve this issue, so taking no action is not a viable option. The remaining three
options would all resolve the vulnerability, so we're looking for the best solution here. Disabling
the use of encryption would present a new security issue so it is not a good choice. Switching to
a different library would be complex and require a lot of work from software developers. Patching
the library would likely resolve the security issue completely and require far less work than
switching libraries, so it is the best option.


Question 97

Kaiden is concerned about the massive amount of data flowing into his organization's security
operations center (SOC) on a daily basis. The SOC team is not able to analyze it all and would
like to implement a technology that can assist with the correlation and analysis of records arriving
from many different sources. What technology would best meet his needs?

A. Security information and event management (SIEM) platform
B. Intrusion detection system (IDS)
C. Managed security service provider (MSSP)
D. User and entity behavior analysis (UEBA) system

Your answer was D.

You answered this question incorrectly.

The correct answer was A.

Explanation

Security information and event management (SIEM) technology is designed specifically for the
use case described in this question -- correlating the log entries arriving from many different
sources and analyzing them in that context. Intrusion detection systems (IDS) also are able to
analyze some security information but they do not perform the correlation and deep analysis that
is possible with a SIEM. User and entity behavior analysis (UEBA) systems play an important
role in assessing the security status of your network but their scope is limited to user and device
behavior. Managed security service providers (MSSP) may offer services that help with SOC
operations but they are a managed service, not a technology solution.
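The correlation a SIEM performs is what lets a pattern that is invisible to any single sensor stand out. Below is an added example written for this note, not part of the score report: a small rule that parses constructed authentication events from two sources (a VPN concentrator and a mail gateway) and raises an alert when a user's successful login is preceded by a burst of failures spread across those sources. The log format, user names, addresses and thresholds are all constructed for the illustration.

```python
# Added example of cross-source log correlation in the style of a SIEM rule.
# Example code written for this note, not part of the score report; the log
# format, event names, users, addresses and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events from two sources (vpn and mail). Not real logs.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z vpn auth_fail user=alice src=203.0.113.5
2024-03-01T08:00:40Z mail auth_fail user=alice src=203.0.113.5
2024-03-01T08:01:15Z vpn auth_fail user=alice src=203.0.113.5
2024-03-01T08:02:03Z vpn auth_ok user=alice src=203.0.113.5
2024-03-01T08:05:00Z vpn auth_fail user=bob src=198.51.100.7
2024-03-01T08:30:00Z mail auth_ok user=bob src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>auth_fail|auth_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text: str) -> List[dict]:
    """Normalize raw lines from every source into one time-ordered event list."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline would count and surface these
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[dict], window: timedelta = timedelta(minutes=5),
              threshold: int = 3) -> List[dict]:
    """Alert when a successful login follows >= threshold failures for the same
    user within the window, counting failures from every source together."""
    failures: Dict[str, List[tuple]] = defaultdict(list)  # user -> [(ts, source)]
    alerts = []
    for e in events:
        if e["event"] == "auth_fail":
            failures[e["user"]].append((e["ts"], e["source"]))
            continue
        recent = [(ts, src) for ts, src in failures[e["user"]] if e["ts"] - ts <= window]
        if len(recent) >= threshold:
            alerts.append({
                "user": e["user"],
                "failures": len(recent),
                "sources": sorted({src for _, src in recent}),
                "success_at": e["ts"].isoformat(),
            })
    return alerts


def failures_per_source(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """What each sensor sees on its own: failure counts per source, per user."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "auth_fail":
            counts[e["source"]][e["user"]] += 1
    return {src: dict(users) for src, users in counts.items()}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    print("per-source view:", failures_per_source(evts))
    print("correlated alerts:", correlate(evts))
```

In the sample, neither the VPN (two failures for alice) nor the mail gateway (one failure) crosses the threshold on its own, so an IDS watching either feed would stay quiet; only the combined, time-ordered view reaches three failures before the success and raises the alert. Bob's lone failure is not followed by a success within the window and produces nothing.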


Question 98

You are a consultant analyzing the security of a supervisory control and data acquisition (SCADA)
system used in a utility plant. Following industry best practices, what would be the best network
posture for this system?

A. Connected to the Internet
B. Placed on a demilitarized zone (DMZ) network
C. Placed on an isolated network
D. Placed on a restricted back office network

Your Answer was C.

You answered this question correctly!

Explanation

Supervisory control and data acquisition (SCADA) systems perform sensitive functions within
industrial environments and should be carefully safeguarded. The best practice is to take these
systems and place them on a completely isolated network where they are not able to
communicate with other systems.

Placing the SCADA system on a network with restricted access, such as a back office network or
DMZ, would provide some degree of security, but it would not be as effective as placing the
systems on an isolated network. Placing the SCADA system on the Internet would present an
unacceptable level of risk.


Question 99

You are evaluating the effectiveness of your organization's security awareness program and
would like to put a key performance indicator (KPI) in place for the program. Which one of the
following would best meet this need?

A. Number of security incidents
B. Number of security audits
C. Number of security team members
D. Number of successful phishing attacks

Your Answer was D.

You answered this question correctly!

Explanation

Any of these metrics could be used as key performance indicators (KPIs) for the organization.
But we are looking for the BEST KPI to use to evaluate the effectiveness of a security awareness
campaign.

Phishing attacks are one of the key types of attacks covered in these campaigns and improper
user activity directly correlates to an increased number of attacks. Therefore, the number of
successful phishing attacks is a strong KPI for an awareness campaign.

It might also be possible to use the number of security incidents as a measure of the awareness
campaign's success, but this is not as strong a KPI because there are many other factors that
may influence the number of incidents that have nothing to do with user behavior and would not
be influenced by an awareness campaign.

The number of security audits performed and the number of security team members could also be
metrics used for the security program but they are not related to user awareness campaigns.

Question 100

When designing physical security controls, which one of the following objectives should be
considered first when planning a sequence of overlapping security controls?

A. Deter
B. Deny
C. Detect
D. Delay

Your Answer was A.

You answered this question correctly!

Explanation

The standard order of operations for physical security controls is Deter, Deny, Detect, Delay,
Determine, and Decide. Security controls should be deployed so that initial attempts to access
physical assets are deterred (boundary restrictions accomplish this). If deterrence fails, then
direct access to physical assets should be denied (for example, locked vault doors). If denial fails,
your system needs to detect intrusion (for example, using motion sensors). If the breach is
successful, then the intruder should be delayed sufficiently in their access attempts to enable
authorities to respond (for example, a cable lock on the asset). Security staff or legal authorities
should determine the cause of the incident or assess the situation to understand what is
occurring. Then based on that assessment, they should decide on the response to implement,
such as apprehending the intruder or collecting evidence for further investigation.
