CISSP Official Practice Tests (2021)
(ISC)2®
CISSP ® Certified Information
Systems Security Professional
Official Practice Tests
Third Edition
Mike Chapple, CISSP
David Seidl, CISSP
Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada and the United Kingdom
ISBN: 978-1-119-78763-1
ISBN: 978-1-119-79315-1 (ebk.)
ISBN: 978-1-119-78764-8 (ebk.)
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections
107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or
authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood
Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should
be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201)
748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing
this book, they make no representations or warranties with respect to the accuracy or completeness of the contents
of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose.
No warranty may be created or extended by sales representatives or written sales materials. The advice and
strategies contained herein may not be suitable for your situation. You should consult with a professional where
appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages,
including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or to obtain technical support, please contact our
Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317)
572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be
available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.
Library of Congress Control Number: 2021935480
TRADEMARKS: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc.
and/or its affiliates, in the United States and other countries, and may not be used without written permission. (ISC)2
and CISSP are registered trademarks of International Information Systems Security Certification Consortium, Inc.
All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any
product or vendor mentioned in this book.
Cover image(s): © Getty Images Inc./Jeremy Woodhouse
Cover design: Wiley
Acknowledgments
The authors would like to thank the many people who made this book possible. Jim Minatel
at Wiley Publishing helped us extend the Sybex CISSP franchise to include this title and has
continued to champion with the International Information Systems Security Certification
Consortium (ISC)2. Carole Jelen, our agent, tackles all the back-end magic for our writing
efforts and worked on both the logistical details and the business side of the book with her
usual grace and commitment to excellence. Ben Malisow and Jerry Rayome, our technical
editors, pointed out many opportunities to improve our work and deliver a high-quality
final product. Caroline Define served as our project manager and made sure everything fit
together. Many other people we’ll never meet worked behind the scenes to make this book
a success, and we really appreciate their time and talents to make this next edition come
together.
About the Authors
Mike Chapple, PhD, CISSP, is an author of the best-selling CISSP (ISC)2 Certified
Information Systems Security Professional Official Study Guide (Sybex, 2021), now in its
ninth edition. He is an information security professional with two decades of experience in
higher education, the private sector, and government.
Mike currently serves as Teaching Professor of IT, Analytics, and Operations at the
University of Notre Dame’s Mendoza College of Business. He previously served as Senior
Director for IT Service Delivery at Notre Dame, where he oversaw the information security,
data governance, IT architecture, project management, strategic planning, and product
management functions for the university.
Before returning to Notre Dame, Mike served as Executive Vice President and Chief
Information Officer of the Brand Institute, a Miami-based marketing consultancy. Mike also
spent four years in the information security research group at the National Security Agency
and served as an active duty intelligence officer in the U.S. Air Force.
He is a technical editor for Information Security Magazine and has written 20 books,
including Cyberwarfare: Information Operations in a Connected World (Jones & Bartlett,
2015), CompTIA Security+ Training Kit (Microsoft Press, 2013), CompTIA Cybersecurity
Analyst+ (CySA+) Study Guide (Wiley, 2017), and Practice Tests (Wiley, 2018).
Mike earned both his BS and PhD degrees from Notre Dame in computer science and
engineering. He also holds an MS in computer science from the University of Idaho and an
MBA from Auburn University. His IT certifications include the CISSP, Security+, CySA+,
CISA, PenTest+, CIPP/US, CISM, CCSP, and PMP credentials.
Mike provides books, video-based training, and free study groups for a wide variety of IT
certifications at his website, CertMike.com.
David Seidl, CISSP, is Vice President for Information Technology and CIO at Miami
University. During his IT career, he has served in a variety of technical and information security
roles, including serving as the Senior Director for Campus Technology Services at the
University of Notre Dame, where he co-led Notre Dame’s move to the cloud and oversaw cloud
operations, ERP, databases, identity management, and a broad range of other technologies
and services. He also served as Notre Dame’s Director of Information Security and led Notre
Dame’s information security program. He has taught information security and networking
undergraduate courses as an instructor for Notre Dame’s Mendoza College of Business and
has written books on security certification and cyberwarfare, including co-authoring the
previous editions of CISSP (ISC)2 Official Practice Tests (Sybex 2018) as well as CompTIA
CySA+ Study Guide: Exam CS0-002, CompTIA CySA+ Practice Tests: Exam CS0-002,
CompTIA Security+ Study Guide: Exam SY0-601, and CompTIA Security+ Practice Tests:
Exam SY0-601 as well as other certification guides and books on information security.
David holds a bachelor’s degree in communication technology and a master’s degree in
information security from Eastern Michigan University, as well as CISSP, CySA+, Pentest+,
GPEN, and GCIH certifications.
About the Technical Editors
Ben Malisow is a consultant and writer with more than 25 years of experience in the fields
of information, security, and information security. He teaches SSCP, CISSP, and CCSP
preparation courses for (ISC)2 and has written the Official (ISC)2 CCSP Study Guide and the
Official (ISC)2 Practice Tests books, among other titles; his latest works include CCSK Practice
Tests and Exposed: How Revealing Your Data and Eliminating Privacy Increases Trust and
Liberates Humanity. He and his partner Robin Cabe host the weekly podcast, “The
Sensuous Sounds of INFOSEC,” from his website www.securityzed.com.
Jerry Rayome, BS/MS Computer Science, CISSP, has been employed as a member of the Cyber
Security Program at Lawrence Livermore National Laboratory for over 20 years, providing
cyber security services that include software development, penetration testing, incident
response, firewall implementation/administration, firewall auditing, honeynet deployment/
monitoring, cyber forensic investigations, NIST 800-53 control implementation/assessment,
cloud risk assessment, and cloud security auditing.
Contents at a Glance
Introduction xv
Chapter 1 Security and Risk Management (Domain 1) 1
Chapter 2 Asset Security (Domain 2) 25
Chapter 3 Security Architecture and Engineering (Domain 3) 49
Chapter 4 Communication and Network Security (Domain 4) 73
Chapter 5 Identity and Access Management (Domain 5) 97
Chapter 6 Security Assessment and Testing (Domain 6) 121
Chapter 7 Security Operations (Domain 7) 145
Chapter 8 Software Development Security (Domain 8) 169
Chapter 9 Practice Test 1 195
Chapter 10 Practice Test 2 225
Chapter 11 Practice Test 3 253
Chapter 12 Practice Test 4 283
Appendix Answers 311
Index 457
Contents
Introduction xv
Chapter 1 Security and Risk Management (Domain 1) 1
Chapter 2 Asset Security (Domain 2) 25
Chapter 3 Security Architecture and Engineering (Domain 3) 49
Chapter 4 Communication and Network Security (Domain 4) 73
Chapter 5 Identity and Access Management (Domain 5) 97
Chapter 6 Security Assessment and Testing (Domain 6) 121
Chapter 7 Security Operations (Domain 7) 145
Chapter 8 Software Development Security (Domain 8) 169
Chapter 9 Practice Test 1 195
Chapter 10 Practice Test 2 225
Chapter 11 Practice Test 3 253
Chapter 12 Practice Test 4 283
Appendix Answers 311
Chapter 1: Security and Risk Management (Domain 1) 312
Chapter 2: Asset Security (Domain 2) 321
Chapter 3: Security Architecture and Engineering (Domain 3) 333
Chapter 4: Communication and Network Security (Domain 4) 342
Chapter 5: Identity and Access Management (Domain 5) 353
Chapter 6: Security Assessment and Testing (Domain 6) 365
Chapter 7: Security Operations (Domain 7) 377
Chapter 8: Software Development Security (Domain 8) 389
Chapter 9: Practice Test 1 400
Chapter 10: Practice Test 2 414
Chapter 11: Practice Test 3 428
Chapter 12: Practice Test 4 441
Index 457
Introduction
(ISC)2 ® CISSP ® Certified Information Systems Security Professional Official Practice Tests
is a companion volume to (ISC)2 CISSP Certified Information Systems Security Professional
Official Study Guide. It includes questions that cover content from the CISSP Detailed
Content Outline and exam that became effective on May 1, 2021. If you’re looking to test
your knowledge before you take the CISSP exam, this book will help you by providing more
than 1,300 questions that cover the CISSP Common Body of Knowledge and easy-to-understand
explanations of both right and wrong answers.
If you’re just starting to prepare for the CISSP exam, we highly recommend that you use
(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide to
help you learn about each of the domains covered by the CISSP exam. Once you’re ready to
test your knowledge, use this book to help find places where you may need to study more or
to practice for the exam itself.
Since this is a companion to CISSP Study Guide, this book is designed to be similar to
taking the CISSP exam. It contains multipart scenarios as well as standard multiple-choice
and matching questions similar to those you may encounter on the certification exam. The
book is broken up into 12 chapters: 8 domain-centric chapters with 100 or more questions
about each domain, and 4 chapters that contain 125-question practice tests to simulate
taking the exam.
CISSP Certification
The CISSP certification is offered by the International Information System Security
Certification Consortium, or (ISC)2, a global nonprofit organization. The mission of (ISC)2
is to support and provide members and constituents with credentials, resources, and leadership
to address cyber, information, software, and infrastructure security to deliver value to
society. (ISC)2 achieves this mission by delivering the world’s leading information security
certification program, the CISSP. (ISC)2 also offers five additional certifications:
■■ Systems Security Certified Practitioner (SSCP)
■■ Certified Authorization Professional (CAP)
■■ Certified Secure Software Lifecycle Professional (CSSLP)
■■ HealthCare Information Security and Privacy Practitioner (HCISPP)
■■ Certified Cloud Security Professional (CCSP)
xvi Introduction
There are also three advanced CISSP certifications for those who want to move on from
the base credential to demonstrate advanced expertise in a domain of information security.
■■ Information Systems Security Architecture Professional (CISSP-ISSAP)
■■ Information Systems Security Engineering Professional (CISSP-ISSEP)
■■ Information Systems Security Management Professional (CISSP-ISSMP)
The CISSP certification covers eight domains of information security knowledge. These
domains are meant to serve as the broad knowledge foundation required to succeed in the
information security profession.
■■ Security and Risk Management
■■ Asset Security
■■ Security Architecture and Engineering
■■ Communication and Network Security
■■ Identity and Access Management (IAM)
■■ Security Assessment and Testing
■■ Security Operations
■■ Software Development Security
The CISSP domains are periodically updated by (ISC)2. The most recent revision, effective May 1,
2021, slightly modified the weighting for Communication and Network Security from 14
percent to 13 percent while increasing the focus on Software Development Security from
10 percent to 11 percent. It also added or expanded coverage of topics such as the data
management lifecycle, microservices, containerization, serverless computing, quantum
computing, 5G networking, and modern security controls.
Complete details on the CISSP Common Body of Knowledge (CBK) are contained in the
Exam Outline, which includes a full outline of exam topics and can be found on the (ISC)2 website at
www.isc2.org.
Taking the CISSP Exam
The English version of the CISSP exam uses a technology called computer adaptive testing
(CAT). With this format, you will face an exam containing between 100 and 150 questions
with a three-hour time limit. You will not have the opportunity to skip back and forth
because the computer selects the next questions that it asks you based upon your answers
to previous questions. If you’re doing well on the exam, it will get more difficult as you
progress. Don’t let that unnerve you!
Other versions of the exam in French, German, Brazilian Portuguese, Spanish, Japanese,
Simplified Chinese, and Korean use a traditional linear format. The linear format exam
includes 250 questions with a six-hour time limit. For either version of the exam, passing
requires achieving a score of at least 700 out of 1,000 points. It’s important to understand
that this is a scaled score, meaning that not every question is worth the same number of
points. Questions of differing difficulty may factor into your score more or less heavily, and
adaptive exams adjust to the test taker.
That said, as you work through these practice exams, you might want to use 70 percent
as a goal to help you get a sense of whether you’re ready to sit for the actual exam. When
you’re ready, you can schedule an exam at a location near you through the (ISC)2 website.
Questions on the CISSP exam are provided in both multiple-choice form and what (ISC)2
calls advanced innovative questions, which are drag-and-drop and hotspot questions, both of
which are offered in computer-based testing environments. Innovative questions are scored
the same as traditional multiple-choice questions and have only one right answer.
(ISC)2 exam policies are subject to change. Please be sure to check isc2.org
for the current policies before you register and take the exam.
Computer-Based Testing Environment
CISSP exams are now administered in a computer-based testing (CBT) format. You’ll register
for the exam through the Pearson Vue website and may take the exam in the language of
your choice. It is offered in English, French, German, Portuguese, Spanish, Japanese,
Simplified Chinese, Korean, and a visually impaired format.
You’ll take the exam in a computer-based testing center located near your home or office.
The centers administer many different exams, so you may find yourself sitting in the same
room as a student taking a school entrance examination and a healthcare professional
earning a medical certification. If you’d like to become more familiar with the testing
environment, the Pearson Vue website offers a virtual tour of a testing center.
home.pearsonvue.com/test-taker/Pearson-Professional-Center-Tour.aspx
When you take the exam, you’ll be seated at a computer that has the exam software
already loaded and running. It’s a pretty straightforward interface that allows you to
navigate through the exam. You can download a practice exam and tutorial from the Pearson
Vue website.
http://www.vue.com/athena/athena.asp
At the time this book went to press, (ISC)2 was conducting a pilot test
of at-home computer-based exams for CISSP candidates in the United
States. It is possible that this pilot will be extended to a permanent prod-
uct and may become available in additional countries. Check the (ISC)2
website for more information.
xviii Introduction
Exam Retake Policy
If you don’t pass the CISSP exam, you shouldn’t panic. Many individuals don’t reach the bar on their first attempt, but gain valuable experience that helps them succeed the second time around. When you retake the exam, you’ll have the benefit of familiarity with the CBT environment and CISSP exam format. You’ll also have time to study the areas where you felt less confident.
After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you’re not successful on that attempt, you may re-test after 60 days. If you don’t pass after your third attempt, you can re-test after 90 days for that and any subsequent attempts. You can’t take the test more than 4 times within a single calendar year. You can obtain more information about (ISC)2 and its other certifications from its website at www.isc2.org.
Work Experience Requirement
Candidates who want to earn the CISSP credential must not only pass the exam but also demonstrate that they have at least five years of work experience in the information security field. Your work experience must cover activities in at least two of the eight domains of the CISSP program and must be paid, full-time employment. Volunteer experiences or part-time duties are not acceptable to meet the CISSP experience requirement.
You may be eligible to waive one of the five years of the work experience requirement based upon your educational achievements. If you hold a bachelor’s degree or four-year equivalent, you may be eligible for a degree waiver that covers one of those years. Similarly, if you hold one of the information security certifications on the current (ISC)2 credential waiver list (www.isc2.org/credential_waiver/default.aspx), you may also waive a year of the experience requirement. You may not combine these two programs. Holders of both a certification and an undergraduate degree must still demonstrate at least four years of experience.
If you haven’t yet completed your work experience requirement, you may still attempt the CISSP exam. Individuals who pass the exam are designated Associates of (ISC)2 and have six years to complete the work experience requirement.
Recertification Requirements
Once you’ve earned your CISSP credential, you’ll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the CISSP exam.
Currently, the annual maintenance fees for the CISSP credential are $125 per year. This fee covers the renewal for all (ISC)2 certifications held by an individual.
The CISSP CPE requirement mandates earning at least 120 CPE credits during each three-year renewal cycle. Associates of (ISC)2 must earn at least 15 CPE credits each year. (ISC)2 provides an online portal where certificate holders may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.
Using This Book to Practice
This book is composed of 12 chapters. Each of the first eight chapters covers a domain, with a variety of questions that test your real-world, scenario-based, and best-practice security knowledge. The final four chapters are complete practice exams that can serve as timed practice tests to help determine whether you’re ready for the CISSP exam.
We recommend taking the first practice exam to help identify where you may need to spend more study time and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you’re ready, take the other practice exams to make sure you’ve covered all the material and are ready to attempt the CISSP exam.
Using the Online Practice Tests
All the questions in this book are also available in Sybex’s online practice test tool. To get access to this online format, go to www.wiley.com/go/sybextestprep and start by registering your book. You’ll receive a PIN code and instructions on where to create an online test bank account. Once you have access, you can use the online version to create your own sets of practice tests from the book questions and practice in a timed and graded setting.
Chapter 1
Security and Risk Management (Domain 1)
SUBDOMAINS
1.1 Understand, adhere to, and promote professional ethics
1.2 Understand and apply security concepts
1.3 Evaluate and apply security governance principles
1.4 Determine compliance and other requirements
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
1.6 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)
1.7 Develop, document, and implement security policy, standards, procedures, and guidelines
1.8 Identify, analyze, and prioritize Business Continuity (BC) requirements
1.9 Contribute to and enforce personnel security policies and procedures
1.10 Understand and apply risk management concepts
1.11 Understand and apply threat modeling concepts and methodologies
1.12 Apply Supply Chain Risk Management (SCRM) concepts
1.13 Establish and maintain a security awareness, education, and training program
2 Chapter 1 ■ Security and Risk Management (Domain 1)
1. Alyssa is responsible for her organization’s security awareness program. She is concerned that
changes in technology may make the content outdated. What control can she put in place to
protect against this risk?
A. Gamification
B. Computer-based training
C. Content reviews
D. Live training
2. Gavin is creating a report to management on the results of his most recent risk assessment.
In his report, he would like to identify the remaining level of risk to the organization after
adopting security controls. What term best describes this current level of risk?
A. Inherent risk
B. Residual risk
C. Control risk
D. Mitigated risk
3. Francine is a security specialist for an online service provider in the United States. She
recently received a claim from a copyright holder that a user is storing information on her
service that violates the third party’s copyright. What law governs the actions that Francine
must take?
A. Copyright Act
B. Lanham Act
C. Digital Millennium Copyright Act
D. Gramm Leach Bliley Act
4. FlyAway Travel has offices in both the European Union (EU) and the United States and
transfers personal information between those offices regularly. They have recently received a
request from an EU customer requesting that their account be terminated. Under the General
Data Protection Regulation (GDPR), which requirement for processing personal information
states that individuals may request that their data no longer be disseminated or processed?
A. The right to access
B. Privacy by design
C. The right to be forgotten
D. The right of data portability
5. After conducting a qualitative risk assessment of her organization, Sally recommends
purchasing cybersecurity breach insurance. What type of risk response behavior is she
recommending?
A. Accept
B. Transfer
C. Reduce
D. Reject
6. Which one of the following elements of information is not considered personally identifiable
information that would trigger most United States (U.S.) state data breach laws?
A. Student identification number
B. Social Security number
C. Driver’s license number
D. Credit card number
7. Renee is speaking to her board of directors about their responsibilities to review cybersecurity
controls. What rule requires that senior executives take personal responsibility for
information security matters?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule
8. Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this
process, Henry disclosed confidential information about the content of the exam, in violation
of Canon IV of the Code of Ethics: “Advance and protect the profession.” Who may bring
ethics charges against Henry for this violation?
A. Anyone may bring charges.
B. Any certified or licensed professional may bring charges.
C. Only Henry’s employer may bring charges.
D. Only the affected employee may bring charges.
9. Wanda is working with one of her organization’s European Union business partners to facilitate
the exchange of customer information. Wanda’s organization is located in the United
States. What would be the best method for Wanda to use to ensure GDPR compliance?
A. Binding corporate rules
B. Privacy Shield
C. Standard contractual clauses
D. Safe harbor
10. Yolanda is the chief privacy officer for a financial institution and is researching privacy
requirements related to customer checking accounts. Which one of the following laws is most
likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA
11. Tim’s organization recently received a contract to conduct sponsored research as a
government contractor. What law now likely applies to the information systems involved
in this contract?
A. FISMA
B. PCI DSS
C. HIPAA
D. GISRA
12. Chris is advising travelers from his organization who will be visiting many different countries
overseas. He is concerned about compliance with export control laws. Which of the following
technologies is most likely to trigger these regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software
13. Bobbi is investigating a security incident and discovers that an attacker began with a normal
user account but managed to exploit a system vulnerability to provide that account with
administrative rights. What type of attack took place under the STRIDE threat model?
A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege
14. You are completing your business continuity planning effort and have decided that you want
to accept one of the risks. What should you do next?
A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.
15. You are completing a review of the controls used to protect a media storage facility in your
organization and would like to properly categorize each control that is currently in place.
Which of the following control categories accurately describe a fence around a facility?
(Select all that apply.)
A. Physical
B. Detective
C. Deterrent
D. Preventive
16. Tony is developing a business continuity plan and is having difficulty prioritizing resources
because of the difficulty of combining information about tangible and intangible assets. What
would be the most effective risk assessment approach for him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
17. Vincent believes that a former employee took trade secret information from his firm and
brought it with him to a competitor. He wants to pursue legal action. Under what law could
he pursue charges?
A. Copyright law
B. Lanham Act
C. Glass-Steagall Act
D. Economic Espionage Act
18. Which one of the following principles imposes a standard of care upon an individual that
is broad and equivalent to what one would expect from a reasonable person under the circumstances?
A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege
19. Brenda’s organization recently completed the acquisition of a competitor firm. Which one
of the following tasks would be LEAST likely to be part of the organizational processes
addressed during the acquisition?
A. Consolidation of security functions
B. Integration of security tools
C. Protection of intellectual property
D. Documentation of security policies
20. Kelly believes that an employee engaged in the unauthorized use of computing resources for
a side business. After consulting with management, she decides to launch an administrative
investigation. What is the burden of proof that she must meet in this investigation?
A. Preponderance of the evidence
B. Beyond a reasonable doubt
C. Beyond the shadow of a doubt
D. There is no standard
21. Keenan Systems recently developed a new manufacturing process for microprocessors. The
company wants to license the technology to other companies for use but wants to prevent
unauthorized use of the technology. What type of intellectual property protection is best
suited for this situation?
A. Patent
B. Trade secret
C. Copyright
D. Trademark
22. Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations
23. When developing a business impact analysis, the team should first create a list of assets. What
should happen next?
A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.
24. Mike recently implemented an intrusion prevention system designed to block common
network attacks from affecting his organization. What type of risk management strategy is
Mike pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
25. Laura has been asked to perform an SCA. What type of organization is she most likely in?
A. Higher education
B. Banking
C. Government
D. Healthcare
26. Carl is a federal agent investigating a computer crime case. He identified an attacker who
engaged in illegal conduct and wants to pursue a case against that individual that will lead to
imprisonment. What standard of proof must Carl meet?
A. Beyond the shadow of a doubt
B. Preponderance of the evidence
C. Beyond a reasonable doubt
D. Majority of the evidence
27. The International Information Systems Security Certification Consortium uses the logo
shown here to represent itself online and in a variety of forums. What type of intellectual
property protection may it use to protect its rights in this logo?
A. Copyright
B. Patent
C. Trade secret
D. Trademark
28. Mary is helping a computer user who sees the following message appear on his computer
screen. What type of attack has occurred?
A. Availability
B. Confidentiality
C. Disclosure
D. Distributed
29. Which one of the following organizations would not be automatically subject to the privacy
and security requirements of HIPAA if they engage in electronic transactions?
A. Healthcare provider
B. Health and fitness application developer
C. Health information clearinghouse
D. Health insurance plan
30. John’s network begins to experience symptoms of slowness. Upon investigation, he realizes
that the network is being bombarded with TCP SYN packets and believes that his organization
is the victim of a denial-of-service attack. What principle of information security is
being violated?
A. Availability
B. Integrity
C. Confidentiality
D. Denial
31. Renee is designing the long-term security plan for her organization and has a three- to
five-year planning horizon. Her primary goal is to align the security function with the
broader plans and objectives of the business. What type of plan is she developing?
A. Operational
B. Tactical
C. Summary
D. Strategic
32. Gina is working to protect a logo that her company will use for a new product they are
launching. She has questions about the intellectual property protection process for this logo.
What U.S. government agency would be best able to answer her questions?
A. USPTO
B. Library of Congress
C. NSA
D. NIST
33. The Acme Widgets Company is putting new controls in place for its accounting department.
Management is concerned that a rogue accountant may be able to create a new false vendor
and then issue checks to that vendor as payment for services that were never rendered. What
security control can best help prevent this situation?
A. Mandatory vacation
B. Separation of duties
C. Defense in depth
D. Job rotation