ISC CISSP Certified Information Systems Security Professional Exam Dumps and Practice Test Questions Set1 Q1-20


Question 1

Which of the following best exemplifies a preventive security control within an enterprise information security programme?

A) Conducting penetration testing every quarter to identify vulnerabilities
B) Keeping system logs and audit trails for forensic investigation after an incident
C) Requiring multi-factor authentication (MFA) for remote access to critical systems
D) Performing a root-cause analysis after a major security breach

Answer: C) Requiring multi-factor authentication (MFA) for remote access to critical systems

Explanation:

In the realm of security management, controls are typically classified into three broad categories: preventive, detective, and corrective. Preventive controls are designed to stop an unwanted or unauthorized event from occurring in the first place. They act as proactive measures that reduce the likelihood of a security incident. For example, requiring multi-factor authentication (MFA) for remote access, as described in Option C, qualifies as a preventive control. By adding an additional layer of verification, MFA creates a barrier that makes it significantly more difficult for unauthorized users to gain access to systems or sensitive data, effectively preventing a potential breach before it happens.

On the other hand, detective controls are intended to identify and alert on events that have already occurred or are in progress. Option A, which involves penetration testing, is primarily a detective control. Penetration testing involves simulating attacks on systems to uncover vulnerabilities and weaknesses. While the process can indirectly contribute to prevention—by allowing organizations to remediate discovered vulnerabilities before they are exploited—it does not, in itself, stop an event from occurring. Instead, it provides visibility and awareness of potential security gaps that need to be addressed.

In summary, preventive controls proactively block security threats (like MFA), detective controls identify or reveal incidents (like penetration testing), and corrective controls focus on mitigating the impact and restoring normalcy after an incident occurs. Understanding these distinctions is critical for designing a comprehensive security strategy that balances proactive defense with monitoring and response capabilities.

Question 2

An organisation needs to ensure the integrity of data transmitted between its main site and a branch office over a public network. Which cryptographic mechanism is most appropriate to achieve this objective?

A) Symmetric encryption with a shared key only
B) A cryptographic hash function appended to the data
C) Public key infrastructure (PKI) using digital signatures
D) Transport Layer Security (TLS) without certificate validation

Answer: C) Public key infrastructure (PKI) using digital signatures

Explanation:

Data integrity refers to the assurance that data remains accurate, complete, and unaltered during storage, processing, or transmission. Ensuring integrity means that any unauthorized modification, corruption, or tampering can be detected and addressed. A cryptographic hash function, as described in option B, supports integrity by generating a unique fingerprint or digest of the data. If even a single bit of the data changes, the hash value will differ, signaling potential tampering. However, a hash function alone does not authenticate the sender or provide non-repudiation: anyone who can alter the data on a public network can also recompute the unkeyed digest. To guarantee both integrity and authenticity, the hash must be combined with a mechanism such as a digital signature, in which the sender signs the digest with a private key and the receiver verifies it with the corresponding certified public key. That is what option C provides, and it is why option C is the most appropriate choice.

Symmetric encryption, represented by option A, primarily provides confidentiality by keeping data unreadable to unauthorized parties. While it protects privacy, it does not inherently verify that the data has remained unchanged or confirm the sender’s identity unless paired with a message authentication code (MAC) or similar mechanism.

TLS without certificate validation, as in option D, breaks the trust model. Without validating certificates, data could be intercepted or altered by an attacker without detection, meaning integrity cannot be reliably assured. Proper certificate verification is essential to ensure that transmitted data is both authentic and unmodified.

Understanding the distinction between confidentiality, integrity, and authenticity is critical in the CISSP domain, particularly when selecting cryptographic controls to meet security objectives.
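As an added example (not part of the original page), the following Python shows why option B's bare hash gives no protection against on-path modification while a keyed construction does. It uses HMAC as the keyed mechanism mentioned in the option A discussion, because a digital signature needs a key pair and a library outside the standard library; the shared key and the messages are constructed for the demonstration.

```python
import hashlib
import hmac

SEP = b"|"  # delimiter between payload and trailer; hex digests never contain it


def append_hash(message):
    """Option B alone: send message || SHA-256(message), no secret involved."""
    return message + SEP + hashlib.sha256(message).hexdigest().encode()


def verify_hash(packet):
    """Receiver recomputes the digest over the received payload and compares."""
    message, _, digest = packet.rpartition(SEP)
    expected = hashlib.sha256(message).hexdigest().encode()
    return hmac.compare_digest(expected, digest), message


def append_mac(message, key):
    """Keyed counterpart: send message || HMAC-SHA-256(key, message)."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return message + SEP + tag


def verify_mac(packet, key):
    """Only a holder of the key can produce a tag that verifies."""
    message, _, tag = packet.rpartition(SEP)
    expected = hmac.new(key, message, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag), message


def run_scenario(key=b"constructed-shared-key"):
    """Constructed scenario: a message crossing the public network between the
    main site and the branch is altered on path. Returns whether the receiver
    detects the alteration under each scheme."""
    original = b"credit branch account 1234 with 100.00"
    altered = b"credit branch account 1234 with 900.00"

    # Hash only: the altered payload is simply re-hashed, which needs no
    # secret, so the receiver's integrity check passes and nothing is noticed.
    ok, _ = verify_hash(append_hash(altered))
    hash_only_detects = not ok

    # MAC: the payload can be swapped, but the tag cannot be recomputed without
    # the key, so the original tag rides along and verification fails.
    _, _, original_tag = append_mac(original, key).rpartition(SEP)
    ok, _ = verify_mac(altered + SEP + original_tag, key)
    mac_detects = not ok

    return {"hash_only_detects": hash_only_detects, "mac_detects": mac_detects}


if __name__ == "__main__":
    print(run_scenario())
```

A digital signature (option C) behaves like the MAC case here, with the added property that only the holder of the private key could have produced the trailer, which a shared-key MAC cannot prove.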

Question 3

Which of the following is the most significant risk when an organisation allows employees to use their personal mobile devices (BYOD) to access corporate resources without a formal mobile device management (MDM) policy?

A) Devices may run low on battery and interrupt workflow
B) Employees may install unapproved applications that introduce vulnerabilities
C) The cost of device procurement is borne by employees
D) Personal devices may have brighter screens than corporate devices

Answer: B) Employees may install unapproved applications that introduce vulnerabilities

Explanation:

Bring Your Own Device (BYOD) programs introduce a range of potential risks to an organization. While concerns such as battery life or cost allocation (options A and C) may be practical considerations, they do not represent major security threats. Option D, screen brightness, has no security relevance at all.

The most significant risk in a BYOD environment stems from the possibility that employees may download or install unapproved or malicious applications, or connect to unsecured networks. These actions can expose corporate resources to malware, data leakage, and other vulnerabilities. Without a Mobile Device Management (MDM) policy in place, an organization has limited control over critical aspects such as device configuration, software patching, application sandboxing, and the ability to remotely wipe compromised devices.

CISSP professionals are trained to evaluate and prioritize risks in such scenarios. In BYOD-related questions, the key is to identify which threat poses the greatest security impact rather than focusing on minor operational inconveniences. In this context, uncontrolled device usage and unmonitored applications represent the highest risk to the organization’s security posture.

Question 4

During a business continuity planning exercise, a senior executive asks: “Why do we perform a business impact analysis (BIA) rather than just rely on our disaster recovery plan?” What is the best response?

A) A BIA is merely a financial audit of our recovery resources
B) A BIA identifies and quantifies the impact of disruptions, while the recovery plan defines the actions to recover
C) The disaster recovery plan eliminates the need for a BIA because it handles everything
D) A BIA is only required for regulatory compliance and adds little value

Answer: B) A BIA identifies and quantifies the impact of disruptions, while the recovery plan defines the actions to recover

Explanation:

In continuity and resilience planning, the Business Impact Analysis (BIA) is a foundational element that helps organizations understand the potential consequences of business disruptions. Its primary purpose is to analyse and quantify operational, financial, regulatory, and reputational impacts, providing a clear picture of which systems, processes, and functions are most critical. The data collected through the BIA informs key decisions, including setting Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), prioritising recovery efforts, and allocating resources effectively to ensure continuity of operations.

The Disaster Recovery Plan (DRP) builds upon the insights provided by the BIA, outlining the specific strategies, procedures, and resources required to restore operations following a disruption. Option A misrepresents the purpose of the BIA, while option C incorrectly suggests redundancy between the BIA and DRP. Option D undervalues the strategic role of the BIA in guiding recovery priorities and planning.

Within the CISSP domain of business continuity and disaster recovery, it is essential to differentiate between the BIA and the DRP. The BIA focuses on assessing impacts and establishing priorities, whereas the DRP translates those priorities into concrete recovery actions. Understanding this distinction ensures that continuity planning is both strategically informed and operationally executable, enabling organizations to respond effectively to disruptions while minimizing negative consequences.

Question 5

An organisation must comply with a privacy regulation requiring data minimisation and ensuring that personal data retained is only what is necessary. Which principle of privacy is being addressed?

A) Consent
B) Accuracy
C) Retention limitation
D) Access

Answer: C) Retention limitation

Explanation:

Privacy regulations typically include several key principles, such as notice, choice, access, accuracy, security, retention limitation, and accountability. In this scenario, the emphasis is on ensuring that only the data necessary for a specific purpose is retained, which directly corresponds to the principle of retention limitation. This principle mandates that personal data should be kept only for as long as required to fulfill its intended purpose, thereby minimizing unnecessary storage and reducing exposure to potential privacy and security risks.

Option A, consent, relates to obtaining user permission before collecting or processing personal data. Option B, accuracy, ensures that personal data is correct, complete, and up to date. Option D, access, grants individuals the ability to view, correct, or request deletion of their data. Understanding how each privacy principle maps to control objectives is essential in the CISSP domain, particularly within legal, risk, and compliance. Being able to correctly identify which principle applies in a given scenario helps professionals design and implement privacy controls that meet regulatory requirements and protect sensitive information effectively.

Question 6

Which of the following situations demonstrates an effective application of the principle of separation of duties in an organisation’s change management process?

A) A developer writes code, tests it, and deploys it all in a single shift
B) A junior employee approves changes after reviewing them independently
C) One person submits a change request and another different person approves and implements it
D) A contractor does all change activities unsupervised

Answer: C) One person submits a change request and another different person approves and implements it

Explanation:

Separation of duties (SoD) is a core internal control principle aimed at reducing the risk of errors, fraud, or misuse by ensuring that critical tasks are divided among multiple individuals. This approach prevents any single person from having complete control over a sensitive process, thereby introducing checks and balances that improve accountability and reduce the likelihood of unauthorized actions going undetected.

Option C represents the best implementation of SoD in a change management context. Here, the roles of requester, approver, and implementer are clearly separated, ensuring that no single individual can both authorize and execute changes. This separation enhances oversight, minimizes risk, and helps maintain the integrity of the process. Option A is the opposite of SoD, granting a single person full control over all aspects of the process, which significantly increases the potential for errors or malicious activity. Option B shows partial separation but remains inadequate if one person still implements changes or if proper oversight is missing. Option D is weak from a control perspective and fails to sufficiently mitigate risks inherent in change management processes.

In the CISSP domains of governance, risk management, and security operations, correctly applying separation of duties is critical. It strengthens internal controls, ensures process integrity, supports regulatory and compliance requirements, and contributes to a robust organizational security posture. Understanding and evaluating SoD in different scenarios is a frequent component of exam questions and practical security management.

Question 7

A system administrator configured access control lists (ACLs) on a network switch to permit only designated workstations to access a critical server. Which type of access control model is being employed?

A) Mandatory Access Control (MAC)
B) Role-Based Access Control (RBAC)
C) Discretionary Access Control (DAC)
D) Rule-Based Access Control (RBAC variant)

Answer: D) Rule-Based Access Control (RBAC variant)

Explanation:

Access control models commonly include DAC (Discretionary Access Control), MAC (Mandatory Access Control), and RBAC (Role-Based Access Control). DAC allows the data owner to make access decisions, giving them discretion over who can access their resources. MAC is based on fixed classifications and labels, such as in military or government systems, where access is determined by clearance levels and data sensitivity. RBAC assigns permissions based on the roles users hold within an organization, rather than individual identity.

In the scenario described, Access Control List (ACL) rules are configured on a network switch to permit specific workstations to access a critical server. This setup does not align neatly with DAC, MAC, or traditional RBAC. Users are not assigned roles, nor does a data owner exercise discretionary control over access. Instead, access is governed by predefined rules that explicitly define which devices or network endpoints can communicate with the server. Some literature distinguishes “rule-based” access control from role-based access, and in this case, the ACL configuration represents a rule-based variant of access control. It enforces security policies through explicit rules applied to devices or network addresses, rather than through roles or discretionary decisions, providing a focused mechanism to control system access at the network layer.

Understanding the differences between these access control models is critical in the CISSP domain, as candidates are often tested on their ability to identify the appropriate model based on scenario-specific implementation details.

Question 8

In a risk assessment exercise, an organisation assigns the following values to a threat scenario: likelihood = 0.4, asset value = 500,000 USD, vulnerability factor = 0.6. Using the simplified risk formula Risk = Likelihood × Asset Value × Vulnerability, what is the calculated risk exposure?

A) 120,000 USD
B) 150,000 USD
C) 200,000 USD
D) 300,000 USD

Answer: A) 120,000 USD

Explanation:

The simplified quantitative risk formula is expressed as: Risk = Likelihood × Asset Value × Vulnerability. Applying the provided values, the calculation can be broken down step by step: 0.4 (likelihood) × 500,000 (asset value) × 0.6 (vulnerability) = 0.4 × 300,000 = 120,000 USD. This figure represents an estimate of the potential financial impact if the identified risk were to materialize, combining both the probability of occurrence and the severity of its effect on the asset.

While the CISSP exam may lean more toward conceptual understanding rather than purely numeric calculations, being comfortable with this type of formula demonstrates a candidate’s ability to quantify and evaluate risk in a structured way. It helps security professionals assess which assets are most critical, which vulnerabilities pose the highest risk, and how likely incidents are to occur. This quantitative perspective informs risk treatment decisions, such as where to invest in controls, whether to transfer or mitigate a risk, or accept a calculated level of exposure. Understanding and applying this formula also supports clear communication of risk to business stakeholders, enabling informed decisions and prioritization of security efforts within an organization’s overall risk management program.

Question 9

Which of these is considered a detective security control rather than preventive or corrective?

A) Installing endpoint protection software before devices are deployed
B) Implementing security logging and monitoring to detect abnormal activity
C) Immediately applying software patches to remove known vulnerabilities
D) Restricting physical access to the server room using badge entry

Answer: B) Implementing security logging and monitoring to detect abnormal activity

Explanation:

Detective controls are designed to identify, reveal, or alert on unwanted events after they have occurred or while they are in progress. Their primary purpose is to provide visibility into security incidents, enabling timely response and mitigation. Option B, which involves security logging and monitoring, exemplifies a detective control because it allows organizations to track activities, detect anomalies, recognize policy violations, and uncover potential intrusions that may bypass preventive measures. By collecting and analyzing logs from systems, applications, and network devices, security teams can correlate events, identify patterns of suspicious behavior, and take appropriate actions to limit damage.

In contrast, Option A represents a preventive control. Endpoint protection solutions, firewalls, access controls, and other preventive measures are implemented proactively to stop incidents from occurring in the first place. Option C is a corrective control, which becomes relevant after a security event has occurred. Corrective actions include patching vulnerabilities, restoring systems from backups, or remediating exploited weaknesses to prevent recurrence. Option D is also preventive, as restricting physical access helps stop unauthorized personnel from entering secure areas, thus preventing potential incidents before they happen.

Understanding the classification of controls—preventive, detective, or corrective—is critical in the CISSP security and risk management domain. Effective security programs rely on layered defenses, often referred to as defense-in-depth, where preventive measures reduce the likelihood of incidents, detective measures identify events that occur despite preventive efforts, and corrective controls remediate and restore systems. Professionals must be able to distinguish these control types to design comprehensive security strategies, prioritize investments, and ensure that each control aligns with the organization’s risk management objectives. Moreover, in real-world operations, detective controls often feed intelligence into incident response and continuous improvement processes, making them a vital component of an organization’s overall security posture.
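The following Python is an added example (not part of the original page) of the kind of log analysis option B describes: it parses a few constructed sshd-style authentication lines and raises an alert when a source produces a burst of failed logins inside a time window, and a second alert when that same source then logs in successfully. The log format, threshold and window are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-like format: "<ISO timestamp> sshd[pid]: Failed|Accepted password for [invalid user] <user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
2024-05-01T10:00:03 sshd[4102]: Failed password for invalid user root from 198.51.100.7 port 51001 ssh2
2024-05-01T10:00:05 sshd[4103]: Failed password for alice from 198.51.100.7 port 51002 ssh2
2024-05-01T10:00:06 sshd[4104]: Failed password for alice from 198.51.100.7 port 51003 ssh2
2024-05-01T10:00:08 sshd[4105]: Failed password for alice from 198.51.100.7 port 51004 ssh2
2024-05-01T10:00:20 sshd[4106]: Accepted password for alice from 198.51.100.7 port 51005 ssh2
2024-05-01T10:05:00 sshd[4107]: Accepted password for bob from 203.0.113.9 port 40000 ssh2
2024-05-01T10:06:00 sshd[4108]: Failed password for bob from 203.0.113.9 port 40001 ssh2
"""


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(log_text, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detection over the log.

    Alert types returned as (timestamp, kind, source, detail):
      auth_burst           - at least `threshold` failures from one source within `window`
      success_after_burst  - a successful login from that source within `window` of the burst
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    burst_seen = {}                # src -> time the burst alert was raised

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparsed lines are skipped, not treated as errors
        src, ts = ev["src"], ev["ts"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window

        if ev["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in burst_seen:
                burst_seen[src] = ts
                alerts.append((ts, "auth_burst", src, f"{len(recent)} failures within {window}"))
        elif src in burst_seen and ts - burst_seen[src] <= window:
            alerts.append((ts, "success_after_burst", src, f"user {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample, the burst from 198.51.100.7 fires on its fifth failure and the later accepted login from the same address is flagged, while bob's single failure from 203.0.113.9 stays below threshold; this is the detective step that a preventive control such as MFA would complement, not replace.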

Question 10

A company is subject to a regulatory requirement that mandates certain types of data must be encrypted both at rest and in transit. The company stores and transmits this data accordingly. Which of the following is this most closely aligned with?

A) Integrity
B) Availability
C) Confidentiality
D) Non-repudiation

Answer: C) Confidentiality

Explanation:

The CIA triad—Confidentiality, Integrity, and Availability—serves as the cornerstone of information security and provides the framework for understanding how various controls protect data and systems. Encryption, whether applied to data in transit or at rest, is primarily designed to maintain confidentiality by preventing unauthorized individuals from accessing or reading sensitive information. This ensures that only authorized users or systems with the correct decryption keys can view the protected data.

While encryption can also play a secondary role in supporting integrity (for example, when combined with message authentication codes or digital signatures to detect tampering) and contribute to non-repudiation (by verifying the sender’s identity in digital signing), its primary purpose in most implementations is to ensure that data remains private and inaccessible to unauthorized entities.

Availability, on the other hand, pertains to ensuring that information and resources are accessible when needed by authorized users, while integrity guarantees that data remains accurate, consistent, and unaltered during storage, processing, or transmission. Non-repudiation ensures that a party cannot deny its involvement in a communication or transaction.

In the CISSP context, understanding which component of the CIA triad a particular control addresses is essential. Exam scenarios often test your ability to distinguish between these elements. In this case, since the question focuses on preventing unauthorized access or disclosure of data, confidentiality is the correct and most relevant objective.

Question 11

Which of the following best describes the principle of least privilege when applied to access control?

A) Giving every user administrative rights because they might need elevated access
B) Giving a user the absolute minimum rights required to perform their job and no more
C) Removing all access rights and only granting upon manual request each time
D) Granting all users read-only access to every system

Answer: B) Giving a user the absolute minimum rights required to perform their job and no more

Explanation:

The principle of least privilege dictates that users, processes, or systems should be granted only the minimum level of access necessary to perform their specific job functions or tasks—no more and no less. By restricting privileges to only what is required, organizations reduce the likelihood of both accidental and deliberate misuse of data, systems, or network resources. This approach helps contain potential damage from insider threats, compromised accounts, or software vulnerabilities by minimizing the scope of what any single entity can do if exploited.

Option A violates this principle by granting excessive privileges that go beyond operational necessity, increasing the potential attack surface. Option C, while highly restrictive, may impede productivity or legitimate business operations—highlighting that least privilege requires a balance between security and usability. Option D provides unnecessarily broad read access, which still constitutes excessive privilege and fails to align with the principle’s intent of strictly defined, need-based permissions.

Within the CISSP domains of Access Control, Security Architecture, and Risk Management, applying least privilege is a cornerstone of secure system design and governance. It underpins access control mechanisms such as role-based access control (RBAC), separation of duties (SoD), and privileged access management (PAM). On the exam, candidates are often tested on their ability to recognize when privileges should be limited, how to balance operational efficiency with risk reduction, and how this principle integrates into broader security controls and compliance frameworks.

Question 12

During an audit, you discover that a service provider has access to your organisation’s sensitive customer data and retains backup copies off-site. You evaluate the risk and determine you need to address it. Which risk treatment option is best after identifying this outsourcing exposure?

A) Accept the risk because the provider is large and reputable
B) Transfer the risk by purchasing insurance covering data exposure
C) Mitigate the risk by implementing contractual requirements and regular audits of the provider
D) Ignore it because the provider signed a non-disclosure agreement (NDA)

Answer: C) Mitigate the risk by implementing contractual requirements and regular audits of the provider

Explanation:

Once a risk has been identified, an organization can respond using one of four primary treatment strategies: avoid, transfer, mitigate, or accept. In the outsourcing scenario, relying solely on the provider to manage the risk (option A) is ill-advised—even a reputable vendor cannot fully eliminate exposure, especially when sensitive data is involved. Simply accepting the risk without additional controls may leave the organization vulnerable to significant data loss or reputational damage. Transferring the risk through insurance (option B) only addresses potential financial consequences and does not reduce the underlying likelihood or operational impact of the event. Ignoring the risk because a non-disclosure agreement (option D) is in place is insufficient, as legal agreements alone do not enforce technical or procedural safeguards such as encryption, monitoring, or audit rights.

Mitigation (option C) represents the most appropriate and balanced approach in this case. By mitigating the risk, the organization maintains accountability for protecting data while ensuring that the provider implements appropriate controls. This can include strong contractual clauses—such as service-level agreements, audit provisions, incident reporting requirements, and security certifications—along with technical measures like encryption, secure communication channels, and access control. Ongoing oversight, periodic assessments, and governance reviews further strengthen this approach by continuously verifying that the provider meets the organization’s security expectations.

In the CISSP domain of Risk Management, understanding how to apply these four treatment strategies is essential. Exam questions often test the candidate’s ability to evaluate scenarios and identify which approach most effectively balances risk reduction with business objectives. Mitigation is frequently the preferred option when the organization cannot feasibly avoid or transfer the risk but can implement layered controls to reduce its impact and likelihood to acceptable levels.

Question 13

Which of the following best describes an organisation’s attack surface in the context of information security?

A) The total number of employees with access to the network
B) The sum of all vulnerabilities in the code base
C) The collection of points where an unauthorized actor can attempt to enter or extract data from the system
D) The replacement cost of all hardware assets

Answer: C) The collection of points where an unauthorized actor can attempt to enter or extract data from the system

Explanation:

The attack surface represents the total sum of all possible points where an attacker could attempt to enter, manipulate, or extract data from a system. It encompasses every potential exposure, including network interfaces, APIs, open ports, web applications, third-party integrations, cloud environments, mobile devices, and even misconfigured services. The larger and more complex an organization’s infrastructure, the broader its attack surface—making comprehensive visibility and management essential to effective security.

Option A is overly narrow, focusing only on employees and neglecting technical and systemic exposures. Option B limits the scope to software vulnerabilities in code, omitting other critical vectors such as network and configuration weaknesses. Option D is irrelevant, as the monetary value of an asset does not determine its exposure points or risk level.

In the CISSP domain of Security and Risk Management, understanding the concept of attack surface reduction (ASR) is vital. ASR strategies aim to minimize the number of exploitable points by disabling unnecessary services, closing unused ports, segmenting networks, enforcing least privilege, and hardening configurations. Additionally, maintaining continuous monitoring and applying patch management help ensure that the attack surface remains as small and controlled as possible. Exam questions often test whether candidates can apply this concept holistically—recognizing that the attack surface spans people, processes, and technology rather than just software vulnerabilities.

Question 14

What kind of test is it when an organisation obtains consent from its users and then simulates an attack by having ethical hackers attempt to exploit vulnerabilities in production systems?

A) Vulnerability scan
B) Penetration test
C) Security audit
D) Configuration review

Answer: B) Penetration test

Explanation:

A penetration test (pen-test) is an authorized and controlled simulation of a cyber-attack conducted to evaluate the effectiveness of an organization’s security posture. It goes beyond simple identification of vulnerabilities by actively attempting to exploit them in a real-world context, helping to assess how attackers might gain unauthorized access, escalate privileges, or exfiltrate data. Penetration tests are typically carried out in production or closely replicated environments with explicit consent and defined rules of engagement to ensure safety and compliance. The goal is to validate the effectiveness of existing defenses and identify gaps that automated tools or audits might miss.

In contrast, a vulnerability scan (option A) is generally an automated process that identifies known security weaknesses without attempting to exploit them, offering a broad but less in-depth view of security exposure. A security audit (option C) focuses on reviewing documentation, policies, procedures, and compliance with standards or regulatory frameworks—its emphasis is on governance rather than technical exploitation. A configuration review (option D) is a focused assessment of system and device settings, patch levels, and security baselines to ensure they align with best practices.

Within the CISSP domain of Security Assessment and Testing, it is crucial to understand these distinctions. Exam questions often assess whether candidates can correctly differentiate between passive assessments (like vulnerability scanning or audits), active testing (such as penetration testing), and configuration validation activities. Mastery of these concepts ensures that professionals can select the right testing approach to meet organizational objectives and risk tolerance.

Question 15

An organisation uses cloud-based services and wants to ensure that they can recover from a provider outage in a timely manner. They define a recovery point objective (RPO) of one hour and a recovery time objective (RTO) of four hours. Which statement is correct about RPO and RTO in that context?

A) RPO refers to how long the system can be down; RTO refers to how much data loss is acceptable
B) RPO refers to how much data loss is acceptable; RTO refers to how long the system can be down
C) RPO and RTO are interchangeable and mean the same thing
D) RPO refers to encryption of backups; RTO refers to the restore process

Answer: B) RPO refers to how much data loss is acceptable; RTO refers to how long the system can be down

Explanation:

In business continuity and disaster recovery planning, the two key metrics are:

Recovery Point Objective (RPO): the maximum tolerable period during which data might be lost due to an incident (i.e., how far back you’ll restore from).

Recovery Time Objective (RTO): the maximum tolerable time that a system can be unavailable before operations are critically impacted (i.e., how long it takes to restore).

In the scenario given, the organisation is saying: “We can tolerate losing up to one hour of data (RPO = one hour) and we need systems back up within four hours (RTO = four hours).” Option B correctly describes the definitions. Option A reverses them. Option C is incorrect because they are not the same. Option D misstates their meaning entirely. These concepts are fundamental in continuity planning and often appear in CISSP questions.
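As an added example (not part of the original page), the following Python turns the one-hour RPO and four-hour RTO from the question into two separate checks against a constructed backup schedule and outage. It also shows an edge case the definitions imply: a backup that has not finished when the outage starts cannot be restored from, so the backup interval must be shorter than the RPO by the time a backup takes. The schedule and timestamps are constructed.

```python
from datetime import datetime, timedelta

RPO = timedelta(hours=1)  # maximum tolerable data loss, from the question
RTO = timedelta(hours=4)  # maximum tolerable downtime, from the question


def max_backup_interval(rpo, backup_duration):
    """A backup captures the state at its start but is only usable once it
    completes. An outage just before a backup completes therefore loses
    (interval + duration), so the interval must leave room for the duration."""
    interval = rpo - backup_duration
    if interval <= timedelta(0):
        raise ValueError("backup takes longer than the RPO allows")
    return interval


def last_usable_backup(backups, outage_start):
    """backups: list of (start, finish) pairs. Only backups that finished
    before the outage can be restored from; returns the start time of the
    latest such backup, or None."""
    usable = [start for start, finish in backups if finish <= outage_start]
    return max(usable) if usable else None


def assess(backups, outage_start, service_restored, rpo=RPO, rto=RTO):
    """RPO question: how much work is lost?  RTO question: how long were we down?"""
    restore_point = last_usable_backup(backups, outage_start)
    data_loss = None if restore_point is None else outage_start - restore_point
    downtime = service_restored - outage_start
    return {
        "restore_point": restore_point,
        "data_loss": data_loss,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


# Constructed scenario: hourly backups that each take 10 minutes to complete.
SAMPLE_BACKUPS = [
    (datetime(2024, 5, 1, 11, 0), datetime(2024, 5, 1, 11, 10)),
    (datetime(2024, 5, 1, 12, 0), datetime(2024, 5, 1, 12, 10)),
    (datetime(2024, 5, 1, 13, 0), datetime(2024, 5, 1, 13, 10)),  # after the outage
]
OUTAGE = datetime(2024, 5, 1, 12, 55)
RESTORED = datetime(2024, 5, 1, 16, 30)

if __name__ == "__main__":
    print(assess(SAMPLE_BACKUPS, OUTAGE, RESTORED))
    # Outage while the 12:00 backup is still running: falls back to 11:00.
    print(assess(SAMPLE_BACKUPS, datetime(2024, 5, 1, 12, 5), RESTORED))
    print("max interval for 10-minute backups:", max_backup_interval(RPO, timedelta(minutes=10)))
```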

Question 16

Which of the following is an example of social engineering rather than purely a technical attack vector?

A) An attacker uses SQL injection to extract data from a database
B) A malicious actor sends a phishing email that tricks an employee into disclosing credentials
C) A worm spreads across the network exploiting a buffer overflow vulnerability
D) A brute-force attack attempts to guess a user’s password over SSH

Answer: B) A malicious actor sends a phishing email that tricks an employee into disclosing credentials

Explanation:

Social engineering refers to manipulation techniques that exploit human psychology, trust, or social behavior rather than technical vulnerabilities. Option B, a phishing email, exemplifies this approach: an attacker deceives an employee into disclosing credentials, clicking a malicious link, or executing an unsafe action that bypasses established security controls. These attacks succeed not because of flaws in technology, but because of predictable human tendencies such as curiosity, fear, or compliance with authority.

In contrast, Option A (SQL injection), Option C (worm exploitation), and Option D (brute-force attack) are technical attack vectors that exploit software or system weaknesses rather than human interaction.

In the CISSP domain of Security Operations and Threat Modeling, understanding social engineering is vital. Security professionals must recognize that people are often the weakest link in the security chain and must implement layered defenses to mitigate this risk. Effective countermeasures include comprehensive user awareness and training programs, multi-factor authentication, strong identity verification procedures, and organizational policies that promote a culture of security mindfulness. By combining human education with technical safeguards, organizations can significantly reduce their susceptibility to social engineering attacks.

Question 17

You are designing a network segmentation strategy. Which of the following best describes the security benefit of implementing a demilitarised zone (DMZ) in an enterprise architecture?

A) It guarantees that internal threats cannot access external resources
B) It ensures all internet traffic is encrypted end-to-end
C) It isolates publicly accessible services from the internal trusted network, limiting exposure if compromised
D) It allows unrestricted inbound access to internal systems for convenience

Answer: C) It isolates publicly accessible services from the internal trusted network, limiting exposure if compromised

Explanation:

A DMZ (demilitarized zone) is a network segment designed to host systems and services that must be accessible from the internet—such as web servers, DNS servers, or email gateways—while keeping them isolated from the internal, trusted network. The primary security benefit of a DMZ is containment: if an external-facing server is compromised, segmentation and layered defenses prevent or significantly limit an attacker’s ability to move laterally into sensitive internal systems. Option C accurately represents this function by highlighting the importance of isolation and controlled exposure.

Option A is inaccurate because segmentation mitigates but does not completely eliminate internal threats. Option B is unrelated, as encryption protects data confidentiality during transmission rather than serving as a network segmentation mechanism. Option D is inherently insecure, as it would expose internal systems directly to the internet without appropriate isolation.

In the CISSP domain of Communication and Network Security, understanding the purpose and configuration of DMZs is essential. Effective DMZ design typically involves firewalls, intrusion detection or prevention systems, and strict access control lists to manage traffic between external, DMZ, and internal networks. Exam questions in this area often assess your ability to identify how segmentation, zoning, and layered security contribute to minimizing attack surfaces while maintaining necessary external service availability.

Question 18

In an incident response process, after detecting and containing a security event, the next phase involves determining the root cause and deriving lessons learned. This phase is known as:

A) Preparation
B) Eradication
C) Recovery
D) Post-incident review

Answer: D) Post-incident review

Explanation:

The standard incident response lifecycle typically includes the following phases: Preparation, Detection and Analysis, Containment/Eradication, Recovery, and Post-Incident Activities (often referred to as “lessons learned”). After an incident has been detected, contained, eradicated, and systems have been successfully restored to operational status, the final phase is the post-incident review. This stage is critical for organizational learning—it focuses on analyzing what went wrong, assessing how effectively the incident was handled, evaluating the performance of existing controls, and identifying improvements to strengthen response capabilities and reduce the likelihood or impact of similar future incidents. Option D correctly represents this stage.

Option A, Preparation, occurs before any incident and involves establishing and maintaining incident response policies, procedures, communication plans, and technical tools to ensure readiness. Option B, Eradication, involves completely removing the threat or malicious components from affected systems to ensure they are clean before restoration. Option C, Recovery, focuses on restoring affected systems and returning operations to normal functionality, often with enhanced monitoring to verify stability and confirm that no residual threats remain.

In the CISSP domain of Security Operations, understanding the sequence, purpose, and interdependencies of these phases is essential. The exam often tests a candidate’s ability to correctly map specific activities—such as containment actions, lessons learned sessions, or system restoration—to their appropriate phase within the incident response process. Mastery of this lifecycle ensures that a security professional can both respond effectively in real-world incidents and design robust response programs aligned with best practices such as NIST SP 800-61.

Question 19

Which of these authentication factors is considered the strongest in terms of resisting spoofing and impersonation?

A) Something you know (e.g., password)
B) Something you have (e.g., smart card)
C) Something you are (e.g., biometric fingerprint)
D) Something you do (e.g., gesture-based pattern)

Answer: C) Something you are (e.g., biometric fingerprint)

Explanation:

In authentication, there are three primary factor types: knowledge (something you know, such as a password or PIN), possession (something you have, such as a security token, smart card, or mobile authenticator), and inherence (something you are, such as a fingerprint, retina scan, or facial recognition). Biometric factors, which fall under inherence, are generally considered stronger against spoofing or impersonation because they rely on unique physical characteristics that are difficult to replicate, steal, or share, unlike knowledge-based or possession-based factors.

Option D, “something you do,” refers to behavioral biometrics, which can include patterns like typing rhythm, mouse movements, gait, or voice inflection. While these behavioral factors can provide an additional layer of security and may be used as part of continuous authentication, they are less standardized, more variable, and often less reliable than inherence-based biometrics.

Understanding these authentication factor types is critical in the CISSP domain, particularly in the Security and Risk Management and Identity and Access Management areas. Exam questions frequently test your ability to distinguish between factor types, assess their relative strengths, and apply them appropriately in multi-factor authentication schemes. Strong authentication practices often combine factors from multiple categories—knowledge, possession, and inherence—to enhance security while maintaining usability.

Question 20

A company needs to dispose of its old tape backups containing classified information. Which method provides the highest assurance that the data cannot be recovered?

A) Deleting the index file pointing to the tape backup
B) Overwriting the tape with zeros once
C) Physically shredding or incinerating the tape media
D) Reformatting the tape and reusing it for non-sensitive data

Answer: C) Physically shredding or incinerating the tape media

Explanation:

When disposing of highly sensitive media, physically destroying the media itself provides the highest level of assurance that the data cannot be recovered. Physical destruction methods, such as shredding, incinerating, pulverizing, or disintegrating tape cartridges, hard drives, or optical media, ensure that the information becomes completely irretrievable, even through advanced forensic recovery techniques. This approach is particularly critical for classified, regulated, or sensitive data where any residual information could result in significant legal, financial, or reputational consequences.

Overwriting the tape or disk (Option B) may offer a degree of protection by replacing existing data with random patterns or zeroes, but its effectiveness depends on the media format, storage density, and the quality of the overwrite procedure. Even after multiple passes, residual magnetic traces could theoretically be exploited by sophisticated attackers, making it insufficient for highly sensitive or classified information. Deleting an index file (Option A) is essentially ineffective because the actual data remains intact on the media; attackers with basic forensic tools could easily reconstruct it. Reformatting and reusing media for non-sensitive purposes (Option D) similarly does not guarantee the complete removal of residual data and is therefore inadequate for media containing sensitive information.

In the CISSP domain covering asset security, data lifecycle management, and physical protection, understanding and correctly applying media sanitization techniques—commonly categorized as clear, purge, and destroy—is essential. Clear operations may involve overwriting or degaussing for lower-sensitivity data, purge methods remove data more securely for moderate classifications, and destroy methods provide ultimate assurance for highly sensitive or classified data. Organizations must align the chosen method with regulatory requirements, internal policies, and data classification levels to minimize the risk of data leakage and maintain compliance. By systematically applying these practices, organizations can confidently retire media without leaving sensitive information exposed to potential compromise, thereby protecting both the organization and its stakeholders.
