ISC2 CISSP Certified Information Systems Security Professional Exam Practice Test

Answer : D

The description that best describes centralized identity management is that service providers perform as both the credential and identity provider (IdP). Identity management is a type of process that involves defining, verifying, and managing the identity or the information of the users or the entities that access or use a system or a network, or a service or an application, using various methods, such as credentials, identifiers, or attributes. Identity management can provide various benefits, such as enhancing the security, functionality, or usability of the system or the network, or of the service or the application, and ensuring the compliance or alignment with the standards or regulations. Identity management can be classified into various types, such as centralized, decentralized, or federated. Centralized identity management is a type of identity management that involves using or applying a single or a central authority or entity, such as a server or a database, to control and manage the identity or the information of the users or the entities, and to provide or grant the access or the authorization to the users or the entities, for accessing or using the system or the network, or the service or the application. Centralized identity management can provide various benefits, such as simplicity, consistency, or scalability. Centralized identity management can also include various roles or functions, such as:

Credential provider: The role or the function that involves creating and issuing the credentials, such as passwords, tokens, or certificates, to the users or the entities, for authenticating or verifying the identity or the information of the users or the entities, and for accessing or using the system or the network, or the service or the application.

Identity provider (IdP): The role or the function that involves storing and managing the identifiers, such as usernames, email addresses, or phone numbers, and the attributes, such as names, roles, or preferences, of the users or the entities, and providing or sharing the identifiers and the attributes of the users or the entities, with the system or the network, or with the service or the application, for identifying or recognizing the users or the entities, and for accessing or using the system or the network, or the service or the application.

Service provider: The role or the function that involves offering or delivering the system or the network, or the service or the application, to the users or the entities, and requesting or receiving the credentials, the identifiers, or the attributes of the users or the entities, from the credential provider or the identity provider, for authenticating, authorizing, or personalizing the users or the entities, and for accessing or using the system or the network, or the service or the application.

Answer : B

The opening of a mechanical lock without the proper key by carefully aligning the pins in the lock is defined as lock picking. A mechanical lock is a device that secures an entry point, such as a door, a window, or a cabinet, by using a physical mechanism, such as a pin tumbler, a wafer, or a disc detainer. A mechanical lock requires a proper key to unlock it, which matches the configuration of the mechanism. Lock picking is a technique of manipulating the mechanism of the lock without the proper key, usually by using tools, such as picks, tension wrenches, or rakes. Lock picking can exploit the flaws or weaknesses of the lock, such as the variations, tolerances, or defects of the pins or the cylinder. Lock picking can be used for legitimate purposes, such as locksmithing, hobby, or sport, or for illegitimate purposes, such as burglary, espionage, or sabotage. Reference:CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Engineering, p. 136;Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Engineering, p. 297.

Answer : A

The required step to determine classification and ownership is to ensure that the system and data resources are properly identified. Identification is the process of assigning unique names or labels to the system and data resources, such as hardware, software, files, databases, or networks. Identification helps to distinguish the system and data resources from each other, and to associate them with their respective owners, custodians, or users. Identification is a prerequisite for classification and ownership, which are the processes of assigning the value, sensitivity, and criticality of the system and data resources, and the roles and responsibilities of the parties involved in their protection and management. Logging and auditing access violations, identifying and linking data file references, and integrating system security controls are not required steps to determine classification and ownership, as they are related to the implementation and monitoring of the security policies and measures, not the identification of the system and data resources.Reference:CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 39.Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 52.

Answer : B

Role-Based Access Control (RBAC) is an access control method that assigns permissions to users based on their roles or functions within an organization. RBAC requires a consistent set of rules for controlling and limiting access, as each role is defined by a set of access rights that correspond to the level of authority and responsibility of the role. RBAC can simplify access management, enforce the principle of least privilege, improve security and compliance, and reduce administrative overhead. Reference:

Access Control Models and Methods

What Are the Different Types of Access Control?

3 Types of Access Control: IT Security Models Explained

Answer : B

Network Access Control (NAC) is a technology that enforces security policies and controls on the devices that attempt to access a network. NAC can verify the identity and compliance of the devices, and grant or deny access based on predefined rules and criteria. NAC can also place the devices into different domains or segments, depending on their security posture and role. One of the domains that NAC can create is the isolated domain, which is a restricted network segment that isolates the devices that do not meet the security requirements or pose a potential threat to the network. The devices in the isolated domain have limited or no access to the network resources, and are subject to remediation actions. Remediation is the process of fixing or improving the security status of the devices, by applying the necessary updates, patches, configurations, or software. Remediation can be performed automatically by the NAC system, or manually by the device owner or administrator. Therefore, the best thing that can be done on a device that is placed into an isolated domain by NAC is to apply remediation's according to the security requirements, which can restore the device's compliance and enable it to access the network normally.

Answer : C

The best person to consult for a data retention policy requirement is the privacy officer, who is responsible for ensuring that the organization complies with the applicable privacy laws, regulations, and standards. A data retention policy defines the criteria and procedures for retaining, storing, and disposing of data, especially personal data, in accordance with the legal and business requirements. The privacy officer can advise on the data retention policy by identifying the relevant privacy mandates, assessing the data types and categories, determining the retention periods and disposal methods, and implementing the appropriate controls and measures. The other options are not the best person to consult, but rather stakeholders or contributors to the data retention policy. An application manager is responsible for managing the development, maintenance, and operation of applications, but not the data retention policy. A database administrator is responsible for managing the design, implementation, and performance of databases, but not the data retention policy. A finance manager is responsible for managing the financial resources and activities of the organization, but not the data retention policy.Reference:CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, p. 118;Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, p. 292;CISSP practice exam questions and answers, Question 8.

Answer : C

The transport layer is the OSI model layer that will discard a segment with a bad checksum in the UDP header. The transport layer is responsible for providing end-to-end data transmission and reliability between the source and destination hosts. The transport layer uses protocols such as TCP (transmission control protocol) or UDP (user datagram protocol) to segment, encapsulate, and deliver the data. The transport layer also performs error detection and correction using checksums, which are values calculated from the data and added to the header of each segment. The checksums are verified at the destination host to ensure the integrity of the data. If the checksum in the UDP header does not match the expected value, the transport layer will discard the segment as corrupted. The other options are not OSI model layers that will discard a segment with a bad checksum in the UDP header, as they either do not use checksums, do not operate on segments, or do not handle UDP.Reference:CISSP - Certified Information Systems Security Professional, Domain 4. Communication and Network Security, 4.1 Implement secure design principles in network architectures, 4.1.1 Apply secure design principles to network architecture, 4.1.1.1 OSI and TCP/IP models;CISSP Exam Outline, Domain 4. Communication and Network Security, 4.1 Implement secure design principles in network architectures, 4.1.1 Apply secure design principles to network architecture, 4.1.1.1 OSI and TCP/IP models