ISC2 Certified Information Systems Security Professional CISSP Exam Questions

Page: 1 / 14
Total 1486 questions
Question 1

An organization has been collecting a large amount of redundant and unusable data and filling up the storage area network (SAN). Management has requested the identification of a solution that will address ongoing storage problems. Which is the BEST technical solution?



Answer : A

Deduplication is a technique of eliminating redundant or duplicate data from a storage system, such as a storage area network (SAN). Deduplication can reduce the amount of storage space required, improve the performance and efficiency of the storage system, and lower the cost and complexity of data management. Deduplication can be performed at different levels, such as file-level, block-level, or byte-level, and at different locations, such as source-side, target-side, or inline. Compression is a technique of reducing the size of data by using algorithms that remove or replace unnecessary or repetitive bits or symbols. Compression can also reduce the amount of storage space required, but it may not be as effective as deduplication in eliminating redundant or unusable data. Replication is a technique of creating and maintaining copies of data across multiple storage devices or locations, such as disks, servers, or sites. Replication can improve the availability, reliability, and accessibility of data, but it does not reduce the amount of storage space required. In fact, replication can increase the amount of storage space required, as well as the network bandwidth and the complexity of data synchronization. Caching is a technique of storing frequently accessed or recently used data in a fast and temporary storage device or location, such as memory, disk, or server. Caching can improve the performance and responsiveness of the storage system, but it does not reduce the amount of storage space required. Caching only stores a subset of the data, and it does not eliminate redundant or unusable data.Reference: [CISSP CBK Reference, 5th Edition, Chapter 3, page 153]; [CISSP All-in-One Exam Guide, 8th Edition, Chapter 3, page 121]


Question 2

Which type of disaster recovery plan (DRP) testing carries the MOST operational risk?



Answer : A

The type of disaster recovery plan (DRP) testing that carries the most operational risk is cutover. DRP testing is the process of verifying and validating the effectiveness and readiness of the DRP, which is a plan that defines the procedures and resources for restoring the critical business functions and systems after a disaster or an outage. DRP testing can be performed using different methods, such as:

Cutover: This method involves switching the entire production environment to the backup or recovery site, and testing the functionality and performance of the systems and processes at the recovery site. This method provides the most realistic and comprehensive test of the DRP, but it also carries the most operational risk, as it may disrupt the normal business operations, cause data loss or inconsistency, or introduce errors or failures in the systems or processes.

Walkthrough: This method involves reviewing and discussing the DRP with the relevant stakeholders, such as the management, the staff, or the vendors, and identifying any gaps, issues, or improvements in the plan. This method provides the least realistic and comprehensive test of the DRP, but it also carries the least operational risk, as it does not involve any actual execution or switching of the systems or processes.

Tabletop: This method involves simulating a disaster scenario and testing the DRP with a selected group of participants, such as the DRP team, the business owners, or the auditors, and evaluating the roles, responsibilities, and actions of the participants. This method provides a moderate level of realism and comprehensiveness in testing the DRP, but it also carries a moderate level of operational risk, as it may require some preparation, coordination, or documentation of the simulation and the results.

Parallel: This method involves running the systems and processes at both the production and the recovery sites simultaneously, and comparing the outputs and outcomes of the sites. This method provides a high level of realism and comprehensiveness in testing the DRP, but it also carries a high level of operational risk, as it may consume more resources, cause data synchronization or duplication issues, or create conflicts or confusion between the sites.


Question 3

Which of the following techniques is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections?



Answer : D

Fuzzing is a technique that is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. Fuzzing is a type of testing that involves sending random, malformed, or unexpected input to the system or application, and observing its behavior and response. Fuzzing can help to identify resource exhaustion problems, such as memory leaks, buffer overflows, or connection timeouts, which can affect the availability, functionality, or security of the system or application. Fuzzing can also help to discover other types of vulnerabilities, such as logic errors, input validation errors, or exception handling errors. Automated dynamic analysis, automated static analysis, and manual code review are not techniques that are known to be effective in spotting resource exhaustion problems, although they may be used for other types of testing or analysis.Reference:CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, page 1001;Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 7: Software Development Security, page 923.


Question 4

Mandatory Access Controls (MAC) are based on:



Answer : A

Mandatory Access Controls (MAC) are based on security classification and security clearance. MAC is a type of access control model that assigns permissions to subjects and objects based on their security labels, which indicate their level of sensitivity or trustworthiness. MAC is enforced by the system or the network, rather than by the owner or the creator of the object, and it cannot be modified or overridden by the subjects. MAC can provide some benefits for security, such as enhancing the confidentiality and the integrity of the data, preventing unauthorized access or disclosure, and supporting the audit and compliance activities. MAC is commonly used in military or government environments, where the data is classified according to its level of sensitivity, such as top secret, secret, confidential, or unclassified. The subjects are granted security clearance based on their level of trustworthiness, such as their background, their role, or their need to know. The subjects can only access the objects that have the same or lower security classification than their security clearance, and the objects can only be accessed by the subjects that have the same or higher security clearance than their security classification. This is based on the concept of no read up and no write down, which requires that a subject can only read data of lower or equal sensitivity level, and can only write data of higher or equal sensitivity level. Data segmentation and data classification, data labels and user access permissions, and user roles and data encryption are not the bases of MAC, although they may be related or useful concepts or techniques. Data segmentation and data classification are techniques that involve dividing and organizing the data into smaller and more manageable units, and assigning them different categories or levels based on their characteristics or requirements, such as their type, their value, their sensitivity, or their usage. Data segmentation and data classification can provide some benefits for security, such as enhancing the visibility and the control of the data, facilitating the implementation and the enforcement of the security policies and controls, and supporting the audit and compliance activities. However, data segmentation and data classification are not the bases of MAC, as they are not the same as security classification and security clearance, and they can be used with other access control models, such as discretionary access control (DAC) or role-based access control (RBAC). Data labels and user access permissions are concepts that involve attaching metadata or tags to the data and the users, and specifying the rules or the criteria for accessing the data and the users. Data labels and user access permissions can provide some benefits for security, such as enhancing the identification and the authentication of the data and the users, facilitating the implementation and the enforcement of the security policies and controls, and supporting the audit and compliance activities. However, data labels and user access permissions are not the bases of MAC, as they are not the same as security classification and security clearance, and they can be used with other access control models, such as DAC or RBAC. User roles and data encryption are techniques that involve defining and assigning the functions or the responsibilities of the users, and transforming the data into an unreadable form that can only be accessed by authorized parties who possess the correct key. User roles and data encryption can provide some benefits for security, such as enhancing the authorization and the confidentiality of the data and the users, facilitating the implementation and the enforcement of the security policies and controls, and supporting the audit and compliance activities. However, user roles and data encryption are not the bases of MAC, as they are not the same as security classification and security clearance, and they can be used with other access control models, such as DAC or RBAC.


Question 5

A software development company found odd behavior in some recently developed software, creating a need for a more thorough code review. What is the MOST effective argument for a more thorough code review?



Answer : D

The most effective argument for a more thorough code review is that it will reduce the potential for vulnerabilities. A code review is a process of examining and evaluating the source code of a software program to identify and correct any errors, defects, or weaknesses that may affect its functionality, quality, security, or performance. A more thorough code review will increase the chances of finding and fixing the vulnerabilities in the code, such as logic flaws, buffer overflows, input validation errors, or insecure coding practices. A more thorough code review will also improve the security posture of the software, as it will reduce the attack surface, mitigate the risks, and comply with the standards and regulations. A more thorough code review may also provide other benefits, such as increasing the flexibility, accountability, or efficiency of the software development process, but these are not the most effective or persuasive arguments for a more thorough code review, as they may not be directly related to the security objectives or requirements of the software.Reference:CISSP All-in-One Exam Guide, Eighth Edition, Chapter 21: Software Development Security, page 2010.


Question 6

An organization's information security strategic plan MUST be reviewed



Answer : C

An organization's information security strategic plan must be reviewed whenever there are major changes to the business, such as mergers, acquisitions, divestitures, new products or services, new markets, new regulations, or new threats. These changes can affect the organization's risk profile, security objectives, policies, procedures, and controls.Therefore, the information security strategic plan must be updated to align with the current business environment and ensure the protection of the organization's information assets124.Reference:

Building an Effective Information Security Strategy, Section: For effective cybersecurity, build a complete, defensible program

Information Security Strategy in Organisations: Review, Discussion and Future Research Directions, Section: Introduction

How Often Should You Review Your Policies and Procedures?, Section: Policy Review Frequency


Question 7

A user's credential for an application is stored in a relational database. Which control protects the confidentiality of the credential while it is stored?



Answer : C

A salted cryptographic hash of the password is a control that protects the confidentiality of the credential while it is stored in a relational database. A salt is a random value that is added to the password before hashing it, to make it more resistant to brute-force attacks and rainbow tables. A hash is a one-way function that transforms the password into a fixed-length output that is difficult to reverse. A salted hash makes it harder for an attacker to guess or crack the password, even if they have access to the database.Reference:CISSP All-in-One Exam Guide, Chapter 5: Identity and Access Management, Section: Password Management, pp. 381-382.


Page:    1 / 14   
Total 1486 questions