ISC2 Certified Information Systems Security Professional CISSP Exam Practice Test

Page: 1 / 14
Total 1486 questions
Question 4

In which of the following programs is it MOST important to include the collection of security process data?



Answer : B

Security continuous monitoring is the program in which it is most important to include the collection of security process data. Security process data is the data that reflects the performance, effectiveness, and compliance of the security processes, such as the security policies, standards, procedures, and guidelines. Security process data can include metrics, indicators, logs, reports, and assessments. Security process data can provide several benefits, such as:

Improving the security and risk management of the system by providing the visibility and awareness of the security posture, vulnerabilities, and threats

Enhancing the security and decision making of the system by providing the evidence and information for the security analysis, evaluation, and reporting

Increasing the security and improvement of the system by providing the feedback and input for the security response, remediation, and optimization

Security continuous monitoring is the program in which it is most important to include the collection of security process data, because it is the program that involves maintaining the ongoing awareness of the security status, events, and activities of the system. Security continuous monitoring can enable the system to detect and respond to any security issues or incidents in a timely and effective manner, and to adjust and improve the security controls and processes accordingly. Security continuous monitoring can also help the system to comply with the security requirements and standards from the internal or external authorities or frameworks.

The other options are not the programs in which it is most important to include the collection of security process data, but rather programs that have other objectives or scopes. Quarterly access reviews are programs that involve reviewing and verifying the user accounts and access rights on a quarterly basis. Quarterly access reviews can ensure that the user accounts and access rights are valid, authorized, and up to date, and that any inactive, expired, or unauthorized accounts or rights are removed or revoked. However, quarterly access reviews are not the programs in which it is most important to include the collection of security process data, because they are not focused on the security status, events, and activities of the system, but rather on the user accounts and access rights. Business continuity testing is a program that involves testing and validating the business continuity plan (BCP) and the disaster recovery plan (DRP) of the system. Business continuity testing can ensure that the system can continue or resume its critical functions and operations in case of a disruption or disaster, and that the system can meet the recovery objectives and requirements. However, business continuity testing is not the program in which it is most important to include the collection of security process data, because it is not focused on the security status, events, and activities of the system, but rather on the continuity and recovery of the system. Annual security training is a program that involves providing and updating the security knowledge and skills of the system users and staff on an annual basis. Annual security training can increase the security awareness and competence of the system users and staff, and reduce the human errors or risks that might compromise the system security. However, annual security training is not the program in which it is most important to include the collection of security process data, because it is not focused on the security status, events, and activities of the system, but rather on the security education and training of the system users and staff.


Question 5

Which of the following controls is the most suitable for a system identified as critical in terms of data and function to the organization?



Answer : A

Preventive controls are the most suitable for a system identified as critical in terms of data and function to the organization, because they aim to prevent or deter threats from compromising the system's confidentiality, integrity, and availability. Examples of preventive controls include encryption, authentication, access control, firewalls, antivirus software, and backup systems. Monitoring, cost, and compensating controls are not as effective as preventive controls for protecting critical systems, because they either detect, measure, or mitigate the impact of threats after they have occurred, rather than preventing them in the first place. Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 22. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1: Security and Risk Management, page 35.


Question 7

The World Trade Organization's (WTO) agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) requires authors of computer software to be given the



Answer : A

The World Trade Organization's (WTO) agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) requires authors of computer software to be given the right to refuse or permit commercial rentals. TRIPS is an international treaty that sets the minimum standards and rules for the protection and enforcement of intellectual property rights, such as patents, trademarks, or copyrights. TRIPS requires authors of computer software to be given the right to refuse or permit commercial rentals, which means that they can control whether their software can be rented or leased to others for profit. This right is intended to prevent the unauthorized copying or distribution of the software, and to ensure that the authors receive fair compensation for their work. The other options are not the rights that TRIPS requires authors of computer software to be given, but rather different or irrelevant concepts. The right to disguise the software's geographic origin is not a right, but rather a violation, of TRIPS, as it can mislead or deceive the consumers or authorities about the source or quality of the software. The ability to tailor security parameters based on location is not a right, but rather a feature, of some software, such as encryption or authentication software, that can adjust the security settings or functions according to the location or jurisdiction of the user or device. The ability to confirm license authenticity of their works is not a right, but rather a benefit, of some software, such as digital rights management or anti-piracy software, that can verify or validate the license or ownership of the software. Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, p. 40; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, p. 302.

