ISC2 Certified Information Systems Security Professional CISSP Exam Questions

Page: 1 / 14
Total 1486 questions
Question 1

The MAIN reason an organization conducts a security authorization process is to



Answer : A

The main reason an organization conducts a security authorization process is to force the organization to make conscious risk decisions. A security authorization process is a process that evaluates and approves the security of an information system or a product before it is deployed or used. A security authorization process involves three steps: security categorization, security assessment, and security authorization. Security categorization is the step of determining the impact level of the information system or product on the confidentiality, integrity, and availability of the information and assets. Security assessment is the step of testing and verifying the security controls and measures implemented on the information system or product. Security authorization is the step of granting or denying the permission to operate or use the information system or product based on the security assessment results and the risk acceptance criteria. The security authorization process forces the organization to make conscious risk decisions, as it requires the organization to identify, analyze, and evaluate the risks associated with the information system or product, and to decide whether to accept, reject, mitigate, or transfer the risks. The other options are not the main reasons, but rather the benefits or outcomes of a security authorization process. Assuring the effectiveness of security controls is a benefit of a security authorization process, as it provides an objective and independent evaluation of the security controls and measures. Assuring the correct security organization exists is an outcome of a security authorization process, as it establishes the roles and responsibilities of the security personnel and stakeholders. Forcing the organization to enlist management support is an outcome of a security authorization process, as it involves the management in the risk decision making and approval process.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, p. 419; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, p. 150.


Question 2

A user has infected a computer with malware by connecting a Universal Serial Bus (USB) storage device.

Which of the following is MOST effective to mitigate future infections?



Answer : C

The most effective method to mitigate future infections caused by connecting a Universal Serial Bus (USB) storage device is to implement centralized technical control of USB port connections. USB port connections are the physical interfaces that allow USB devices, such as flash drives, keyboards, or mice, to connect to a computer or a network. USB port connections can pose a security risk, as they can be used to introduce or spread malware, to steal or leak data, or to bypass other security controls. Centralized technical control of USB port connections is a technique that uses a centralized system or a policy to monitor, restrict, or disable the USB port connections on the computers or the network. Centralized technical control of USB port connections can prevent or limit future infections caused by connecting a USB storage device, as it can block or allow USB devices based on various criteria, such as the device type, the device ID, the user ID, the time, or the location. Centralized technical control of USB port connections can also provide other security benefits, such as enhancing the visibility and auditability of USB activities, enforcing the compliance and consistency of USB policies, and reducing the reliance and burden on the end users. Developing a written organizational policy prohibiting unauthorized USB devices, training users on the dangers of transferring data in USB devices, and encrypting removable USB devices containing data at rest are not the most effective methods to mitigate future infections caused by connecting a USB storage device, although they may be related or useful techniques. Developing a written organizational policy prohibiting unauthorized USB devices is a technique that uses a formal document to define and communicate the rules and the expectations regarding the usage of USB devices on the computers or the network. Such a policy can provide some security benefits, such as raising the awareness and responsibility of the parties, establishing the standards and guidelines for USB activities, and providing the basis and justification for the enforcement of, and sanctions under, the USB policies. However, a written policy alone is not sufficient to prevent or limit future infections caused by connecting a USB storage device, as the policy may not be effectively implemented, communicated, or followed by the parties, and it may not be able to address the dynamic and complex nature of USB threats. Training users on the dangers of transferring data in USB devices is a technique that uses education and awareness programs to inform and instruct the users about the risks and the best practices of using USB devices on the computers or the network. Such training can provide some security benefits, such as improving the knowledge and skills of the users, changing the attitudes and behaviors of the users, and empowering the users to make informed and secure decisions regarding USB activities.


Question 3

Individual access to a network is BEST determined based on



Question 4
Question 5

The BEST method of demonstrating a company's security level to potential customers is



Answer : A

The best method of demonstrating a company's security level to potential customers is a report from an external auditor, who is an independent and qualified third party that evaluates the company's security policies, procedures, controls, and practices against a set of standards or criteria, such as ISO 27001, NIST, or COBIT. A report from an external auditor provides an objective and credible assessment of the company's security posture, and may also include recommendations for improvement or certification.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 47; CISSP For Dummies, 7th Edition, Chapter 1, page 29.


Question 6

Which of the following actions MUST be performed when using Secure Multipurpose Internet Mail Extension (S/MIME) before sending an encrypted message to a recipient?



Answer : C

The action that must be performed when using Secure Multipurpose Internet Mail Extension (S/MIME) before sending an encrypted message to a recipient is to obtain the recipient's digital certificate. S/MIME is a standard that enables the secure transmission of email messages over the Internet, using encryption and digital signatures. To encrypt a message using S/MIME, the sender needs to obtain the recipient's digital certificate, which contains the recipient's public key and identity information. The sender can then use the recipient's public key to encrypt the message, ensuring that only the recipient can decrypt it with their private key. The recipient's digital certificate can be obtained from a trusted source, such as a certificate authority, a directory service, or a previous message from the recipient. Obtaining the recipient's digital certificate is a prerequisite for sending an encrypted message using S/MIME.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Engineering, page 132; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3: Security Engineering, page 194.


Question 7

An organization wants to migrate to Session Initiation Protocol (SIP) to save on telephony expenses. Which of the following security-related statements should be considered in the decision-making process?



Answer : D

The security related statement that should be considered in the decision-making process of migrating to Session Initiation Protocol (SIP) is that given the behavior of SIP traffic, additional security controls would be required. SIP is a protocol that enables the initiation, modification, or termination of multimedia sessions over the internet, such as voice, video, or chat. SIP can help to save on telephony expenses, as it can reduce the cost of communication, equipment, or maintenance, and it can provide more features, flexibility, or scalability. However, SIP also poses security challenges, as it is vulnerable to various threats or attacks, such as eavesdropping, spoofing, denial of service, or toll fraud. Given the behavior of SIP traffic, which is dynamic, complex, or unpredictable, additional security controls would be required to protect the SIP communication, such as encryption, authentication, firewall, or proxy. Cloud telephony is less secure and more expensive than digital telephony services, SIP services are more secure when used with multi-layer security proxies, or H.323 media gateways must be used to ensure end-to-end security tunnels are not the security related statements that should be considered in the decision-making process of migrating to SIP, as they are not true or relevant. Cloud telephony is a service that provides voice or data communication over the internet, and that is hosted or managed by a cloud provider. Cloud telephony is not necessarily less secure or more expensive than digital telephony services, as it depends on the security measures and the pricing models of the cloud provider. SIP services are not more secure when used with multi-layer security proxies, as this is not a valid or recommended security practice. Multi-layer security proxies are proxies that apply multiple layers of security controls or policies to the SIP communication, such as encryption, authentication, or filtering. 
Multi-layer security proxies may introduce more complexity, overhead, or latency to the SIP communication, and they may degrade the quality, performance, or reliability of the SIP communication. H.323 media gateways are not required to ensure end-to-end security tunnels for the SIP communication, as this is not a valid or compatible security solution. H.323 is another protocol that enables the initiation, modification, or termination of multimedia sessions over the internet, but it is different from and incompatible with SIP. H.323 media gateways are devices that convert or translate the H.323 communication to other protocols or formats, such as SIP, PSTN, or ISDN. H.323 media gateways do not provide end-to-end security tunnels for the SIP communication, as they do not encrypt or authenticate the SIP communication, and they may expose or compromise the SIP communication during the conversion or translation process.

Reference: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 4: Communication and Network Security, page 315.

