ISC2 CISSP Certified Information Systems Security Professional Exam Practice Test

Page: 1 / 14
Total 1486 questions
Question 2

When auditing the Software Development Life Cycle (SDLC) which of the following is one of the high-level audit phases?



Answer : D

The high-level audit phase represented by option D is planning. An audit is a systematic and independent examination and evaluation of the evidence, records, or activities of an entity (a process, a system, or an organization) to determine its compliance, effectiveness, or efficiency, and to provide assurance, recommendations, or improvements. The audit process consists of several phases: planning, execution, reporting, and follow-up. The planning phase is the first and most important phase, as it defines the objectives, scope, and criteria of the audit and determines the roles, responsibilities, and resources of the audit team. Planning also covers the preliminary risk assessment, background research, and stakeholder analysis of the audited entity, and produces the audit plan, the audit checklist, and the audit schedule.

Reference: CISSP CBK, Fifth Edition, Chapter 6, page 572; 100 CISSP Questions, Answers and Explanations, Question 19.


Question 3

What is the correct order of execution for security architecture?



Answer : A

Security architecture is the design and implementation of the security controls, mechanisms, and processes that protect the confidentiality, integrity, and availability of the information and systems of an organization. Security architecture is aligned with the business goals, objectives, and requirements of the organization, and supports the security policies, standards, and guidelines of the organization. Security architecture follows a systematic and structured approach, which consists of the following phases or steps:

Governance: Establish the security vision, mission, principles, and policies of the organization, and define the roles, responsibilities, and authorities of the security stakeholders and functions.

Strategy and program management: Develop the security strategy and objectives of the organization, and plan, coordinate, and manage the security projects and initiatives that support the security strategy and objectives.

Project delivery: Design, implement, and integrate the security solutions and components that meet the security requirements and specifications of the organization, and deliver the expected security outcomes and benefits.

Operations: Operate, monitor, and maintain the security solutions and components, ensure their optimal performance and functionality, and identify, analyze, and respond to the security incidents, events, or changes that may affect the security posture or risk level of the organization.

The correct order of execution for security architecture is therefore governance, strategy and program management, project delivery, and operations, as each phase builds on the previous one and provides the input and feedback for the next.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Security Architecture and Engineering, page 219; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Architecture and Engineering, page 375.


Question 4

Refer to the information below to answer the question.

During the investigation of a security incident, it is determined that an unauthorized individual accessed a system which hosts a database containing financial information.

Aside from the potential records which may have been viewed, which of the following should be the PRIMARY concern regarding the database information?



Answer : A

The primary concern regarding the database information, aside from the records that may have been viewed, is unauthorized database changes. Unauthorized database changes are modifications of the database content or structure (data values, data types, data formats, data relationships, or schemas) made by an unauthorized individual or malicious actor, such as the one who accessed the system hosting the database. Such changes compromise the integrity, accuracy, consistency, and reliability of the financial data and can cause serious harm to the organization's operations, decisions, or reputation. They can also affect the availability, performance, or functionality of the database and can introduce or exploit weaknesses in it. Integrity of security logs, availability of the database, and confidentiality of the incident are not the primary concern here: they relate to the evidence, accessibility, or secrecy of the security incident, not to the modification of the database information itself.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 865; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 881.


Question 5

Which of the following is the BEST reason for the use of security metrics?



Answer : D

The best reason for the use of security metrics is to quantify the effectiveness of security processes. Security metrics are measurable indicators that provide information about the performance, efficiency, and quality of security activities, controls, and outcomes. They help to evaluate the current state of security, identify strengths and weaknesses, monitor progress and trends, and support decision making and improvement. They also help to demonstrate the value and return on investment of security to stakeholders and to communicate security objectives and expectations to users.

Security metrics can be based on various criteria, such as compliance, risk, cost, time, or customer satisfaction, and can be classified into types such as implementation metrics, effectiveness/efficiency metrics, and impact metrics. They can be collected, analyzed, and reported using methods and tools such as surveys, audits, logs, dashboards, or scorecards.

Ensuring that the organization meets its security objectives, providing an appropriate framework for IT governance, and speeding up the process of quantitative risk assessment are all possible benefits or uses of security metrics, but none of them is the best reason for using them. Security metrics are not the only means of ensuring that the organization meets its security objectives, since those objectives are also influenced by policies, standards, procedures, and culture. They are not the only component of IT governance, which also involves leadership, strategy, structure, processes, and roles. And they are not the only factor that can speed up quantitative risk assessment, which also depends on inputs such as asset value, threat frequency, vulnerability severity, and control effectiveness.

