What security risk does the role-based access approach mitigate MOST effectively?

Excessive access rights to systems and data

Segregation of duties conflicts within business applications

Lack of system administrator activity monitoring

Which of the following questions can be answered using user and group entitlement reporting?

Where does a particular user have access within the network

When a particular file was last accessed by a user

Change control activities for a particular group of users

The number of failed login attempts for a particular user

Where does a particular user have access within the network

A network scan found 50% of the systems with one or more critical vulnerabilities. Which of the following represents the BEST action?

Assess vulnerability risk and business impact.

Assess vulnerability risk and program effectiveness.

Assess vulnerability risk and business impact.

Disconnect all systems with critical vulnerabilities.

Disconnect systems with the most number of vulnerabilities.

An organization has hired a security services firm to conduct a penetration test. Which of the following will the organization provide to the tester?

Limits and scope of the testing.

Physical location of server room and wiring closet.

Logical location of filters and concentrators.

Employee directory and organizational chart.

When planning a penetration test, the tester will be MOST interested in which information?

Exploits that can attack weaknesses

Job application handouts and tours

Exploits that can attack weaknesses

After acquiring the latest security updates, what must be done before deploying to production systems?

Install the patches on a test system

Use tools to detect missing system patches

Install the patches on a test system

Subscribe to notifications for vulnerabilities

Assess the severity of the situation

Which of the following BEST describes the purpose of performing security certification?

To formalize the confirmation of compliance to security policies and standards

To identify system threats, vulnerabilities, and acceptable level of risk

To formalize the confirmation of compliance to security policies and standards

To formalize the confirmation of completed risk mitigation and risk analysis

To verify that system architecture and interconnections with other systems are effectively implemented

Are companies legally required to report all data breaches?

No, different jurisdictions have different rules.

No, not if the data is encrypted.

No, companies' codes of ethics don't require it.

No, only if the breach had a material impact.

What is the PRIMARY difference between security policies and security procedures?

Policies are generic in nature, and procedures contain operational details

Policies are used to enforce violations, and procedures create penalties

Policies point to guidelines, and procedures are more contractual in nature

Policies are included in awareness training, and procedures give guidance

Policies are generic in nature, and procedures contain operational details

For privacy protected data, which of the following roles has the highest authority for establishing dissemination rules for the data?

Information Systems Security Officer

Which of the following BEST avoids data remanence disclosure for cloud hosted resources?

Strong encryption and deletion of the keys after data is deleted.

Strong encryption and deletion of the virtual host after data is deleted.

Software based encryption with two factor authentication.

Hardware based encryption on dedicated physical servers.

What is the MOST efficient way to secure a production program and its data?

Harden the application and encrypt the data

Disable default accounts and implement access control lists (ACL)

Harden the application and encrypt the data

Disable unused services and implement tunneling

Harden the servers and backup the data

Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)?

A data flow diagram for the application and attack surface analysis

Application interface entry and endpoints

The likelihood and impact of a vulnerability

Countermeasures and mitigations for vulnerabilities

A data flow diagram for the application and attack surface analysis

Which of the following secures web transactions at the Transport Layer?

Secure HyperText Transfer Protocol (S-HTTP)

Which of the following is the MOST effective method of mitigating data theft from an active user workstation?

Disable use of portable devices

Enable multifactor authentication

Disable use of portable devices

The BEST method to mitigate the risk of a dictionary attack on a system is to

encrypt the access control list (ACL).

Which of the following is an advantage of on-premise Credential Management Systems?

Control over system configuration

Improved credential interoperability

Control over system configuration

Lower infrastructure capital costs

Reduced administrative overhead

Which of the following prevents improper aggregation of privileges in Role Based Access Control (RBAC)?

The Clark-Wilson security model

The Bell-LaPadula security model

Which of the following is the BEST method to assess the effectiveness of an organization's vulnerability management program?

Periodic third party vulnerability assessment

Review automated patch deployment reports

Periodic third party vulnerability assessment

Automated vulnerability scanning

Perform vulnerability scan by security team

Which of the following is most helpful in applying the principle of LEAST privilege?

Establishing a sandboxing environment

Setting up a Virtual Private Network (VPN) tunnel

Monitoring and reviewing privileged sessions

Introducing a job rotation program

Which of the following explains why record destruction requirements are included in a data retention policy?

To comply with legal and business requirements

To save cost for storage and backup

What should happen when an emergency change to a system must be performed?

Testing and approvals must be performed quickly.

The change must be given priority at the next meeting of the change control board.

Testing and approvals must be performed quickly.

The change must be performed immediately and then submitted to the change board.

The change is performed and a notation is made in the system log.

Which of the following is the BEST approach to take in order to effectively incorporate the concepts of business continuity into the organization?

Develop training and awareness programs that involve all stakeholders

Ensure end users are aware of the planning activities

Validate all regulatory requirements are known and fully documented

Develop training and awareness programs that involve all stakeholders

Ensure plans do not violate the organization's cultural objectives and goals

Which of the following has the GREATEST impact on an organization's security posture?

International and country-specific compliance requirements

Security violations by employees and contractors

Resource constraints due to increasing costs of supporting security

Audit findings related to employee access and permissions process

In order for a security policy to be effective within an organization, it MUST include

disciplinary measures for non compliance.

strong statements that clearly define the problem.

a list of all standards that apply to the policy.

owner information and date of last revision.

disciplinary measures for non compliance.

What type of encryption is used to protect sensitive data in transit over a network?

Payload encryption and transport encryption

Keyed-Hashing for Message Authentication

Point-to-Point Encryption (P2PE)

Which of the following is a recommended alternative to an integrated email encryption system?

Encrypt sensitive data separately in attachments

Sign emails containing sensitive data

Send sensitive data in separate emails

Encrypt sensitive data separately in attachments

Store sensitive information to be sent in encrypted drives

ISC CISSP Practice Test 10 - Free Online Exam Prep & Questions

Which of the following could elicit a Denial of Service (DoS) attack against a credential management system?

Delayed revocation or destruction of credentials

Modification of Certificate Revocation List

Unauthorized renewal or re-issuance

Token use after decommissioning

Comment (0)

ISC CISSP Practice Test 10

Question

ISC CISSP Practice Tests

Practice Tests