An organization is found lacking the ability to properly establish performance indicators for its Web hosting solution during an audit. What would be the MOST probable cause?

Insufficient Service Level Agreement (SLA)

Absence of a Business Intelligence (BI) solution

Improper deployment of the Service-Oriented Architecture (SOA)

Insufficient Service Level Agreement (SLA)

What is the PRIMARY reason for implementing change management?

Ensure accountability for changes to the environment

Certify and approve releases to the environment

Provide version rollbacks for system changes

Ensure that all applications are approved

Ensure accountability for changes to the environment

Which of the following is a PRIMARY advantage of using a third-party identity service?

Consolidation of multiple providers

With what frequency should monitoring of a control occur when implementing Information Security Continuous Monitoring (ISCM) solutions?

Before and after each change of the control

Continuously without exception for all security controls

Before and after each change of the control

At a rate concurrent with the volatility of the security control

Only during system implementation and decommissioning

What should be the FIRST action to protect the chain of evidence when a desktop computer is involved?

Take the computer to a forensic lab

What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application?

Isolate the system from the network

Disable all unnecessary services

Prepare another backup of the system

Isolate the system from the network

A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following?

Protection from loss of organization resources

Guaranteed recovery of all business functions

Minimization of the need decision making during a crisis

Insurance against litigation following a disaster

Protection from loss of organization resources

When is a Business Continuity Plan (BCP) considered to be valid?

When it has been validated by realistic exercises

When it has been validated by the Business Continuity (BC) manager

When it has been validated by the board of directors

When it has been validated by all threat scenarios

When it has been validated by realistic exercises

Recovery strategies of a Disaster Recovery planning (DRIP) MUST be aligned with which of the following?

Cost/benefit analysis and business objectives

Hardware and software compatibility issues

Applications' critically and downtime tolerance

Budget constraints and requirements

Cost/benefit analysis and business objectives

Which of the following is the FIRST step in the incident response process?

Investigate all symptoms to confirm the incident

Determine the cause of the incident

Disconnect the system involved from the network

Isolate and contain the system involved

Investigate all symptoms to confirm the incident

A continuous information security monitoring program can BEST reduce risk through which of the following?

Facilitating system-wide visibility into the activities of critical user accounts

Collecting security events and correlating them to identify anomalies

Facilitating system-wide visibility into the activities of critical user accounts

Encompassing people, process, and technology

Logging both scheduled and unscheduled system changes

Which of the following is the PRIMARY risk with using open source software in a commercial software construction?

Costs associated with support of the software

License agreements requiring release of modified code

Expiration of the license agreement

Costs associated with support of the software

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?

After the business functional analysis and the data security categorization have been performed

After the system preliminary design has been developed and the data security categorization has been performed

After the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

Which of the following is the BEST method to prevent malware from being introduced into a production environment?

Test all new software in a segregated environment

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?

System acquisition and development

System operations and maintenance

What is the BEST approach to addressing security issues in legacy web applications?

Protect the legacy application with a web application firewall

Migrate to newer, supported applications where possible

Protect the legacy application with a web application firewall

Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?

Test for the security patch level of the environment

Check arguments in function calls

Test for the security patch level of the environment

Digitally sign each application module

Which of the following methods protects Personally Identifiable Information (PII) by use of a full replacement of the data element?

Transparent Database Encryption (TDE)

Column level database encryption

Which of the following elements MUST a compliant EU-US Safe Harbor Privacy Policy contain?

An of who can be contacted at the organization collecting the information if corrections are required by the data subject.

An of how long the data subject's collected information will be retained for and how it will be eventually disposed.

An of who can be contacted at the organization collecting the information if corrections are required by the data subject.

An of the regulatory frameworks and compliance standards the information collecting organization adheres to.

An of all the technologies employed by the collecting organization in gathering information on the data subject.

What is the MOST effective countermeasure to a malicious code attack against a mobile system?

Public-Key Infrastructure (PKI)

Which of the following is the BEST mitigation from phishing attacks?

Corporate policy and procedures

Strong file and directory permissions

Which of the following is a physical security control that protects Automated Teller Machines (ATM) from skimming?

Intrusion Prevention System (IPS)

Which of the following is an essential element of a privileged identity lifecycle management?

Regularly perform account re-validation and approval

Account provisioning based on multi-factor authentication

Frequently review performed activities and request justification

Account information to be provided by supervisor or line manager

Which Hyper Text Markup Language 5 (HTML5) option presents a security challenge for network data leakage prevention and/or monitoring?

Cross Origin Resource Sharing (CORS)

Document Object Model (DOM) trees

Web Interface Definition Language (IDL)

Which of the following statements is TRUE of black box testing?

Only the functional specifications are known to the test planner.

Only the source code and the design documents are known to the test planner.

Only the source code and functional specifications are known to the test planner.

Only the design documents and the functional specifications are known to the test planner.

Which of the following is a limitation of the Common Vulnerability Scoring System (CVSS) as it relates to conducting code review?

It aims to calculate the risk of published vulnerabilities.

It has normalized severity ratings.

It has many worksheets and practices to implement.

It aims to calculate the risk of published vulnerabilities.

It requires a robust risk management framework to be put in place.

Which of the following is the MOST important consideration when storing and processing Personally Identifiable Information (PII)?

Adherence to collection limitation laws and regulations.

Encrypt and hash all PII to avoid disclosure and tampering.

Store PII for no more than one year.

Avoid storing PII in a Cloud Service Provider.

Adherence to collection limitation laws and regulations.

Which of the following assessment metrics is BEST used to understand a system's vulnerability to potential exploits?

Identifying the number of security flaws within the system

Determining the probability that the system functions safely during any time period

Quantifying the system's available services

Identifying the number of security flaws within the system

Measuring the system's integrity in the presence of failure

Which of the following MUST be part of a contract to support electronic discovery of data stored in a cloud environment?

Identification of data location

Integration with organizational directory services for authentication

Accommodation of hybrid deployment models

Identification of data location

When transmitting information over public networks, the decision to encrypt it should be based on

the level of confidentiality of the information.

the estimated monetary value of the information.

whether there are transient nodes relaying the transmission.

the level of confidentiality of the information.

Logical access control programs are MOST effective when they are

made part of the operating system.

combined with security token technology.

maintained by computer security officers.

made part of the operating system.

ISC CISSP Practice Test 2 - Free Online Exam Prep & Questions

Question 1 / 40

Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

Management teams will understand the testing objectives and reputational risk to the organization

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

Comment (0)

ISC CISSP Practice Test 2

Question

ISC CISSP Practice Tests

Practice Tests