CISSP - Mock Questions with all domains

An attacker is using brute force on a user accounts password to gain access to our systems. We have not implemented clipping levels yet. Which of these other countermeasures could help mitigate brute force attacks?

Options are :

  • Rainbow tables.
  • Minimum password age.
  • Key stretching. (Correct)
  • Password complexity.

Answer : Key stretching.

Explanation Key stretching: the password hash is computed through many iterations of a slow function (PBKDF2, bcrypt, scrypt, Argon2) so that verifying a single password costs a noticeable amount of work, on the order of a fraction of a second to a second or two. A legitimate user logs in once and does not notice; an attacker who needs millions of guesses pays that cost millions of times, which makes the brute force attack infeasible. A brute force attack tries the entire keyspace (every possible key or password); given enough time it will break any key-based cipher except the one-time pad. Against a one-time pad, exhaustive search produces every plausible plaintext as a candidate, so the correct one cannot be recognized and the result is useless.


When we add salting to our hashed password, what would that possibly protect us against?

Options are :

  • Brute force.
  • Physical access.
  • Rainbow tables. (Correct)
  • Smurf attacks.

Answer : Rainbow tables.

Explanation Salt (salting): random data used as an additional input to the one-way function that hashes a password or passphrase, stored next to the resulting hash. Because each user's hash is computed over a different salt, an attacker cannot use a precomputed dictionary or rainbow table, and cannot crack many accounts in one pass: every hash has to be attacked individually.

When we swipe an access card, it is using which technology?

Options are :

  • Magnetic stripe. (Correct)
  • Contactless cards.
  • Contact cards.
  • HOTP tokens.

Answer : Magnetic stripe.

Explanation Magnetic stripe cards: swiped through a reader; the card holds no chip or circuit, and the data on the stripe can be read and cloned with cheap equipment, so they are very easy to duplicate.

After we have implemented biometrics in our organization, we are having issues with too high rejection rate of authorized employees. Which of these is the false rejection rate?


Options are :

  • A
  • B
  • C (Correct)

Answer : C

Explanation FRR (False Rejection Rate), Type I error: authorized users are rejected. A sensitivity setting that is too strict drives the FRR up. The trade-off is against the FAR (False Acceptance Rate, Type II error: impostors are accepted); the point where the two curves cross is the CER (Crossover Error Rate), which is how biometric systems are compared. The figure the question refers to is not reproduced here.


Which of these countermeasures would be the LEAST effective against brute force attacks?

Options are :

  • Salting. (Correct)
  • Key stretching.
  • Limit number of wrong logins.
  • Strong password requirements.

Answer : Salting.

Explanation Salting adds random data to each password before hashing. It does not slow a brute force attack on a single account at all: the attacker simply includes the stored salt in every guess. What salting does is defeat precomputed (rainbow) tables and force each hash to be attacked separately. Key stretching and limiting the number of wrong logins are good countermeasures; complex passwords help, but will eventually be broken given enough time.
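The three questions above (key stretching, salting, and what salting does not do) are easiest to see in code. This is an added example, not part of the course material: it stores passwords with PBKDF2-HMAC-SHA256 from the Python standard library, shows that the same password hashed with two fresh salts gives two different digests, and estimates what the per-guess cost does to a brute force attack. The iteration count and the 26^8 keyspace are assumptions for illustration.

```python
# Added example (not from the course material): salted, stretched password
# storage with PBKDF2-HMAC-SHA256, plus a helper that shows why stretching
# makes brute force infeasible.
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Work factor assumed for this example; tune it so one verification costs a
# noticeable fraction of a second on your hardware (OWASP / NIST give guidance).
DEFAULT_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh 16-byte random salt is generated when
    none is supplied, so two users with the same password get different hashes."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute the stretched hash with the stored salt; compare in constant time."""
    _, dk = hash_password(password, salt, iterations)
    return hmac.compare_digest(dk, expected)


def salted_hashes_differ(password: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """The same password hashed twice with fresh salts yields two different
    digests, which is what defeats a precomputed (rainbow) table."""
    _, a = hash_password(password, None, iterations)
    _, b = hash_password(password, None, iterations)
    return a != b


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one PBKDF2 verification at the given work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, iterations)
    return (time.perf_counter() - start) / samples


def brute_force_seconds(guesses: int, cost_per_guess: float) -> float:
    """Time an attacker needs for `guesses` attempts at `cost_per_guess` seconds each.
    The salt does not change this number; it only stops precomputation."""
    return guesses * cost_per_guess


if __name__ == "__main__":
    salt, dk = hash_password("correct horse battery staple")
    print("verify right password:", verify_password("correct horse battery staple", salt, dk))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", salt, dk))
    print("fresh salts give different hashes:", salted_hashes_differ("password123"))
    cost = seconds_per_guess(DEFAULT_ITERATIONS)
    # Assumed attacker model: 8-character lowercase keyspace, one CPU core, no GPU.
    years = brute_force_seconds(26 ** 8, cost) / (86400 * 365)
    print(f"{cost:.4f} s/guess -> 26^8 guesses take about {years:.1f} years on one core")
```

The `iterations` parameter is what the exam calls key stretching; raising it is the knob that makes each guess expensive for the attacker and barely noticeable for the user. Store the salt, the iteration count and the digest together so the count can be raised later without breaking existing accounts.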

We are using our username and password online. What can we add to that to get multifactor authentication?

Options are :

  • PINs.
  • Passphrases.
  • Challenge response.
  • Cookies. (Correct)

Answer : Cookies.

Explanation The cookie is a possession factor (something you have: it lives on the device that was previously enrolled), so username, password and cookie together span two factor types. PINs, passphrases and challenge-response questions are all knowledge factors, the same type as the password, so adding one of them would not make the authentication multifactor. Note that a cookie is a weak possession factor in practice, since it can be copied off the machine by malware or a session-hijacking attack.

Looking at the authentication methods we use, which type is expected to be something you memorize?

Options are :

  • Type 1. (Correct)
  • Type 2.
  • Type 3.
  • Type 0.

Answer : Type 1.

Explanation Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors.


Storing passwords in plaintext on a server is obviously a big security vulnerability. Why would an organization choose to do that?

Options are :

  • Because plaintext is more secure than encrypted.
  • Because the server is secure enough to not need the password encryption.
  • Access controls are only used on critical systems.
  • It is slightly faster than having to decrypt or check the password hash when the user tries to log in. (Correct)

Answer : It is slightly faster than having to decrypt or check the password hash when the user tries to log in.

Explanation Checking a hashed or encrypted password costs a little CPU time on every login (deliberately so, when key stretching is used), and on older systems that could take a second or two. That saving is never a valid reason: passwords must never be stored in plaintext.

Within our organization, it is important that we have a layered defense strategy. Which of these would be an example of a recovery access control?

Options are :

  • Encryption.
  • Alarms
  • Backups. (Correct)
  • Patches.

Answer : Backups.

Explanation Recovery: Controls that help us Recover after an attack – DR Environment, Backups, HA Environments .


In our risk analysis, we are looking at the total risk of a vulnerability. What would we look at to find the total risk?

Options are :

  • Threat + vulnerability.
  • Threat * vulnerability.
  • Threat * vulnerability * asset value. (Correct)
  • (threat * vulnerability * asset value) - countermeasures.

Answer : Threat * vulnerability * asset value.

Explanation Total Risk = Threat * Vulnerability * Asset Value.

We are looking at the different classifications for access controls. Which of these is a type of detective access control?

Options are :

  • Encryption.
  • Backups.
  • Patches.
  • Intrusion detection systems. (Correct)

Answer : Intrusion detection systems.

Explanation IDSs (Intrusion Detection Systems) on our network capture traffic and alert on what is seen as malicious. They can be categorized into two types by placement and two approaches to identifying malicious traffic.
  • Network based (NIDS): placed on a network segment (a switch port in promiscuous mode, or a SPAN/mirror port).
  • Host based (HIDS): installed on a client, normally a server or workstation.
  • Signature (pattern) matching: similar to antivirus, it matches traffic against a long list of known malicious traffic patterns.
  • Heuristic (behavioral): uses a baseline of normal traffic and monitors for abnormal traffic.

Looking at the governance of our organization, our standards could be described by which of these?

Options are :

  • Non-specific, but can contain patches, updates, strong encryption.
  • Specific: all laptops are W10, 64-bit, 8GB memory. (Correct)
  • Low level step-by-step guides.
  • Recommendations.

Answer : Specific: all laptops are W10, 64-bit, 8GB memory.

Explanation Standards – Mandatory. Describes a specific use of technology (All laptops are W10, 64-bit, 8GB memory, etc.)


In our quantitative risk analysis, we are looking at the ARO. What does that tell us?

Options are :

  • How many times it happens per year. (Correct)
  • What percentage of the asset value is lost.
  • What will it cost us it if happens once.
  • What will it cost us per year if we do nothing.

Answer : How many times it happens per year.

Explanation Annual Rate of Occurrence (ARO) – How often will this happen each year?

Where would be a good place for us to NOT implement defense in depth?

Options are :

  • Our data centers.
  • Nowhere. (Correct)
  • Our call center.
  • Our VPNs

Answer : Nowhere.

Explanation We implement defense in depth everywhere, so there is nowhere we would NOT implement it. Read the question carefully: the "NOT" in the question and the "nowhere" in the answer form a double negative that cancels out. The exam does intend to trick you with wording like this at times, especially if English is not your first language.

We are in criminal court and the defendant says we used enticement. In this setting, enticement is which of these?

Options are :

  • A solid legal defense strategy.
  • Not a solid legal defense strategy. (Correct)
  • Something we can do without consulting our legal department.
  • Legal and unethical.

Answer : Not a solid legal defense strategy.

Explanation Enticement (Legal and ethical): Making committing a crime more enticing, but the person has already broken the law or at least has decided to do so. Honeypots can be a good way to use enticement. Have open ports or services on a server that can be attacked. Enticement is not a valid defense.


One of our senior VPs calls you up to explain a term he heard at a conference. He heard about cybersquatting and wants to know more. Which of these is TRUE about it?

Options are :

  • Always illegal.
  • Potentially illegal.
  • Legal. (Correct)
  • Never profitable.

Answer : Legal.

Explanation Cybersquatting: registering a domain name you know someone else will want, in order to sell it at a large profit. Buying a domain name before someone else does is not in itself illegal, which is the exam's answer. The caveat a practitioner should know: registering a name identical or confusingly similar to someone's trademark, in bad faith, can be actionable (in the US under the Anticybersquatting Consumer Protection Act), so "legal" holds for the general case, not for every case.

As an IT Security professional, you are expected to perform due care. What does this mean?

Options are :

  • Researching and acquiring the knowledge to do your job right.
  • Do what is right in the situation and your job. Act on the knowledge. (Correct)
  • Continue the security practices of your company.
  • Apply patches annually.

Answer : Do what is right in the situation and your job. Act on the knowledge.

Explanation Due Care – Prudent person rule – What would a prudent person do in this situation? Implementing the IT Security architecture, keep systems patched. If compromised: fix the issue, notify affected users (Follow the Security Policies to the letter).

Senior management is looking at the ISO27799 standard. What is it focused around?

Options are :

  • ITSM.
  • Protecting PHI. (Correct)
  • Risk management.
  • PCI-DSS.

Answer : Protecting PHI.

Explanation ISO 27799: Directives on how to protect PHI (Personal Health Information).


We are working on our risk management and we are doing quantitative risk analysis. What does the ALE tell us?

Options are :

  • How many times it happens per year.
  • What percentage of the asset value is lost.
  • What will it cost us if it happens once.
  • What will it cost us per year if we do nothing. (Correct)

Answer : What will it cost us per year if we do nothing.

Explanation Annualized Loss Expectancy (ALE) – This is what it cost per year if we do nothing.

With the CIA triad in mind, when we choose to have too much integrity, which other control will MOST LIKELY suffer?

Options are :

  • Confidentiality.
  • Availability. (Correct)
  • Identity.
  • Accountability.

Answer : Availability.

Explanation Finding the right mix of Confidentiality, Integrity and Availability is a balancing act. This is really the cornerstone of IT Security – finding the RIGHT mix for your organization. Too much Integrity and the Availability can suffer.

Which of these would NOT be a factor we would consider to protect our availability?

Options are :

  • Patch management.
  • Redundant hardware.
  • SLA's.
  • Non-redundant hardware. (Correct)

Answer : Non-redundant hardware.

Explanation To ensure availability we use: IPS/IDS, patch management, redundancy in hardware (multiple power supplies, UPSs, generators), disks (RAID), traffic paths (network design), HVAC, staff, HA (high availability) environments and much more. SLAs define how much uptime we want (99.9%?) and what it is worth to us (ROI). Non-redundant hardware is the opposite of what we want.


We are looking at our risk responses. We are considering buying insurance to cover the gaps we have. Which type of response would that be?

Options are :

  • Risk transference. (Correct)
  • Risk rejection.
  • Risk avoidance.
  • Risk mitigation.

Answer : Risk transference.

Explanation Transfer the Risk – The Insurance Risk approach – We could get flooding insurance for the Data Center, the flooding will still happen, we will still lose 15% of the infrastructure, but we are insured for cost.

Jane has suggested we implement full disk encryption on our laptops. Our organization, on average, loses 25 laptops per year, and currently it costs us $10,000 per laptop. The laptop itself costs $1,000, as well as $9,000 in losses from non-encrypted data being exposed. We want to keep using laptops, and have our ARO (Annualized Rate of Occurrence) stay the same. How much can the countermeasures we implement cost, for us to break even?

Options are :

  • 2250000
  • 225000 (Correct)
  • 250000
  • 22500

Answer : 225000

Explanation If we implemented full disk encryption, the break-even point would be $225,000 per year. We would still lose the 25 laptops per year ($1,000 each), so that $25,000 per year is lost regardless of encryption. What we would save is the 25 * $9,000 = $225,000 per year from non-encrypted data exposure. That saving is the most we can spend on the countermeasure each year.

Laws, regulations, and standards should not be confused. Which of these are NOT a law?

Options are :

  • HIPAA.
  • PCI-DSS. (Correct)
  • Homeland security act.
  • Gramm-Leach-Bliley act.

Answer : PCI-DSS.

Explanation Payment Card Industry Data Security Standard (PCI-DSS) – Technically not a law. Created by the payment card industry. The standard applies to cardholder data for both credit and debit cards. Requires merchants and others to meet a minimum set of security requirements. Mandates security policy, devices, control techniques, and monitoring.


When we are authenticating our employees, which of these would NOT be considered useful?

Options are :

  • Something you are.
  • Something you know.
  • Something you believe. (Correct)
  • Something you have.

Answer : Something you believe.

Explanation Something you know - Type 1 Authentication (passwords, passphrase, PIN etc.). Something you have - Type 2 Authentication (ID, passport, smart card, token, cookie on PC etc.). Something you are - Type 3 Authentication, biometrics (fingerprint, iris scan, facial geometry etc.). Somewhere you are - Type 4 Authentication (IP/MAC address). Something you do - Type 5 Authentication (signature, pattern unlock). "Something you believe" is not an authentication factor.

Which type of companies are subject to the Sarbanes-Oxley act (SOX)?

Options are :

  • Private companies.
  • Publicly traded companies. (Correct)
  • Healthcare companies.
  • Startup companies.

Answer : Publicly traded companies.

Explanation Sarbanes-Oxley Act of 2002 (SOX): Directly related to the accounting scandals in the late 90’s. Regulatory compliance mandated standards for financial reporting of publicly traded companies. Intentional violations can result in criminal penalties.

We are looking at lowering our risk profile and we are doing our quantitative risk analysis. What would EF tell us?

Options are :

  • How many times it happens per year.
  • What percentage of the asset value is lost. (Correct)
  • What will it cost us if it happens once.
  • What will it cost us per year if we do nothing.

Answer : What percentage of the asset value is lost.

Explanation Exposure factor (EF) – Percentage of Asset Value lost?
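The ARO, ALE and EF questions and the laptop break-even question all use the same chain of formulas: SLE = AV * EF, ALE = SLE * ARO, and the value of a countermeasure = (ALE before) - (ALE after) - (annual cost of the control). The following is an added example, not from the course material, that carries the laptop scenario through those formulas; the $80,000 rollout cost at the end is an assumption for illustration.

```python
# Added example (not from the course material): the quantitative risk
# formulas SLE = AV x EF, ALE = SLE x ARO, and the cost/benefit of a
# countermeasure, applied to the lost-laptop scenario.
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float      # AV: value of one asset exposure, in currency
    exposure_factor: float  # EF: fraction of the asset value lost per incident (0..1)
    aro: float              # ARO: how many times the incident happens per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: what one occurrence costs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: what it costs per year if we do nothing."""
        return self.sle * self.aro


def max_countermeasure_cost(before: RiskScenario, after: RiskScenario) -> float:
    """Annual budget at which the countermeasure breaks even (the ALE reduction)."""
    return before.ale - after.ale


def countermeasure_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Cost/benefit: (ALE before) - (ALE after) - (annual cost of the control).
    Positive means the control is worth buying; negative means it costs more than it saves."""
    return before.ale - after.ale - annual_cost


# Laptop scenario: 25 lost per year, $10,000 per loss ($1,000 hardware + $9,000 data).
LAPTOPS_UNENCRYPTED = RiskScenario(asset_value=10_000, exposure_factor=1.0, aro=25)
# With full disk encryption only the $1,000 hardware is lost: EF drops to 0.1, ARO unchanged.
LAPTOPS_ENCRYPTED = RiskScenario(asset_value=10_000, exposure_factor=0.1, aro=25)

if __name__ == "__main__":
    print("ALE without encryption:", LAPTOPS_UNENCRYPTED.ale)  # 250000.0
    print("ALE with encryption:   ", LAPTOPS_ENCRYPTED.ale)    # 25000.0
    print("break-even budget/year:", max_countermeasure_cost(LAPTOPS_UNENCRYPTED, LAPTOPS_ENCRYPTED))  # 225000.0
    # Assumed price of the encryption rollout for illustration: $80,000 per year.
    print("value at $80k/year:    ", countermeasure_value(LAPTOPS_UNENCRYPTED, LAPTOPS_ENCRYPTED, 80_000))  # 145000.0
```

Modelling encryption as a change in EF (the data is no longer exposed) rather than in ARO (laptops are still lost at the same rate) is what the question means by keeping the ARO the same; a control such as cable locks or asset tracking would instead lower the ARO.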


We are in a court where the evidence must be "the majority of the proof." Which type of law does that relate to?

Options are :

  • Civil law. (Correct)
  • Criminal law.
  • Administrative law.
  • Private regulations.

Answer : Civil law.

Explanation Civil law (tort law): individuals, groups or organizations are the victims, and the standard of proof is "the majority of the proof" (a preponderance of the evidence), lower than the "beyond a reasonable doubt" standard of criminal law. The remedy is financial: damages to compensate the victim(s).

Our organization has a lot of different and diverse leadership. Who is responsible for the day-to-day leadership?

Options are :

  • The CEO. (Correct)
  • The CFO
  • The CIO.
  • The CSO.

Answer : The CEO.

Explanation The Chief Executive Officer is responsible for the day to day leadership of the organization, the board may provide the direction.

What would we do during the e-discovery process?

Options are :

  • Discover all the electronic files we have in our organization.
  • Produce electronic information to our internal legal team who will present it in court. (Correct)
  • Make sure we keep data long enough in our retention policies for us to fulfil the legal requirements for our state and sector.
  • Delete data that has been requested if the retention period has expired.

Answer : Produce electronic information to our internal legal team who will present it in court.

Explanation e-Discovery, or discovery of electronically stored information (ESI), is the process of producing all relevant electronic documentation to our legal counsel, who will then present it in court or hand it to external attorneys in a legal proceeding.


Looking at the data classifications classes of the US government: data that, if disclosed, won't cause any harm to national security, would be classified as?

Options are :

  • Unclassified. (Correct)
  • Unregulated.
  • Secret.
  • Common knowledge.

Answer : Unclassified.

Explanation Unclassified information isn't sensitive, and unauthorized disclosure won't cause any harm to national security.

Which of these is a COMMON attack against data at rest?

Options are :

  • Stealing unencrypted laptops. (Correct)
  • MITM.
  • Screen scrapers.
  • Keyloggers.

Answer : Stealing unencrypted laptops.

Explanation A laptop that carries copies of data from our databases and is not encrypted is a very good attack vector for someone wanting to steal that data: physical theft hands them the data at rest. The other options target data in transit (MITM) or data in use (screen scrapers, keyloggers).

In designing our data retention policy, which of these should NOT be a consideration?

Options are :

  • Which data do we keep?
  • How long do we keep the data?
  • Where do we keep the backup data?
  • How to safely destroy the data after the retention has expired? (Correct)

Answer : How to safely destroy the data after the retention has expired?

Explanation A data destruction policy would address how we deal with data no longer needed, the retention policy would only deal with what, how long, where and similar topics.


We have many policies we need to adhere to in our organization. Which of these would be part of our clean desk policy?

Options are :

  • Minimal use of paper copies and only used while at the desk and in use. (Correct)
  • Cleaning your desk of all the clutter.
  • Shred all paper copies everything.
  • Picking up anything you print as soon as you print it.

Answer : Minimal use of paper copies and only used while at the desk and in use.

Explanation As part of a clean desk policy we should only use paper copies of sensitive data when strictly needed.

What are we trying to get rid of with when we do our data disposal?

Options are :

  • Data remanence. (Correct)
  • How long we keep the data.
  • The data content.
  • The data in use.

Answer : Data remanence.

Explanation When we dispose of our data media we are making sure there is no data remanence on our hard disks, tapes, etc.

Which of these is a personally identifiable indicator protected under the HIPAA rules?

Options are :

  • Name.
  • Zip code.
  • License plate.
  • All of these. (Correct)

Answer : All of these.

Explanation Under the US Health Insurance Portability and Accountability Act (HIPAA), PHI is considered linked to an individual through any of the following 18 identifiers, which must be treated with special care:
  1. Names.
  2. All geographical identifiers smaller than a state.
  3. Dates (other than year).
  4. Phone numbers.
  5. Fax numbers.
  6. Email addresses.
  7. Social Security numbers.
  8. Medical record numbers.
  9. Health insurance beneficiary numbers.
  10. Account numbers.
  11. Certificate/license numbers.
  12. Vehicle identifiers and serial numbers, including license plate numbers.
  13. Device identifiers and serial numbers.
  14. Web Uniform Resource Locators (URLs).
  15. Internet Protocol (IP) address numbers.
  16. Biometric identifiers, including finger, retinal and voice prints.
  17. Full face photographic images and any comparable images.
  18. Any other unique identifying number, characteristic, or code, except the unique code assigned by the investigator to code the data.


In our technology refresh cycle we need to dispose of old hardware. What would we do for proper data disposal of SSD drives if we need to keep the drives intact?

Options are :

  • Degaussing.
  • Formatting.
  • Deleting all files.
  • Overwriting. (Correct)

Answer : Overwriting.

Explanation SSDs cannot be degaussed (there is nothing magnetic to erase), and formatting or deleting files only removes the file system structure; most if not all of the data is recoverable. Of the options given, overwriting all the data with random 0s and 1s is the answer. The practitioner's caveat: overwriting is also imperfect on SSDs, because wear levelling and over-provisioning mean the drive controller may keep old copies in blocks the host cannot address. When the drive must stay intact, prefer the drive's built-in sanitize command (ATA Secure Erase, NVMe Sanitize) or cryptographic erase (destroying the key of a self-encrypting drive), and verify the result.

When a system has been certified, what does that mean?

Options are :

  • It has met the data owners security requirements. (Correct)
  • It has met the data stewards security requirements.
  • The data owner has accepted the certification and the residual risk, which is required before the system is put into production.
  • The data steward has accepted the certification and the residual risk, which is required before the system is put into production.

Answer : It has met the data owners security requirements.

Explanation Certification is when a system has been certified to meet the security requirements of the data owner. Certification considers the system, the security measures taken to protect the system, and the residual risk represented by the system.

What would we encrypt, when we are dealing with sensitive data?

Options are :

  • USB drives.
  • Wireless access points.
  • Laptops.
  • All of these. (Correct)

Answer : All of these.

Explanation When dealing with sensitive data we want to encrypt as much as possible while still keeping data availability acceptable.


We need to ensure proper security measures in place when we are dealing with Personally identifiable information (PII). Which of these is NOT considered PII?

Options are :

  • Address.
  • Birthday.
  • Marital status.
  • Cookies on your PC. (Correct)

Answer : Cookies on your PC.

Explanation Personally identifiable information (PII) is any information about an individual that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Which of these would NOT have any data remanence after the system has been completely disconnected from power for 10 minutes?

Options are :

  • Hard disks.
  • Read only memory.
  • Random access memory. (Correct)
  • Tapes.

Answer : Random access memory.

Explanation RAM (random access memory) loses its contents within seconds to a few minutes after power is removed, so after 10 minutes unpowered there is no remanence left. The caveat: chilled DRAM retains data considerably longer, which is what cold boot attacks exploit, so a machine that was powered off moments ago is not yet safe. Hard disks, tapes and ROM retain their data indefinitely without power.

Which security principle is Bell-LaPadula based on?

Options are :

  • Integrity.
  • Confidentiality. (Correct)
  • Availability.
  • Authentication.

Answer : Confidentiality.

Explanation Bell-LaPadula (confidentiality, mandatory access control). Simple Security Property: "no read up"; subjects with Secret clearance can't read Top Secret data. * (star) Security Property: "no write down"; subjects with Top Secret clearance can't write Top Secret information to Secret folders. Strong * Property: "no read or write up or down"; subjects can ONLY access data at their own level.


How many keys would we have if we had 100 users using symmetric encryption?

Options are :

  • 200
  • 100
  • 4950 (Correct)
  • 2000

Answer : 4950

Explanation Symmetric encryption needs a separate shared key for every pair of users: n(n-1)/2 keys for n users. With 100 users that is 100 * 99 / 2 = 4950 keys. (Asymmetric encryption would need only one key pair per user, 2n = 200 keys, which is why it scales better.)

Which of these is NOT part of our server hardening?

Options are :

  • Blocking ports not required by the server.
  • Applying all patches.
  • Disabling default user accounts.
  • Enable the USB drives on the servers. (Correct)

Answer : Enable the USB drives on the servers.

Explanation Hardware Hardening: On our servers - we harden the server. Apply all patches, block ports not needed, delete default users, … most places are good about this.

We are designing a new data center. Which of these if installed should ALWAYS prevent power fluctuations?

Options are :

  • PDU.
  • UPS. (Correct)
  • CPU.
  • Batteries.

Answer : UPS.

Explanation UPSs (Uninterruptible Power Supplies) ensure constant clean power to the systems: large battery banks take over in the event of a power outage, and the unit conditions incoming power, acting as a surge protector. Note that only an online (double-conversion) UPS always isolates the load from the mains; a cheaper standby UPS passes utility power through until it fails, so the type matters when the requirement is to ALWAYS prevent fluctuations.


We are designing a new data center. At a presentation to senior management and the board of directors, you are asked: "Why do we need to keep the humidity controlled in the data center?" What should your reply be?

Options are :

  • To keep it nice in there for employees.
  • To prevent corrosion on our equipment.
  • To ensure the data is safe. (Correct)
  • To prevent EMI.

Answer : To ensure the data is safe.

Explanation To ensure the data is safe: We want to keep the humidity between 40 and 60% rH (Relative Humidity), too low humidity will cause static electricity and high humidity will corrode metals (electronics). While "Prevent corrosion" is correct, "Keep data safe" is more correct.

When we are replacing memory sticks in a server, we should use which of these to prevent damage to hardware when handling it?

Options are :

  • A dark data center.
  • Proper humidity.
  • A sharp screwdriver.
  • Antistatic equipment. (Correct)

Answer : Antistatic equipment.

Explanation Static Electricity: Can be mitigated by proper humidity control, grounding all circuits, using antistatic wrist straps and work surfaces. All personnel working with internal computer equipment (motherboards, insert cards, memory sticks, hard disks) should ground themselves before working with the hardware.

We have smoke photoelectric detectors installed in our data center. What do they detect?

Options are :

  • The infrared light emitted from a fire.
  • A change in the light indicating higher particle density. (Correct)
  • A rise in temperature indicating a fire.
  • If the light is off in the data center.

Answer : A change in the light indicating higher particle density.

Explanation Smoke Detectors: Photoelectric uses LED (Light Emitting Diode) and a photoelectric sensor that produces a small charge while receiving light. Triggers when smoke or any higher particle density interrupts the light.


We have seen an increasing number of viruses on our systems. As part of our defense in depth, we have implemented multiple overlapping countermeasures to mitigate the issues we have been having with viruses. Which of these are types of viruses? (Select all that apply).

Options are :

  • Boot Sector. (Correct)
  • Polymorphic. (Correct)
  • Logic Bombs.
  • Trojans.
  • Packers.
  • Macro. (Correct)

Answer : Boot Sector. Polymorphic. Macro.

Explanation Viruses require some sort of human interaction and are often transmitted by USB sticks or other portable devices. When the infected program is executed, they replicate by inserting their own code into other programs. Logic bombs and Trojans are separate malware categories, and packers are a tool used to compress or obfuscate malware, so none of those three is a type of virus.
  • Macro (document) viruses: written in macro languages; embedded in other documents (Word, Outlook).
  • Boot sector viruses: infect the PC's boot sector or the Master Boot Record, ensuring the virus runs every time the PC boots.
  • Stealth viruses: try to hide themselves from the OS and antivirus software.
  • Polymorphic viruses: change their signature to avoid antivirus signature definitions. Well-written polymorphic viruses have no parts that remain identical between infections, making them very difficult to detect with signatures alone.
  • Multipartite viruses: spread across multiple vectors. They are often hard to get rid of because even if you clean the file infections, the virus may still be in the boot sector, and vice versa.

In newer computer architecture, we have split the bus into a north and a south bridge. The north bridge is much faster than the south bridge. Which of these is the north bridge?


Options are :

  • A
  • B (Correct)
  • C

Answer : B

Explanation The Northbridge (Host bridge) is connected to the CPU, the RAM, GPU and the south bridge. The south bridge is connected to the peripherals and the north bridge. There are no North/Southbridge standards, but they must be able to work with each other.

What is the MOST important to secure the safety of FIRST in an emergency?

Options are :

  • Staff. (Correct)
  • Critical servers.
  • The building.
  • Backups.

Answer : Staff.

Explanation Remember people are always more important to protect than stuff.


Halon is by far the best fire suppression. It can keep hardware, employees, and our building safer by putting the fires out more efficiently. Why is it we no longer use Halon in our fire suppression systems?

Options are :

  • It is too expensive.
  • It is not very good at putting fires out.
  • It depletes the ozone layer. (Correct)
  • It damages hardware.

Answer : It depletes the ozone layer.

Explanation Halon 1301 was the industry standard for protecting high-value assets from fire from the mid-1960s. It has many benefits: it is fast-acting, safe for the assets, and requires little storage space. It is no longer widely used because it depletes atmospheric ozone and is potentially harmful to humans. In some countries legislation requires existing systems to be removed; in others it is still permitted to keep them running with recycled Halon. New systems have not been installed since 1994, when production was banned under the Montreal Protocol (now ratified by 197 countries). A few exceptions for "essential uses" remain, such as inhalers for asthma and fire suppression in submarines and aircraft.

We use different types of fire suppression depending on where it is and what is in that location. Which areas would it be appropriate for us to use CO2 fire suppression?

Options are :

  • In unmanned areas. (Correct)
  • In our data center.
  • In all of our offices.
  • In the bathrooms.

Answer : In unmanned areas.

Explanation CO2: Should only be used in unmanned areas. It is colorless and odorless and causes people in it to pass out and then die. Staff working in an area of their organization where CO2 is used should be properly trained in CO2 safety.

If you are faced with a fire and you need to use a fire extinguisher, which method should you use?

Options are :

  • RACE.
  • PACE.
  • PASS. (Correct)
  • GASS.

Answer : PASS.

Explanation Use the PASS method to extinguish a fire with a portable fire extinguisher: Pull the pin in the handle. Aim at the base of the fire. Squeeze the lever slowly. Sweep from side to side.


Which type of fire extinguisher would you use on a metal fire?

Options are :

  • Wet chemical.
  • Dry powder. (Correct)
  • Soda-Acid.
  • Class A.

Answer : Dry powder.

Explanation Dry Powder Extinguishers (sodium chloride, graphite, ternary eutectic chloride). Lowers the temperature and removes oxygen in the area. Primarily used for metal fires (sodium, magnesium, graphite).

If we are using the Bell-LaPadula "simple security property", what can't we do?

Options are :

  • Read down.
  • Read up. (Correct)
  • Write down.
  • Write up.

Answer : Read up.

Explanation Bell-LaPadula (confidentiality, mandatory access control). Simple Security Property: "no read up"; subjects with Secret clearance can't read Top Secret data.
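The two Bell-LaPadula questions (the "which principle" question earlier and the "simple security property" question here) come down to two comparisons a reference monitor makes on every access. The following is an added example, not from the course material, implementing those checks in Python. It goes slightly beyond the level-only description above: labels also carry a set of need-to-know categories, and "dominates" means a higher-or-equal level and a superset of categories, which is how the model is actually defined. The clearance levels and category names are assumptions for illustration.

```python
# Added example (not from the course material): a minimal Bell-LaPadula
# reference monitor with hierarchical levels plus need-to-know categories.
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    level: Level
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A label dominates another when its level is at least as high AND it
        holds every category the other has (the lattice ordering BLP uses)."""
        return self.level >= other.level and self.categories >= other.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple Security Property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """* (star) Property ("no write down"): the object must dominate the subject,
    so a Top Secret subject cannot write into a Secret folder (it could leak)."""
    return obj.dominates(subject)


def can_access_strong_star(subject: Label, obj: Label) -> bool:
    """Strong * Property: read and write only at exactly the subject's own label."""
    return subject == obj


def mediate(subject: Label, obj: Label, mode: str) -> bool:
    """Reference-monitor decision for mode 'read' or 'write' under BLP."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError(f"unknown access mode: {mode}")


if __name__ == "__main__":
    secret_user = Label(Level.SECRET, frozenset({"CRYPTO"}))
    ts_doc = Label(Level.TOP_SECRET, frozenset({"CRYPTO"}))
    secret_doc = Label(Level.SECRET, frozenset({"CRYPTO"}))
    conf_doc = Label(Level.CONFIDENTIAL)
    print("Secret reads Top Secret:    ", mediate(secret_user, ts_doc, "read"))     # False (no read up)
    print("Secret reads Confidential:  ", mediate(secret_user, conf_doc, "read"))   # True
    print("Secret writes Confidential: ", mediate(secret_user, conf_doc, "write"))  # False (no write down)
    print("Secret writes Top Secret:   ", mediate(secret_user, ts_doc, "write"))    # True (write up is allowed)
    print("Strong *, same label:       ", can_access_strong_star(secret_user, secret_doc))  # True
```

Note what the plain * property permits: a Secret subject may write into a Top Secret object it cannot read. That is correct for confidentiality but says nothing about integrity, which is why Biba's rules are the mirror image of these, and why real systems usually pair BLP with an integrity model or use the strong * property.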

At an all-hands IT meeting in our organization, one of the directors is talking about the intranet. What is he referring to?

Options are :

  • Connected private intranets often between business partners or parent/child companies.
  • An organization's privately owned and operated internal network. (Correct)
  • The global collection of peered WAN networks, often between ISPs or long haul providers.
  • The local area network we have in our home.

Answer : An organization's privately owned and operated internal network.

Explanation An Intranet is an organization's privately owned network, most larger organizations have them.


Our networking department is recommending we use a half-duplex solution for an implementation. What is a KEY FEATURE of those?

Options are :

  • One way communication, one system transmits the other receives, direction can't be reversed.
  • Both systems can send and receive at the same time.
  • Only one system on the network can send one signal at a time.
  • One way communication, one system transmits the other receives, direction can be reversed. (Correct)

Answer : One way communication, one system transmits the other receives, direction can be reversed.

Explanation Half-duplex communication sends or receives at one time only (Only one system can transmit at a time).

We have implemented a solution where networking traffic can use DIFFERENT paths. What did we implement?

Options are :

  • Packet switching. (Correct)
  • Circuit switching.
  • Weighted routing tables.
  • Full traffic switching.

Answer : Packet switching.

Explanation Packet switching - Cheap, but no capacity guarantee, very widely used today. Data is sent in packets, but take multiple different paths to the destination. The packets are reassembled at the destination.
