CISSP Security and Risk Management Certified Practice Exam Set 3

What can best be defined as high-level statements, beliefs, goals and objectives?


Options are :

  • Standards
  • Policies (Correct)
  • Guidelines
  • Procedures

Answer : Policies

Which of the following best allows risk management results to be used knowledgeably?


Options are :

  • An uncertainty analysis (Correct)
  • A likelihood assessment
  • Threat identification
  • A vulnerability analysis

Answer : An uncertainty analysis

Which of the following is from the Internet Architecture Board (IAB) Ethics and the Internet (RFC


Options are :

  • There must not be personal data record-keeping systems whose very existence is secret.
  • Users should execute responsibilities in a manner consistent with the highest standards of their profession.
  • There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another purpose without their consent.
  • Access to and use of the Internet is a privilege and should be treated as such by all users of the systems. (Correct)

Answer : Access to and use of the Internet is a privilege and should be treated as such by all users of the systems.

An effective information security policy should NOT have which of the following characteristics?


Options are :

  • Include separation of duties
  • Specify areas of responsibility and authority
  • Be designed with a short- to mid-term focus (Correct)
  • Be understandable and supported by all stakeholders

Answer : Be designed with a short- to mid-term focus

Controls are implemented to:


Options are :

  • mitigate risk and eliminate the potential for loss.
  • eliminate risk and eliminate the potential for loss.
  • eliminate risk and reduce the potential for loss.
  • mitigate risk and reduce the potential for loss. (Correct)

Answer : mitigate risk and reduce the potential for loss.

Which of the following control pairings include: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?


Options are :

  • Preventive/Technical Pairing
  • Preventive/Administrative Pairing (Correct)
  • Detective/Administrative Pairing
  • Preventive/Physical Pairing

Answer : Preventive/Administrative Pairing

Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)?


Options are :

  • Develop a mission statement. (Correct)
  • Identify the company’s critical business functions.
  • Calculate how long these functions can survive without these resources.
  • Calculate the risk for each different business function.

Answer : Develop a mission statement.

In the CIA triad, what does the letter A stand for?


Options are :

  • Authentication
  • Accountability
  • Auditability
  • Availability (Correct)

Answer : Availability

The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system, is referred to as?


Options are :

  • Availability (Correct)
  • Integrity
  • Reliability
  • Confidentiality

Answer : Availability

Which of the following would BEST classify as a management control?


Options are :

  • Personnel security
  • Review of security controls (Correct)
  • Physical and environmental protection
  • Documentation

Answer : Review of security controls

Which of the following is an advantage of a qualitative over a quantitative risk analysis?


Options are :

  • It can easily be automated.
  • It makes a cost-benefit analysis of recommended controls easier.
  • It provides specific quantifiable measurements of the magnitude of the impacts.
  • It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities. (Correct)

Answer : It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.

Out of the steps listed below, which one is NOT one of the steps conducted during the Business Impact Analysis (BIA)?


Options are :

  • Select individuals to interview for data gathering
  • Alternate site selection (Correct)
  • Identify the company’s critical business functions
  • Create data-gathering techniques

Answer : Alternate site selection

Which of the following choices is NOT normally part of the questions that would be asked with regard to an organization's information security policy?


Options are :

  • Who is responsible for monitoring compliance to the organization's security policy?
  • What are the actions that need to be performed in case of a disaster? (Correct)
  • Who is involved in establishing the security policy?
  • Where is the organization's security policy defined?

Answer : What are the actions that need to be performed in case of a disaster?

What is the main purpose of Corporate Security Policy?


Options are :

  • To provide detailed steps for performing specific actions
  • To communicate management's intentions in regards to information security (Correct)
  • To transfer the responsibility for the information security to all users of the organization
  • To provide a common framework for all development activities

Answer : To communicate management's intentions in regards to information security

What can be described as a measure of the magnitude of loss or impact on the value of an asset?


Options are :

  • Probability
  • Threat
  • Exposure factor (Correct)
  • Vulnerability

Answer : Exposure factor

Qualitative loss resulting from the business interruption does NOT usually include:


Options are :

  • Loss of competitive advantage or market share
  • Loss of market leadership
  • Loss of revenue (Correct)
  • Loss of public confidence and credibility

Answer : Loss of revenue

The scope and focus of the Business continuity plan development depends most on:


Options are :

  • Business Impact Analysis (BIA) (Correct)
  • Directives of Senior Management
  • Scope and Plan Initiation
  • Skills of BCP committee

Answer : Business Impact Analysis (BIA)

At what Orange Book evaluation levels are design specification and verification FIRST required?


Options are :

  • C1 and above.
  • B2 and above.
  • C2 and above.
  • B1 and above. (Correct)

Answer : B1 and above.

Which of the following is NOT a common integrity goal?


Options are :

  • Prevent authorized users from making improper modifications.
  • Prevent paths that could lead to inappropriate disclosure. (Correct)
  • Prevent unauthorized users from making modifications.
  • Maintain internal and external consistency.

Answer : Prevent paths that could lead to inappropriate disclosure.

In an organization, an Information Technology security function should:


Options are :

  • Be independent but report to the Information Systems function.
  • Report directly to a specialized business unit such as legal, corporate security or insurance.
  • Be led by a Chief Security Officer and report directly to the CEO. (Correct)
  • Be a function within the information systems function of an organization.

Answer : Be led by a Chief Security Officer and report directly to the CEO.

Which type of security control is also known as "Logical" control?


Options are :

  • Administrative
  • Technical (Correct)
  • Physical
  • Risk

Answer : Technical

Which of the following answers is the BEST example of Risk Transference?


Options are :

  • Results of Cost Benefit Analysis
  • Insurance (Correct)
  • Not hosting the services at all
  • Acceptance

Answer : Insurance

Which of the following answers BEST relates to the type of risk analysis that involves committees, interviews, opinions and subjective input from staff?


Options are :

  • Qualitative Risk Analysis (Correct)
  • Managerial Risk Assessment
  • Quantitative Risk Analysis
  • Interview Approach to Risk Analysis

Answer : Qualitative Risk Analysis

Step-by-step instructions used to satisfy control requirements are called a:


Options are :

  • standard.
  • guideline.
  • policy.
  • procedure. (Correct)

Answer : procedure.

Which of the following exemplifies proper separation of duties?


Options are :

  • Tape operators are permitted to use the system console.
  • Console operators are permitted to mount tapes and disks.
  • Operators are not permitted to modify the system time. (Correct)
  • Programmers are permitted to use the system console.

Answer : Operators are not permitted to modify the system time.

Which of the following provides enterprise management with a prioritized list of time-critical business processes, and estimates a recovery time objective for each of the time-critical processes and the components of the enterprise that support those processes?


Options are :

  • Business Impact Assessment (Correct)
  • Current State Assessment
  • Business Risk Assessment.
  • Risk Mitigation Assessment.

Answer : Business Impact Assessment

Which of the following statements pertaining to a security policy is NOT true?


Options are :

  • It specifies how hardware and software should be used throughout the organization. (Correct)
  • It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective.
  • It must be flexible to the changing environment.
  • Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets.

Answer : It specifies how hardware and software should be used throughout the organization.

An access control policy for a bank teller is an example of the implementation of which of the following?


Options are :

  • Rule-based policy
  • Role-based policy (Correct)
  • User-based policy
  • Identity-based policy

Answer : Role-based policy

At which of the Orange Book evaluation levels is configuration management required?


Options are :

  • C2 and above.
  • B2 and above. (Correct)
  • C1 and above.
  • B1 and above.

Answer : B2 and above.

One purpose of a security awareness program is to modify:


Options are :

  • management's approach towards the enterprise's security posture.
  • attitudes of employees with sensitive data.
  • corporate attitudes about safeguarding data.
  • employees' attitudes and behaviors towards the enterprise's security posture. (Correct)

Answer : employees' attitudes and behaviors towards the enterprise's security posture.
