CISSP Security and Risk Management Certified Practice Exam Set 4

What is a security policy?


Options are :

  • High level statements on management's expectations that must be met in regards to security (Correct)
  • A statement that focuses on the authorization process for a system
  • A policy that focuses on ensuring a secure posture and expresses management approval. It explains in detail how to implement the requirements.
  • A policy that defines authentication to the network.

Answer : High level statements on management's expectations that must be met in regards to security

Valuable paper insurance coverage does cover damage to which of the following?


Options are :

  • Manuscripts
  • Inscribed, printed and Written documents
  • Money and Securities (Correct)
  • Records

Answer : Money and Securities

Which baseline sets certain thresholds for specific errors or mistakes that are allowed, and for the number of such occurrences that can take place before the activity is considered suspicious?


Options are :

  • Ceiling level
  • Checkpoint level
  • Clipping level (Correct)
  • Threshold level

Answer : Clipping level

Which of the following ensures that security is NOT breached when a system crash or other system failure occurs?


Options are :

  • Secure boot
  • Redundancy
  • Hot swappable
  • Trusted recovery (Correct)

Answer : Trusted recovery

There is no way to completely abolish or avoid risks; you can only manage them. A risk-free environment does not exist. If risks have been identified, understood, and evaluated as acceptable in order to conduct business operations, what is this approach to risk management called?


Options are :

  • Risk Acceptance (Correct)
  • Risk Transference
  • Risk Avoidance
  • Risk Mitigation

Answer : Risk Acceptance

John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by the IS auditor. Which of the following techniques is John using to treat the risks identified by the IS auditor?


Options are :

  • Risk transfer
  • Risk Acceptance
  • Risk Mitigation (Correct)
  • Risk Avoidance

Answer : Risk Mitigation

The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?


Options are :

  • Clipping level (Correct)
  • Forgiveness level
  • Acceptance level
  • Logging level

Answer : Clipping level

What is the MAIN objective of proper separation of duties?


Options are :

  • To ensure that audit trails are not tampered with.
  • To prevent employees from disclosing sensitive information.
  • To ensure that no single individual can compromise a system. (Correct)
  • To ensure access controls are in place.

Answer : To ensure that no single individual can compromise a system.

Of the multiple methods of handling risks which we must undertake to carry out business operations, which one involves using controls to reduce the risk?


Options are :

  • Avoidance
  • Transference
  • Acceptance
  • Mitigation (Correct)

Answer : Mitigation

Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated with:


Options are :

  • detective/administrative (Correct)
  • preventive/physical.
  • detective/physical.
  • detective/technical.

Answer : detective/administrative

Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes-Oxley Section 404 compliance?


Options are :

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO) (Correct)
  • CCTA Risk Analysis and Management Method (CRAMM)
  • BIBA
  • National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66)

Answer : Committee of Sponsoring Organizations of the Treadway Commission (COSO)

The Widget Company decided to take the company public and, while in the process of doing so, had an external auditor come and look at the company. As part of the external audit, the auditors brought in a technology expert, who incidentally was a new CISSP. The auditor's expert asked the technology manager to see the last risk analysis. The technology manager did not get back to him for a few days, and then the Chief Financial Officer gave the auditors a 2-page risk assessment that was signed by both the Chief Financial Officer and the Technology Manager. While reviewing it, the auditor noticed that only parts of the financial data were being backed up on site and nowhere else; the Chief Financial Officer had accepted the risk of only partial financial data being backed up, with no off-site copies available. Who owns the risk with regard to the data that is being backed up and where it is stored?


Options are :

  • Only The Technology Manager
  • Both the Chief Financial Officer and Technology Manager
  • Only the Chief Financial Officer (Correct)
  • Only the most Senior Management such as the Chief Executive Officer

Answer : Only the Chief Financial Officer

Which of the following steps is NOT one of the eight detailed steps of a Business Impact Assessment (BIA)?


Options are :

  • Notifying senior management of the start of the assessment. (Correct)
  • Identifying critical business functions.
  • Creating data gathering techniques
  • Calculating the risk for each different business function.

Answer : Notifying senior management of the start of the assessment.

The end result of implementing the principle of least privilege means which of the following?


Options are :

  • Users get new privileges added when they change positions.
  • Users can access all systems.
  • Authorization creep.
  • Users would get access to only the info for which they have a need to know (Correct)

Answer : Users would get access to only the info for which they have a need to know

If your property insurance has an Actual Cash Valuation (ACV) clause, your damaged property will be compensated based on:


Options are :

  • Replacement with a new item for the old one regardless of condition of lost item
  • Value of item on the date of loss (Correct)
  • Value of item one month before the loss
  • Value of item on the date of loss plus 10 percent

Answer : Value of item on the date of loss

The preliminary steps to security planning include all of the following EXCEPT which of the following?


Options are :

  • Establish a security audit function. (Correct)
  • Determine alternate courses of action
  • Establish objectives.
  • List planning assumptions.

Answer : Establish a security audit function.

The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:


Options are :

  • detective/administrative.
  • detective/physical.
  • preventive/physical
  • detective/technical. (Correct)

Answer : detective/technical.

Regarding risk reduction, which of the following answers is BEST defined as the practice of giving users only just enough access to information as is necessary for them to perform their job functions?


Options are :

  • Minimum Privilege Principle
  • Least Privilege Principle (Correct)
  • Mandatory Privilege Requirement
  • Implicit Information Principle

Answer : Least Privilege Principle

You are a manager for a large international bank and periodically move employees between positions in your department. What is this process called?


Options are :

  • Job Rotation (Correct)
  • Separation of Duties
  • Mandatory Vacation
  • Dual Control

Answer : Job Rotation

It is a violation of the "separation of duties" principle when which of the following individuals accesses the software on systems implementing security?


Options are :

  • security administrator
  • systems programmer (Correct)
  • systems auditor
  • security analyst

Answer : systems programmer

Which of the following is a CHARACTERISTIC of a decision support system (DSS) in regards to Threats and Risks Analysis?


Options are :

  • DSS emphasizes flexibility in the decision making approach of users. (Correct)
  • DSS is aimed at solving highly structured problems.
  • DSS combines the use of models with non-traditional data access and retrieval functions.
  • DSS supports only structured decision-making tasks.

Answer : DSS emphasizes flexibility in the decision making approach of users.

Which of the following pairings uses technology to enforce access control policies?


Options are :

  • Detective/Administrative
  • Preventive/Physical
  • Preventive/Technical (Correct)
  • Preventive/Administrative

Answer : Preventive/Technical

Which term BEST describes a practice used to detect fraud by forcing a user or users to be away from the workplace for a period of time?


Options are :

  • Least Privilege Principle
  • Obligatory Separation
  • Mandatory Vacations (Correct)
  • Job Rotation

Answer : Mandatory Vacations

Which of the following rules is LEAST likely to support the concept of least privilege?


Options are :

  • Permissions on tools that are likely to be used by hackers should be as restrictive as possible.
  • Administrators should use regular accounts when performing routine operations like reading mail.
  • Only data to and from critical systems and applications should be allowed through the firewall. (Correct)
  • The number of administrative accounts should be kept to a minimum.

Answer : Only data to and from critical systems and applications should be allowed through the firewall.

Which of the following is a fraud detection method whereby employees are moved from position to position?


Options are :

  • Mandatory Job Duties
  • Mandatory Rotation
  • Job Rotation (Correct)
  • Mandatory Vacations

Answer : Job Rotation

Which of the following risk handling techniques involves the practice of passing on the risk to another entity, such as an insurance company?


Options are :

  • Risk Mitigation
  • Risk Acceptance
  • Risk Avoidance
  • Risk transfer (Correct)

Answer : Risk transfer

Sam is the security manager of a financial institution. Senior management has requested that he perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is more than the potential loss that could be incurred. What kind of strategy should Sam recommend to senior management to treat these risks?


Options are :

  • Risk transfer
  • Risk Acceptance (Correct)
  • Risk Avoidance
  • Risk Mitigation

Answer : Risk Acceptance

Complete the following sentence. A message can be encrypted, which provides:


Options are :

  • Authentication
  • Non-Repudiation
  • Integrity
  • Confidentiality (Correct)

Answer : Confidentiality

In order to enable users to perform tasks and duties without having to go through extra steps, it is important that the security controls and mechanisms that are in place have a degree of?


Options are :

  • Simplicity
  • Complexity
  • Non-transparency
  • Transparency (Correct)

Answer : Transparency

A message can be encrypted and digitally signed, which provides:


Options are :

  • Confidentiality and Integrity.
  • Confidentiality and Non-repudiation
  • Confidentiality, Authentication, Non-repudiation, and Integrity. (Correct)
  • Confidentiality and Authentication

Answer : Confidentiality, Authentication, Non-repudiation, and Integrity.

Which of the following Confidentiality, Integrity, Availability (CIA) attributes supports the principle of least privilege by providing access to information only to authorized and intended users?


Options are :

  • Accuracy
  • Confidentiality (Correct)
  • Availability
  • Integrity

Answer : Confidentiality

Which type of risk assessment is the formula ALE = ARO x SLE used for?


Options are :

  • Objective Analysis
  • Expected Loss Analysis
  • Quantitative Analysis (Correct)
  • Qualitative Analysis

Answer : Quantitative Analysis

Which of the following ensures that a TCB is designed, developed, and maintained with formally controlled standards that enforce protection at each stage of the system's life cycle?


Options are :

  • Covert timing assurance
  • Life cycle assurance (Correct)
  • Covert storage assurance
  • Operational assurance

Answer : Life cycle assurance

Which of the following risk handling techniques involves the practice of being proactive so that the risk in question is not realized?


Options are :

  • Risk Avoidance (Correct)
  • Risk transfer
  • Risk Mitigation
  • Risk Acceptance

Answer : Risk Avoidance

In terms of risk analysis and dealing with risk, which of the four common ways listed below seeks to eliminate involvement with the risk being evaluated?


Options are :

  • Acceptance
  • Avoidance (Correct)
  • Mitigation
  • Transference

Answer : Avoidance

Which of the following is covered under Crime Insurance Policy Coverage?


Options are :

  • Money and Securities (Correct)
  • Manuscripts
  • Inscribed, printed and Written documents
  • Accounts Receivable

Answer : Money and Securities

There are several basic goals of cryptography. Which of the following most benefits from the process of encryption?


Options are :

  • Integrity
  • Non-Repudiation
  • Authentication
  • Confidentiality (Correct)

Answer : Confidentiality

The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:


Options are :

  • preventive/physical.
  • detective/physical. (Correct)
  • detective/administrative.
  • detective/technical

Answer : detective/physical.
