CISSP Security and Risk Management Certified Practice Exam Set 4

In the context of risk reduction, which of the following is best defined as a process that gives users only just enough access to information for them to perform their job functions?


Options are :

  • Principle of Least Privilege
  • Implicit Data Principle
  • The principle of least privilege (Correct)
  • None
  • Required Privilege Requirement

Answer : The principle of least privilege

Implementing the principle of least privilege means which of the following?


Options are :

  • None
  • Users will have access to only the information for which they have a need to know (Correct)
  • Users keep their old privileges and have new ones added when they change positions.
  • Authorization creep.
  • Users can access all the systems.

Answer : Users will have access to only the information for which they have a need to know

Controls are implemented:


Options are :

  • reduce risks and to reduce the potential for loss. (Correct)
  • eliminate risks and reduce potential losses.
  • None
  • reduce risks and eliminate the potential for loss.
  • eliminate the risks and to eliminate the potential for loss.

Answer : reduce risks and to reduce the potential for loss.

Ensuring least privilege does not require:


Options are :

  • Ensuring that an operator acting alone cannot subvert an important process. (Correct)
  • None
  • Determining the minimum set of privileges a user needs to perform their duties.
  • Limiting the user to the necessary permissions and nothing else.
  • Identifying what the user's job is.

Answer : Ensuring that an operator acting alone cannot subvert an important process.

Within an organization, the IT security function should:


Options are :

  • Report directly to a specialized business unit such as legal, safety or insurance.
  • Be a broad security function reporting directly to the CEO. (Correct)
  • None
  • Be a function within the information systems operation of the organization.
  • Be independent but report to the information systems function.

Answer : Be a broad security function reporting directly to the CEO.

Which of the following is not a general integrity goal?


Options are :

  • Maintain internal and external consistency.
  • Prevent paths that could lead to inappropriate disclosure of information. (Correct)
  • Prevent authorized users from making improper modifications.
  • None
  • Prevent unauthorized users from making modifications.

Answer : Prevent paths that could lead to inappropriate disclosure of information.

What is the maximum amount a company should spend annually on countermeasures to protect an asset valued at $1,000,000 from a threat with an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?


Options are :

  • None
  • $300,000
  • $150,000
  • $60,000 (Correct)
  • $1,500

Answer : $60,000
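The arithmetic behind this answer is the standard quantitative risk chain: single loss expectancy SLE = AV x EF, then annualized loss expectancy ALE = SLE x ARO, and the ALE is the most it is rational to spend per year on countermeasures for that threat. The following is an added example, not code from the exam page; it carries the calculation through with the question's figures and goes one step further than the question by scoring a hypothetical control with the usual cost/benefit formula (ALE before minus ALE after minus annual cost of the control). The threat name and the control's residual figures are made up for illustration.

```python
"""Quantitative risk formulas used in the ALE question above (added example,
not part of the original exam page).

SLE = AV * EF           single loss expectancy
ALE = SLE * ARO         annualized loss expectancy
The ALE is the ceiling on what it is rational to spend per year on
countermeasures for that threat: spending more than the expected annual loss
costs more than the risk it removes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    aro: float              # ARO, expected occurrences per year


def sle(t: Threat) -> float:
    """Single loss expectancy: dollars lost in one occurrence."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Annualized loss expectancy: expected dollars lost per year."""
    if t.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(t) * t.aro


def max_annual_spend(t: Threat) -> float:
    """Ceiling for annual countermeasure spend: never more than the ALE."""
    return ale(t)


def control_value(t: Threat, residual_ef: float, residual_aro: float,
                  annual_cost: float) -> float:
    """Cost/benefit of a countermeasure:
    (ALE before) - (ALE after) - (annual cost of the control).
    Positive means the control pays for itself; negative means it does not.
    """
    after = Threat(t.name, t.asset_value, residual_ef, residual_aro)
    return ale(t) - ale(after) - annual_cost


# Figures taken from the exam question: $1,000,000 asset, EF 30%,
# one occurrence every five years (ARO = 1/5 = 0.2). Threat name is made up.
EXAM_THREAT = Threat("data-center fire", 1_000_000, 0.30, 1 / 5)

if __name__ == "__main__":
    print(f"SLE = ${sle(EXAM_THREAT):,.0f}")              # $300,000
    print(f"ALE = ${ale(EXAM_THREAT):,.0f}")              # $60,000
    # Hypothetical control: halves the ARO, cuts EF to 10%, costs $25,000/yr
    print(f"control value = ${control_value(EXAM_THREAT, 0.10, 0.1, 25_000):,.0f}")
```

Note that the distractor $300,000 is the SLE, the loss from a single occurrence; the annual ceiling is the ALE, which spreads that loss over the five-year recurrence interval.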


Who is responsible for reporting to senior management on the effectiveness of security controls?


Options are :

  • Information systems security professionals
  • information systems auditors (Correct)
  • None
  • Data owners
  • data custodians

Answer : information systems auditors

Which of the following statements related to quantitative risk analysis is not true?


Options are :

  • None
  • It requires very little experience to apply (Correct)
  • It involves complex calculations
  • It requires a large amount of information
  • Some of it may be automated

Answer : It requires very little experience to apply

Risk analysis is most useful when applied during which phase of system development?


Options are :

  • System Design Specification
  • Project initiation and planning (Correct)
  • None
  • Functional requirements definition
  • Development and implementation

Answer : Project initiation and planning

A bank teller's access control policy is an example of the implementation of which of the following?


Options are :

  • Rule-based Policy
  • Identity-based policy
  • User-based policy
  • Role-based policies (Correct)
  • None

Answer : Role-based policies
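Why the teller's policy counts as role-based rather than identity-based: the permissions are attached to the teller role, and an individual receives them only by holding that role. The block below is an added example, not code from the exam page, and it also illustrates the earlier least-privilege question about authorization creep: when a user changes jobs, the old role is revoked rather than left in place. The bank roles, permission names and the user are hypothetical.

```python
"""Role-based access control (RBAC) for a bank branch, as an added example
(not from the original exam page). Permissions attach to roles; users get
permissions only through the roles they hold. A teller's entitlements are
decided by the teller role, not by who the individual is, which is why the
exam calls a teller's access policy role-based rather than identity-based.
The roles and permissions here are hypothetical.
"""
from dataclasses import dataclass, field

# Role -> set of permissions (hypothetical bank-branch roles)
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "teller": frozenset({"account:view", "cash:deposit", "cash:withdraw"}),
    "supervisor": frozenset({"account:view", "txn:override", "teller:audit"}),
    "loan_officer": frozenset({"account:view", "loan:originate"}),
}


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)


def effective_permissions(user: User) -> frozenset[str]:
    """Union of the permissions of every role the user holds.
    Unknown roles contribute nothing (fail closed)."""
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_allowed(user: User, permission: str) -> bool:
    """Access decision: allowed only if some held role grants the permission."""
    return permission in effective_permissions(user)


def assign_role(user: User, role: str) -> None:
    """Grant a role; refuse roles that are not defined."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    user.roles.add(role)


def revoke_role(user: User, role: str) -> None:
    """Remove a role; revoking a role the user lacks is a no-op."""
    user.roles.discard(role)


def transfer(user: User, old_role: str, new_role: str) -> None:
    """Job change: swap roles instead of accumulating them, so privileges
    from the old job do not linger (this lingering is authorization creep)."""
    assign_role(user, new_role)
    revoke_role(user, old_role)


if __name__ == "__main__":
    alice = User("alice")                       # hypothetical user
    assign_role(alice, "teller")
    print(is_allowed(alice, "cash:withdraw"))   # True
    print(is_allowed(alice, "txn:override"))    # False
    transfer(alice, "teller", "supervisor")
    print(is_allowed(alice, "cash:withdraw"))   # False: teller rights gone
    print(is_allowed(alice, "txn:override"))    # True
```

The decision function never consults the user's name, only the roles; swapping the name for a different person with the same role yields the same answer, which is the defining property of a role-based policy.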

The property that a system or system resource is available and accessible upon demand by an authorized system entity, according to the performance specifications of the system, is called?


Options are :

  • None
  • Confidentiality
  • integrity
  • Availability (Correct)
  • Reliability

Answer : Availability


Which of the following is not normally one of the questions asked regarding an organization's information security policy?


Options are :

  • None
  • What steps are to be taken in the event of a disaster? (Correct)
  • Who is responsible for monitoring compliance with the organization's security policy?
  • Who is involved in establishing the security policy?
  • What is defined by the organization's security policy?

Answer : What steps are to be taken in the event of a disaster?

Which security and audit framework has been adopted by some organizations seeking Sarbanes-Oxley Section 404 compliance?


Options are :

  • Biba
  • None
  • CCTA Risk Analysis and Management Method (CRAMM)
  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) (Correct)
  • National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66)

Answer : The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Valuable papers insurance coverage does not cover damage to which of the following?


Options are :

  • None
  • Engraved, printed or written documents
  • Money and securities (Correct)
  • manuscripts
  • documentation

Answer : Money and securities

Widget Company decided to take the company public, and as part of that process an external auditor came in to examine the company. The external audit team brought in a technology expert who, incidentally, was a CISSP. The auditor's expert asked the technology leadership to see their latest risk analysis. The technology management unit did not get back to him for a few days, and then the CFO handed the inspectors a two-page risk assessment signed by both the CFO and Technology. On reviewing it, the auditor noticed that only part of the company's financial data was backed up, and only on site with no copies anywhere else; the CFO had accepted the risk of backing up only part of the financial data, with no other copies available. Who owns the risk regarding which data is backed up and where it is stored?


Options are :

  • Only the most senior management, including the CEO
  • None
  • Technology only
  • The CFO only (Correct)
  • Both the CFO and Technology

Answer : The CFO only

At which Orange Book evaluation level is configuration management first required?


Options are :

  • C1 and above.
  • None
  • B2 and above. (Correct)
  • C2 and above.
  • B1 and above.

Answer : B2 and above.

Which of the following provides enterprise management with a prioritized list of time-critical business processes and estimates a recovery time objective for each critical process and for the components that support those processes?


Options are :

  • Business Impact Assessment (Correct)
  • Business Risk Assessment.
  • Current State Assessment
  • Risk mitigation measures assessment.
  • None

Answer : Business Impact Assessment


Which of the following is not one of the eight detailed steps of the business impact assessment (BIA)?


Options are :

  • Calculating the risk for each different business function.
  • Identifying the company's critical functions.
  • Creating data-gathering techniques.
  • Notifying management of the start of the assessment. (Correct)
  • None

Answer : Notifying management of the start of the assessment.

If a property insurance policy has an actual cash valuation (ACV) clause, damaged property will be compensated based on:


Options are :

  • The value of the item on the date of the loss (Correct)
  • None
  • Replacement of the old item with a new one, regardless of the condition of the lost item
  • The value of the item one month before the loss
  • The value of the item on the date of the loss plus 10 percent

Answer : The value of the item on the date of the loss

Step-by-step instructions used to satisfy control requirements are called a:


Options are :

  • standard
  • None
  • policy.
  • guideline.
  • procedure. (Correct)

Answer : procedure.

Which sequence of steps is generally followed in the development of documents such as security policies, standards and procedures?


Options are :

  • design, development, publication, coding and testing
  • initiation, evaluation, development, approval, publication, implementation and maintenance (Correct)
  • feasibility, development, approval, implementation and integration
  • None
  • design, review, approval, publication and implementation

Answer : initiation, evaluation, development, approval, publication, implementation and maintenance

At which Orange Book evaluation level are design specification and verification FIRST required?


Options are :

  • C1 and above.
  • B2 and above.
  • None
  • C2 and above.
  • B1 and above. (Correct)

Answer : B1 and above.

Ensuring that data has not been changed unintentionally, by accident or through malice is:


Options are :

  • auditability
  • Availability
  • None
  • integrity (Correct)
  • Confidentiality

Answer : integrity

Qualitative business interruption losses do not usually include:


Options are :

  • Loss of competitive advantage or market share
  • Loss of credibility and public confidence
  • Loss of income (Correct)
  • Loss of market leadership
  • None

Answer : Loss of income


In the CIA triad, what does the letter A stand for?


Options are :

  • accountability
  • auditability
  • None
  • Availability (Correct)
  • Authentication

Answer : Availability

Which of the following tasks is generally not part of the Business Impact Analysis (BIA)?


Options are :

  • Calculate the risk for each different business function.
  • Identify the company's critical business functions.
  • Develop the concept. (Correct)
  • None
  • Calculate how long these functions can survive without their supporting resources.

Answer : Develop the concept.

Which of the following best enables the results of a risk assessment to be used as intended?


Options are :

  • Vulnerability analysis
  • Uncertainty analysis (Correct)
  • Threat identification
  • None
  • Likelihood evaluation

Answer : Uncertainty analysis

What is the difference between an advisory and a regulatory security policy?


Options are :

  • None
  • Regulatory policies are high-level, while advisory policies are very detailed.
  • There is no difference between them.
  • Advisory policies are not mandated; regulatory policies must be implemented. (Correct)
  • Advisory policies have the force of law, while regulatory policies do not.

Answer : Advisory policies are not mandated; regulatory policies must be implemented.

Which of the following is not one of the steps performed during the Business Impact Analysis (BIA)?


Options are :

  • Select individuals to interview for data gathering
  • Create data-gathering techniques
  • None
  • Identify the company's critical business functions
  • Alternate site selection (Correct)

Answer : Alternate site selection

What is the main purpose of a corporate security policy?


Options are :

  • To provide detailed instructions for performing specific actions
  • To communicate management's intentions regarding information security (Correct)
  • To transfer responsibility for information security to all users of the organization
  • None
  • To establish a common framework for all development activities

Answer : To communicate management's intentions regarding information security


What is described as the measure of the magnitude of loss or impact on the value of an asset?


Options are :

  • threat
  • Probability
  • vulnerability
  • None
  • exposure factor (Correct)

Answer : exposure factor

Which of the following control pairings consists of: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?


Options are :

  • Preventive / Physical Pairing
  • Preventive / Administrative Pairing (Correct)
  • Detective / Administrative Pairing
  • None
  • Preventive / Technical Pairing

Answer : Preventive / Administrative Pairing

What can best be defined as high-level statements of beliefs, goals and objectives?


Options are :

  • guidelines
  • policy (Correct)
  • None
  • standards
  • procedures

Answer : policy

What is the objective of the maintenance phase of a typical security policy development process?


Options are :

  • Write a proposal that consistently states the policy's objectives
  • Submit the document for approval and sign-off
  • Publish the document to the organization
  • Review the document on its specified review date (Correct)
  • None

Answer : Review the document on its specified review date

The scope and focus of business continuity plan development depend mainly on:


Options are :

  • None
  • Business Impact Analysis (BIA) (Correct)
  • The directives of the senior management
  • The skills of the BCP committee
  • Scope and plan initiation

Answer : Business Impact Analysis (BIA)

Which property ensures that only the intended recipient can access the data, and no one else?


Options are :

  • Capability
  • None
  • Confidentiality (Correct)
  • Availability
  • integrity

Answer : Confidentiality


Which of the following is a statement from the Internet Architecture Board (IAB) "Ethics and the Internet" RFC?


Options are :

  • Users should perform their duties in a manner befitting the highest standards of the profession.
  • Access to and use of the Internet is a privilege and should be treated as such by all users of these systems. (Correct)
  • There must be no personal data record-keeping systems whose very existence is secret.
  • None
  • There must be a way for a person to prevent information about them that was obtained for one purpose from being used or made available for other purposes without their consent.

Answer : Access to and use of the Internet is a privilege and should be treated as such by all users of these systems.
