ISC2 CISSP Certified Information Systems Security Professional Official Practice Tests - Mike Chapple - E-Book


Mike Chapple

Description

Full-length practice tests covering all CISSP domains for the ultimate CISSP prep

The ISC2 CISSP Official Practice Tests is a major resource for ISC2 Certified Information Systems Security Professional (CISSP) candidates, providing 1300 unique practice questions. The first part of the book provides 100 questions per domain. You also have access to four unique 125-question practice exams to help you master the material. As the only official practice tests endorsed by ISC2, this book gives you the advantage of full and complete preparation. These practice tests align with the 2024 version of the CISSP Detailed Content Outline to ensure up-to-date preparation, and are designed to cover what you will see on exam day.

Coverage includes: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management (IAM), Security Assessment and Testing, Security Operations, and Software Development Security.

The CISSP credential signifies a body of knowledge and a set of guaranteed skills that put you in demand in the marketplace. This book is your ticket to achieving this prestigious certification, by helping you test what you know against what you need to know.

* Test your knowledge of the 2024 CISSP domains
* Identify areas in need of further study
* Gauge your progress throughout your study and preparation
* Practice test taking with Sybex's online test environment containing the questions from the book

The CISSP objectives are refreshed every few years to ensure that candidates are up-to-date on the latest security topics and trends. Currently aligned preparation resources are critical, and periodic practice tests are one of the best ways to truly measure your level of understanding.


Page count: 838

Publication year: 2024




Table of Contents

Cover

Table of Contents

Title Page

Copyright

Acknowledgments

About the Authors

About the Technical Editors

Introduction

CISSP Certification

Taking the CISSP Exam

Computer-Based Testing Environment

Exam Retake Policy

Work Experience Requirement

Recertification Requirements

Using This Book to Practice

Using the Online Practice Tests

How to Contact the Publisher

Chapter 1: Security and Risk Management (Domain 1)

Chapter 2: Asset Security (Domain 2)

Chapter 3: Security Architecture and Engineering (Domain 3)

Chapter 4: Communication and Network Security (Domain 4)

Chapter 5: Identity and Access Management (Domain 5)

Chapter 6: Security Assessment and Testing (Domain 6)

Chapter 7: Security Operations (Domain 7)

Chapter 8: Software Development Security (Domain 8)

Chapter 9: Practice Test 1

Chapter 10: Practice Test 2

Chapter 11: Practice Test 3

Chapter 12: Practice Test 4

Appendix: Answers to Review Questions

Chapter 1: Security and Risk Management (Domain 1)

Chapter 2: Asset Security (Domain 2)

Chapter 3: Security Architecture and Engineering (Domain 3)

Chapter 4: Communication and Network Security (Domain 4)

Chapter 5: Identity and Access Management (Domain 5)

Chapter 6: Security Assessment and Testing (Domain 6)

Chapter 7: Security Operations (Domain 7)

Chapter 8: Software Development Security (Domain 8)

Chapter 9: Practice Test 1

Chapter 10: Practice Test 2

Chapter 11: Practice Test 3

Chapter 12: Practice Test 4

Index

End User License Agreement



ISC2® CISSP® Certified Information Systems Security Professional

Official Practice Tests

Fourth Edition

Mike Chapple, CISSP

David Seidl, CISSP

Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada and the United Kingdom.

ISBNs: 9781394255078 (paperback), 9781394255092 (ePDF), 9781394255085 (ePub)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. ISC2 and CISSP are trademarks or registered trademarks of ISC2, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993. For product technical support, you can find answers to frequently asked questions or reach us via live chat at https://sybexsupport.wiley.com.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging in Publication data available on request.

Cover image: © Getty Images Inc./Jeremy Woodhouse

Cover design: Wiley

Acknowledgments

The authors would like to thank the many people who made this book possible. Jim Minatel at Wiley Publishing helped us extend the Sybex CISSP franchise to include this title and has continued to champion the International Information System Security Certification Consortium (ISC2). Carole Jelen, our agent, tackles all the back-end magic for our writing efforts and worked on both the logistical details and the business side of the book with her usual grace and commitment to excellence. Aaron Kraus, Shahla Pirnia, and Emily Vandewater, our technical editors, pointed out many opportunities to improve our work and deliver a high-quality final product. Kelly Talbot served as our project manager and made sure everything fit together. Many other people we'll never meet worked behind the scenes to make this book a success, and we really appreciate their time and talents to make this next edition come together.

About the Authors

Mike Chapple, PhD, CISSP, is an author of the best-selling ISC2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex, 2024), now in its 10th edition. He is an information security professional with more than 25 years of experience in higher education, the private sector, and government.

Mike is currently a teaching professor of IT, analytics, and operations at the University of Notre Dame's Mendoza College of Business. He previously was a senior director for IT service delivery at Notre Dame, where he oversaw the information security, data governance, IT architecture, project management, strategic planning, and product management functions for the university.

Before returning to Notre Dame, Mike served as the executive vice president and chief information officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active-duty intelligence officer in the U.S. Air Force.

Mike earned both his BS and PhD degrees from Notre Dame in computer science and engineering. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University. His IT certifications include the CISSP, Security+, CySA+, CISA, PenTest+, CIPP/US, CISM, CCSP, and PMP credentials.

Mike is the author of more than 100 technology books and video courses focused on security and privacy certifications. He provides books, video-based training, and free study groups for a wide variety of IT certifications at his website, CertMike.com.

David Seidl, CISSP, is the vice president for information technology and CIO at Miami University, where he leads a nationally recognized and award-winning IT organization. During his IT career, he has served in a variety of technical and information security roles, including as the senior director for Campus Technology Services at the University of Notre Dame, where he co-led Notre Dame's move to the cloud and oversaw cloud operations, ERP, databases, identity management, and a broad range of other technologies and services. He also served as Notre Dame's director of information security. He has taught information security and networking undergraduate courses as an instructor for Notre Dame's Mendoza College of Business and has written more than 20 books on security certification and cyberwarfare, including coauthoring the previous editions of CISSP ISC2 Official Practice Tests (Sybex, 2021), CompTIA CySA+ Study Guide: Exam CS0-003, CompTIA CySA+ Practice Tests: Exam CS0-003, CompTIA Security+ Study Guide: Exam SY0-701, and CompTIA Security+ Practice Tests: Exam SY0-701, as well as other certification guides and books on information security.

David holds a bachelor's degree in communication technology and a master's degree in information security from Eastern Michigan University, as well as CISSP, CySA+, PenTest+, GPEN, and GCIH certifications.

About the Technical Editors

Aaron Kraus, CISSP, CCSP, began his career as a security auditor and has gone on to work in security and compliance roles across financial services, insurance, consulting, and tech startups. He is currently a senior consultant at Latacora and runs his own consulting business, with experience ranging from initial implementation to aligning large, multinational organizations' security programs to meet evolving compliance needs, respond to emerging threats, and accommodate new and changing business practices. He has been a course author, instructor, and dean of cybersecurity curriculum at Learning Tree International for more than 15 years and has worked on several publications at Wiley. He is the author of The Official ISC2 CCSP CBK Reference, 4th Edition, and coauthor of The Official ISC2 CISSP CBK Reference, 6th Edition, as well as the technical editor for the official CISSP and CCSP study guides and practice test books.

Shahla Pirnia is a freelance technical editor and proofreader with a focus on cybersecurity and certification topics. She currently serves as a technical editor for CertMike.com. Shahla earned BS degrees in computer and information science and psychology from UMGC and an AA in information systems from Montgomery College, MD. Shahla's IT certifications include CompTIA Security+, Network+, A+, and ISC2 CC.

Emily Vandewater is a senior principal security consultant at Elteni Cybersecurity Consulting and Advisory, where she focuses on building information security programs and providing strategic guidance to mitigate cyber risks and ensure regulatory compliance. With more than 15 years of progressive experience in the tech and cybersecurity sectors, Emily has distinguished herself through key leadership positions, notably as a former director of information security at an IT managed service provider. Beyond her consulting work, Emily applies her expertise as a freelance technical editor and content developer for leading publishers, including Wiley. Her deep understanding of cybersecurity is backed by an array of IT certifications, including ISC2 CISSP and SSCP, CompTIA CASP+, CySA+, Security+ and Cloud+, Azure, and Microsoft Administrator Expert.

Introduction

ISC2 CISSP® Certified Information Systems Security Professional Official Practice Tests, Fourth Edition, is a companion volume to ISC2 CISSP Certified Information Systems Security Professional Official Study Guide, Tenth Edition (Sybex, 2024). It includes questions that cover content from the CISSP Detailed Content Outline and exam that became effective on April 15, 2024. If you're looking to test your knowledge before you take the CISSP exam, this book will help you by providing more than 1,300 questions that cover the CISSP Common Body of Knowledge (CBK) and easy-to-understand explanations of both right and wrong answers.

If you're just starting to prepare for the CISSP exam, we highly recommend that you use the ISC2 CISSP Certified Information Systems Security Professional Official Study Guide to help you learn about each of the domains covered by the CISSP exam. Once you're ready to test your knowledge, use this book to help find places where you may need to study more or to practice for the exam itself.

Since this is a companion to the CISSP Study Guide, this book is designed to be similar to taking the CISSP exam. It contains multipart scenarios as well as standard multiple-choice and matching questions like you may encounter on the certification exam. The book is broken up into 12 chapters: 8 domain-centric chapters with 100 or more questions about each domain, and 4 chapters that contain 125-question practice tests to simulate taking the exam.

CISSP Certification

The CISSP certification is offered by the International Information System Security Certification Consortium (ISC2), a global nonprofit organization. ISC2's mission statement says that “ISC2 strengthens the influence, diversity and vitality of the field through advocacy, expertise and workforce empowerment that accelerates cyber safety and security in an interconnected world.” ISC2 achieves this mission by delivering the world's leading information security certification program, the CISSP. ISC2 also offers additional certifications including the following:

Certified in Cybersecurity (CC)

Systems Security Certified Practitioner (SSCP)

Certified Cloud Security Professional (CCSP)

Governance, Risk and Compliance Certification (CGRC)

Certified Secure Software Lifecycle Professional (CSSLP)

Information Systems Security Architecture Professional (ISSAP)

Information Systems Security Engineering Professional (ISSEP)

Information Systems Security Management Professional (ISSMP)

The CISSP certification covers eight domains of information security knowledge. These domains are meant to serve as the broad knowledge foundation required to succeed in the information security profession.

Security and Risk Management

Asset Security

Security Architecture and Engineering

Communication and Network Security

Identity and Access Management (IAM)

Security Assessment and Testing

Security Operations

Software Development Security

The CISSP domains are periodically updated by ISC2. The most recent revision on April 15, 2024, slightly modified the weighting for Security and Risk Management from 15% to 16%, while decreasing the focus on Software Development Security from 11% to 10%. It also added or expanded coverage of topics such as intellectual property, privacy laws and regulations, software bills of materials, end-of-life support, SASE, operational technology, high-performance computing, intermediate distribution frame, Compute Express Link, and a variety of other topics.

Complete details on the CISSP CBK are contained in the 2024 CISSP Detailed Content Outline. It includes a full outline of exam topics, which can be found on the ISC2 website at www.isc2.org.

Taking the CISSP Exam

The English version of the CISSP exam uses a technology called computerized adaptive testing (CAT). With this format, you will face an exam containing between 100 and 150 questions with a three-hour time limit. You will not have the opportunity to skip back and forth because the computer selects the next questions that it asks you based upon your answers to previous questions. If you're doing well on the exam, it will get more difficult as you progress. Don't let that unnerve you!

You can find more information about computerized adaptive testing directly from ISC2 at www.isc2.org/certifications/cissp/cissp-cat.

The computerized adaptive testing version of the exam is offered in English, Chinese, German, Japanese, and Spanish. Unlike earlier versions, the CISSP exam is no longer offered in a linear exam format after April 15, 2024.

While it's impossible to directly simulate a CAT exam in book form, as you work through these practice exams you might want to use 80% as a goal to help you get a sense of whether you're ready to sit for the actual exam. When you're ready, you can schedule an exam at a location near you through the ISC2 website.

Questions on the CISSP exam are provided in both multiple-choice form and what ISC2 calls advanced innovative questions, which are drag-and-drop and hotspot questions, both of which are offered in a computer-based testing environment. Innovative questions are scored the same as traditional multiple-choice questions and have only one right answer.

ISC2 exam policies are subject to change. Please be sure to check www.isc2.org for the current policies before you register and take the exam.

Computer-Based Testing Environment

CISSP exams are administered in a computerized adaptive testing (CAT) format. You'll start the registration for your exam through your ISC2 login at www.isc2.org/register-for-exam. You may take the exam at a Pearson VUE authorized center in the language of your choice. It is offered in English, Chinese, German, Japanese, and Spanish.

You'll take the exam in a computer-based testing center located near your home or office. The centers administer many different exams, so you may find yourself sitting in the same room as a student taking a school entrance examination and a healthcare professional earning a medical certification. If you'd like to become more familiar with the testing environment, the Pearson VUE website offers a virtual tour of a testing center.

https://home.pearsonvue.com/Test-takers/Pearson-Professional-Center-tour.aspx

When you take the exam, you'll be seated at a computer that has the exam software already loaded and running. It's a pretty straightforward interface that allows you to navigate through the exam. You can download a practice exam and tutorial from the Pearson VUE website.

https://home.pearsonvue.com

Like all exams, the CISSP certification from ISC2 is updated periodically and may eventually be retired or replaced. At some point after ISC2 is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online Sybex tools will be available once the exam is no longer available.

Exam Retake Policy

If you don't pass the CISSP exam, you shouldn't panic. Many individuals don't reach the bar on their first attempt but gain valuable experience that helps them succeed the second time around. When you retake the exam, you'll have the benefit of familiarity with the exam environment and CISSP CAT exam format. You'll also have time to study the areas where you felt less confident.

After your first exam attempt, you must wait 30 days before retaking the computer-based exam. If you're not successful on that attempt, you may re-test after 60 days. If you don't pass after your third attempt, you can re-test after 90 days for that and any subsequent attempts. You can't take the test more than 4 times within a 12-month period. You can obtain more information about ISC2 and its other certifications from its website at www.isc2.org.

Work Experience Requirement

Candidates who want to earn the CISSP credential must not only pass the exam but also demonstrate that they have at least five years of work experience in the information security field. Your work experience must cover activities in at least two of the eight domains of the CISSP exam outline and must be paid, full-time or qualified part-time employment or paid or unpaid internship. Volunteer experiences are not acceptable to meet the CISSP experience requirement.

You may be eligible to waive one of the five years of the work experience requirement based upon your educational achievements. If you hold a bachelor's degree or four-year equivalent, you may be eligible for a degree waiver that covers one of those years. Similarly, if you hold one of the information security certifications on the current ISC2 approved credential list (www.isc2.org/certifications/cissp/cissp-experience-requirements), you may also waive a year of the experience requirement. You may not combine these two programs. Holders of both a certification and an undergraduate degree must still demonstrate at least four years of experience.

If you haven't yet completed your work experience requirement, you may still attempt the CISSP exam. Individuals who pass the exam are designated Associates of ISC2 and have six years to complete the work experience requirement.

Recertification Requirements

Once you've earned your CISSP credential, you'll need to maintain your certification by paying maintenance fees and participating in continuing professional education (CPE). As long as you maintain your certification in good standing, you will not need to retake the CISSP exam.

Currently, the annual maintenance fees for the CISSP credential are $135 per year. This fee covers the renewal for all ISC2 certifications held by an individual.

The CISSP CPE requirement mandates earning at least 120 CPE credits during each three-year renewal cycle. Associates of ISC2 must earn at least 15 CPE credits each year. ISC2 provides an online portal where certificate holders may submit CPE completion for review and approval. The portal also tracks annual maintenance fee payments and progress toward recertification.

Using This Book to Practice

This book is composed of 12 chapters. Each of the first eight chapters covers a domain, with a variety of questions that can help you test your knowledge of real-world scenarios and security best practices. The final four chapters are complete practice exams that can serve as timed practice tests to help determine whether you're ready for the CISSP exam.

We recommend taking the first practice exam to help identify where you may need to spend more study time and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you're ready, take the other practice exams to make sure you've covered all the material and are ready to attempt the CISSP exam.

Using the Online Practice Tests

All the questions in this book are also available in Sybex's online practice test tool. To get access to this online format, go to www.wiley.com/go/sybextestprep and start by registering your book. You'll receive a PIN and instructions on where to create an online test bank account. Once you have access, you can use the online version to create your own sets of practice tests from the book questions and practice in a timed and graded setting.

How to Contact the Publisher

If you believe you have found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

Chapter 1: Security and Risk Management (Domain 1)

SUBDOMAINS

1.1 Understand, adhere to, and promote professional ethics

1.2 Understand and apply security concepts

1.3 Evaluate, apply, and sustain security governance principles

1.4 Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context

1.5 Understand requirements for investigation types (i.e., administrative, criminal, civil, regulatory, industry standards)

1.6 Develop, document, and implement security policy, standards, procedures, and guidelines

1.7 Identify, analyze, assess, prioritize, and implement Business Continuity (BC) requirements

1.8 Contribute to and enforce personnel security policies and procedures

1.9 Understand and apply risk management concepts

1.10 Understand and apply threat modeling concepts and methodologies

1.11 Apply Supply Chain Risk Management (SCRM) concepts

1.12 Establish and maintain a security awareness, education, and training program

Alyssa is responsible for her organization's security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?

Gamification

Computer-based training

Content reviews

Live training

Gavin is creating a report for management on the results of his most recent risk assessment. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk?

Inherent risk

Residual risk

Control risk

Mitigated risk

Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party's copyright. What law governs the actions that Francine must take?

Copyright Act

Lanham Act

Digital Millennium Copyright Act

Gramm-Leach-Bliley Act

FlyAway Travel has offices in both the European Union (EU) and the United States and transfers personal information between those offices regularly. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?

The right to access

Privacy by Design

The right to erasure

The right of data portability

After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?

Accept

Transfer

Reduce

Reject

Which one of the following elements of information is not considered personally identifiable information that would trigger most United States state data breach laws?

Student identification number

Social Security number

Driver's license number

Credit card number

Renee is purchasing a new software product and is working with the vendor on the negotiation of a license agreement that will specify customized terms of use and a discounted price. What type of agreement would normally be used to document the results of this negotiation?

Perpetual license

Subscription license

Enterprise license agreement

End-user license agreement

Henry recently assisted one of his co-workers in preparing for the CISSP® exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: “Advance and protect the profession.” Who may bring ethics charges against Henry for this violation?

Anyone may bring charges.

Any certified or licensed professional may bring charges.

Only Henry's employer may bring charges.

Only the affected employee may bring charges.

Wanda is working with one of her organization's European Union business partners to facilitate the exchange of customer information. Wanda's organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance?

Binding corporate rules

Privacy Shield

Standard contractual clauses

Safe harbor

Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

GLBA

SOX

HIPAA

FERPA

Tim's organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?

FISMA

PCI DSS

HIPAA

GISRA

Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?

Memory chips

Office productivity applications

Hard drives

Encryption software

Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE threat model?

Spoofing

Repudiation

Tampering

Elevation of privilege

You are completing your business continuity planning effort and have decided that you want to accept one of the risks. What should you do next?

Implement new security controls to reduce the risk level.

Design a disaster recovery plan.

Repeat the business impact assessment.

Document your decision-making process.

You are completing a review of the controls used to protect a media storage facility in your organization and would like to properly categorize each control that is currently in place. Which of the following control categories accurately describe a fence around a facility? (Select all that apply.)

Physical

Detection

Deterrent

Preventive

Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?

Quantitative risk assessment

Qualitative risk assessment

Neither quantitative nor qualitative risk assessment

Combination of quantitative and qualitative risk assessment

Vincent believes that a former employee took trade secret information from his firm and brought it with him to a competitor. He wants to pursue legal action. Under what law could he pursue charges?

Copyright law

Lanham Act

Glass-Steagall Act

Economic Espionage Act

Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?

Due diligence

Separation of duties

Due care

Least privilege

Brenda's organization recently completed the acquisition of a competitor firm. Which one of the following tasks would be LEAST likely to be part of the organizational processes addressed during the acquisition?

Consolidation of security functions

Integration of security tools

Protection of intellectual property

Documentation of security policies

Kelly believes that an employee engaged in the unauthorized use of computing resources for a side business. After consulting with management, she decides to launch an administrative investigation. What is the burden of proof that she must meet in this investigation?

Preponderance of the evidence

Beyond a reasonable doubt

Beyond the shadow of a doubt

There is no standard

Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wants to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?

Patent

Trade secret

Copyright

Trademark

Which one of the following actions might be taken as part of a business continuity plan?

Restoring from backup tapes

Implementing RAID

Relocating to a cold site

Restarting business operations

When developing a business impact analysis, the team should first create a list of assets. What should happen next?

Identify vulnerabilities in each asset.

Determine the risks facing the asset.

Develop a value for each asset.

Identify threats facing each asset.

Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?

Risk acceptance

Risk avoidance

Risk mitigation

Risk transference

Laura has been asked to perform a security controls assessment (SCA). What type of organization is she most likely in?

Higher education

Banking

Government

Healthcare

Carl is a federal agent investigating a computer crime case. He identified an attacker who engaged in illegal conduct and wants to pursue a case against that individual that will lead to imprisonment. What standard of proof must Carl meet?

Beyond the shadow of a doubt

Preponderance of the evidence

Beyond a reasonable doubt

Majority of the evidence

ISC2 uses the logo shown here to represent itself online and in a variety of forums. What type of intellectual property protection can it use to protect its rights in this logo?

Source: ISC2, Inc.

Copyright

Patent

Trade secret

Trademark

Mary is helping a computer user who sees the following message appear on his computer screen. What type of attack has occurred?

Source: CryptoLocker

Availability

Confidentiality

Disclosure

Distributed

Which one of the following organizations would not be automatically subject to the privacy and security requirements of HIPAA if they engage in electronic transactions?

Healthcare provider

Health and fitness application developer

Health information clearinghouse

Health insurance plan

John's network begins to experience symptoms of slowness. Upon investigation, he realizes that the network is being bombarded with TCP SYN packets and believes that his organization is the victim of a denial-of-service attack. What principle of information security is being violated?

Availability

Integrity

Confidentiality

Denial

Renee is designing a long-term security plan for her organization and has a three- to five-year planning horizon. Her primary goal is to align the security function with the broader plans and objectives of the business. What type of plan is she developing?

Operational

Tactical

Summary

Strategic

Gina is working to protect a logo that her company will use for a new product they are launching. She has questions about the intellectual property protection process for this logo. What U.S. government agency would be best able to answer her questions?

USPTO

Library of Congress

NSA

NIST

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?

Mandatory vacation

Segregation of duties

Defense in depth

Job rotation

Which one of the following categories of organizations is most likely to be covered by the provisions of FISMA?

Banks

Defense contractors

School districts

Hospitals

Robert is responsible for securing systems used to process credit card information. What security control framework should guide his actions?

HIPAA

PCI DSS

SOX

GLBA

Which one of the following individuals is normally responsible for fulfilling the operational data protection responsibilities delegated by senior management, such as validating data integrity, testing backups, and managing security policies?

Data custodian

Data owner

User

Auditor

Alan works for an e-commerce company that recently had some content stolen by another website and republished without permission. What type of intellectual property protection would best preserve Alan's company's rights?

Trade secret

Copyright

Trademark

Patent

Florian receives a flyer from a U.S. federal government agency announcing that a new administrative law will affect his business operations. Where should he go to find the text of the law?

U.S. Code

Supreme Court rulings

Code of Federal Regulations

Compendium of Laws

Tom enables an application firewall provided by his cloud infrastructure as a service provider that is designed to block many types of application attacks. When viewed from a risk management perspective, what metric is Tom attempting to lower by implementing this countermeasure?

Impact

RPO

MTO

Likelihood

Which one of the following individuals would be the most effective organizational owner for an information security program?

CISSP-certified analyst

Chief information officer (CIO)

Manager of network security

President and CEO

What important function do senior managers normally fill on a business continuity planning team?

Arbitrating disputes about criticality

Evaluating the legal environment

Training staff

Designing failure controls

You are the CISO for a major hospital system and are preparing to sign a contract with a software-as-a-service (SaaS) email vendor. You want to perform a control assessment to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?

SOC 1

FISMA

PCI DSS

SOC 2

Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?

Repudiation

Information disclosure

Tampering

Elevation of privilege

Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing?

Integrity

Availability

Confidentiality

Denial

Which one of the following issues is not normally addressed in a service-level agreement (SLA)?

Confidentiality of customer information

Failover time

Uptime

Maximum consecutive downtime

Joan is seeking to protect a piece of computer software that she developed under intellectual property law. Which one of the following avenues of protection would not apply to a piece of software?

Trademark

Copyright

Patent

Trade secret

For questions 47–49, please refer to the following scenario:

Juniper Content is a web content development company with 40 employees located in two offices: one in New York and a smaller office in the San Francisco Bay Area. Each office has a local area network protected by a perimeter firewall. The local area network (LAN) contains modern switch equipment connected to both wired and wireless networks.

Each office has its own file server, and the information technology (IT) team runs software every hour to synchronize files between the two servers, distributing content between the offices. These servers are primarily used to store images and other files related to web content developed by the company. The team also uses a SaaS-based email and document collaboration solution for much of their work.

You are the newly appointed IT manager for Juniper Content, and you are working to augment existing security controls to improve the organization's security.

Users in the two offices would like to access each other's file servers over the internet. What control would provide confidentiality for those communications?

Digital signatures

Virtual private network

Virtual LAN

Digital content management

You are also concerned about the availability of data stored on each office's server. You would like to add technology that would enable continued access to files located on the server even if a hard drive in a server fails. What control allows you to add robustness without adding additional servers?

Server clustering

Load balancing

RAID

Scheduled backups

Finally, there are historical records stored on the server that are extremely important to the business and should never be modified. You would like to add an integrity control that allows you to verify on a periodic basis that the files were not modified. What control can you add?

Hashing

ACLs

Read-only attributes

Firewalls

Beth is a human resources specialist preparing to assist in the termination of an employee. Which of the following is not typically part of a termination process?

An exit interview

Recovery of organizational property

Account termination

Signing an NCA

Frances is reviewing her organization's business continuity plan documentation for completeness. Which one of the following is not normally included in business continuity plan documentation?

Statement of accounts

Statement of importance

Statement of priorities

Statement of organizational responsibility

An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?

Separation of duties

Least privilege

Defense in depth

Mandatory vacation

Jeff would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use?

CMM

SW-CMM

RMM

COBIT

Chris' organization recently suffered an attack that rendered their website inaccessible to paying customers for several hours. Which information security goal was most directly impacted?

Confidentiality

Integrity

Availability

Denial

Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing?

Policy

Baseline

Guideline

Procedure

Who should receive initial business continuity plan training in an organization?

Senior executives

Those with specific business continuity roles

Everyone in the organization

First responders

James is conducting a risk assessment for his organization and is attempting to assign an asset value to the servers in his data center. The organization's primary concern is ensuring that it has sufficient funds available to rebuild the data center in the event it is damaged or destroyed. Which one of the following asset valuation methods would be most appropriate in this situation?

Purchase cost

Depreciated cost

Replacement cost

Opportunity cost

Roger's organization suffered a breach of customer credit card records. Under the terms of PCI DSS, what organization may choose to pursue an investigation of this matter?

FBI

Local law enforcement

Bank

PCI SSC

Rick recently engaged critical employees in each of his organization's business units to ask for their assistance with his security awareness program. They will be responsible for sharing security messages with their peers and answering questions about cybersecurity matters. What term best describes this relationship?

Security champion

Security expert

Gamification

Peer review

Frank discovers a keylogger hidden on the laptop of his company's chief executive officer. What information security principle is the keylogger most likely designed to disrupt?

Confidentiality

Integrity

Availability

Denial

Elise is helping her organization prepare to evaluate and adopt a new cloud-based human resource management (HRM) system vendor. What would be the most appropriate minimum security standard for her to require of possible vendors?

Compliance with all laws and regulations

Handling information in the same manner her organization would

Elimination of all identified security risks

Compliance with the vendor's own policies

The following graphic shows the NIST risk management framework with a step missing. What is the missing step?

Assess security controls.

Determine control gaps.

Remediate control gaps.

Evaluate user activity.

HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would be used in amplification DDoS attacks. What type of risk management strategy did HAL pursue with respect to its NTP services?

Risk mitigation

Risk acceptance

Risk transference

Risk avoidance

Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data disclosure breach. What principle of information security is Susan trying to enforce?

Availability

Denial

Confidentiality

Integrity

Which one of the following components should be included in an organization's emergency response guidelines?

List of individuals who should be notified of an emergency incident

Long-term business continuity protocols

Activation procedures for the organization's cold sites

Contact information for ordering equipment

Chas recently completed the development of his organization's business continuity plan (BCP). Who is the ideal person to approve an organization's business continuity plan?

Chief information officer

Chief executive officer

Chief information security officer

Chief operating officer

Which one of the following actions is not normally part of the project scope and planning phase of business continuity planning?

Structured analysis of the organization

Review of the legal and regulatory landscape

Creation of a BCP team

Documentation of the plan

Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce?

Denial

Confidentiality

Integrity

Availability

Becka recently signed a contract with an alternate data processing facility that will provide her company with space in the event of a disaster. The facility includes HVAC, power, and communications circuits but no hardware. What type of facility is Becka using?

Cold site

Warm site

Hot site

Mobile site

Greg's company recently experienced a significant data breach involving the personal data of many of their customers. The company operates only in the United States and has facilities in several different states. The personal information relates only to residents of the United States. Which breach laws should they review to ensure that they are taking appropriate action?

The breach laws in the state where they are headquartered along with federal breach laws.

The breach laws of states they do business in or where their customers reside along with federal breach laws.

Only federal breach laws.

Breach laws only cover government agencies, not private businesses.

Ben is seeking a control objective framework that is widely accepted around the world and focuses specifically on information security controls. Which one of the following frameworks would best meet his needs?

ITIL

ISO 27002

CMM

PMBOK Guide

Matt works for a telecommunications firm and was approached by a federal agent seeking assistance with wiretapping one of Matt's clients pursuant to a search warrant. Which one of the following laws requires that communications service providers cooperate with law enforcement requests?

ECPA

CALEA

Privacy Act

HITECH Act

Every year, Gary receives privacy notices in the mail from financial institutions where he has accounts. What law requires the institutions to send Gary these notices?

FERPA

GLBA

HIPAA

HITECH

Which one of the following agreements typically requires that a vendor not disclose confidential information learned during the scope of an engagement?

NCA

SLA

NDA

RTO

The ISC2 Code of Ethics applies to all CISSP holders. Which of the following is not one of the four mandatory canons of the code?

Protect society, the common good, the necessary public trust and confidence, and the infrastructure.

Disclose breaches of privacy, trust, and ethics.

Provide diligent and competent service to the principals.

Advance and protect the profession.

Which one of the following stakeholders is not typically included on a business continuity planning team?

Core business function leaders

Information technology staff

CEO

Support departments

Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve?

Authentication

Authorization

Integrity

Nonrepudiation

What principle of information security states that an organization should implement overlapping security controls whenever possible?

Least privilege

Separation of duties

Defense in depth

Security through obscurity

Ryan is a CISSP-certified cybersecurity professional working in a nonprofit organization. Which of the following ethical obligations apply to his work? (Select all that apply.)

ISC2 Code of Ethics

Organizational code of ethics

Federal code of ethics

RFC 1087

Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option?

Purchasing insurance

Encrypting the database contents

Removing the data

Objecting to the exception

The Domer Industries risk assessment team recently conducted a qualitative risk assessment and developed a matrix similar to the one shown here. Which quadrant contains the risks that require the most immediate attention?

I

II

III

IV

Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?

Informing other employees of the termination

Retrieving the employee's photo ID

Calculating the final paycheck

Revoking electronic access rights

Rolando is a risk manager with a large-scale enterprise. The firm recently evaluated the risk of California mudslides on its operations in the region and determined that the cost of responding outweighed the benefits of any controls it could implement. The company chose to take no action at this time. What risk management strategy did Rolando's organization pursue?

Risk avoidance

Risk mitigation

Risk transference

Risk acceptance

Helen is the owner of a U.S. website that provides information for middle and high school students preparing for exams. She is writing the site's privacy policy and would like to ensure that it complies with the provisions of the Children's Online Privacy Protection Act (COPPA). What is the cutoff age below which parents must give consent in advance of the collection of personal information from their children under COPPA?

13

15

17

18

Tom is considering locating a business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region, shown here, and determines that the area he is considering lies within a 100-year flood plain. What is the ARO of a flood in this area?

Source: The City of North Miami

100

1

0.1

0.01

You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?

Source: The Wireshark Foundation

Integrity

Denial

Availability

Confidentiality

Alan is performing threat modeling and decides that it would be useful to decompose the system into the core elements shown here. What tool is he using?

Vulnerability assessment

Fuzzing

Reduction analysis

Data modeling

Shahla is reviewing the privacy laws that apply to a new enterprise that her company will be launching in South Africa. This is the company's first expansion into that country, and the enterprise will involve handling the personal information of residents of South Africa. What law will likely affect this operation?

PIPL

PCI DSS

PIPEDA

POPIA

Which type of business impact assessment tool is most appropriate when attempting to evaluate the impact of a failure on customer confidence?

Quantitative

Qualitative

Annualized loss expectancy

Reduction

Ryan is a security risk analyst for an insurance company. He is currently examining a scenario in which a malicious hacker might use a SQL injection attack to deface a web server due to a missing patch in the company's web application. In this scenario, what is the threat?

Unpatched web application

Web defacement

Malicious hacker

Operating system

For questions 91–93, please refer to the following scenario:

Henry is the risk manager for Atwood Landing, a resort community in the midwestern United States. The resort's main data center is located in northern Indiana in an area that is prone to tornadoes. Henry recently undertook a replacement cost analysis and determined that rebuilding and reconfiguring the data center would cost $10 million.

Henry consulted with tornado experts, data center specialists, and structural engineers. Together, they determined that a typical tornado would cause approximately $5 million of damage to the facility. The meteorologists determined that Atwood's facility lies in an area where they are likely to experience a tornado once every 200 years.

Based upon the information in this scenario, what is the exposure factor for the effect of a tornado on Atwood Landing's data center?

10%

25%

50%

75%

Based upon the information in this scenario, what is the annualized rate of occurrence for a tornado at Atwood Landing's data center?

0.0025

0.005

0.01

0.015

Based upon the information in this scenario, what is the annualized loss expectancy for a tornado at Atwood Landing's data center?

$25,000

$50,000

$250,000

$500,000
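The three scenario questions chain the standard quantitative risk formulas together: EF is the fraction of asset value lost per occurrence, SLE = AV × EF, ARO = 1 / recurrence interval, and ALE = SLE × ARO. The following Python is an added worked example, not code from the book; it carries the arithmetic through with the Atwood Landing figures and also applies the same ARO rule to the 100-year flood plain question earlier on this page.

```python
"""Quantitative risk assessment arithmetic: EF, SLE, ARO and ALE.

Added worked example, not code from the book. The Atwood Landing figures
($10M replacement cost, $5M expected tornado damage, one tornado per
200 years) and the 100-year flood plain come from the scenario text.
"""


def exposure_factor(expected_loss: float, asset_value: float) -> float:
    """EF: fraction of the asset's value destroyed by one occurrence (0.0 to 1.0)."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    if not 0 <= expected_loss <= asset_value:
        raise ValueError("expected loss must lie between 0 and the asset value")
    return expected_loss / asset_value


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = AV x EF: dollar loss expected from a single occurrence."""
    return asset_value * ef


def annualized_rate_of_occurrence(recurrence_interval_years: float) -> float:
    """ARO = 1 / recurrence interval; a 'once in 200 years' event has ARO 0.005."""
    if recurrence_interval_years <= 0:
        raise ValueError("recurrence interval must be positive")
    return 1 / recurrence_interval_years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year, the figure used to justify control spend."""
    return sle * aro


def assess(asset_value: float, expected_loss: float,
           recurrence_interval_years: float) -> dict:
    """Run the full EF -> SLE -> ARO -> ALE chain and return every intermediate value."""
    ef = exposure_factor(expected_loss, asset_value)
    sle = single_loss_expectancy(asset_value, ef)
    aro = annualized_rate_of_occurrence(recurrence_interval_years)
    return {
        "EF": ef,
        "SLE": sle,
        "ARO": aro,
        "ALE": annualized_loss_expectancy(sle, aro),
    }


def atwood_landing() -> dict:
    """Scenario values: $10M asset, $5M damage per tornado, one tornado per 200 years."""
    return assess(asset_value=10_000_000, expected_loss=5_000_000,
                  recurrence_interval_years=200)


def flood_plain_aro() -> float:
    """A 100-year flood plain means one flood expected per 100 years."""
    return annualized_rate_of_occurrence(100)


if __name__ == "__main__":
    for name, value in atwood_landing().items():
        print(f"{name:>4}: {value:,.4f}")
    print(f"100-year flood ARO: {flood_plain_aro()}")
```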

John is analyzing an attack against his company in which the attacker found comments embedded in HTML code that provided the clues needed to exploit a software vulnerability. Using the STRIDE model, what type of attack did he uncover?

Spoofing

Repudiation

Information disclosure

Elevation of privilege

Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?

His supply chain

His vendor contracts

His post-purchase build process

The original equipment manufacturer (OEM)

In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and is approved, another employee moves the code to the production environment. What security management practice does this process describe?

Regression testing

Code review

Change management

Fuzz testing

After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95% completion rate he was aiming for. What is this type of measure called?

A KPI

A metric

An awareness control

A return on investment rate

Which of the following is not typically included in a prehire screening process?

A drug test

A background check

Social media review

Fitness evaluation

Which of the following would normally be considered a supply chain risk? (Select all that apply.)

Adversary tampering with hardware prior to being shipped to the end customer

Adversary hacking into a web server run by the organization in an IaaS environment

Adversary using social engineering to compromise an employee of a SaaS vendor to gain access to customer accounts

Adversary conducting a denial-of-service attack using a botnet

Match the following numbered laws or industry standards to their lettered description:

Laws and industry standards:

1. GLBA

2. PCI DSS

3. HIPAA

4. SOX

Descriptions:

A. A U.S. law that requires covered financial institutions to provide their customers with a privacy notice on a yearly basis

B. A U.S. law that requires internal controls assessments, including IT transaction flows, for publicly traded companies

C. An industry standard that covers organizations that handle payment cards

D. A U.S. law that provides data privacy and security requirements for medical information