CISSP EXAM QUESTIONS AND ANSWERS WITH SOLUTIONS 2024

Pages: 30
Grade: A+
Uploaded on: 16-08-2024
Written in: 2024/2025

Institution: CISSP
Course: CISSP

Document information

Type: Exam (elaborations)
Contains: Questions & answers

CIA Triangle - ANSWER Cornerstone of infosec. Confidentiality, Integrity, Availability

Confidentiality (CIA Triangle) - ANSWER prevention of unauthorized disclosure of information; prevention of unauthorized read access to data

Integrity (CIA Triangle) - ANSWER prevention of unauthorized modification of data; prevention of unauthorized write access to data

Availability (CIA Triangle) - ANSWER ensures data is available when needed to authorized users

Opposing forces to CIA - ANSWER DAD: disclosure, alteration, destruction

identification - ANSWER the process by which a subject professes an identity and accountability is initiated; ex: typing a username, swiping a smart card, waving a proximity device (badging in), speaking a phrase, etc - always a two step process with authenticating

authentication - ANSWER verification that a person is who they say they are; ex: entering a password or PIN, biometrics, etc - always a two step process with identifying

authorization - ANSWER verification of a person's access or privileges to applicable data

auditing (monitoring) - ANSWER recording a log of the events and activities related to the system and subjects

accounting (accountability) - ANSWER reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions

non-repudiation - ANSWER a user cannot deny having performed a specific action

subject - ANSWER an entity that performs active functions to a system; usually a person, but can also be a script or program designed to perform actions on data

object - ANSWER any passive data within the system

ISC2 Code of Ethics Canons (4) - ANSWER
1. protect society, commonwealth, infrastructure
2. act honorably, justly, responsibly, legally
3. provide diligent and competent service
4. advance and protect the profession

The canons are strictly applied in order; on exam questions in which multiple canons could be the answer, choose the highest priority per this order.

policy - ANSWER mandatory high level management directives; components of policy:
1. purpose: describes the need for policy
2. scope: what systems, people, facilities, organizations are covered
3. responsibilities: specific duties of involved parties
4. compliance: effectiveness of policy, violations of policy

procedure - ANSWER low level step by step guide for accomplishing a task

standard - ANSWER describes the specific use of technology applied to hardware or software; mandatory

guideline - ANSWER discretionary recommendations (i.e. not mandatory)

baseline - ANSWER a uniform way of implementing a standard

3 access/security control categories - ANSWER
1. administrative: implemented by creating org policy, procedure, regulation. user awareness/training also fall here
2. technical: implemented using hardware, software, firmware that restricts logical access to a system
3. physical: locks, fences, walls, etc

preventive access control (can be administrative, technical, physical) - ANSWER prevents actions from occurring by applying restrictions on what a user can do. example: privilege level

detective access control (can be administrative, technical, physical) - ANSWER controls that alert during or after a successful attack; alarm systems, or closed circuit tv

corrective access control (can be administrative, technical, physical) - ANSWER repairing a damaged system; often works hand in hand with detective controls (e.g. antivirus software)

recovery access control (can be administrative, technical, physical) - ANSWER controls to restore a system after an incident has occurred;

deterrent access control (can be administrative, technical, physical) - ANSWER deters users from performing actions on a system

compensating access control (can be administrative, technical, physical) - ANSWER additional control used to compensate for weaknesses in other controls as needed

risk formula - ANSWER risk = threat x vulnerability x impact

market approach (for calculating intangible assets) - ANSWER assumes the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances
