Exam (elaborations)

CISSP OSG QUESTIONS AND ANSWERS WITH SOLUTIONS 2024

Pages: 40
Grade: A+
Uploaded on: 17-08-2024
Written in: 2024/2025

What are the three common types of security evaluation? - ANSWER Risk Assessment, Vulnerability
Assessment and Penetration testing



What is a risk assessment? - ANSWER Risk assessment is the process of identifying assets, threats, and
vulnerabilities, and then using that information to calculate risk



What is a vulnerability assessment? - ANSWER A vulnerability assessment uses automated tools to locate
known security weaknesses, which can be addressed by adding in more defences or adjusting existing
protections



What is penetration testing? - ANSWER Penetration testing uses trusted individuals to stress-test the
security infrastructure to find issues that may not be discovered by other means.



What is confidentiality? - ANSWER Confidentiality is the concept of the measures used to ensure the
protection of the secrecy of data, objects, or resources



What is the goal of confidentiality? - ANSWER Prevent or minimize unauthorized access to data.



Encryption, network traffic padding, strict access control, rigorous authentication procedures, and data
classification help support what? - ANSWER Confidentiality



What is sensitivity? - ANSWER Sensitivity refers to the quality of information, which could cause harm or
damage if disclosed



What is discretion? - ANSWER Discretion is an act of decision where an operator can influence or control
disclosure in order to minimise harm or damage



What is criticality? - ANSWER The level to which information is mission critical is its measure of criticality;
the higher the criticality, the more likely the need to maintain the confidentiality of the information

What is concealment? - ANSWER Concealment is the act of hiding or preventing disclosure.



What is secrecy? - ANSWER Secrecy is the act of keeping something a secret or preventing the disclosure
of information



What is privacy? - ANSWER Privacy refers to keeping information confidential that is personally
identifiable or that might cause harm, embarrassment, or disgrace to someone if revealed



What is seclusion? - ANSWER Seclusion involves storing something in an out-of-the-way location, likely
with strict access controls



What is isolation? - ANSWER Isolation is the act of keeping something separated from others



What is integrity? - ANSWER Integrity is the concept of protecting the reliability and correctness of data.



What does integrity protection prevent? - ANSWER Integrity protection prevents unauthorised
alterations of data



What are 5 countermeasures to ensure integrity against possible threats? - ANSWER Strict access
controls, rigorous authentication procedures, intrusion detection systems, object/data encryption and
hash verifications



What are the seven aspects of integrity? - ANSWER Accuracy, truthfulness, validity, accountability,
responsibility, completeness and comprehensiveness



What is availability? - ANSWER Availability means authorised subjects are granted timely and
uninterrupted access to objects.



What are 6 threats to availability? - ANSWER Device failure, software errors, environmental issues, DoS
attacks, object destruction and communication interruptions

What are 6 countermeasures that can ensure availability against possible threats? - ANSWER
Intermediary delivery systems, effective access controls, performance monitoring, firewalls/routers,
redundancy for critical systems and lastly, backup systems.



What are the three aspects of availability? - ANSWER Usability, Accessibility and Timeliness



What is the opposite of the CIA triad? - ANSWER The DAD Triad: Disclosure, Alteration and Destruction



When does disclosure occur? - ANSWER Disclosure occurs when sensitive or confidential material is
accessed by unauthorised entities



When does alteration occur? - ANSWER Alteration occurs when data is either maliciously or accidentally
changed.



When does destruction occur? - ANSWER Destruction occurs when a resource is damaged or made
inaccessible to authorised users.



Overprotecting confidentiality can result in a restriction of _______________ - ANSWER Availability



Overprotecting integrity can result in a restriction of __________ - ANSWER Availability



Over-providing availability can result in a loss of ___________ and ____________ - ANSWER
Confidentiality and Integrity



What is authenticity? - ANSWER Authenticity is the security concept that data is authentic or genuine
and originates from its alleged source.



What does non-repudiation ensure? - ANSWER Non-repudiation ensures that the subject of an activity
or who caused an event cannot deny that the event occurred.



What 5 concepts make non-repudiation possible? - ANSWER Identification, Authentication,
Authorisation, Accountability, and Auditing

Non-repudiation is an essential part of ____________ - ANSWER Accountability



What do the 3 A's in AAA services mean? - ANSWER Authentication, Authorisation and Accounting (or
Auditing)



What are the 5 elements of AAA services? - ANSWER Identification, Authentication, Authorisation,
auditing and accounting.



What is identification? - ANSWER Identification is claiming to be an identity when attempting to access a
secured area or system.



What is authentication? - ANSWER Authentication is proving that you are who you say you are



What is authorisation? - ANSWER Authorisation is defining the permissions of a resource and object
access for a specific identity or subject



What is auditing? - ANSWER Auditing is recording a log of the events and activities related to the system
and subjects.



What is accounting? - ANSWER Accounting is reviewing log files to check for compliance and violations in
order to hold subjects accountable.



What is defence in depth? - ANSWER Defence in depth, AKA layering, is the use of multiple controls in a
series



What is abstraction? - ANSWER Abstraction is a process of hiding the implementation details and
showing only functionality to the user.



What is abstraction used for? - ANSWER Abstraction is used for efficiency. Similar elements are put into
groups that are assigned security controls/restrictions
