©BRAINBARTER EXAM SOLUTIONS 2024/2025
ALL RIGHTS RESERVED.
CISSP Official ISC2 practice tests (All
domains) Questions And Correct Answers
1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost.benefit analysis. - answer✔D.
The final step of a quantitative risk analysis is conducting a cost/benefit analysis to
determine whether the organisation should implement proposed countermeasure(s).
2. An evil twin attack that broadcasts a legitimate SSID for an unauthorised network is an
example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering - answer✔A.
Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email
addresses, names, or, in the case of an evil twin attack, SSIDs.
3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require
prompt action by an Internet service provider after it receives a notification of
infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
1|Page
, ©BRAINBARTER EXAM SOLUTIONS 2024/2025
ALL RIGHTS RESERVED.
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine - answer✔C.
The DMCA states that providers are not responsible for the transitory activities of
their users. Transmission of information over a network would qualify for this exemption. The
other activities listed are all nontransitory actions that require
remediation by the provider.
4. FlyAway Travel has offices in both the European Union and the United States and transfers
personal information between those offices regularly. Which of the seven
requirements for processing personal information states that organizations must inform
individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement - answer✔A.
The Notice principle says that organizations must inform individuals of the information the
organization collects about individuals and how the organization will use it. These principles are
based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in
2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing,
processing or transmitting data on EU or
Swiss citizens.
5. Which one of the following is not one of the three common threat modeling techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering - answer✔D.
The three common threat modeling techniques are focused on attackers, software,
2|Page
, ©BRAINBARTER EXAM SOLUTIONS 2024/2025
ALL RIGHTS RESERVED.
and assets. Social engineering is a subset of attackers.
6. Which one of the following elements of information is not considered personally identifiable
information that would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number - answer✔A.
Most state data breach notification laws are modeled after California's law, which
covers Social Security number, driver's license number, state identification card number,
credit/debit card numbers, bank account numbers (in conjunction with a PIN or password),
medical records, and health insurance information.
7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to
take personal responsibility for information security matters. What is
the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule - answer✔C.
The prudent man rule requires that senior executives take personal responsibility
for ensuring the due care that ordinary, prudent individuals would exercise in the same
situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines
applied them to information security matters in 1991.
8. Which one of the following provides an authentication mechanism that would be
appropriate for pairing with a password to achieve multifactor authentication?
A. Username
3|Page
, ©BRAINBARTER EXAM SOLUTIONS 2024/2025
ALL RIGHTS RESERVED.
B. PIN
C. Security question
D. Fingerprint scan - answer✔D.
A fingerprint scan is an example of a "something you are" factor, which would be
appropriate for pairing with a "something you know" password to achieve multifactor
authentication. A username is not an authentication factor. PINs and security questions are
both "something you know," which would not achieve multifactor
authentication when paired with a password because both methods would come from
the same category, failing the requirement for multifactor authentication.
9. What United States government agency is responsible for administering the terms of safe
harbor agreements between the European Union and the United States under the EU Data
Protection Directive?
A. Department of Defense
B. Department of the Treasury
C. State Department
D. Department of Commerce - answer✔D.
The US Department of Commerce is responsible for implementing the EU-US Safe
Harbor agreement. The validity of this agreement was in legal question in the wake of
the NSA surveillance disclosures.
10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues
related to customer checking accounts. Which one of the following laws is most
likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA - answer✔A.
4|Page
ALL RIGHTS RESERVED.
CISSP Official ISC2 practice tests (All
domains) Questions And Correct Answers
1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost.benefit analysis. - answer✔D.
The final step of a quantitative risk analysis is conducting a cost/benefit analysis to
determine whether the organisation should implement proposed countermeasure(s).
2. An evil twin attack that broadcasts a legitimate SSID for an unauthorised network is an
example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering - answer✔A.
Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email
addresses, names, or, in the case of an evil twin attack, SSIDs.
3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require
prompt action by an Internet service provider after it receives a notification of
infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
1|Page
, ©BRAINBARTER EXAM SOLUTIONS 2024/2025
ALL RIGHTS RESERVED.
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine - answer✔C.
The DMCA states that providers are not responsible for the transitory activities of
their users. Transmission of information over a network would qualify for this exemption. The
other activities listed are all nontransitory actions that require
remediation by the provider.
4. FlyAway Travel has offices in both the European Union and the United States and transfers
personal information between those offices regularly. Which of the seven
requirements for processing personal information states that organizations must inform
individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement - answer✔A.
The Notice principle says that organizations must inform individuals of the information the
organization collects about individuals and how the organization will use it. These principles are
based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in
2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing,
processing or transmitting data on EU or
Swiss citizens.
5. Which one of the following is not one of the three common threat modeling techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering - answer✔D.
The three common threat modeling techniques are focused on attackers, software,
2|Page
, ©BRAINBARTER EXAM SOLUTIONS 2024/2025
ALL RIGHTS RESERVED.
and assets. Social engineering is a subset of attackers.
6. Which one of the following elements of information is not considered personally identifiable
information that would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number - answer✔A.
Most state data breach notification laws are modeled after California's law, which
covers Social Security number, driver's license number, state identification card number,
credit/debit card numbers, bank account numbers (in conjunction with a PIN or password),
medical records, and health insurance information.
7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to
take personal responsibility for information security matters. What is
the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule - answer✔C.
The prudent man rule requires that senior executives take personal responsibility
for ensuring the due care that ordinary, prudent individuals would exercise in the same
situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines
applied them to information security matters in 1991.
8. Which one of the following provides an authentication mechanism that would be
appropriate for pairing with a password to achieve multifactor authentication?
A. Username
3|Page
, ©BRAINBARTER EXAM SOLUTIONS 2024/2025
ALL RIGHTS RESERVED.
B. PIN
C. Security question
D. Fingerprint scan - answer✔D.
A fingerprint scan is an example of a "something you are" factor, which would be
appropriate for pairing with a "something you know" password to achieve multifactor
authentication. A username is not an authentication factor. PINs and security questions are
both "something you know," which would not achieve multifactor
authentication when paired with a password because both methods would come from
the same category, failing the requirement for multifactor authentication.
9. What United States government agency is responsible for administering the terms of safe
harbor agreements between the European Union and the United States under the EU Data
Protection Directive?
A. Department of Defense
B. Department of the Treasury
C. State Department
D. Department of Commerce - answer✔D.
The US Department of Commerce is responsible for implementing the EU-US Safe
Harbor agreement. The validity of this agreement was in legal question in the wake of
the NSA surveillance disclosures.
10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues
related to customer checking accounts. Which one of the following laws is most
likely to apply to this situation?
A. GLBA
B. SOX
C. HIPAA
D. FERPA - answer✔A.
4|Page
