CISSP Practice Exam Notes: Questions with Answers & Rationales | 2026/2027
All of the following controls are important to specify when defining a data classification scheme, except:
A) Marking, labeling, and handling procedures
B) Physical security protections
C) Backup and recovery procedures
D) Personnel clearance procedures
D is correct. The clearance of personnel should be conducted independently of the classification of the data that may be accessed.
Which of the following firewall types keeps track of each ongoing dialog between internal and external systems?
A) Packet filtering
B) Circuit-level proxy
C) Stateful
D) Application-level proxy
C is correct. Stateful firewalls use state tables to keep track of each step of communication between systems. This provides a higher level of protection than packet filtering, because it makes access decisions based on the steps that have already been completed in the dialog.
Which of the following is NOT a recommended procedure to enact as part of an employee termination process?
A) Immediately disable all of the employee's accounts and passwords.
B) Ensure the employee surrenders any of the company's badges and keys in their possession.
1
, Joshi
C) Confiscate all devices in the employee's possession that contain company data.
D) Ensure the employee leaves immediately upon termination, escorted by a supervisor.
C is correct. While the other procedures listed are reasonable, proper, and within the company's purview, it simply may not be possible—or even reasonable—to collect from the employee all devices which are known to contain company data. Particularly in a bring your own device (BYOD) environment, it is almost certain that the employee's personal mobile device contains corporate data, and such devices most likely will not be surrendered willingly. It may be possible for the company to remotely wipe some mobile devices, but only if the employee consented in advance to such measures as part of a signed employment agreement.
Nancy is a new network administrator and has been faced with the decision of implementing either direct access backup systems or sequential access backup storage devices. Which of the following does not properly describe these types of technologies?
A) Any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position
B) Any point on a Sequential Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Direct Access Storage Device must be traversed in order to reach the desired position
C) Some tape drives have minimal amounts of Direct Access intelligence built in
D) Tape drives are Sequential Access Storage Devices
B is correct. The key distinction between Direct Access and Sequential Access storage devices is that any point on a Direct Access Storage Device may be promptly reached, whereas every point in between the current position and the desired position of a Sequential Access Storage Device must be traversed in order to reach the desired position. Tape drives are Sequential Access Storage Devices. Some tape drives have minimal amounts of Direct Access intelligence built in. These include multitrack tape devices that store at specific points on the tape and cache in the tape drive information about where major sections of data on the tape begin, allowing the tape drive to more quickly reach a track and a point on the track from which to begin the now much shorter traversal of data from that indexed point to the desired point. While this makes such tape drives noticeably faster than their purely sequential peers, the difference in performance between Sequential and Direct Access Storage Devices is orders of magnitude.
There are different types of biometric systems in the industry today. Some make authentication decisions based on behavior and some make authentication decisions based on physical attributes. Which of the following is the best description of their differences?
uses behavior attributes.
B) A system that uses behavior attributes provides more accuracy than one that uses physical attributes.
C) A fingerprint system is an example of a physical attribute and an iris system is an example of a behavior system.
D) A voice print system is an example of a behavior and signature dynamics is an example of a physical attribute.
A is correct. A biometric system can make authentication decisions based on an individual's behavior, as in signature dynamics and voice prints, but these can change over time and possibly be forged. Biometric systems that base authentication decisions on physical attributes (iris, retina, fingerprint) provide more accuracy, because they do not change as often and are harder to impersonate.
MSP, PGP, PEM, and S/MIME are examples of which of the following?
A) Digital signing algorithms
B) E-mail standards
C) Asymmetric cryptography algorithms
D) Hashing standards
B is correct. These are examples of different e-mail standards: MSP (Message Security Protocol), PGP (Pretty Good Privacy), PEM (Privacy Enhanced Mail), and S/MIME (Secure Multipurpose Internet Mail Extensions).
Tom is setting up computers at a trade show for his company's booth. The computers will give customers the opportunity to access a new product but will also take them onto a live network. Which control would be the best fit to offer the necessary protection from public users gaining privileged access?
B) Role-based.
C) Discretionary-based.
D) Network segregation.
A is correct. Constrained user interfaces would be the perfect choice for this trade show scenario. The interface can be physically constrained, as in a kiosk system, or logically constrained through the use of properly configured profiles, menus, and shells.
Who has the primary responsibility of determining the classification level for information?
B) Owner
C) User
D) Functional manager
C is correct. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.
One mode that triple-DES can work in uses three DES operations with an encrypt/decrypt/encrypt sequence and three separate keys. What is this called?
A) Double DES