CISSP Exam Questions And Correct Answers
CIA Triangle - answer✔Cornerstone of infosec. Confidentiality, Integrity, Availability
Confidentiality (CIA Triangle) - answer✔prevention of unauthorized disclosure of information;
prevention of unauthorized read access to data
Integrity (CIA Triangle) - answer✔prevention of unauthorized modification of data; prevention
of unauthorized write access to data
Availability (CIA Triangle) - answer✔ensures data is available to authorized users when needed
Opposing forces to CIA - answer✔DAD: disclosure, alteration, destruction
identification - answer✔the process by which a subject professes an identity and accountability
is initiated; ex: typing a username, swiping a smart card, waving a proximity device (badging in),
speaking a phrase, etc. - always paired with authentication as a two-step process
authentication - answer✔verification that a person is who they say they are; ex: entering a
password or PIN, biometrics, etc. - always paired with identification as a two-step process
authorization - answer✔verification of a person's access or privileges to applicable data
auditing (monitoring) - answer✔recording a log of the events and activities related to the
system and subjects
accounting (accountability) - answer✔reviewing log files to check for compliance and violations
in order to hold subjects accountable for their actions
non-repudiation - answer✔a user cannot deny having performed a specific action
subject - answer✔an entity that performs active functions on a system; usually a person, but
can also be a script or program designed to perform actions on data
object - answer✔any passive data within the system
©BRAINBARTER EXAM SOLUTIONS 2024/2025
ALL RIGHTS RESERVED.
ISC2 Code of Ethics Canons (4) - answer✔1. protect society, commonwealth, infrastructure
2. act honorably, justly, responsibly, legally
3. provide diligent and competent service
4. advance and protect the profession
applied strictly in this order; on exam questions where more than one canon could be the answer,
choose the canon with the highest priority per this order
policy - answer✔mandatory high-level management directives; components of a policy:
1. purpose: describes the need for policy
2. scope: what systems, people, facilities, organizations are covered
3. responsibilities: specific duties of involved parties
4. compliance: effectiveness of policy, violations of policy
procedure - answer✔low level step by step guide for accomplishing a task
standard - answer✔describes the specific use of technology applied to hardware or software;
mandatory
guideline - answer✔discretionary recommendations (i.e. not mandatory)
baseline - answer✔a uniform way of implementing a standard
3 access/security control categories - answer✔1. administrative: implemented by creating org
policy, procedure, regulation; user awareness/training also falls here
2. technical: implemented using hardware, software, firmware that restricts logical access to a
system
3. physical: locks, fences, walls, etc
preventive access control
(can be administrative, technical, physical) - answer✔prevents actions from occurring by
applying restrictions on what a user can do. example: privilege level
detective access control
(can be administrative, technical, physical) - answer✔controls that alert during or after a
successful attack; e.g. alarm systems or closed-circuit TV
corrective access control
(can be administrative, technical, physical) - answer✔repairing a damaged system; often works
hand in hand with detective controls (e.g. antivirus software)
recovery access control
(can be administrative, technical, physical) - answer✔controls to restore a system after an
incident has occurred
deterrent access control
(can be administrative, technical, physical) - answer✔deters users from performing actions on a
system
compensating access control
(can be administrative, technical, physical) - answer✔additional control used to compensate for
weaknesses in other controls as needed
risk formula - answer✔risk = threat x vulnerability x impact
market approach (for calculating intangible assets) - answer✔assumes the fair value of an asset
reflects the price at which comparable assets have been purchased in transactions under similar
circumstances
income approach (for calculating intangible assets) - answer✔the value of an asset is the
present value of the future earning capacity that an asset will generate over the rest of its
lifecycle
cost approach (for calculating intangible assets) - answer✔estimates the fair value based on
cost of replacement
exposure factor (EF) - answer✔percentage of the asset's value lost due to an incident
single loss expectancy (SLE) - answer✔asset value (AV) times exposure factor (EF):
AV x EF = SLE
expressed as a dollar value
annual rate of occurrence (ARO) - answer✔number of losses suffered per year
annualized loss expectancy (ALE) - answer✔yearly cost due to risk