CISSP Official ISC2 Practice Tests (All Domains) exam questions with correct answers
1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.
- CORRECT ANSWER: D.
The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement the proposed countermeasure(s).

2. An evil twin attack that broadcasts a legitimate SSID for an unauthorized network is an example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering
- CORRECT ANSWER: A.
Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.

3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of an infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine
- CORRECT ANSWER: C.
The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network qualifies for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.

4. FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement
- CORRECT ANSWER: A.
The Notice principle says that organizations must inform individuals of the information the organization collects about them and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing, or transmitting data on EU or Swiss citizens.

5. Which one of the following is not one of the three common threat modeling techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering
- CORRECT ANSWER: D.
The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of the attacker-focused approach.

6. Which one of the following elements of information is not considered personally identifiable information that would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number
- CORRECT ANSWER: A.
Most state data breach notification laws are modeled after California's law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.

7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule
- CORRECT ANSWER: C.
The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.

8. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?
A. Username
B. PIN
C. Security question
D. Fingerprint scan
- CORRECT ANSWER: D.
A fingerprint scan is an example of a "something you are" factor, which would be appropriate for pairing with a "something you know" password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both "something you know," which would not achieve multifactor authentication when paired with a password because both methods come from the same category, failing the requirement for multifactor authentication.

9. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive?
A. Department of Defense
B. Department of the Treasury
C. State Department
D. Department of Commerce
- CORRECT ANSWER: D.
The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of