Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CISSPFree trial

By isc

Verified

25Q per page

Question 76

Building blocks for software-defined networks (SDN) require which of the following?

A: The SDN is composed entirely of client-server pairs.
B: Random-access memory (RAM) is used in preference to virtual memory.
C: The SDN is mostly composed of virtual machines (VM).
D: Virtual memory is used in preference to random-access memory (RAM).

—

Question 77

What is the MINIMUM standard for testing a disaster recovery plan (DRP)?

A: Quarterly or more frequently depending upon the advice of the information security manager
B: As often as necessary depending upon the stability of the environment and business requirements
C: Annually or less frequently depending upon audit department requirements
D: Semi-annually and in alignment with a fiscal half-year business cycle

—

Question 78

Which security audit standard provides the BEST way for an organization to understand a vendor's Information Systems (IS) in relation to confidentiality, integrity, and availability?

A: Service Organization Control (SOC) 2
B: Statement on Standards for Attestation Engagements (SSAE) 18
C: Statement on Auditing Standards (SAS) 70
D: Service Organization Control (SOC) 1

—

Question 79

An organization is looking to include mobile devices in its asset management system for better tracking. In which system tier of the reference architecture would mobile devices be tracked?

A: 0
B: 1
C: 2
D: 3

—

Question 80

An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of?

A: Allowed number of characters
B: Population of required fields
C: Reasonable data
D: Session testing

—

Question 81

An organization is considering partnering with a third-party supplier of cloud services. The organization will only be providing the data and the third-party supplier will be providing the security controls. Which of the following BEST describes this service offering?

A: Platform as a Service (PaaS)
B: Anything as a Service (XaaS)
C: Infrastructure as a Service (IaaS)
D: Software as a Service (SaaS)

—

Question 82

Which of the following factors should be considered characteristics of Attribute Based Access Control (ABAC) in terms of the attributes used?

A: Mandatory Access Control (MAC) and Discretionary Access Control (DAC)
B: Discretionary Access Control (DAC) and Access Control List (ACL)
C: Role Based Access Control (RBAC) and Mandatory Access Control (MAC)
D: Role Based Access Control (RBAC) and Access Control List (ACL)

—

Question 83

Which of the following is the MOST significant key management problem due to the number of keys created?

A: Exponential growth when using symmetric keys
B: Exponential growth when using asymmetric keys
C: Storage of the keys require increased security
D: Keys are more difficult to provision and revoke

—

Question 84

Systems Security Professional (CISSP) with identity and access management (IAM) responsibilities is asked by the Chief Information Security Officer (CISO) to perform a vulnerability assessment on a web application to pass a Payment Card Industry (PCI) audit. The CISSP has never performed this before. According to the (ISC)
Code of Professional Ethics, which of the following should the CISSP do?

A: Inform the CISO that they are unable to perform the task because they should render only those services for which they are fully competent and qualified
B: Since they are CISSP certified, they have enough knowledge to assist with the request, but will need assistance in order to complete it in a timely manner
C: Review the CISSP guidelines for performing a vulnerability assessment before proceeding to complete it
D: Review the PCI requirements before performing the vulnerability assessment

—

Question 85

While performing a security review for a new product, an information security professional discovers that the organization's product development team is proposing to collect government-issued identification (ID) numbers from customers to use as unique customer identifiers. Which of the following recommendations should be made to the product development team?

A: Customer identifiers should be a variant of the user's government-issued ID number.
B: Customer identifiers should be a cryptographic hash of the user's government-issued ID number.
C: Customer identifiers that do not resemble the user's government-issued ID number should be used.
D: Customer identifiers should be a variant of the user's name, for example, "jdoe" or "john.doe."

—

Question 86

The development team has been tasked with collecting data from biometric devices. The application will support a variety of collection data streams. During the testing phase, the team utilizes data from an old production database in a secure testing environment. What principle has the team taken into consideration?

A: Biometric data cannot be changed.
B: The biometric devices are unknown.
C: Biometric data must be protected from disclosure.
D: Separate biometric data streams require increased security.

—

Question 87

Information security practitioners are in the midst of implementing a new firewall. Which of the following failure methods would BEST prioritize security in the event of failure?

A: Failover
B: Fail-Closed
C: Fail-Safe
D: Fail-Open

—

Question 88

Which of the following services can be deployed via a cloud service or on-premises to integrate with Identity as a Service (IDaaS) as the authoritative source of user identities?

A: Multi-factor authentication (MFA)
B: Directory
C: User database
D: Single sign-on (SSO)

—

Question 89

Which of the following statements is TRUE about Secure Shell (SSH)?

A: SSH supports port forwarding, which can be used to protect less secured protocols.
B: SSH does not protect against man-in-the-middle (MITM) attacks.
C: SSH is easy to deploy because it requires a Web browser only.
D: SSH can be used with almost any application because it is concerned with maintaining a circuit.

—

Question 90

Which of the following is the BEST way to protect an organization's data assets?

A: Encrypt data in transit and at rest using up-to-date cryptographic algorithms.
B: Monitor and enforce adherence to security policies.
C: Require Multi-Factor Authentication (MFA) and Separation of Duties (SoD).
D: Create the Demilitarized Zone (DMZ) with proxies, firewalls and hardened bastion hosts.

—

Question 91

What is considered a compensating control for not having electrical surge protectors installed?

A: Having dual lines to network service providers built to the site
B: Having a hot disaster recovery (DR) environment for the site
C: Having network equipment in active-active clusters at the site
D: Having backup diesel generators installed to the site

—

Question 92

What is the FIRST step in risk management?

A: Identify the factors that have potential to impact business.
B: Establish the scope and actions required.
C: Identify existing controls in the environment.
D: Establish the expectations of stakeholder involvement.

—

Question 93

Which of the following is the PRIMARY goal of logical access controls?

A: Restrict access to an information asset.
B: Ensure availability of an information asset.
C: Restrict physical access to an information asset.
D: Ensure integrity of an information asset.

—

Question 94

Which of the following is a covert channel type?

A: Pipe
B: Memory
C: Storage
D: Monitoring

—

Question 95

A software developer wishes to write code that will execute safely and only as intended. Which of the following programming language types is MOST likely to achieve this goal?

A: Weakly typed
B: Dynamically typed
C: Strongly typed
D: Statically typed

—

Question 96

Which of the following roles is responsible for ensuring that important datasets are developed, maintained, and are accessible within their defined specifications?

A: Data Custodian
B: Data Reviewer
C: Data User
D: Data Owner

—

Question 97

What is static analysis intended to do when analyzing an executable file?

A: Search the documents and files associated with the executable file.
B: Analyze the position of the file in the file system and the executable file's libraries.
C: Collect evidence of the executable file's usage, including dates of creation and last use.
D: Disassemble the file to gather information about the executable file's function.

—

That’s the end of your free questions

You’ve reached the preview limit for CISSP

Consider upgrading to gain full access!

Page 4 of 20 • Questions 76-100 of 484

←

2 3 4 5 6

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!