CISSP Practice Test Questions Updated 1533 Questions [Q290-Q309]


NEW QUESTION # 290
The process of mutual authentication involves a computer system authenticating a user and authenticating the

  • A. user to the audit process.
  • B. computer system to the user.
  • C. user's access to all authorized objects.
  • D. computer system to the audit process.

Answer: B


NEW QUESTION # 291
Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?

  • A. Management teams will understand the testing objectives and reputational risk to the organization
  • B. Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken
  • C. Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability
  • D. Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

Answer: D

Explanation:
Section: Security Assessment and Testing


NEW QUESTION # 292
What is the MAIN purpose of a security assessment plan?

  • A. Provide technical information to executives to help them understand information security postures and secure funding.
  • B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.
  • C. Provide education to employees on security and privacy, to ensure their awareness on policies and procedures
  • D. Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation

Answer: B

Explanation:
The main purpose of a security assessment plan is to provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments. A security assessment plan defines the scope, criteria, methods, roles, and responsibilities of the security assessment process, which is the process of evaluating and testing the effectiveness and compliance of the security and privacy controls implemented in an information system. A security assessment plan helps to ensure that the security assessment process is consistent, systematic, and comprehensive. A security assessment plan does not provide guidance on security requirements, as this is the role of a security requirements analysis or a security architecture design. A security assessment plan does not provide technical information to executives, as this is the role of a security report or a security briefing. A security assessment plan does not provide education to employees, as this is the role of a security awareness or a security training program.


NEW QUESTION # 293
What kind of encryption is realized in the S/MIME-standard?

  • A. Elliptic curve based encryption
  • B. Public key based, hybrid encryption scheme
  • C. Password based encryption scheme
  • D. Asymmetric encryption scheme

Answer: B

Explanation:
Secure MIME (S/MIME) is a standard for encrypting and digitally signing electronic mail and for providing secure data transmissions. S/MIME extends the MIME standard by allowing for the encryption of e-mail and attachments. The encryption and hashing algorithms can be specified by the user of the mail package, instead of having them dictated. S/MIME follows the Public Key Cryptography Standards (PKCS). S/MIME provides confidentiality through encryption algorithms, integrity through hashing algorithms, authentication through the use of X.509 public key certificates, and nonrepudiation through cryptographically signed message digests.
A user that sends a message with confidential information can keep the contents private while it travels to its destination by using message encryption. For message encryption, a symmetric algorithm (DES, 3DES, or in older implementations RC2) is used to encrypt the message data. The key used for this process is a one-time bulk key generated at the email client. The recipient of the encrypted message needs the same symmetric key to decrypt the data, so the key needs to be communicated to the recipient in a secure manner. To accomplish that, an asymmetric key algorithm (RSA or Diffie-Hellman) is used to encrypt and securely exchange the symmetric key. The key used for this part of the message encryption process is the recipient's public key. When the recipient receives the encrypted message, he will use his private key to decrypt the symmetric key, which in turn is used to decrypt the message data.
As you can see, this type of message encryption uses a hybrid system, which means it uses both symmetric and asymmetric algorithms. The reason for not using the public key system to encrypt the data directly is that it requires a lot of CPU resources; symmetric encryption is much faster than asymmetric encryption. Only the content of a message is encrypted; the header of the message is not encrypted so mail gateways can read addressing information and forward the message accordingly.
Incorrect Answers:
A: The S/MIME standard does not use elliptic curve based encryption.
C: The S/MIME standard does not use a password based encryption scheme.
D: The S/MIME standard does not use asymmetric encryption to encrypt the message; for message encryption, a symmetric algorithm is used. Asymmetric encryption is used only to encrypt the symmetric key.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 850
http://www.techexams.net/technotes/securityplus/emailsecurity.shtml


NEW QUESTION # 294
For an organization considering two-factor authentication for secure network access, which of the following is MOST secure?

  • A. Smart card and biometrics
  • B. Challenge response and private key
  • C. Tokens and passphrase
  • D. Digital certificates and Single Sign-On (SSO)

Answer: A

Explanation:
For an organization considering two-factor authentication for secure network access, the most secure option is smart card and biometrics. A smart card is a physical device that contains a microchip or a magnetic stripe that stores information, such as a digital certificate, a private key, or a personal identification number (PIN). A biometric is a physical or behavioral characteristic of a user that can be measured and compared, such as a fingerprint, a retina scan, a voice print, or facial recognition. Smart card and biometrics are two different types of factors that together provide strong and reliable authentication for network access: a smart card proves that the user has a valid credential or key (something you have), while a biometric proves that the user is who they claim to be (something you are). Smart card and biometrics can prevent unauthorized or fraudulent access, as they are difficult to forge, copy, or share.


NEW QUESTION # 295
Which of the following statements BEST describes least privilege principle in a cloud environment?

  • A. Routing configurations are regularly updated with the latest routes.
  • B. Internet traffic is inspected for all incoming and outgoing packets.
  • C. A single cloud administrator is configured to access core functions.
  • D. Network segments remain private if unneeded to access the internet.

Answer: D


NEW QUESTION # 296
Which of the following is a characteristic of the independent testing of a program?

  • A. Independent testing teams help decrease the cost of creating test data and system design specification.
  • B. Independent testing teams help identify functional requirements and Service Level Agreements (SLA)
  • C. Independent testing increases the likelihood that a test will expose the effect of a hidden feature.
  • D. Independent testing decreases the likelihood that a test will expose the effect of a hidden feature.

Answer: C

Explanation:
Independent testing is a type of testing that is performed by a third-party or external entity that is not involved in the development or operation of the program. Independent testing has several advantages, such as reducing bias, increasing objectivity, and improving quality. One of the characteristics of independent testing is that it increases the likelihood that a test will expose the effect of a hidden feature. A hidden feature is a functionality or behavior of the program that is not documented or specified, and may be intentional or unintentional. Independent testing can reveal the effect of a hidden feature by using different test cases, techniques, or perspectives than the ones used by the developers or operators of the program.


NEW QUESTION # 297
A financial organization that works according to agile principles has developed a new application for their external customer base to request a line of credit. A security analyst has been asked to assess the security risk of the minimum viable product (MVP). Which is the MOST important activity the analyst should assess?

  • A. The software has the correct functionality.
  • B. The software had been branded according to corporate standards.
  • C. The software has been signed off for release by the product owner.
  • D. The software has been code reviewed.

Answer: D

Explanation:
The most important activity that the analyst should assess for the security risk of the MVP of a new application is that the software has been code reviewed. An MVP is a product development strategy that delivers a product with only the minimum or essential features that the customer or user needs, while still providing the maximum value or benefit to them. An MVP can provide various benefits, such as validating the product idea, testing the product market, obtaining customer feedback, or reducing product cost or time. A code review is a software quality assurance activity that examines and evaluates the source code of an application, using methods such as manual, automated, or peer review, to identify and resolve errors, defects, or vulnerabilities in the source code. A code review can improve software quality, functionality, and security, and enhance performance, reliability, and maintainability. Assessing that the software has been code reviewed is therefore the most important activity, as it can ensure that the software meets the security requirements and standards, and that it does not introduce or expose any security risks or issues for the customer or the user.


NEW QUESTION # 298
Which of the following is the weakest form of protection for an application that handles Personally Identifiable Information (PII)?

  • A. Security Assertion Markup Language (SAML)
  • B. Transport Layer Security (TLS)
  • C. Multifactor authentication
  • D. Ron Rivest Cipher 4 (RC4) encryption

Answer: D

Explanation:
Ron Rivest Cipher 4 (RC4) encryption is the weakest form of protection for an application that handles Personally Identifiable Information (PII). RC4 is a stream cipher that uses a variable-length key to generate a pseudorandom keystream that is XORed with the plaintext. RC4 has been found to have several vulnerabilities, such as biases in the keystream, weak keys, and plaintext recovery attacks. RC4 is no longer considered secure and has been deprecated by many standards and protocols, such as TLS and WPA.


NEW QUESTION # 299
What balance MUST be considered when web application developers determine how informative application error messages should be constructed?

  • A. Risk versus benefit
  • B. Confidentiality versus integrity
  • C. Performance versus user satisfaction
  • D. Availability versus auditability

Answer: A


NEW QUESTION # 300
A DMZ is located:

  • A. right behind your first network active firewall
  • B. right behind your first Internet facing firewall
  • C. right in front of your first Internet facing firewall
  • D. right behind your first network passive Internet http firewall

Answer: B

Explanation:
A demilitarized zone is shielded by two firewalls: one facing the Internet, and one facing the private network. The DMZ sits right behind the first Internet facing firewall.
Incorrect Answers:
A: A demilitarized zone is placed behind the first Internet facing firewall, not behind the first network active firewall.
C: A demilitarized zone is shielded by the Internet facing firewall. It is not placed outside (in front of) this firewall.
D: A demilitarized zone does not need to be placed behind a network passive Internet http firewall. It just needs to be placed behind the first Internet facing firewall.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 629


NEW QUESTION # 301
Which of the following is an example of discretionary access control?

  • A. Identity-based access control
  • B. Role-based access control
  • C. Rule-based access control
  • D. Task-based access control

Answer: A

Explanation:
Identity-based access control is a type of DAC system that allows or prevents access based on the identity of the subject.
Incorrect Answers:
B: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
C: Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object, not their security labels.
D: Task-based access control is a non-discretionary access control model, which is based on the tasks each subject must perform.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 220-228


NEW QUESTION # 302
Which of the following techniques evaluates the secure design principles of network or software architectures?

  • A. Waterfall method
  • B. Risk modeling
  • C. Fuzzing
  • D. Threat modeling

Answer: D

Explanation:
Threat modeling is a technique that evaluates the security risks and vulnerabilities of a network or software architecture, by identifying the potential threats, their likelihood, and their impact. Threat modeling can help design secure systems by applying the appropriate countermeasures and controls. Risk modeling is a similar technique, but it focuses on the overall business risks and their mitigation strategies, rather than the specific security threats. Fuzzing is a technique that tests the robustness and security of software by sending random or malformed inputs to trigger errors or crashes. Waterfall method is a software development methodology that follows a sequential and linear process, but it does not evaluate the security design principles of the architecture.


NEW QUESTION # 303
Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)?

  • A. UDP is useful for longer messages, rather than TCP.
  • B. UDP provides for Error Correction, TCP does not.
  • C. TCP does not guarantee delivery of data, while UDP does guarantee data delivery.
  • D. TCP is connection-oriented, UDP is not.

Answer: D

Explanation:
TCP is a reliable, connection-oriented transport that guarantees delivery of data.
Protocols are the rules that govern data communication between two entities. The Internet protocols send and receive data packets, and this communication may be either connectionless or connection-oriented.
In a connection-oriented scenario, the sender receives an acknowledgement from the receiver confirming that the transfer succeeded. Transmission Control Protocol (TCP) is such a protocol.
User Datagram Protocol (UDP), on the other hand, is connectionless: no feedback is sent to the sender indicating whether or not the data transfer took place. Although UDP is not a guaranteed method, it is much faster than TCP, because TCP relies on that feedback and must first complete its three-way handshake.
The following answers are incorrect:
UDP provides for Error Correction, TCP does not: UDP does not provide error correction, while TCP does.
UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to its connectionless nature.
TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is true.
References Used for this question:
http://www.cyberciti.biz/faq/key-differences-between-tcp-and-udp-protocols/
http://www.skullbox.net/tcpudp.php
James's TCP-IP FAQ - Understanding Port Numbers.


NEW QUESTION # 304
Which of the following services is not provided by a public key infrastructure (PKI)?

  • A. Integrity
  • B. Authentication
  • C. Access control
  • D. Reliability

Answer: D

Explanation:
PKI provides the confidentiality, access control, integrity, authentication, and nonrepudiation security services. Reliability is not included.
Incorrect Options:
A, B, & C: Access control, integrity, and authentication are security services provided by public key infrastructure (PKI)
Reference:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 840


NEW QUESTION # 305
Which of the following is an effective method for avoiding magnetic media data remanence?

  • A. Degaussing
  • B. Authentication
  • C. Encryption
  • D. Data Loss Prevention (DLP)

Answer: A

Explanation:
Degaussing is an effective method for avoiding magnetic media data remanence, which is the residual representation of data that remains on a storage device after it has been erased or overwritten. Degaussing is a process of applying a strong magnetic field to the storage device, such as a hard disk or a tape, to erase the data and destroy the magnetic alignment of the media.
Degaussing can ensure that the data is unrecoverable, even by forensic tools or techniques.
Encryption, DLP, and authentication are not methods for avoiding magnetic media data remanence, as they do not erase the data from the storage device, but rather protect it from unauthorized access or disclosure.


NEW QUESTION # 306
Which of the following would NOT violate the Due Diligence concept?

  • A. Latest security patches for servers being installed as per the Patch Management process
  • B. Network administrator not taking mandatory two-week vacation as planned
  • C. Data owners not laying out the foundation of data protection
  • D. Security policy being outdated

Answer: A

Explanation:
To be effective, a patch management program must be in place (due diligence) and detailed procedures would specify how and when the patches are applied properly (due care). Remember, the question asked for what is NOT a violation of due diligence; in this case, applying patches demonstrates due care, and the patch management process being in place demonstrates due diligence.
Due diligence is the act of investigating and understanding the risks the company faces. A company practices it by developing and implementing security policies, procedures, and standards. Detecting risks would be based on standards such as ISO 2700, best practices, and other published standards such as the NIST standards, for example.
Due diligence is understanding the current threats and risks. Due diligence is practiced by activities that make sure that the protection mechanisms are continually maintained and operational, where risks are constantly being evaluated and reviewed. The security policy being outdated would be an example of violating the due diligence concept.
Due care is implementing countermeasures to provide protection from those threats. Due care is taking the necessary steps to help protect the company and its resources from possible risks that have been identified. If the information owner does not lay out the foundation of data protection (doing something about it) and ensure that the directives are being enforced (actually being done and kept at an acceptable level), this would violate the due care concept.
If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence. Liability is usually established based on due diligence and due care, or the lack of either.
A good way to remember this is to use the first letter of both words within Due Diligence (DD) and Due Care (DC).
Due Diligence = Due Detect: the steps you take to identify risks based on best practices and standards.
Due Care = Due Correct: the actions you take to bring the risk level down to an acceptable level and to maintain that level over time.
The following answers were wrong:
Security policy being outdated: While having and enforcing a security policy is the right thing to do (due care), if it is outdated, you are not doing it the right way (due diligence). This option violates due diligence, not due care.
Data owners not laying out the foundation for data protection: Data owners are not recognizing the "right thing" to do. They don't have a security policy.
Network administrator not taking mandatory two-week vacation: The two-week vacation is the "right thing" to do, but not taking the vacation violates due diligence (not doing the right thing the right way).
Reference(s) used for this question:
Shon Harris, CISSP All In One, Version 5, Chapter 3, pg 110


NEW QUESTION # 307
Which disaster recovery/emergency management plan testing type below is considered the most cost-effective and efficient way to identify areas of overlap in the plan before conducting more demanding training exercises?

  • A. Evacuation drill
  • B. Table-top exercise test
  • C. Full-scale exercise
  • D. Walk-through drill

Answer: B

Explanation:
In a table-top exercise, members of the emergency management group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios. Disaster recovery/emergency management plan testing scenarios have several levels, and can be called different things. The primary hierarchy of disaster/emergency testing plan types is shown below.
Checklist review. The plan is distributed and reviewed by business units for its thoroughness and effectiveness.
Table-top exercise or structured walk-through test. Members of the emergency management group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios by stepping through the plan.
Walk-through drill or simulation test. The emergency management group and response teams actually perform their emergency response functions by walking through the test, without actually initiating recovery procedures. More thorough than the table-top exercise.
Functional drills. Test specific functions such as medical response, emergency notifications, warning and communications procedures, and equipment, although not necessarily all at once. Also includes evacuation drills, where personnel walk the evacuation route to a designated area where procedures for accounting for the personnel are tested.
Parallel test or full-scale exercise. A real-life emergency situation is simulated as closely as possible. Involves all of the participants that would be responding to the real emergency, including community and external organizations. The test may involve ceasing some real production processing.
Source: Emergency Management Guide for Business and Industry, Federal Emergency Management Agency, August 1998, and Computer Security Basics, by Deborah Russell and G.T. Gangemi, Sr. (O'Reilly, 1992).


NEW QUESTION # 308
Which of the following is the MOST common method of memory protection?

  • A. Segmentation
  • B. Virtual Local Area Network (VLAN) tagging
  • C. Error correction
  • D. Compartmentalization

Answer: A


NEW QUESTION # 309
......
