CISSP - Question Bank 06

Test your knowledge of CISSP with these multiple choice questions. Each Question Bank includes 20 practice questions that have been designed to measure your knowledge of key ideas.

A key factor to keep in mind is that guessing is better than not answering a question.

Almost every question on the CISSP exam is a four-option multiple-choice question with a single correct answer; the exam also includes a small number of drag-and-drop and hotspot items. Some questions are straightforward, such as asking you to select a definition. Some are a bit more involved, such as asking you to select the appropriate concept or best practice. And some present you with a scenario or situation and ask you to select the best response.

Q1. Which of the following is the weakest element in any security solution?

A. Software products
B. Internet connections
C. Security policies
D. Humans

The Correct Answer is D.
Explanation: Regardless of the specifics of a security solution, humans are the weakest element.

Q2. When seeking to hire new employees, what is the first step?

A. Create a job description.
B. Set position classification.
C. Screen candidates.
D. Request resumes.

The Correct Answer is A.
Explanation: The first step in hiring new employees is to create a job description. Without a job description, there is no consensus on what type of individual needs to be found and hired.

Q3. What is the primary purpose of an exit interview?

A. To return the exiting employee's personal belongings
B. To review the nondisclosure agreement
C. To evaluate the exiting employee's performance
D. To cancel the exiting employee's network access accounts

The Correct Answer is B.
Explanation: The primary purpose of an exit interview is to review the nondisclosure agreement (NDA).

Q4. When an employee is to be terminated, which of the following should be done?

A. Inform the employee a few hours before they are officially terminated.
B. Disable the employee's network access just before they are informed of the termination.
C. Send out a broadcast e-mail informing everyone that a specific employee is to be terminated.
D. Wait until you and the employee are the only people remaining in the building before announcing the termination.

The Correct Answer is B.
Explanation: You should remove or disable the employee's network user account immediately before or at the same time they are informed of their termination.

Q5. Who is liable for failing to perform prudent due care?

A. Security professionals
B. Data custodian
C. Auditor
D. Senior management

The Correct Answer is D.
Explanation: Senior management is liable for failing to perform prudent due care.

Q6. Which of the following is a document that defines the scope of security needed by an organization, lists the assets that need protection, and discusses the extent to which security solutions should go to provide the necessary protection?

A. Security policy
B. Standard
C. Guideline
D. Procedure

The Correct Answer is A.
Explanation: The document that defines the scope of an organization's security requirements is called a security policy. The policy lists the assets to be protected and discusses the extent to which security solutions should go to provide the necessary protection.

Q7. Which of the following policies is required when industry or legal standards are applicable to your organization?

A. Advisory
B. Regulatory
C. Baseline
D. Informative

The Correct Answer is B.
Explanation: A regulatory policy is required when industry or legal standards are applicable to your organization. This policy discusses the rules that must be followed and outlines the procedures that should be used to elicit compliance.

Q8. Which of the following is not an element of the risk analysis process?

A. Analyzing an environment for risks
B. Creating a cost/benefit report for safeguards to present to upper management
C. Selecting appropriate safeguards and implementing them
D. Evaluating each risk as to its likelihood of occurring and cost of the resulting damage

The Correct Answer is C.
Explanation: Risk analysis includes analyzing an environment for risks, evaluating each risk as to its likelihood of occurring and the cost of the damage it would cause, assessing the cost of various countermeasures for each risk, and creating a cost/benefit report for safeguards to present to upper management. Selecting safeguards is a task of upper management based on the results of risk analysis. It is a task that falls under risk management, but it is not part of the risk analysis process.

Q9. Which of the following would not be considered an asset in a risk analysis?

A. A development process
B. An IT infrastructure
C. A proprietary system resource
D. Users’ personal files

The Correct Answer is D.
Explanation: The personal files of users are not assets of the organization and thus not considered in a risk analysis.

Q10. Which of the following represents accidental exploitations of vulnerabilities?

A. Threat events
B. Risks
C. Threat agents
D. Breaches

The Correct Answer is A.
Explanation: Threat events are accidental exploitations of vulnerabilities.

Q11. When a safeguard or a countermeasure is not present or is not sufficient, what is created?

A. Vulnerability
B. Exposure
C. Risk
D. Penetration

The Correct Answer is A.
Explanation: A vulnerability is the absence or weakness of a safeguard or countermeasure.

Q12. Which of the following is not a valid definition for risk?

A. An assessment of probability, possibility, or chance
B. Anything that removes a vulnerability or protects against one or more specific threats
C. Risk = threat + vulnerability
D. Every instance of exposure

The Correct Answer is B.
Explanation: Anything that removes a vulnerability or protects against one or more specific threats is considered a safeguard or a countermeasure, not a risk.

Q13. When evaluating safeguards, what is the rule that should be followed in most cases?

A. Expected annual cost of asset loss should not exceed the annual costs of safeguards.
B. Annual costs of safeguards should equal the value of the asset.
C. Annual costs of safeguards should not exceed the expected annual cost of asset loss.
D. Annual costs of safeguards should not exceed 10 percent of the security budget.

The Correct Answer is C.
Explanation: The annual costs of safeguards should not exceed the expected annual cost of asset loss.

Q14. How is single loss expectancy (SLE) calculated?

A. Threat + vulnerability
B. Asset value ($) * exposure factor
C. Annualized rate of occurrence * vulnerability
D. Annualized rate of occurrence * asset value * exposure factor

The Correct Answer is B.
Explanation: SLE is calculated using the formula SLE = asset value ($) * exposure factor, where the exposure factor (EF) is the percentage of the asset's value that would be lost in a single occurrence of the threat. Multiplying SLE by the annualized rate of occurrence (ARO) then gives the annualized loss expectancy (ALE).

Q15. How is the value of a safeguard to a company calculated?

A. ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard
B. ALE before safeguard * ARO of safeguard
C. ALE after implementing safeguard + annual cost of safeguard – controls gap
D. Total risk – controls gap

The Correct Answer is A.
Explanation: The value of a safeguard to an organization is calculated by ALE before safeguard – ALE after implementing the safeguard – annual cost of safeguard.

Q16. What security control is directly focused on preventing collusion?

A. Principle of least privilege
B. Job descriptions
C. Separation of duties
D. Qualitative risk analysis

The Correct Answer is C.
Explanation: The likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme is reduced due to the higher risk of detection created by the combination of separation of duties, restricted job responsibilities, and job rotation.

Q17. Which security role is responsible for assigning the sensitivity label to objects?

A. Users
B. Data owner
C. Senior management
D. Data custodian

The Correct Answer is B.
Explanation: The data owner is responsible for assigning the sensitivity label to new objects and resources.

Q18. When you are attempting to install a new security mechanism for which there is not a detailed step-by-step guide on how to implement that specific product, which element of the security policy should you turn to?

A. Policies
B. Procedures
C. Standards
D. Guidelines

The Correct Answer is D.
Explanation: If no detailed step-by-step instructions or procedures exist, then turn to the guidelines for general principles to follow for the installation.

Q19. While performing a risk analysis, you identify a threat of fire and a vulnerability because there are no fire extinguishers. Based on this information, which of the following is a possible risk?

A. Virus infection
B. Damage to equipment
C. System malfunction
D. Unauthorized access to confidential information

The Correct Answer is B.
Explanation: The threat of a fire and the vulnerability of a lack of fire extinguishers leads to the risk of damage to equipment.

Q20. You've performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When re-performing the calculations, which of the following factors will change?

A. Exposure factor
B. Single loss expectancy
C. Asset value
D. Annualized rate of occurrence

The Correct Answer is D.
Explanation: A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year. Note that a countermeasure that limits the damage of an event rather than preventing it (a fire extinguisher, for example) would instead lower the exposure factor and hence the SLE; the asset value itself is never changed by a safeguard.
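The quantitative formulas behind Q13, Q14, Q15 and Q20 (SLE = AV * EF, ALE = SLE * ARO, safeguard value = ALE before - ALE after - annual cost, and the rule that a safeguard's annual cost should not exceed the expected annual loss) are easier to hold in mind when run end to end. The following Python is an added worked example, not part of the question bank; the server-room asset value, exposure factors, ARO figures and candidate safeguards are all constructed for illustration, and the `Safeguard` class and `evaluate_safeguards` function are names chosen here, not terms from the exam.

```python
"""Quantitative risk analysis helpers: SLE, ALE and safeguard cost/benefit.

Added worked example. All dollar figures and rates below are constructed
for illustration and are not from the question bank.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                # ACS: annual cost of the safeguard
    aro_after: float                  # ARO expected once the safeguard is in place
    ef_after: Optional[float] = None  # EF after, if the safeguard limits damage rather than frequency


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value ($) * exposure factor (EF, a fraction between 0.0 and 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * annualized rate of occurrence (ARO, expected events per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of a safeguard = ALE before - ALE after implementing it - annual cost of safeguard."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguards(asset_value, exposure_factor, aro, safeguards):
    """Re-run the SLE/ALE calculation for each candidate safeguard.

    Returns a list of dicts sorted by safeguard value, highest first. A safeguard
    is flagged cost_justified only if its value is positive AND its annual cost
    does not exceed the expected annual loss (ALE before) it addresses.
    """
    sle_before = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annualized_loss_expectancy(sle_before, aro)
    results = []
    for sg in safeguards:
        # A countermeasure normally lowers ARO; one that limits damage lowers EF instead.
        # Asset value is unchanged by any safeguard.
        ef_after = exposure_factor if sg.ef_after is None else sg.ef_after
        sle_after = single_loss_expectancy(asset_value, ef_after)
        ale_after = annualized_loss_expectancy(sle_after, sg.aro_after)
        value = safeguard_value(ale_before, ale_after, sg.annual_cost)
        results.append({
            "name": sg.name,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "annual_cost": sg.annual_cost,
            "value": value,
            "cost_justified": value > 0 and sg.annual_cost <= ale_before,
        })
    return sorted(results, key=lambda r: r["value"], reverse=True)


# Constructed scenario: a $200,000 server room facing the threat of fire.
SERVER_ROOM_VALUE = 200_000.0
FIRE_EF = 0.5    # assume a fire destroys half the asset's value
FIRE_ARO = 0.1   # assume one fire every ten years

CANDIDATES = [
    Safeguard("Fire suppression system", annual_cost=2_000.0, aro_after=0.01),
    Safeguard("Fire extinguishers", annual_cost=300.0, aro_after=0.1, ef_after=0.2),
    Safeguard("24x7 fire watch staff", annual_cost=60_000.0, aro_after=0.0),
]


def fire_risk_report():
    """Cost/benefit comparison of the constructed candidate safeguards."""
    return evaluate_safeguards(SERVER_ROOM_VALUE, FIRE_EF, FIRE_ARO, CANDIDATES)


if __name__ == "__main__":
    for r in fire_risk_report():
        print(f"{r['name']:<26} ALE before ${r['ale_before']:>10,.2f}"
              f"  ALE after ${r['ale_after']:>10,.2f}"
              f"  value ${r['value']:>12,.2f}"
              f"  {'justified' if r['cost_justified'] else 'NOT justified'}")
```

In the constructed scenario the suppression system cuts ARO and is worth $7,000 a year, the extinguishers leave ARO unchanged but cut EF and are worth $5,700, and the fire watch eliminates the risk entirely yet has a negative value because its annual cost exceeds the $10,000 expected annual loss, which is exactly the rule Q13 tests. Eliminating a risk is not the goal; spending less than the loss you avoid is.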

Copyright © 2018 | All Rights Reserved | Designed & Developed by Yeahhub.com