65+ Free CISSP Practice Test Questions to Conquer the Exam

The BIA prioritizes business functions by quantifying the operational and financial impacts of a loss, which is essential for setting recovery objectives like RTO and RPO.

The CA acts as a trusted third party that issues and signs digital certificates, confirming that a specific public key belongs to the entity named in the certificate.

A worm is a standalone piece of malware that exploits network vulnerabilities to replicate and spread itself to other systems autonomously.

A digital signature is created using the sender’s private key on a hash of the message, which can be verified by anyone with the sender’s public key, thus ensuring authenticity, integrity, and non-repudiation.

Bell-LaPadula is primarily concerned with preventing the unauthorized disclosure of information by enforcing rules like ‘no read up’ and ‘no write down’.

PaaS provides a complete development and deployment environment in the cloud, where the provider abstracts away the underlying infrastructure, including the OS and runtime.

DLP solutions inspect data in motion, at rest, and in use to detect and prevent policy violations, such as emailing confidential documents to a personal account.

Due care is the action-oriented component, meaning the organization is actively taking the correct steps to protect itself, sometimes referred to as ‘doing the right thing’.

The goal is to strengthen the ‘human firewall’ by educating staff about threats like phishing, proper data handling, and password security, thereby reducing human error.

This model enforces integrity by ensuring that users can only access data through trusted, certified programs (transformation procedures), not directly.

A black box test simulates an external attacker with no internal information, requiring the tester to discover vulnerabilities from the outside.

A cold site provides only the basic infrastructure (space, power, cooling, connectivity). All IT equipment and data must be brought in, resulting in the longest recovery time.

This occurs when an alert is generated for an event that is not malicious, leading to unnecessary investigation and alert fatigue.

RBAC simplifies administration by assigning permissions to roles (e.g., ‘Accountant,’ ‘Help Desk Technician’) and then assigning users to those roles based on their responsibilities.

Administrative controls are policies, procedures, and practices directed by management, such as personnel security procedures.

A VPN encapsulates network packets in an encrypted wrapper, making them unreadable to anyone eavesdropping on the public network (e.g., public Wi-Fi).

IoT devices are notorious for having default passwords, unpatched vulnerabilities, and a lack of security features, making them a significant weak link in an organization’s security posture.

Typically a senior manager, the data owner has the ultimate organizational responsibility for the data and is accountable for its protection and classification.

This attack involves capturing valid data transmission and maliciously replaying it to impersonate a legitimate user or repeat a transaction.

This refers to the process of managing data through its various phases (e.g., create, store, use, share, archive, destroy) and applying appropriate controls at each stage.

By adding a unique, random salt to each password before hashing, pre-computed hash tables (rainbow tables) are rendered ineffective, and identical passwords produce unique hashes.

ALE is calculated as Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO), representing the total expected yearly cost of a particular risk.

The Simple Integrity Axiom (no read down) prevents subjects from being contaminated by lower-integrity data, and the * (Star) Integrity Axiom (no write up) prevents subjects from corrupting higher-integrity data.

This component ensures that systems and data are accessible to authorized users when needed. A DDoS attack overwhelms a system to make it inaccessible.

An audit log identifies that an action has occurred after the fact, which is the defining characteristic of a detective control.

A hot site is a fully redundant data center with all necessary hardware, software, and real-time data synchronization, allowing for failover in minutes or seconds.

CPTED principles aim to create a physical environment where criminal activity is more difficult, risky, and less likely to occur by leveraging the natural environment and human behavior.

This principle involves implementing multiple, overlapping layers of security controls so that a failure in one layer does not lead to a total system compromise.

Copyright law grants exclusive rights to the creator of an original artistic or literary work, including the right to reproduce, distribute, and display the work.

BYOD is the term for the strategy of permitting employees to bring personally owned mobile devices to their workplace and use those devices to access privileged company information and applications.

Physically destroying the drive (e.g., shredding, incineration) is the most secure method of sanitization but is typically not an option for customers in a shared cloud infrastructure.

IPsec is a suite of protocols that provides security for Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

WPA2 replaced WPA and mandated the use of the stronger CCMP/AES encryption protocol, making it the long-standing secure standard for wireless networks.

RAID 5 uses disk striping with distributed parity, which allows the data on a failed drive to be reconstructed from the parity information on the remaining drives.

This is known as the avalanche effect, where a minor change in the input data results in a drastically different output, making it impossible to deduce the input from the output.

This threat category refers to the unauthorized modification of data, which compromises the principle of integrity.

A SIEM is designed specifically for this purpose: to provide a holistic view of an organization’s security posture by collecting and correlating security event data from numerous sources.

This system requires two separate triggers (e.g., a smoke detector and a sprinkler head heat activation) before releasing water, making it ideal for environments where accidental water discharge must be avoided.

Hardening aims to secure a system by minimizing its vulnerabilities. This is achieved by removing all non-essential software, services, and user accounts.

This is the final phase of the data lifecycle, where data is permanently and securely deleted to ensure it cannot be recovered.

This principle requires that critical tasks be divided among multiple individuals to prevent a single person from having the ability to commit fraud or make a significant error without detection.

This term is used for highly targeted phishing attacks aimed at senior executives or other important individuals, as they are considered ‘big fish’.

A sandbox limits the resources (e.g., memory, network access, file system) that a program can access, preventing it from harming the host system if it is malicious.

A baseline defines a known-good state of configuration settings, installed software, and security controls that serves as a template to ensure consistency and security.

A policy is the most senior type of governance document, setting the strategic direction and is a mandatory directive from senior management.

This is a chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence.

An HSM is a dedicated hardware device designed to protect the entire lifecycle of cryptographic keys, ensuring they are never exposed in a less secure environment like system memory.

This is the broad term for any attack that relies on deceiving or manipulating people to circumvent security controls or gain sensitive information.

The name refers to the fact that the vendor has had ‘zero days’ to develop a defense against the newly discovered flaw.

This approach involves implementing controls or countermeasures to reduce the likelihood or impact of a risk, which is precisely what a WAF does for SQL injection attacks.

NAT allows multiple devices on a private network to share a single public IP address for internet access, which was a key strategy for conserving IPv4 addresses.

This phase focuses on stopping the spread of the incident, eliminating the root cause (e.g., malware, compromised accounts), and then bringing affected services back online.

This is the core distinction: symmetric algorithms rely on a shared secret, while asymmetric (or public-key) algorithms use a mathematically linked key pair.

RTO defines the target time for restoration of service, while RPO defines the maximum acceptable amount of data loss, measured in time.

A digital signature uses asymmetric cryptography (the sender’s private key) to cryptographically bind the sender’s identity to the document, ensuring authenticity, integrity, and non-repudiation.

A DMZ or screened subnet is a perimeter network that exposes an organization’s external-facing services to an untrusted network like the internet while isolating them from the internal network.

Vendor lock-in occurs when an organization becomes so dependent on a specific provider’s unique platform or services that moving away is difficult and expensive, reducing negotiating power.

VLANs allow a network administrator to partition a physical network into distinct broadcast domains at Layer 2, as if they were on separate physical switches.

PCI DSS is an information security standard for organizations that handle branded credit cards from the major card schemes. Its primary purpose is to protect cardholder data.

This is the correct term for an authentication method that uses two or more different types of authentication factors (‘something you know’ and ‘something you have’).

In a public cloud, a provider makes resources such as applications and storage available to the public over the internet, with multiple customers sharing the same underlying hardware.

A SOC is a team of people, processes, and technology dedicated to the operational task of defending against security threats in real-time.

This is the second canon and governs the personal and professional conduct of the member.

A false positive is an error in which a test result incorrectly indicates the presence of a condition (such as a vulnerability) when it is not actually present.

The TCB comprises all components within a system that are responsible for supporting the security policy and the isolation of objects on which the protection is based.

A differential backup saves all files that have changed since the last full backup. To restore, one would only need the last full backup and the most recent differential backup.

This initial phase is where the foundation for security is laid by understanding the system’s purpose, identifying potential threats, and formally documenting security needs.

The AUP sets expectations for user behavior, covering topics like personal use of equipment, prohibited activities, and privacy expectations.