ISC cissp practice test

Exam Title: Certified Information Systems Security Professional Exam

Last update: Aug 11 ,2025
Question 1

What is the MAIN purpose of a security assessment plan?

  • A. Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation
  • B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.
  • C. Provide technical information to executives to help them understand information security postures and secure funding.
  • D. Provide education to employees on security and privacy, to ensure their awareness on policies and procedures
Answer:

B


vote your answer:
A
B
C
D
A 0 B 1 C 0 D 0
Comments
Question 2

What are the first two components of logical access control?

  • A. Confidentiality and authentication
  • B. Authentication and identification
  • C. Identification and confidentiality
  • D. Authentication and availability
Answer:

B


vote your answer:
A
B
C
D
A 0 B 1 C 0 D 0
Comments
Question 3

If traveling abroad and a customs official demands to examine a personal computer, which of the
following should be assumed?

  • A. The hard drive has been stolen.
  • B. The Internet Protocol (IP) address has been copied.
  • C. The hard drive has been copied.
  • D. The Media Access Control (MAC) address was stolen
Answer:

C


vote your answer:
A
B
C
D
A 0 B 0 C 1 D 0
Comments
Question 4

Spyware is BEST described as

  • A. data mining for advertising.
  • B. a form of cyber-terrorism,
  • C. an information gathering technique,
  • D. a web-based attack.
Answer:

B


vote your answer:
A
B
C
D
A 0 B 0 C 1 D 0
Comments
mariodee3
7 months, 3 weeks ago

At its core, spyware is definitely an information gathering technique. Its primary function is to collect data. Cyber-terrorism is typically defined by its intent to cause widespread disruption, fear, or harm with political or ideological motivations. While spyware could be used in a cyber-terrorism campaign (e.g., to gather intelligence for a larger attack), it's not inherently an act of cyber-terrorism itself.

Question 5

a large organization uses biometrics to allow access to its facilities. It adjusts the biometric value for
incorrectly granting or denying access so that the two numbers are the same.
What is this value called?

  • A. False Rejection Rate (FRR)
  • B. Accuracy acceptance threshold
  • C. Equal error rate
  • D. False Acceptance Rate (FAR)
Answer:

C


vote your answer:
A
B
C
D
A 0 B 0 C 1 D 0
Comments
mariodee3
7 months, 3 weeks ago

The EER is the point where the FRR and FAR are equal. It's an important metric for evaluating the overall accuracy of a biometric system.

mariodee3
7 months, 3 weeks ago

The EER is the point where the FRR and FAR are equal. It's an important metric for evaluating the overall accuracy of a biometric system.

Question 6

Which of the following would be considered an incident if reported by a security information and
event management (SIEM) system?

  • A. An administrator is logging in on a server through a virtual private network (VPN).
  • B. A log source has stopped sending data.
  • C. A web resource has reported a 404 error.
  • D. A firewall logs a connection between a client on the Internet and a web server using Transmission Control Protocol (TCP) on port 80.
Answer:

C


vote your answer:
A
B
C
D
A 0 B 0 C 1 D 0
Comments
Question 7

At which phase of the software assurance life cycle should risks associated with software acquisition
strategies be identified?

  • A. Follow-on phase
  • B. Planning phase
  • C. Monitoring and acceptance phase
  • D. Contracting phase
Answer:

C


vote your answer:
A
B
C
D
A 0 B 1 C 0 D 0
Comments
mariodee3
7 months, 3 weeks ago

The risks associated with software acquisition strategies should be identified in the Planning phase of the software assurance life cycle.  
Here's why: Early Identification: Identifying risks early in the process allows for proactive mitigation and informed decision-making. Addressing potential problems upfront is always more efficient and cost-effective than trying to fix them later.  
Foundation for Success: The planning phase sets the stage for the entire acquisition process. By identifying risks associated with different acquisition strategies (e.g., buying off-the-shelf vs. custom development), you can choose the approach that best balances your needs and risk tolerance.   Comprehensive Assessment: A thorough risk assessment in the planning phase should consider various factors, including:
Security Risks: Vulnerabilities, lack of vendor support, potential for backdoors. Legal and Compliance Risks: Licensing issues, intellectual property concerns, data privacy regulations.

Question 8

Which of the following are the B EST characteristics of security metrics?

  • A. They are generalized and provide a broad overview
  • B. They use acronyms and abbreviations to be concise
  • C. They use bar charts and Venn diagrams
  • D. They are consistently measured and quantitatively expressed
Answer:

D


vote your answer:
A
B
C
D
A 0 B 0 C 0 D 0
Comments
Question 9

What is the P R IM A R Y reason criminal law is difficult to enforce when dealing with cyber-crime?

  • A. Extradition treaties are rarely enforced.
  • B. Numerous language barriers exist.
  • C. Law enforcement agencies are understaffed.
  • D. Jurisdiction is hard to define.
Answer:

D


vote your answer:
A
B
C
D
A 0 B 0 C 0 D 0
Comments
Question 10

After the INITIAL input o f a user identification (ID) and password, what is an authentication system
that prompts the user for a different response each time the user logs on?

  • A. Persons Identification Number (PIN)
  • B. Secondary password
  • C. Challenge response
  • D. Voice authentication
Answer:

C


vote your answer:
A
B
C
D
A 0 B 0 C 0 D 0
Comments
Question 11

Which of the following terms BEST describes a system which allows a user to log in and access
multiple related servers and applications?

  • A. Remote Desktop Protocol (RDP)
  • B. Federated identity management (FIM)
  • C. Single sign-on (SSO)
  • D. Multi-factor authentication (MFA)
Answer:

B


vote your answer:
A
B
C
D
A 0 B 0 C 0 D 0
Comments
Question 12

Which of the following MUST the administrator of a security information and event management
(SIEM) system ensure?

  • A. All sources are reporting in the exact same Extensible Markup Language (XML) format.
  • B. Data sources do not contain information infringing upon privacy regulations.
  • C. All sources are synchronized with a common time reference.
  • D. Each source uses the same Internet Protocol (IP) address for reporting.
Answer:

C


vote your answer:
A
B
C
D
A 0 B 0 C 0 D 0
Comments
Question 13

Which of the following addresses requirements of security assessment during software acquisition?

  • A. Software assurance policy
  • B. Continuous monitoring
  • C. Software configuration management (SCM)
  • D. Data loss prevention (DLP) policy
Answer:

B


vote your answer:
A
B
C
D
A 0 B 0 C 0 D 0
Comments
Question 14

A recent information security risk assessment identified weak system access controls on mobile
devices as a high me In order to address this risk and ensure only authorized staff access company
information, which of the following should the organization implement?

  • A. Intrusion prevention system (IPS)
  • B. Multi-factor authentication (MFA)
  • C. Data loss protection (DLP)
  • D. Data at rest encryption
Answer:

B


vote your answer:
A
B
C
D
A 0 B 0 C 0 D 0
Comments
Question 15

Which of the following attack types can be used to compromise the integrity of data during
transmission?

  • A. Keylogging
  • B. Packet sniffing
  • C. Synchronization flooding
  • D. Session hijacking
Answer:

B


vote your answer:
A
B
C
D
A 0 B 0 C 0 D 0
Comments
Page 1 out of 99
Viewing questions 1-15 out of 1487
Go To
page 2