CISSP Official ISC2 practice tests (All domains) questions with accurate solutions and rationales

1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis. - correct answer✔✔D.
The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organisation should implement the proposed countermeasure(s).

2. An evil twin attack that broadcasts a legitimate SSID for an unauthorised network is an example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering - correct answer✔✔A.
Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.

3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine - correct answer✔✔C.
The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all nontransitory actions that require remediation by the provider.

4. FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement - correct answer✔✔A.
The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing or transmitting data on EU or Swiss citizens.

5. Which one of the following is not one of the three common threat modeling techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering - correct answer✔✔D.
The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attackers.

6. Which one of the following elements of information is not considered personally identifiable information that would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number - correct answer✔✔A.
Most state data breach notification laws are modeled after California's law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.

7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule - correct answer✔✔C.
The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.

8. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?
A. Username
B. PIN
C. Security question
D. Fingerprint scan - correct answer✔✔D.
A fingerprint scan is an example of a "something you are" factor, which would be appropriate for pairing with a "something you know" password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both "something you know," which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.

9. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive?
A. Department of Defense
B. Department of the Treasury
C. State Department
D. Department of Commerce - correct answer✔✔D.
The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of the NSA surveillance disclosures.

10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?