Answers (Verified Answers) Plus Rationales
2026 Q&A | Instant Download Pdf
1. Which of the following is the primary goal of information
security?
a) High system availability
b) Confidentiality, integrity, and availability
c) User satisfaction
d) Cost reduction
Answer: Confidentiality, integrity, and availability
Rationale: The CIA triad is the foundation of information security.
Confidentiality protects data from unauthorized access, integrity
ensures data accuracy, and availability ensures timely access to
information.
2. Which of the following best defines risk in information security?
a) A guaranteed threat to assets
b) The likelihood of a threat exploiting a vulnerability
c) A security policy violation
d) An incident after damage occurs
Answer: The likelihood of a threat exploiting a vulnerability
Rationale: Risk is the combination of a threat and a vulnerability,
along with the probability and potential impact of exploitation.
3. Which security model focuses on enforcing mandatory access
control based on security labels?
a) Bell-LaPadula
b) Biba
c) Clark-Wilson
d) MAC (Mandatory Access Control) model
Answer: MAC (Mandatory Access Control) model
Rationale: MAC assigns classifications to information and users.
Access is determined by comparing these labels, preventing
unauthorized disclosure.
4. What is the primary purpose of a firewall?
a) Encrypt data in transit
b) Filter network traffic based on policy
c) Detect malware
d) Authenticate users
Answer: Filter network traffic based on policy
Rationale: Firewalls act as a barrier between trusted and untrusted
networks, controlling traffic according to predefined security rules.
5. Which type of attack involves intercepting and altering
communications between two parties?
a) Denial-of-Service
b) Man-in-the-Middle
c) Phishing
d) Brute force
Answer: Man-in-the-Middle
Rationale: A MITM attack occurs when an attacker secretly relays or
modifies communication between two parties without their
knowledge.
6. Which access control model enforces data integrity rather than
confidentiality?
a) Bell-LaPadula
b) Biba
c) DAC
d) MAC
Answer: Biba
Rationale: The Biba model prevents unauthorized data modification,
focusing on integrity rather than confidentiality.
7. In risk management, residual risk is defined as:
a) The total risk before controls
b) The total potential impact of threats
c) The remaining risk after controls are applied
d) The cost of risk mitigation
Answer: The remaining risk after controls are applied
Rationale: Residual risk is what remains after mitigation, transfer, or
acceptance strategies have been implemented.
8. Which type of malware spreads without user interaction?
a) Virus
b) Trojan