CISSP Practice Exam
1. Which security principle ensures that information is accessible when
needed?
A. Confidentiality
B. Integrity
C. Availability
D. Accountability
Rationale: Availability ensures authorized users can access systems and data
when required.
2. What is the primary goal of risk management?
A. Eliminate all risks
B. Reduce risks to acceptable levels
C. Transfer all risks
D. Ignore low risks
Rationale: Risk management aims to reduce risk to an acceptable level based on
organizational objectives.
3. Which access control model is based on labels and classifications?
A. DAC
B. RBAC
C. Rule-Based Access Control
D. MAC
Rationale: Mandatory Access Control bases every decision on sensitivity labels
(classification plus need-to-know categories) that a central authority assigns;
neither the data owner nor the subject can change them, unlike DAC.
4. What does the principle of least privilege require?
A. Users have full access
B. Managers approve all access
C. Users receive only the access necessary to perform their jobs
D. Users share accounts
Rationale: Least privilege minimizes potential damage from misuse or
compromise.
5. Which type of control is a security awareness training program?
A. Technical
B. Physical
C. Detective
D. Administrative
Rationale: Security awareness training is an administrative control involving
policies and procedures.
6. Which security model focuses on confidentiality?
A. Biba
B. Clark-Wilson
C. Bell-LaPadula
D. Brewer-Nash
Rationale: Bell-LaPadula prevents unauthorized disclosure through two rules: no
read up (simple security property) and no write down (*-property). Biba and
Clark-Wilson address integrity; Brewer-Nash addresses conflicts of interest.
7. What is a vulnerability?
A. A threat actor
B. A weakness that can be exploited
C. A safeguard
D. A policy violation
Rationale: Vulnerabilities are weaknesses that threats may exploit.
8. Which disaster recovery metric defines the time within which a system must be
restored after an outage?
A. RPO
B. ALE
C. SLE
D. RTO
Rationale: The Recovery Time Objective is the target time to restore a service.
It must not exceed the Maximum Tolerable Downtime (MTD), which the business sets;
RPO measures tolerable data loss, and ALE and SLE are risk-analysis figures.
9. What is the purpose of data classification?
A. Increase storage capacity
B. Reduce bandwidth usage
C. Determine the level of protection required
D. Eliminate backups
Rationale: Classification helps organizations apply appropriate security controls.
10. Which cryptographic algorithm is symmetric?
A. RSA
B. ECC
C. Diffie-Hellman
D. AES
Rationale: AES uses the same secret key for encryption and decryption. RSA, ECC
and Diffie-Hellman are asymmetric: they rely on a public/private key pair.
11. What is defense in depth?
A. Single security layer
B. Outsourcing security
C. Using multiple layers of security controls
D. Eliminating firewalls
Rationale: Layered, independent controls ensure that the failure or bypass of
any one control does not by itself defeat the whole defense.
12. What is the main purpose of a security policy?