1. A risk is the likelihood of a threat source taking advantage of a vulnerability in an
information system. Risks left over after implementing safeguards are known as:
A. Leftover risks.
B. Residual risks.
C. Remaining risks.
D. Exposures.
2. Copyright provides what form of protection:
A. Protects an author’s right to distribute his/her works.
B. Protects information that provides a competitive advantage.
C. Protects the right of an author to prevent unauthorized use of his/her works.
D. Protects the right of an author to prevent viewing of his/her works.
3. As an information systems security professional, what is the highest amount you would
recommend that a corporation invest annually on a countermeasure for
protecting its assets, valued at $1 million, from a potential threat that has an
annualized rate of occurrence (ARO) of once every five years and an exposure factor
(EF) of 10%?
A. $100,000.
B. $20,000.
C. $200,000.
D. $40,000.
4. Which of the following describes the first step in establishing an encrypted session
using a Data Encryption Standard (DES) key?
A. Key clustering
B. Key compression
C. Key signing
D. Key exchange
5. In a typical information security program, what is the primary responsibility
of the information (data) owner?
A. Ensure the validity and accuracy of data.
B. Determine the information sensitivity or classification level.
CISSP CBK Review Page 1
C. Monitor and audit system users.
D. Ensure availability of data.
6. Which of the following is not a component of “chain of evidence”:
A. Location evidence obtained.
B. Time evidence obtained.
C. Who discovered the evidence.
D. Identification of person who left the evidence.
7. When an employee transfers within an organization …
A. The employee must undergo a new security review.
B. The old system IDs must be disabled.
C. All access permission should be reviewed.
D. The employee must turn in all access devices.
8. A system security engineer is evaluating methods to store user passwords in an
information system. What is the best method to store user passwords
while meeting the confidentiality security objective?
A. Password-protected file
B. File restricted to one individual
C. One-way encrypted file
D. Two-way encrypted file
9. What is the inverse of confidentiality, integrity, and availability (C.I.A.) triad in risk
management?
A. misuse, exposure, destruction
B. authorization, non-repudiation, integrity
C. disclosure, alteration, destruction
D. confidentiality, integrity, availability
10. A CISSP may face an ethical conflict between their company’s policies and the
(ISC)2 Code of Ethics. According to the (ISC)2 Code of Ethics, in which order of
priority should ethical conflicts be resolved?
A. Duty to principals, profession, public safety, and individuals.
B. Duty to public safety, principals, individuals, and profession.
C. Duty to profession, public safety, individuals, and principals.
D. Duty to public safety, profession, individuals, and principals.
11. Company X is planning to implement a rule-based access control mechanism for
controlling access to its information assets. What type of access control is this usually
related to?
A. Discretionary Access Control
B. Task-initiated Access Control
C. Subject-dependent Access Control
D. Token-oriented Access Control
12. In the Common Criteria Evaluation and Validation Scheme (CCEVS), requirements
for future products are defined by:
A. Protection Profile.
B. Target of Evaluation.
C. Evaluation Assurance Level 3.
D. Evaluation Assurance Level 7.
13. As an information systems security manager (ISSM), how would you explain the
purpose for a system security policy?
A. A definition of the particular settings that have been determined to provide
optimum security
B. A brief, high-level statement defining what is and is not permitted during
the operation of the system
C. A definition of those items that must be excluded on the system
D. A listing of tools and applications that will be used to protect the system
14. Configuration management provides assurance that changes…?
A. to application software cannot bypass system security features.
B. do not adversely affect implementation of the security policy.
C. to the operating system are always subjected to independent validation and
verification.
D. in technical documentation maintain an accurate description of the Trusted
Computer Base.
15. Under what circumstance might a certification authority (CA) revoke a certificate?
A. The certificate owner has not utilized the certificate for an extended period.
B. The certificate owner’s public key has been compromised.
C. The certificate owner’s private key has been compromised.
D. The certificate owner has upgraded his/her web browser.
16. Which of the following entities is ultimately responsible for information security
within an organization?
A. IT Security Officer
B. Project Managers
C. Department Directors
D. Senior Management
17. In what type of cryptanalytic attack does an adversary have the least amount of
information to work with?
A. Known-plaintext
B. Ciphertext-only
C. Plaintext-only
D. Chosen-ciphertext
18. In business continuity planning, which of the following is an advantage of a “hot site”
over a “cold site”?
A. Air Conditioning
B. Cost
C. Short period to become operational
D. A & C
19. Which of the following is the most effective method for reducing security risks
associated with building entrances?
A. Minimize the number of entrances
B. Use solid metal doors and frames
C. Brightly illuminate the entrances
D. Install tamperproof hinges and glass