CISSP Official ISC2 practice tests (All
domains) Exam Questions And Answers
1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost.benefit analysis. - - correct answer ✅D.
The final step of a quantitative risk analysis is conducting a cost/benefit
analysis to
determine whether the organisation should implement proposed
countermeasure(s).
2. An evil twin attack that broadcasts a legitimate SSID for an
unauthorised network is an example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering - - correct answer ✅A.
Spoofing attacks use falsified identities. Spoofing attacks may use false
IP addresses, email addresses, names, or, in the case of an evil twin
attack, SSIDs.
,CISSP Official ISC2 practice tests (All
domains) Exam Questions And Answers
3. Under the Digital Millennium Copyright Act (DMCA), what type of
offenses do not require prompt action by an Internet service provider
after it receives a notification of
infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a
customer
D. Caching of information in a provider search engine - - correct answer
✅C.
The DMCA states that providers are not responsible for the transitory
activities of
their users. Transmission of information over a network would qualify
for this exemption. The other activities listed are all nontransitory
actions that require
remediation by the provider.
4. FlyAway Travel has offices in both the European Union and the United
States and transfers personal information between those offices
regularly. Which of the seven
requirements for processing personal information states that
organizations must inform individuals about how the information they
collect is used?
,CISSP Official ISC2 practice tests (All
domains) Exam Questions And Answers
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement - - correct answer ✅A.
The Notice principle says that organizations must inform individuals of
the information the organization collects about individuals and how the
organization will use it. These principles are based upon the Safe Harbor
Privacy Principles issued by the US Department of Commerce in 2000 to
help US companies comply with EU and Swiss privacy laws when
collecting, storing, processing or transmitting data on EU or
Swiss citizens.
5. Which one of the following is not one of the three common threat
modeling techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering - - correct answer ✅D.
The three common threat modeling techniques are focused on
attackers, software,
and assets. Social engineering is a subset of attackers.
, CISSP Official ISC2 practice tests (All
domains) Exam Questions And Answers
6. Which one of the following elements of information is not considered
personally identifiable information that would trigger most US state
data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number - - correct answer ✅A.
Most state data breach notification laws are modeled after California's
law, which
covers Social Security number, driver's license number, state
identification card number, credit/debit card numbers, bank account
numbers (in conjunction with a PIN or password), medical records, and
health insurance information.
7. In 1991, the federal sentencing guidelines formalized a rule that
requires senior executives to take personal responsibility for
information security matters. What is
the name of this rule?
A. Due diligence rule
B. Personal liability rule
domains) Exam Questions And Answers
1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost.benefit analysis. - - correct answer ✅D.
The final step of a quantitative risk analysis is conducting a cost/benefit
analysis to
determine whether the organisation should implement proposed
countermeasure(s).
2. An evil twin attack that broadcasts a legitimate SSID for an
unauthorised network is an example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering - - correct answer ✅A.
Spoofing attacks use falsified identities. Spoofing attacks may use false
IP addresses, email addresses, names, or, in the case of an evil twin
attack, SSIDs.
,CISSP Official ISC2 practice tests (All
domains) Exam Questions And Answers
3. Under the Digital Millennium Copyright Act (DMCA), what type of
offenses do not require prompt action by an Internet service provider
after it receives a notification of
infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a
customer
D. Caching of information in a provider search engine - - correct answer
✅C.
The DMCA states that providers are not responsible for the transitory
activities of
their users. Transmission of information over a network would qualify
for this exemption. The other activities listed are all nontransitory
actions that require
remediation by the provider.
4. FlyAway Travel has offices in both the European Union and the United
States and transfers personal information between those offices
regularly. Which of the seven
requirements for processing personal information states that
organizations must inform individuals about how the information they
collect is used?
,CISSP Official ISC2 practice tests (All
domains) Exam Questions And Answers
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement - - correct answer ✅A.
The Notice principle says that organizations must inform individuals of
the information the organization collects about individuals and how the
organization will use it. These principles are based upon the Safe Harbor
Privacy Principles issued by the US Department of Commerce in 2000 to
help US companies comply with EU and Swiss privacy laws when
collecting, storing, processing or transmitting data on EU or
Swiss citizens.
5. Which one of the following is not one of the three common threat
modeling techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering - - correct answer ✅D.
The three common threat modeling techniques are focused on
attackers, software,
and assets. Social engineering is a subset of attackers.
, CISSP Official ISC2 practice tests (All
domains) Exam Questions And Answers
6. Which one of the following elements of information is not considered
personally identifiable information that would trigger most US state
data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number - - correct answer ✅A.
Most state data breach notification laws are modeled after California's
law, which
covers Social Security number, driver's license number, state
identification card number, credit/debit card numbers, bank account
numbers (in conjunction with a PIN or password), medical records, and
health insurance information.
7. In 1991, the federal sentencing guidelines formalized a rule that
requires senior executives to take personal responsibility for
information security matters. What is
the name of this rule?
A. Due diligence rule
B. Personal liability rule
