CISSP OFFICIAL ISC2 PRACTICE
TESTS (ALL DOMAINS) QUESTIONS
AND ANSWERS WITH COMPLETE
SOLUTIONS 100% CORRECT RATED
A+
Question 1: Which of the following represents the concluding step in a quantitative
risk analysis workflow?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost-benefit analysis.
Answer: ✔✔ D. Conduct a cost-benefit analysis.
Explanation: The final phase of a quantitative risk analysis involves performing a
cost-benefit analysis. This process helps the organization evaluate whether the
financial cost of implementing a specific countermeasure or safeguard is justified
by the amount of risk it mitigates.
Question 2: An evil twin attack involves broadcasting a legitimate, trusted SSID
from an unauthorized wireless access point. What category of security threat does
this behavior represent?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering
Answer: ✔✔ A. Spoofing
Explanation: Spoofing threats rely on utilizing a falsified or disguised identity to
deceive targets. Depending on the scenario, spoofing can involve mimicking
,legitimate IP addresses, email headers, user names, or—as seen in an evil twin
attack—authorized wireless network names (SSIDs).
3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do
not require prompt action by an Internet service provider after it receives a
notification of
infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine -ANSWER ✔✔C.
The DMCA states that providers are not responsible for the transitory activities of
their users. Transmission of information over a network would qualify for this
exemption. The other activities listed are all nontransitory actions that require
remediation by the provider.
4. FlyAway Travel has offices in both the European Union and the United States
and transfers personal information between those offices regularly. Which of the
seven
requirements for processing personal information states that organizations must
inform individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement -ANSWER ✔✔A.
The Notice principle says that organizations must inform individuals of the
information the organization collects about individuals and how the organization
,will use it. These principles are based upon the Safe Harbor Privacy Principles
issued by the US Department of Commerce in 2000 to help US companies comply
with EU and Swiss privacy laws when collecting, storing, processing or
transmitting data on EU or
Swiss citizens.
5. Which one of the following is not one of the three common threat modeling
techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering -ANSWER ✔✔D.
The three common threat modeling techniques are focused on attackers, software,
and assets. Social engineering is a subset of attackers.
6. Which one of the following elements of information is not considered personally
identifiable information that would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number -ANSWER ✔✔A.
Most state data breach notification laws are modeled after California's law, which
covers Social Security number, driver's license number, state identification card
number, credit/debit card numbers, bank account numbers (in conjunction with a
PIN or password), medical records, and health insurance information.
, 7. In 1991, the federal sentencing guidelines formalized a rule that requires senior
executives to take personal responsibility for information security matters. What is
the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule -ANSWER ✔✔C.
The prudent man rule requires that senior executives take personal responsibility
for ensuring the due care that ordinary, prudent individuals would exercise in the
same situation. The rule originally applied to financial matters, but the Federal
Sentencing Guidelines applied them to information security matters in 1991.
8. Which one of the following provides an authentication mechanism that would be
appropriate for pairing with a password to achieve multifactor authentication?
A. Username
B. PIN
C. Security question
D. Fingerprint scan -ANSWER ✔✔D.
A fingerprint scan is an example of a "something you are" factor, which would be
appropriate for pairing with a "something you know" password to achieve
multifactor authentication. A username is not an authentication factor. PINs and
security questions are both "something you know," which would not achieve
multifactor
TESTS (ALL DOMAINS) QUESTIONS
AND ANSWERS WITH COMPLETE
SOLUTIONS 100% CORRECT RATED
A+
Question 1: Which of the following represents the concluding step in a quantitative
risk analysis workflow?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost-benefit analysis.
Answer: ✔✔ D. Conduct a cost-benefit analysis.
Explanation: The final phase of a quantitative risk analysis involves performing a
cost-benefit analysis. This process helps the organization evaluate whether the
financial cost of implementing a specific countermeasure or safeguard is justified
by the amount of risk it mitigates.
Question 2: An evil twin attack involves broadcasting a legitimate, trusted SSID
from an unauthorized wireless access point. What category of security threat does
this behavior represent?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering
Answer: ✔✔ A. Spoofing
Explanation: Spoofing threats rely on utilizing a falsified or disguised identity to
deceive targets. Depending on the scenario, spoofing can involve mimicking
,legitimate IP addresses, email headers, user names, or—as seen in an evil twin
attack—authorized wireless network names (SSIDs).
3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do
not require prompt action by an Internet service provider after it receives a
notification of
infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine -ANSWER ✔✔C.
The DMCA states that providers are not responsible for the transitory activities of
their users. Transmission of information over a network would qualify for this
exemption. The other activities listed are all nontransitory actions that require
remediation by the provider.
4. FlyAway Travel has offices in both the European Union and the United States
and transfers personal information between those offices regularly. Which of the
seven
requirements for processing personal information states that organizations must
inform individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement -ANSWER ✔✔A.
The Notice principle says that organizations must inform individuals of the
information the organization collects about individuals and how the organization
,will use it. These principles are based upon the Safe Harbor Privacy Principles
issued by the US Department of Commerce in 2000 to help US companies comply
with EU and Swiss privacy laws when collecting, storing, processing or
transmitting data on EU or
Swiss citizens.
5. Which one of the following is not one of the three common threat modeling
techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering -ANSWER ✔✔D.
The three common threat modeling techniques are focused on attackers, software,
and assets. Social engineering is a subset of attackers.
6. Which one of the following elements of information is not considered personally
identifiable information that would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number -ANSWER ✔✔A.
Most state data breach notification laws are modeled after California's law, which
covers Social Security number, driver's license number, state identification card
number, credit/debit card numbers, bank account numbers (in conjunction with a
PIN or password), medical records, and health insurance information.
, 7. In 1991, the federal sentencing guidelines formalized a rule that requires senior
executives to take personal responsibility for information security matters. What is
the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule -ANSWER ✔✔C.
The prudent man rule requires that senior executives take personal responsibility
for ensuring the due care that ordinary, prudent individuals would exercise in the
same situation. The rule originally applied to financial matters, but the Federal
Sentencing Guidelines applied them to information security matters in 1991.
8. Which one of the following provides an authentication mechanism that would be
appropriate for pairing with a password to achieve multifactor authentication?
A. Username
B. PIN
C. Security question
D. Fingerprint scan -ANSWER ✔✔D.
A fingerprint scan is an example of a "something you are" factor, which would be
appropriate for pairing with a "something you know" password to achieve
multifactor authentication. A username is not an authentication factor. PINs and
security questions are both "something you know," which would not achieve
multifactor
