Domain 1 CISSP Exam:Security and Risk Management

Ref:📕The Official ISC2 CISSP CBK Reference 6th Edition

DOMAIN 1: Security and Risk Management

1 / 203

Which of the following must a company do when creating and managing their security program and policies?

A. Ignore their business strategy, goals, mission, and objectives.

B. Consider only their business strategy.

C. Properly align their security function with their business strategy, goals, mission, and objectives.

D. Create a separate security function that is not in alignment with their business strategy, goals, mission, or objectives.

Incorrect

Correct!

Explanation: As stated in the text, an effective security function must be in alignment with the companys business strategy, goals, mission, and business objectives. Each of these elements should be considered during the creation and management of the organizations information security program and policies. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 44 in PDF)

2 / 203

What is a tried-and-true way for organizations to mitigate the risk of technology failure?

A. Firewall and antivirus protection

B. Physical access controls

C. System and data backups

D. Encryption of sensitive data

Incorrect

Correct!

Explanation: The passage states that system and data backups are the most tried-and-true way that organizations address the risk of technology failure. Organizations must have a comprehensive backup process to ensure important systems and data are captured, stored, and available for recovery when necessary.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 115 in PDF)

3 / 203

What are the five offenses related to cybercrime introduced by The Computer Misuse Act 1990 (U.K.)?

A. Malware distribution, password cracking, denial-of-service attacks, phishing, and identity theft

B. Unauthorized access to computer material, unauthorized access with intent to commit or facilitate commission of further offenses, unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc., unauthorized acts causing, or creating risk of, serious damage, and making, supplying, or obtaining articles for use in other offenses

C. Insider threat, social engineering, vishing, hacking, and phishing

D. None of the above.

Incorrect

Correct!

Explanation: The five offenses introduced by The Computer Misuse Act 1990 (U.K.) are Unauthorized access to computer material, Unauthorized access with intent to commit or facilitate commission of further offenses, Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc., Unauthorized acts causing, or creating risk of, serious damage, and Making, supplying, or obtaining articles for use in other offenses.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 80 in PDF)

4 / 203

What is the penalty for each violation of COPPA according to the Federal Trade Commission (FTC)?

A. $1,000

B. $5,000

C. $20,000

D. $43,280

Incorrect

Correct!

Explanation: According to the Federal Trade Commission (FTC), civil penalties of up to $43,280 may be levied for each violation of COPPA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 89 in PDF)

5 / 203

What is the annual rate of occurrence (ARO)?

A. A measure of the monetary loss you would expect from a single adverse event

B. The estimated percentage of loss to a specific asset if a specific threat is realized

C. The estimated annual frequency of occurrence for a given adverse event

D. The product of single loss expectancy (SLE) and exposure factor (EF)

Incorrect

Correct!

Explanation: ARO is the estimated annual frequency of occurrence for a given adverse event. In other words, ARO is the number of times that you expect a particular risk event to occur every year.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 129 in PDF)

6 / 203

Which provision of the USA PATRIOT Act of 2001 absolves an organization from civil penalties associated with violations of the ECPA if the organization is responding to a request of a governmental entity?

A. Section 802 — Definition of domestic terrorism

B. Section 1004 — Critical infrastructure protection

C. Section 215 — Access to business records

D. Section 815 — Additional defense to civil actions relating to preserving records in response to government requests

Incorrect

Correct!

Explanation: Section 815 of the USA PATRIOT Act of 2001 absolves an organization from civil penalties associated with violations of the ECPA if the organization is responding to a request of a governmental entity. The provision helps organizations avoid being held liable for violating privacy laws when sharing private user data with the government in response to legitimate national security requests. This provision is relevant to the CISSP exam as it is a key component of the legal framework governing data protection in the United States.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 78 in PDF)

7 / 203

Which industry standard is designed to ensure that financial reports are accurate and reliable?

A. U.S. Sarbanes-Oxley Act of 2002 (SOX)

B. System and Organization Controls (SOC)

C. Payment Card Industry Data Security Standard (PCI DSS)

D. None of the above

Incorrect

Correct!

Explanation: The U.S. Sarbanes-Oxley Act of 2002 (SOX) is a federal law that requires public companies to establish internal controls and procedures to ensure that financial reports are accurate and reliable. It was enacted in response to financial scandals that occurred in the early 2000s.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 65 in PDF)

8 / 203

What is the primary objective of a Disaster Recovery Plan (DRP)?

A. To prevent disruptive events from occurring

B. To maximize business downtime

C. To minimize business downtime and reclaim normal operations as soon as possible

D. To allocate resources for risk management

Incorrect

Correct!

Explanation: The primary objective of a Disaster Recovery Plan (DRP) is to minimize business downtime and reclaim normal operations as soon as possible. DR is the subset of BC (Business Continuity) whose primary objective is to minimize business downtime and reclaim normal operations as soon as possible.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 110 in PDF)

9 / 203

What is the first step in a typical risk assessment process in the context of Security and Risk Management (Risk Identification)?

A. Determine the frequency and likelihood of any identified threats

B. Conduct a vulnerability assessment

C. Identify and classify your sensitive data

D. Define the acceptable level of risk for your organization

Incorrect

Correct!

Explanation: The first step in a typical risk assessment process in the context of Security and Risk Management is to identify assets and determine their value. This includes identifying and classifying sensitive data based on its value or sensitivity to the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 127 in PDF)

10 / 203

What organization was established by the Intelligence Reform and Terrorism Prevention Act of 2004 to help prevent terrorist acts against the United States?

A. The National Park Service

B. The National Counterterrorism Center (NCTC)

C. The Federal Reserve Board

D. The Environmental Protection Agency (EPA)

Incorrect

Correct!

Explanation: The National Counterterrorism Center (NCTC) was established by the Intelligence Reform and Terrorism Prevention Act of 2004 to help prevent terrorist acts against the United States.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 79 in PDF)

11 / 203

What is the penalty for noncompliance with the GLBA Safeguards Rule?

A. Civil fines up to $10,000 per violation for an organization

B. Civil fines up to $100,000 per violation for an organization

C. Criminal violations can include revocation of licenses and up to five years in prison

D. There is no penalty for noncompliance with the GLBA

Incorrect

Correct!

Explanation: According to the text, the penalty for noncompliance with the GLBA can include civil fines of up to $100,000 per violation for an organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 90 in PDF)

12 / 203

What is the purpose of identifying the classification or sensitivity of a role before recruiting candidates?

A. To set expectations for the employees performance

B. To determine the types of authorizations an employee will receive once they are hired

C. To ensure the candidate is a good fit for the position

D. To determine the candidates education and work history

Incorrect

Correct!

Explanation: Identifying the classification or sensitivity of a role based on the level of damage that can be done by a person in that role helps to inform the types of authorizations an employee will receive once they are hired. The thoroughness of a candidate screening process should match the security of the position being filled. By doing so, an organization can mitigate the risks associated with granting access to sensitive information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 117 in PDF)

13 / 203

What is the maximum fine that can be issued for infringements of the basic principles for processing and consent, data subjects rights, transfer of personal data to a third country, member state law obligations or noncompliance with supervisory authority orders under GDPR?

A. Up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher

B. Up to €15 million, or 3 percent of the worldwide annual revenue of the prior financial year, whichever is higher

C. Up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher

D. Up to €25 million, or 5 percent of the worldwide annual revenue of the prior financial year, whichever is higher

Incorrect

Correct!

Explanation: According to GDPR, the maximum fine for infringements of the basic principles for processing and consent, data subjects rights, transfer of personal data to a third country, member state law obligations or noncompliance with supervisory authority orders is up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 95 in PDF)

14 / 203

What is the purpose of risk maturity modeling?

A. To solely focus on individual security gaps.

B. To continuously improve the security posture of an organization.

C. To focus on purchasing more security tools.

D. To avoid implementing redundant security protocols.

Incorrect

Correct!

Explanation: The purpose of risk maturity modeling is to assess the strength of an organizations security program and create a plan for continuous improvement based on the results. The focus is on improving the security posture, not solely on individual security gaps, or purchasing more security tools, or avoiding implementing redundant security protocols.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 137 in PDF)

15 / 203

What was the purpose of the Data Protection Act 1998 in the United Kingdom?

A. To regulate the use of social media platforms in the country

B. To provide financial compensation to victims of cybercrime

C. To protect citizens legal right to control their personal information stored on computing systems.

D. To establish a national cybersecurity agency in the country.

Incorrect

Correct!

Explanation: The Data Protection Act 1998 was established to give UK citizens the legal right to control their personal information stored on computing systems and was designed to enforce privacy of personal data. It aimed to regulate the processing of personal data, including obtaining, holding, use and disclosure of the data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 91 in PDF)

16 / 203

What is the importance of evaluating the potential operational impact of a countermeasure?

A. To determine if it is cost-effective.

B. To determine if it is purely security-effective.

C. To ensure it is not too difficult to implement or use.

D. To guarantee it is user-friendly.

Incorrect

Correct!

Explanation: Evaluating the potential operational impact of a countermeasure is important to ensure it is not too difficult to implement or use, as a countermeasure that is too difficult can actually increase risk because it is not used properly or at all. It is important to carefully consider the organizations culture and strategy when selecting countermeasures to avoid negative operational impacts.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 133 in PDF)

17 / 203

What is NIST 800-53?

A. A nonregulatory agency of the U.S. Department of Commerce

B. A security control framework that defines hundreds of security controls

C. An agency that promotes innovation and industrial competitiveness by advancing standards and technologies

D. A document that defines the 18 control families

Incorrect

Correct!

Explanation: NIST 800-53 is a security control framework that defines hundreds of security controls across 18 control families.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 57 in PDF)

18 / 203

Which of the following offenses is criminalized by The Economic Espionage Act (EEA)?

A. Copying of software for personal use

B. Downloading of your own personal information

C. Stealing or transferring of trade secrets for a foreign entity

D. Sharing marketing research with a third-party vendor

Incorrect

Correct!

Explanation: The Economic Espionage Act (EEA) was enacted to define and establish strict penalties for theft or unauthorized use of trade secrets. The EEA makes it a criminal offense to copy, download, upload, alter, steal, or transfer trade secrets for the benefit of a foreign entity. Therefore, stealing or transferring trade secrets for a foreign entity is criminalized by EEA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 75 in PDF)

19 / 203

What does the term timeliness mean as it pertains to availability in the CIA Triad?

A. The ability and ease of a user to use a resource or access data when needed

B. The measure of the time between when information is expected and when it is available for use

C. The time expectation for availability of information and resources

D. The ability of a user to meet their needs with available data

Incorrect

Correct!

Explanation: Timeliness refers to the time expectation for availability of information and resources and is the measure of the time between when information is expected and when it is available for use. This means that information needs to be available to authorized users within an acceptable period of time to ensure timeliness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 41 in PDF)

20 / 203

What is the purpose of removing access that will no longer be needed during an employees transfer to a different role?

A. To enforce the principle of least privilege

B. To punish the employee for transferring roles

C. To create more work for the IT department

D. To prevent other employees from gaining access to sensitive information

Incorrect

Correct!

Explanation: Removing access that will no longer be needed during an employees transfer helps to enforce the principle of least privilege. This principle requires that users only have access to the information they need to do their job and nothing more. Removing unnecessary access is an important part of maintaining the security and confidentiality of sensitive information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 121 in PDF)

21 / 203

Which of the following control types is related to administrative methods and implemented by people?

A. Technical controls

B. Operational controls

C. Management controls

D. Automatic controls

Incorrect

Correct!

Explanation: Management controls are implemented by people and related to administrative methods. Examples include policies, procedures, and guidelines.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

22 / 203

What is the first step in the NIST Risk Management Framework?

A. Select a baseline set of controls

B. Implement and monitor controls

C. Categorize all information systems by potential impact

D. Continuously monitor the effectiveness of controls

Incorrect

Correct!

Explanation: The first step of the NIST RMF involves categorizing all information systems based on the potential impact to the organization due to the loss of confidentiality, integrity, or availability.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 142 in PDF)

23 / 203

Which of the following is not included in a well-managed risk-based security programs reporting requirements according to Domain 1?

A. Internal audits

B. External audits

C. System outage reporting

D. Suspected or confirmed security breaches

Incorrect

Correct!

Explanation: According to the text, significant changes to the organizations risk posture, significant changes to security or privacy controls, internal audits, external audits, suspected or confirmed security breaches, and other incidents are all included in a well-managed risk-based security programs reporting requirements. However, system outage reporting is not mentioned anywhere in the text.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 137 in PDF)

24 / 203

What is the Budapest Convention, and what is its purpose?

A. A convention to increase international trade cooperation and reduce trade barriers.

B. A treaty to address cybercrime and increase cooperation among nations to establish more consistent national laws related to preventing and prosecuting cybercrime.

C. A summit where global leaders meet to discuss environmental conservation and climate change.

D. An international agreement to ban trade in endangered species.

Incorrect

Correct!

Explanation: The correct answer is B. The Budapest Convention, also known as the Convention on Cybercrime, is the first international treaty established to address cybercrime. The treaty was first signed in 2001 and became effective in 2004, with the aim of increasing cooperation among nations and establishing more consistent national laws related to preventing and prosecuting cybercrime.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 79 in PDF)

25 / 203

What is a Business Continuity Plan (BCP)?

A. A plan that ensures the termination of all business operations during a crisis

B. A plan that identifies potential threats and their impact on the business

C. A plan that only deals with the management of employees during a disaster

D. A plan that allows an organization to keep their key business functions running during a crisis

Incorrect

Correct!

Explanation: A Business Continuity Plan (BCP) is a methodology and set of protocols that deals with allowing an organization to keep their key business functions running in the event of a crisis; this is sometimes referred to as continuity of operations (COOP). This plan ensures that essential business operations continue during and after a disaster, minimizing financial and reputational damages.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 110 in PDF)

26 / 203

What is the definition of risk in the context of security and risk management?

A. The negative impact on the organization due to a threat exploiting a vulnerability

B. The potential for positive impact on the organization

C. The likelihood of success for a threat exploiting a vulnerability

D. The probability of a vulnerability being present in an organizations assets

Incorrect

Correct!

Explanation: Risk is defined as the potential for negative impact on the organization, its goals or objectives, or its assets (including people, systems, and data) due to a threat exploiting a vulnerability.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 124 in PDF)

27 / 203

Which of the following is true about ISO 31000 principles in the context of Security and Risk Management?

A. ISO 31000 principles provide a narrow focus on risk management.

B. ISO 31000 principles only apply to high-risk organizations.

C. ISO 31000 principles promote a structured and comprehensive approach to risk management.

D. ISO 31000 principles are outdated and no longer relevant in todays security landscape.

Incorrect

Correct!

Explanation: ISO 31000 principles promote a structured and comprehensive approach to risk management, which helps organizations to identify, assess, and manage risks more effectively. It provides a generic framework for risk management that can be applied to any organization, regardless of its size, sector, or nature of operations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 140 in PDF)

28 / 203

Which industry standard provides guidelines for handling digital evidence, including a four-step process of identification, collection, acquisition, and preservation, across many types of media and scenarios, and covers chain of custody procedures and how to properly exchange evidence between jurisdictions?

A. ISO/IEC 27043:2015

B. NIST SP 800-86

C. ISO/IEC 27037:2012

D. NIST SP 800-101 Revision 1

Incorrect

Correct!

Explanation: ISO/IEC 27037:2012 provides guidelines for handling digital evidence, covering a four-step process of identification, collection, acquisition, and preservation, across many types of media and scenarios. This publication also covers chain of custody procedures and how to properly exchange evidence between jurisdictions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 103 in PDF)

29 / 203

Which of the following concepts helps an organization continue essential operations during a security incident and recovery from a disaster as quickly and securely as possible?

A. Information security management system (ISMS)

B. Risk management

C. Business continuity and disaster recovery

D. Security assessment and testing

Incorrect

Correct!

Explanation: Business continuity (BC) and disaster recovery (DR) are closely related concepts that help an organization continue essential operations during a security incident and recovery from a disaster (or major disruptive event) as quickly and securely as possible.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 110 in PDF)

30 / 203

What are the four main categories of risk treatment?

A. Defend, deter, detect, and destroy

B. Evaluate, monitor, respond, and recover

C. Avoid, mitigate, transfer, and accept

D. Identify, assess, prioritize, and plan

Incorrect

Correct!

Explanation: When an organization assesses the risks it faces, there are four common responses: avoid the risk, mitigate the risk, transfer the risk and accept the risk. Each of these responses requires different actions within the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 130 in PDF)

31 / 203

Which of the following is a covered entity under HIPAA that processes or facilitates the processing of nonstandard health information and converts it into standard data types?

A. Health insurance companies

B. Hospitals

C. Healthcare clearinghouses

D. Nursing homes

Incorrect

Correct!

Explanation: According to the text, healthcare clearinghouses are private or public organizations that process or facilitate the processing of nonstandard health information and convert it into standard data types. They are covered entities under HIPAA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 88 in PDF)

32 / 203

Which of the following is an example of a personnel-related countermeasure?

A. Encryption

B. Modifying configuration settings

C. Hiring (or firing)

D. Implementing separation of duties

Incorrect

Correct!

Explanation: Personnel-related countermeasures involve people and their behavior. Hiring (or firing), organization restructuring, and awareness training are some common personnel-related countermeasures to reduce the likelihood of an adverse event or the impact of that event occurring.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 131 in PDF)

33 / 203

Which of the following are included in the scope of a typical BCP?

A. Threats, vulnerabilities, and risks

B. Cybersecurity training for employees

C. Physical security controls for servers

D. Social media marketing strategy

Incorrect

Correct!

Explanation: The scope of a typical BCP should include critical business functions, threats, vulnerabilities, and risks, data backup and recovery plan, BCP personnel, communications plan, and BCP testing requirements. Therefore, option A is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 113 in PDF)

34 / 203

Which of the following is a senior-level executive within an organization who is generally responsible for all physical security and personnel security matters?

A. Chief information security officer (CISO)

B. Security analyst

C. Director

D. Chief security officer (CSO)

Incorrect

Correct!

Explanation: The Chief security officer (CSO) is a senior-level executive within an organization who is generally responsible for all physical security and personnel security matters.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 52 in PDF)

35 / 203

What does Section 209 of the USA PATRIOT Act of 2001 authorize investigators to do?

A. Seize voicemail messages without a warrant

B. Seize voicemail messages with a wiretap order

C. Seize voicemail messages with a subpoena

D. Seize voicemail messages with a search warrant

Incorrect

Correct!

Explanation: Section 209 of the USA PATRIOT Act of 2001 authorizes investigators to seize voicemail messages with a search warrant. Prior to the Patriot Act, voicemail was only authorized for seizure with a harder-to-obtain wiretap order.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 76 in PDF)

36 / 203

Which of the following is the senior-level executive within an organization who is responsible for the overall management and supervision of the information security program?

A. Chief information officer (CIO)

B. Security analyst

C. Chief security officer (CSO)

D. Chief information security officer (CISO)

Incorrect

Correct!

Explanation: As mentioned in the text, the Chief information security officer (CISO) is the senior-level executive within an organization who is responsible for the overall management and supervision of the information security program. The CISO drives the organizations security strategy and vision and is ultimately responsible for the security of the companys systems and information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 51 in PDF)

37 / 203

Which of the following organizations is classified as a healthcare clearinghouse under HIPAA?

A. Hospitals

B. Billing services

C. Health insurance companies

D. Pharmacies

Incorrect

Correct!

Explanation: Healthcare clearinghouses are public and private organizations, like billing services, that process or facilitate the processing of nonstandard health information and convert it into standard data types. A healthcare clearinghouse is usually the intermediary between a healthcare provider and a health plan or payer of health services. Therefore, billing services are classified as healthcare clearinghouses under HIPAA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 88 in PDF)

38 / 203

Which of the following is an effective method for measuring program effectiveness through knowledge retention?

A. Evaluating your organizations overall security posture

B. Conducting security awareness days or weeks

C. Analyzing training completion rates

D. Providing anonymous questionnaires

Incorrect

Correct!

Explanation: Analyzing training completion rates is a simple metric that is a great place to start when evaluating the effectiveness of your security awareness program. These types of metrics can tell you whether your training resources are reaching a sufficient percentage of your employees and may alert you if alternate delivery methods are necessary. It is an effective method for measuring program effectiveness through knowledge retention.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 161 in PDF)

39 / 203

Which of the following control types is typically put in place after a detective control identifies a problem?

A. Preventive

B. Detective

C. Corrective

D. Compensating

Incorrect

Correct!

Explanation: Corrective controls are designed to minimize and repair damages following an adverse security event; they are typically put in place after a detective control identifies a problem.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

40 / 203

What is the goal of the GDPR?

A. To allow organizations to freely collect and use data of EU citizens

B. To protect the privacy of EU citizens personal data

C. To impose fines on EU citizens for privacy violations

D. To restrict EU citizens access to their own personal data

Incorrect

Correct!

Explanation: The GDPR requires organizations to protect the privacy of EU citizens, and is considered the worlds strongest data privacy law. It was established in 2016 and replaced the EUs 1995 Data Protection Directive.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

41 / 203

Which is one of the most effective methods of measuring program effectiveness through knowledge retention in security awareness program evaluation?

A. Training metrics

B. Quizzes

C. Security awareness days or weeks

D. Inherent evaluation

Incorrect

Correct!

Explanation: Quizzes are one of the most effective methods of measuring program effectiveness through knowledge retention in security awareness program evaluation. Analysis of quiz results can help identify trends and necessary modifications to training materials. Quizzes are most reliable when measuring the effectiveness of security policies and related information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 160 in PDF)

42 / 203

Which industry-standard certification can be pursued to demonstrate accountability and commitment to security and privacy?

A. HIPAA

B. COBIT

C. ISO 27001

D. SSAE 18

Incorrect

Correct!

Explanation: ISO 27001 is an industry-standard certification that provides a framework for information security management systems. It demonstrates that an organization has implemented a comprehensive and systematic approach to managing and protecting its information assets, including personal data. Therefore, it can be pursued to demonstrate accountability and commitment to security and privacy.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 93 in PDF)

43 / 203

What is one of the key principles of ISO 31000 when it comes to security and risk management?

A. The exclusion of stakeholders from risk management processes

B. The promotion of secrecy around risk management processes

C. The inappropriate and untimely involvement of stakeholders

D. The appropriate and timely involvement of stakeholders

Incorrect

Correct!

Explanation: According to ISO 31000, the appropriate and timely involvement of stakeholders is necessary for effective risk management. This principle emphasizes the importance of taking into account the perspectives and expertise of all relevant stakeholders in the risk management process. By doing so, organizations can make more informed decisions that better protect against potential risks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 140 in PDF)

44 / 203

What is the primary focus of the attacker-centric threat modeling approach?

A. Identifying vulnerabilities in a system

B. Profiling potential attackers and their characteristics

C. Analyzing different types of attacks

D. Creating a plan for disaster recovery

Incorrect

Correct!

Explanation: The attacker-centric approach starts with profiling potential attackers, including their characteristics, skillset, and motivation, and then uses that profile to identify attackers who would be most likely to execute specific types of attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 146 in PDF)

45 / 203

Which of the following is an open-source threat modeling approach and tool that uses threat models as a risk management tool?

A. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

B. Construct a platform for Risk Analysis of Security Critical Systems (CORAS)

C. Trike

D. Visual, Agile, and Simple Threat Modeling (VAST)

Incorrect

Correct!

Explanation: Trike is an open-source threat modeling approach and tool that focuses on using threat models as a risk management tool. It is a collaborative project between a number of security professionals and enthusiasts. Trike provides a novel way of conducting threat modeling exercises that is both simple and precise, requiring little in the way of technical knowledge or specialized tools. Trike is available free of charge, under the GPL open source license.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 151 in PDF)

46 / 203

What did the Identity Theft and Assumption Deterrence Act establish?

A. Identity theft as a civil offense under U.S. federal law.

B. Identity theft as a criminal act under U.S. federal law.

C. Identity theft as a state-level crime.

D. Identity theft as a federal crime, but not a felony.

Incorrect

Correct!

Explanation: The Identity Theft and Assumption Deterrence Act of 1998 formally established identity theft as a criminal act under U.S. federal law. Prior to the act, identity theft was not regulated or investigated as a crime, making it difficult to prosecute cases. Now, identity theft is a federal crime that can be prosecuted, as well as a felony in some states.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 75 in PDF)

47 / 203

Which of the following statements is true about ISO 31000:2018?

A. ISO 31000:2018 is only applicable to organizations within certain industries.

B. ISO 31000:2018 is based on ISO/IEC Guide 74:2009.

C. ISO 31000:2018 encourages integration of risk management activities across organizational lines.

D. ISO 31000:2018 has a set of ten principles that drive the development of the risk framework

Incorrect

Correct!

Explanation: ISO 31000:2018 is intended to be applicable to any organization, regardless of the governance structure or industry, and encourages the integration of risk management activities across organizational lines and levels to provide the organization with a consistent approach to management of operational and strategic risks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 139 in PDF)

48 / 203

What is the definition of control assessments (test) when trying to confirm that security controls are implemented as they are documented and that they are operating effectively and as intended?

A. Ensuring that all security controls are implemented

B. Comparing actual with expected behavior under specified conditions

C. Assessing the risk of security controls

D. Documenting security controls

Incorrect

Correct!

Explanation: Control assessments (test) is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. This stage is used to confirm that security controls are implemented as they are documented and that they are operating effectively and as intended.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 136 in PDF)

49 / 203

What is an administrative investigation, as defined for (ISC)2 purposes?

A. An investigation conducted by external entities such as law enforcement, investors, third-party suppliers, or attackers

B. An investigation ordered by a regulatory body such as the Drug Enforcement Agency or the Food and Drug Administration

C. An internal investigation of an organization conducted by staff and employees within the organization or specialized contractors hired by the organization

D. A type of investigation that carries the highest burden of proof of all investigation types

Incorrect

Correct!

Explanation: For (ISC)2 purposes, the term administrative refers to actions constrained to those conducted within a single organization, such as an internal investigation. The organization can task staff and employees within the organization or specialized contractors hired by the organization to conduct an administrative investigation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 98 in PDF)

50 / 203

What is the examine method used for in security and risk management?

A. To perform vulnerability scans

B. To conduct penetration testing

C. To review, inspect, observe, study or analyze assessment objects

D. To establish security controls

Incorrect

Correct!

Explanation: The examine method is used in security and risk management as a process of reviewing, inspecting, observing, studying or analyzing assessment objects to facilitate assessor understanding, achieve clarification, or obtain evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 135 in PDF)

51 / 203

What should be addressed during an employee orientation program regarding information security?

A. Employees hobbies and interests

B. The organizations policy on company cars

C. Information security expectations and requirements

D. Employee vacation time

Incorrect

Correct!

Explanation: During an employee orientation program, one of the items that should be addressed is information security expectations and requirements. This includes reminding employees of their obligations to protect information, current threats to the organizations information assets, and the processes for reporting security incidents. They should also be made aware of the existence of controls that monitor their use of the organizations assets. The goal is to set the expectation for work behavior and provide assurance that the organization takes action to protect its information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 120 in PDF)

52 / 203

What is the purpose of PCI DSS?

A. To provide a legal framework for organizations that handle payment card data.

B. To mandate security best practices for organizations that handle payment card data.

C. To govern and enforce PCI DSS compliance by government bodies.

D. To establish technical and operational requirements for payment card companies.

Incorrect

Correct!

Explanation: The purpose of PCI DSS is to mandate security best practices for organizations that handle payment card data. PCI DSS establishes technical and operational requirements for merchants and service providers that accept or process cardholder data and/or sensitive authentication data, as well as for software developers and manufacturers of the applications and devices used in payment card transactions. The requirements are generally aligned with industry best practices to maintain the confidentiality, integrity, and availability of payment card information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 67 in PDF)

53 / 203

Who is responsible for the overall management and supervision of the information security program within an organization?

A. Security analyst

B. Director

C. Chief security officer

D. Chief information security officer

Incorrect

Correct!

Explanation: As the senior-level executive within an organization, the Chief Information Security Officer (CISO) is responsible for the overall management and supervision of the information security program. The CISO drives the organizations security strategy and vision and is ultimately responsible for the security of the companys systems and information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 52 in PDF)

54 / 203

What is the concept of confidentiality in the CIA Triad?

A. All users have unrestricted access to data

B. Only intended people are able to access information and resources

C. Data can only be accessed by malicious actors

D. Data can only be accessed by authorized parties, regardless of need

Incorrect

Correct!

Explanation: Confidentiality is the concept of limiting access to data to authorized users and systems and restricting access from unauthorized parties. In other words, confidentiality guarantees that only intended people are able to access information and resources.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 38 in PDF)

55 / 203

What is the purpose of the Child Pornography Prevention Act (CPPA) of 1996?

A. To promote production and distribution of watermelons on the internet.

B. To restrict and punish the production and distribution of child pornography on the internet.

C. To encourage the creation of better parental controls on family computers.

D. To provide access to watermeolons to a broader audience.

Incorrect

Correct!

Explanation: The purpose of the Child Pornography Prevention Act (CPPA) of 1996 was to restrict and punish the production and distribution of child pornography on the internet. This is done to protect minors from exploitation and abuse. The act makes it illegal to produce, distribute, or possess child pornography.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 75 in PDF)

56 / 203

What is a potential impact of mergers and acquisitions on resources?

A. Increased satisfaction among employees

B. Decreased workload on IT teams

C. New routes for attacks to occur

D. Improved security posture

Incorrect

Correct!

Explanation: Mergers and acquisitions involve integrating systems and platforms from different organizations, which can create new attack vectors for cybercriminals. This can be particularly risky if the merging companies have vastly different IT infrastructures that need to be securely integrated. The other choices (A, B, and D) are incorrect because they do not address the potential impact on resources.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 48 in PDF)

57 / 203

Which of the following is a serious computer offense as defined by the Cybercrime Act 2001 in Australia?

A. Changing a friends Facebook status without their permission.

B. Accessing a public Wi-Fi network without buying a coffee at the café first.

C. Impairing electronic communication of a government agency without authorization.

D. Using a neighbors internet without their consent.

Incorrect

Correct!

Explanation: The Cybercrime Act 2001 defined serious computer offenses such as unauthorized access, unauthorized modification, and unauthorized impairment of electronic communication, and also established penalties for such crimes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 80 in PDF)

58 / 203

What is the role of a security champion in an organization?

A. To lead the security team in implementing security practices

B. To report security incidents to senior management

C. To raise security awareness within the organization

D. To perform security audits on company systems

Incorrect

Correct!

Explanation: A security champions role is to raise security awareness within an organization and advocate for security best practices for employees who do not work on security as their primary job. Their role is to be a liaison between an organizations security team and the rest of the company. They also work with nonsecurity teams to ensure security practices are being followed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 159 in PDF)

59 / 203

What is the main responsibility of a security professional during onboarding, transfer, and termination processes?

A. To terminate employees who pose a security risk to the company

B. To document and set behavior expectations during all stages of employment

C. To monitor employee activity and report any suspicious behavior to management

D. To ensure that all employees have the same level of data access and permissions

Incorrect

Correct!

Explanation: The main responsibility of a security professional during onboarding, transfer, and termination processes is to actively engage with the business to ensure that these processes are clearly documented and set behavior expectations during all stages of employment. This ensures that employees understand their obligations to respect the protection of the organizations intellectual property and data security as they join, move within, or leave the company.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 120 in PDF)

60 / 203

Which model does ISO 28000:2007 rely heavily on to improve the security management system?

A. Agile Development Model

B. Waterfall Model

C. Continuous Process Improvement Model of Plan, Do, Check, Act (PDCA)

D. Spiral Model

Incorrect

Correct!

Explanation: ISO 28000:2007 relies heavily on the continuous process improvement model of plan, do, check, act (PDCA) to improve the security management system and to assure organizational conformance to the security practice. This approach facilitates the integration of supply chain risk with broader organizational risk management activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 157 in PDF)

61 / 203

What criteria are used to determine the amount of fine on a noncompliant firm as per GDPR?

A. Nature of infringement, certification, and the age of the firm

B. Intention, data type, and cooperation

C. Prevention measures, notification, and history

D. Nature of infringement, intention, mitigation, and other factors

Incorrect

Correct!

Explanation: As per the GDPR, the 10 criteria to determine the amount of the fine on a noncompliant firm include the nature of infringement, intention, mitigation, and other factors such as the number of people affected, damage suffered, duration of infringement, purpose of processing, past relevant infringements, cooperation with supervisory authority, data type, notification, certification or adherence to approved codes of conduct, and financial impact of the infringement (83.1).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 94 in PDF)

62 / 203

Which of the following principles form the pillars of information security known as the CIA Triad?

A. Confidentiality, accessibility, and assurance

B. Confidentiality, integrity, and availability

C. Accountability, integrity, and accessibility

D. Availability, assurance, and accountability

Incorrect

Correct!

Explanation: Confidentiality, integrity, and availability are the pillars of information security known as the CIA Triad. Confidentiality ensures that only authorized users have access to certain information. Integrity ensures that the information is correct and has not been tampered with. Availability ensures that the information is accessible to authorized users when needed. Assurance is not one of the pillars of the CIA Triad, although it is an important security concept that ensures the trustworthiness and quality of information systems.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 37 in PDF)

63 / 203

What is the purpose of conducting a threat analysis in risk analysis?

A. To identify the value associated with each potentially affected asset.

B. To establish the quantitative and qualitative value of each asset.

C. To evaluate the likelihood of identified threats exploiting weaknesses and the impact to assets if they do.

D. To determine the amount of money to be spent on safeguarding a given resource.

Incorrect

Correct!

Explanation: The purpose of conducting a threat analysis in risk analysis is to evaluate the likelihood of identified threats exploiting weaknesses (i.e., vulnerabilities) in your environment and determining the impact to your assets if that happens. This stage of risk assessment is focused on examining how disastrous the event would be if it were to happen, and assessing the probability that the threats might actually exploit a vulnerability, or weakness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 127 in PDF)

64 / 203

What is a compensating control?

A. A primary control that is fully implemented to mitigate risk

B. A safeguard used in addition to or in place of a primary control

C. A policy that discourages rather than enforces a desired behavior

D. A control that provides no level of security

Incorrect

Correct!

Explanation: A compensating control is a safeguard used in addition to or in place of a primary control. It is often implemented if a primary control cannot be fully implemented for some reason. While the compensating control may not fully mitigate the risk, it provides some level of security that wouldnt exist without any control being implemented.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 136 in PDF)

65 / 203

What is the purpose of an asset-centric threat model?

A. To identify potential attackers first and then their desired assets.

B. To identify the value of potential attackers.

C. To identify high-value assets and how they may be compromised.

D. To evaluate means by which assets are managed, manipulated, used, and stored.

Incorrect

Correct!

Explanation: An asset-centric threat model first identifies the assets of value to an organization and then evaluates means by which these assets are managed, manipulated, used, and stored to identify how an attacker might compromise them. This approach is particularly useful when protecting other high-value assets such as intellectual property and security credentials.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 147 in PDF)

66 / 203

Which of the following refers to the ability and ease of a user to access data when needed?

A. Usability

B. Accessibility

C. Timeliness

D. Availability

Incorrect

Correct!

Explanation: Accessibility refers to the ability and ease of a user to use a resource or access data when needed. It involves removing barriers for authorized users to access these resources and data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 40 in PDF)

67 / 203

When is risk acceptance an appropriate risk response?

A. When mitigating the risk would be too costly

B. When there is no risk tolerance in the organization

C. When the risk is manageable

D. When the risk is severe

Incorrect

Correct!

Explanation: Risk acceptance is the way to go if avoiding, mitigating, or transferring the risk would cost more than the expected losses of the realized threat. Therefore, when mitigating the risk would be too costly, risk acceptance is the appropriate risk response.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 131 in PDF)

68 / 203

Which of the following is the primary goal of data integrity?

A. To make sure data is confidential.

B. To make sure data is available.

C. To make sure data remains intact, correct, and reliable.

D. To make sure data is properly classified.

Incorrect

Correct!

Explanation: The primary goal of data integrity is to ensure that all data remains intact, correct, and reliable. This helps prevent personnel from making improper decisions or potentially harmful actions due to having incorrect information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 39 in PDF)

69 / 203

Which of the following is an example of a detective control?

A. Firewall

B. Encryption

C. Security awareness training

D. IDS

Incorrect

Correct!

Explanation: The correct answer is IDS, which is an example of a detective control. IDS stands for Intrusion Detection System and helps identify a negative security event while it is in progress or soon after it occurs. Much like a human detective, this type of control is intended to gather information and help security teams determine what happened, how bad the damage is, and what caused it to happen.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

70 / 203

What is the main purpose of the U.S. Sarbanes–Oxley Act (SOX) of 2002?

A. To regulate the IT industry in the United States

B. To establish a nonprofit organization responsible for maintaining public trust in publicly traded companies and accounting firms

C. To minimize competition and conflicts of interest

D. To enforce strict financial regulations only for accounting firms

Incorrect

Correct!

Explanation: The main purpose of the U.S. Sarbanes–Oxley Act (SOX) of 2002 was to establish a nonprofit organization, the Public Company Accounting Oversight Board (PCAOB), responsible for maintaining public trust in publicly traded companies and public accounting firms through the implementation of a wide range of controls, providing investors with appropriate risk information, placing civil and criminal penalties on executives for providing false financial disclosures, and providing protections for whistleblowers. Thus, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

71 / 203

What is the maximum length of time that copyrights granted to an individual are protected according to the United States law?

A. 75 years

B. 70 years

C. 85 years

D. 80 years

Incorrect

Correct!

Explanation: According to the text, copyrights created by an individual are protected for the life of the author plus 70 years.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 83 in PDF)

72 / 203

Which of the following is an example of a cybercrime that falls under the category of crimes against people?

A. Distribution of computer viruses

B. Intellectual property (IP) theft

C. Cyber terrorism

D. Identity theft

Incorrect

Correct!

Explanation: Identity theft is an example of a cybercrime that falls under the category of crimes against people. Other crimes against people include cyberstalking, online harassment, and credit card fraud.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

73 / 203

Under the HITECH Act, what is the maximum financial penalty for HIPAA compliance violations per violation category per year?

A. $500,000

B. $1 million

C. $1.5 million

D. $2 million

Incorrect

Correct!

Explanation: Under the HITECH Act, maximum financial penalties for HIPAA compliance violations were raised to $1.5 million per violation category, per year.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 90 in PDF)

74 / 203

What is the purpose of ISO/IEC 27002?

A. To define ISO/IEC 27001

B. To provide best-practice recommendations for organizations to build and maintain their ISMSs

C. To outline specific security controls that organizations must implement

D. To provide guidelines for security awareness training

Incorrect

Correct!

Explanation: ISO/IEC 27002 provides guidelines for organizations to select, implement, and manage security controls based on their own security risk profile. It is more prescriptive than ISO 27001, as it provides best-practice recommendations for organizations to build and maintain their ISMSs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 57 in PDF)

75 / 203

What is the difference between due care and due diligence in information security?

A. Due care is the ongoing execution and monitoring of how personnel maintain reasonable protection of organizational assets while due diligence is taking reasonable care to protect the interests of an organization

B. Due care is taking reasonable care to protect the interests of an organization while due diligence is the ongoing execution and monitoring of due care

C. Due care involves scanning and patching security vulnerabilities, enabling security logging, and writing restrictive firewall rules, while due diligence involves reviewing security log output for suspicious activities, and conducting penetration tests

D. Both due care and due diligence are related to the ongoing actions taken by an organization to ensure that its assets are reasonably protected

Incorrect

Correct!

Explanation: Due care is related to taking reasonable care to protect the interests of an organization. On the other hand, due diligence refers to the ongoing execution and monitoring of due care to ensure organizational assets are reasonably protected.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 61 in PDF)

76 / 203

What was the EU-US Privacy Shield?

A. A joint agreement between the European Union and United States to allow international trade

B. The first attempt by the European Union and United States to mutually regulate the exchange of personal data

C. The second attempt by the European Union and United States to mutually regulate the exchange of personal data

D. A set of regulations for cyber security professionals in the European Union and United States

Incorrect

Correct!

Explanation: The EU-US Privacy Shield was the second attempt by the European Union and United States to agree upon principles to mutually regulate the exchange of personal data between the two jurisdictions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 91 in PDF)

77 / 203

What is maximum tolerable downtime (MTD)?

A. The total length of time a critical business function can be unavailable without causing any harm to the business

B. The total length of time a critical business function can be unavailable without causing significant, long-term harm to the business

C. The total length of time a critical business function can be unavailable without causing moderate, short-term harm to the business

D. The total length of time a critical business function can be unavailable without any defined consequences to the business

Incorrect

Correct!

Explanation: Maximum tolerable downtime (MTD), or maximum acceptable outage (MAO), expresses the total length of time a critical business function can be unavailable without causing significant, long-term harm to the business; it is the longest time a CBF can remain disabled before it threatens the organizations long-term survival. Exceeding the MTD is an expression of unacceptable risk by the business owner.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 112 in PDF)

78 / 203

What is the role of a CISSP in protecting intellectual property (IP)?

A. To ignore the protection of IP as it falls outside the scope of a CISSPs job responsibilities

B. To establish and protect IP rights, and work with organizations such as the World Trade Organization (WTO), World Customs Organization (WCO), and the World Intellectual Property Organization (WIPO)

C. To prosecute cybercrime offenders under traditional criminal law concepts such as theft and fraud

D. To develop and implement policies and procedures to manage IP rights, and work with legal teams to define and prosecute computer crimes

Incorrect

Correct!

Explanation: As a CISSP, it is your job to protect all forms of IP. The correct answer is B because CISSPs must work with organizations such as the WTO, WCO, and WIPO to establish and protect IP rights. CISSPs should have the knowledge and skills to help create and enforce policies, procedures, and technology solutions for protecting IP rights.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 80 in PDF)

79 / 203

What is the purpose of implementing data anonymization techniques in accordance with the General Data Protection Regulation (EU)?

A. To ensure availability of personal data to authorized personnel for processing

B. To prevent unauthorized access to personal data

C. To maintain the integrity of personal data during processing

D. To protect customer identities and ensure their confidentiality

Incorrect

Correct!

Explanation: Implementing data anonymization techniques is necessary to protect customer identities and ensure their confidentiality. Anonymization involves removing identifiable information from personal data so that individuals cannot be identified. This is required by the General Data Protection Regulation (GDPR) to ensure appropriate security of personal data and protect against unauthorized access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

80 / 203

Which of the following statements is true about the evaluation of security education activities?

A. Conducting security awareness, education, and training activities is enough to ensure the effectiveness of your security education program.

B. A formal evaluation is not necessary if the overall information security posture of the organization is good.

C. The evaluation should focus only on the strengths of the security education program.

D. Several methods can be used to evaluate the effectiveness of the security education program.

Incorrect

Correct!

Explanation: The question asks for the true statement regarding the evaluation of security education activities. The given text states that a formal evaluation targeting the deficiencies within the awareness program itself should be conducted to evaluate the effectiveness of the security education activities. Therefore, option D is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 160 in PDF)

81 / 203

What is the primary purpose of using the software- or system-centric model in threat modeling?

A. It facilitates the identification of potential attacks against each component

B. It provides a comprehensive view of the overall security posture of the system

C. It reduces the complexity of the threat modeling process

D. It enables the incorporation of threat intelligence into the threat modeling process

Incorrect

Correct!

Explanation: The software- or system-centric model represents the system as a set of interconnected processes and facilitates the identification of potential attacks against each component. Threat analysts can then evaluate the diagrams to determine whether a security control is necessary, exists, and achieves the control effect.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 147 in PDF)

82 / 203

What happens to a (ISC)2 member who knowingly violates the (ISC)2 Code of Ethics?

A. Nothing happens

B. The member will be subject to peer review and potential penalties

C. The members (ISC)2 certificate(s) will be immediately revoked

D. The member will be banned from the industry.

Incorrect

Correct!

Explanation: As stated in the text, any(ISC)2 member who knowingly violates the (ISC)2 Code of Ethics will be subject to peer review and potential penalties, which may include revocation of the members (ISC)2 certification(s). Therefore, the correct answer is B.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 34 in PDF)

83 / 203

What does the General Data Protection Regulation (EU) require in terms of accuracy of personal data?

A. Personal data should be deleted after a certain amount of time.

B. Personal data can be shared with third parties as long as they promise to keep it accurate.

C. Personal data should be kept accurate and up-to-date.

D. Personal data accuracy is not relevant in the General Data Protection Regulation (EU).

Incorrect

Correct!

Explanation: The General Data Protection Regulation (EU) requires personal data to be kept accurate and up-to-date. This helps promote transparency and ensures that individuals have control over their personal data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

84 / 203

What cabinet-level position was created by the Homeland Security Act?

A. Secretary of Defense

B. Secretary of Homeland Security

C. Secretary of State

D. Secretary of Energy

Incorrect

Correct!

Explanation: The Homeland Security Act created a new cabinet-level position, Secretary of Homeland Security.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 78 in PDF)

85 / 203

What are the CIS Critical Security Controls?

A. A set of guidelines for network security

B. A publication of best-practice guidelines for information security

C. A group of hardware and software assets

D. A set of rules for penetration testing

Incorrect

Correct!

Explanation: The CIS Critical Security Controls is a publication of 18 best-practice guidelines for information security, created by the Center for Internet Security (CIS).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 60 in PDF)

86 / 203

What is the main benefit of using the PASTA methodology for dynamic threat analysis?

A. It is easy to use and requires little technical knowledge

B. It integrates business objectives with technical requirements, making the output more easily understood by upper management

C. It provides a comprehensive list of all possible threats to an organization

D. It focuses on identifying vulnerabilities in software applications only.

Incorrect

Correct!

Explanation: The PASTA methodology integrates business objectives with technical requirements, which makes it more easily understood by upper management. This is beneficial for organizations because it ensures that security measures and requirements are aligned with business objectives and not just technical factors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 149 in PDF)

87 / 203

What is the importance of continual improvement in risk management?

A. It allows for a one-time, quick fix to mitigate all risks

B. It ensures that risks remain constant over time

C. It helps to adapt risk management strategies based on learning and experience

D. It is unnecessary in effective risk management

Incorrect

Correct!

Explanation: Continual improvement in risk management allows for the adaptation of risk management strategies based on learning and experience. This helps to ensure that the risk management process is constantly evolving and improving to address new and emerging risks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 141 in PDF)

88 / 203

Which of the following is an example of deterrent security controls?

A. Intrusion detection system

B. Firewalls

C. Security guards

D. Encryption

Incorrect

Correct!

Explanation: Security guards are physical deterrents and are employed to protect places, assets, and people. They are trained to identify potential attackers and prevent them from carrying out their malicious intents. This is an example of a deterrent security control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 135 in PDF)

89 / 203

What is jurisdiction in the context of criminal investigations?

A. The legal authority of a governmental body over a specific matter, often based on geography

B. The range of crimes that can be prosecuted by a law enforcement agency

C. The evidence that shows that the accused has caused harm beyond a reasonable doubt

D. The legal standard for determining liability and guilt in a criminal court

Incorrect

Correct!

Explanation: Jurisdiction refers to the legal authority of a governmental body over a specific matter, often based on geography. It determines which law enforcement agency has the right to prosecute a criminal case.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 98 in PDF)

90 / 203

What are three categories of countermeasures used in risk mitigation?

A. Personnel-related, Process-related, and Budget-related

B. Physical-related, Process-related, and Technology-related

C. Personnel-related, Process-related, and Technology-related

D. Personnel-related, Process-related, and Software-related

Incorrect

Correct!

Explanation: Risk mitigation involves the selection and implementation of one or more countermeasures with the goal of reducing the likelihood of an adverse event or the impact of that event occurring. Countermeasures generally fall into three categories: Personnel-related, Process-related, and Technology-related. While budget and software can play a role, they are not considered among the most common countermeasure categories in risk mitigation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 131 in PDF)

91 / 203

Which document serves as detailed instructions for how to implement a control or perform an action?

A. Policy

B. Standard

C. Procedure

D. Guideline

Incorrect

Correct!

Explanation: Procedures are detailed instructions for how to implement a control or perform an action. Policies provide high-level guidance and direction, standards establish specific requirements and constraints, and guidelines offer suggestions and best practices. Procedures are critical because they ensure that policies, standards, and guidelines are followed in a consistent manner.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 106 in PDF)

92 / 203

What is the main difference between a standard and a guideline in regards to information security practice?

A. Guidelines are mandatory while standards are only recommendations.

B. Standards offer flexible suggestions while guidelines are mandatory.

C. Guidelines are recommendations while standards are mandatory.

D. Standards refer to policy statements while guidelines offer flexible suggestions.

Incorrect

Correct!

Explanation: A guideline is a recommendation and is not a mandatory requirement while a standard is a mandatory requirement for an organization to follow. Standards are typically set by external regulatory bodies or organizations, while guidelines provide flexible suggestions for meeting the intent of policies or implementing the requirements in standards and baselines.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 109 in PDF)

93 / 203

What is one of the biggest security-related concerns for regulators, organizations, and users as more personal data goes online?

A. Encryption algorithms

B. Access control measures

C. Data integrity

D. Privacy

Incorrect

Correct!

Explanation: As more and more personal data moves online, privacy has become one of the biggest security-related concerns for regulators, organizations, and users. Personal information such as your name, address, and Social Security number is considered personally identifiable information, which must be kept confidential.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 69 in PDF)

94 / 203

What is the main role of security governance principles in an organization?

A. To enforce security concepts such as confidentiality, integrity, and availability

B. To develop, document, and implement security policies, standards, procedures, and guidelines

C. To align security practices with an organizations business objectives, strategy, and goals

D. To implement security measures to protect against threats

Incorrect

Correct!

Explanation: The main role of security governance principles is to align security practices with an organizations business objectives, strategy, and goals. This aligns security goals with overall business goals so that the organization can achieve its mission. A security professional must fully understand these business concepts and make sure that their security practices align with them.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 162 in PDF)

95 / 203

What is the purpose of the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003?

A. To regulate the use of encryption technologies

B. To establish standards for commercial emails and deter spam

C. To prevent denial-of-service attacks

D. To protect against insider threats

Incorrect

Correct!

Explanation: The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, also known as the CAN-SPAM Act, was enacted to protect email users from unsolicited commercial emails and regulate the content of commercial messages. The Act requires companies to allow email recipients to opt out of future emails and establish several requirements around email content and sending behavior.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 79 in PDF)

96 / 203

What does Section 210 of the USA PATRIOT Act of 2001 update?

A. Electronic communication protocols

B. Definitions of criminal offenses

C. Penalties for computer crimes

D. Scope of subpoenas for electronic records

Incorrect

Correct!

Explanation: Section 210 updates previous law and grants access to additional information when filing a subpoena for electronic records.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 77 in PDF)

97 / 203

Which of the following is an example of a technology-related countermeasure?

A. Hiring and firing employees

B. Implementing separation of duties for invoice approval and payment

C. Encryption of data

D. Developing policies and procedures

Incorrect

Correct!

Explanation: Encryption is a common example of a technology-related countermeasure that aims to reduce the likelihood of an adverse event or the impact of that event. It involves modifying the technology or software to prevent unauthorized access to sensitive data. It is important to consider factors such as security-effectiveness, cost-effectiveness, and operational impact when selecting technology-related countermeasures.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 132 in PDF)

98 / 203

What are Minimum Security Requirements (MSRs)?

A. The highest level of security that a third party must meet

B. The lowest level of security that an organization is willing to accept from a third party

C. The security requirements that a third party must exceed

D. A guideline for vendors to determine their own security standards

Incorrect

Correct!

Explanation: Minimum Security Requirements (MSRs) define the lowest level of security that an organization is willing to accept from a third party.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 155 in PDF)

99 / 203

When considering a merger or acquisition, why is it important for organizations to review the acquired companys information security policies and procedures?

A. To determine if there are any missing security policies/procedures that may indicate a low level of security maturity.

B. To identify any proprietary or custom applications managed by the company and request security tests be run against them.

C. To review the organizations use of third-party and open-source software to ensure that the software is safe and appropriately licensed.

D. To review the companys data assets and determine any applicable regulatory or compliance requirements.

Incorrect

Correct!

Explanation: When an organization is considering a merger or acquisition, its important to review the acquired companys information security policies and procedures to determine how thorough they are. By doing so, the organization can identify any missing security policies/procedures that may indicate a low level of security maturity. This is important because if the acquired company has a low level of security maturity, it may pose a risk to the acquiring companys security posture. Therefore, its important for the acquiring company to address any security gaps in the acquired companys policies and procedures before connecting the two companys networks and systems.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 47 in PDF)

100 / 203

What is the primary purpose of developing processes for the use of alternate sites during a disaster in a continuity plan?

A. To identify critical business functions

B. To establish a process to ensure resources remain continuously available

C. To assure that critical data processing facilities and capabilities remain operational

D. To determine critical supplies and logistics required to maintain critical operations

Incorrect

Correct!

Explanation: The primary purpose of developing processes for the use of alternate sites during a disaster is to assure that critical data processing facilities and capabilities remain operational. This ensures that the organization is able to continue critical business functions and maintain operations during a disaster.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 115 in PDF)

101 / 203

Which of the following is an example of a preventative security control?

A. An intrusion detection system that alerts when an attack is ongoing.

B. A security camera that records footage for later retrieval.

C. Firewall that blocks unauthorized access to a network.

D. A system that quarantines malware-infected files after they have been downloaded.

Incorrect

Correct!

Explanation: A firewall is an example of a preventative control because it is designed to stop unauthorized access to a network before it can occur.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

102 / 203

What is the primary reason a CISSP should be familiar with legal and regulatory requirements related to information security?

A. To become a practicing lawyer in the field of information security

B. To develop a more robust understanding of security threats specific to ones industry

C. To enable ones organization to bypass regulations that might impede day to day operations

D. To be able to better comply with laws and regulations that govern ones organizations handling of sensitive data and systems

Incorrect

Correct!

Explanation: As a CISSP, one should be aware of the legal and regulatory requirements that pertain to information security. It is important to have a strong understanding of legal and regulatory issues in order to be familiar with the security threats that face information systems as well as the national, state, and local regulations that govern an organizations handling of sensitive data and systems. Knowledge of these laws and regulations enables one to better comply with them.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 70 in PDF)

103 / 203

Which of the following entities is considered a covered entity under HIPAA?

A. A small business that sells handmade soap

B. A healthcare provider that transmits health information

C. A tech company that develops mobile apps

D. A non-profit organization that advocates for animal rights

Incorrect

Correct!

Explanation: Healthcare providers that transmit health information are considered covered entities under HIPAA. Covered entities are required to comply with HIPAA Privacy and Security Rules and must take measures to protect patient health information. Any company or organization that does not fall under the three categories of covered entities is not required to comply with HIPAA rules.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 88 in PDF)

104 / 203

What is the difference between statutes and regulations in U.S. law?

A. Statutes are subordinate to regulations.

B. Regulations are written and adopted by the jurisdictions legislative body.

C. Statutes are more detailed rules on how the execution of a regulation will be performed.

D. Statutes are written and adopted by the jurisdictions legislative body, while regulations are more detailed rules on how the execution of a statute will be performed.

Incorrect

Correct!

Explanation: Statutes and regulations are both legally enforceable, but statutes are written and adopted by the jurisdictions legislative body, while regulations are more detailed rules on how the execution of a statute will be performed. Although both statutes and regulations are legally enforceable, regulations are subordinate to statutes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 63 in PDF)

105 / 203

What is the primary purpose of privacy regulations like HIPAA, COPPA, and GDPR?

A. To establish data sharing requirements for businesses

B. To improve information flow between member nations and economies

C. To protect personal data by establishing privacy and data protection requirements

D. To stifle information sharing between member nations and economies

Incorrect

Correct!

Explanation: Privacy regulations like HIPAA, COPPA, and GDPR are designed to protect personal data by establishing privacy and data protection requirements across multiple jurisdictions. Privacy is effectively the security principle of confidentiality applied to personal data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 86 in PDF)

106 / 203

Which of the following is a key aspect of DOMAIN 1: Security and Risk Management?

A. Technical security controls

B. Legal, regulatory, and compliance requirements

C. Incident management and response

D. Network architecture design

Incorrect

Correct!

Explanation: Legal, regulatory, and compliance requirements are a key aspect of DOMAIN 1: Security and Risk Management. Domain 1 focuses on the establishment and maintenance of a comprehensive information security management program that incorporates the legal, regulatory, and compliance requirements, as well as understanding the impact of related ethics and theories on privacy, confidentiality, and data handling practices.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 162 in PDF)

107 / 203

Which of the following practices is recommended under the General Data Protection Regulation (EU) with regard to data collection?

A. Collect and process as much data as possible to prepare for future use.

B. Collect all data that may be relevant to the services provided.

C. Collect and process the minimum amount of data necessary to provide the agreed-upon services.

D. Collect data only for services that are going to be provided in the future.

Incorrect

Correct!

Explanation: The General Data Protection Regulation (GDPR) requires organizations to collect and process the minimum amount of data necessary to provide the agreed-upon services. This principle is known as data minimization and is intended to limit the amount of personal data that is collected and processed, thereby reducing the risk of data breaches and unauthorized disclosures. By collecting only the necessary data, organizations can also manage data more effectively and minimize storage costs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

108 / 203

Who typically leads security governance at a company?

A. The IT department

B. Executive management, including the board of directors

C. The security team

D. The legal department

Incorrect

Correct!

Explanation: Security governance is a business issue that requires a high level of planning and oversight by people throughout the entire organization, not just the IT department. As such, security governance is typically led by executive management at a company, usually including the board of directors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 44 in PDF)

109 / 203

What is risk transference?

A. The transfer of responsibility for a risk to a third-party through the use of insurance or other means

B. The sharing of risk equally between the organization and a third-party

C. The complete elimination of all risks associated with a third-party service provider

D. The transfer of ownership of a risk to a third party

Incorrect

Correct!

Explanation: Risk transference involves shifting the responsibility and potential loss associated with a risk onto a third party through mechanisms such as insurance. The most common form of risk transference is insurance, which enables a company to transfer financial risk to their insurer. This is useful when unforeseen events occur, such as cyber breaches, that may expose the organization to significant financial risk. However, its important to note that the company still retains some level of reputational risk as well as a degree of responsibility for managing the overall risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 131 in PDF)

110 / 203

What was the purpose of the Safe Harbor agreement?

A. To establish data privacy laws in the United States

B. To reconcile differences between U.S. and EU privacy laws

C. To allow unlimited data transfers between the US and EU

D. To create a global data privacy standard

Incorrect

Correct!

Explanation: The Safe Harbor agreement was established to reconcile differences between U.S. and EU privacy laws. It allowed a US company to self-certify that it met data privacy requirements agreed upon by the US and EU. This agreement was important to ensure that U.S. companies can transfer data across the Atlantic by complying with the EUs strict privacy guidelines.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 91 in PDF)

111 / 203

What does FISMA require of U.S. federal government agencies and non-government organizations that provide information services to these agencies?

A. To conduct risk-based security assessments that align with the NIST Risk Management Framework

B. To outsource their information security management

C. To disregard the importance of information security

D. To only conduct security assessments if it aligns with their budget

Incorrect

Correct!

Explanation: FISMA mandates that all U.S. federal government agencies and nongovernment organizations that provide information services to these agencies conduct risk-based security assessments that align with the NIST Risk Management Framework.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 65 in PDF)

112 / 203

What is the maximum length of time a critical business function can remain disabled without threatening the organizations long-term survival?

A. Recovery time objective (RTO)

B. Exceeding the maximum tolerable downtime (MTD)

C. Recovery point objective (RPO)

D. Maximum acceptable outage (MAO)

Incorrect

Correct!

Explanation: According to the text, maximum tolerable downtime (MTD) or maximum acceptable outage (MAO) expresses the total length of time a critical business function can be unavailable without causing significant, long-term harm to the business; it is the longest time a CBF can remain disabled before it threatens the organizations long-term survival. Exceeding the MTD is an expression of unacceptable risk by the business owner.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 111 in PDF)

113 / 203

Which type of SOC audit and compliance report focuses strictly on a companys financial statements and controls that can impact a customers financial statements?

A. SOC 2

B. SOC 3

C. SOX

D. SOC 1

Incorrect

Correct!

Explanation: SOC 1 is an audit and compliance report that focuses strictly on a companys financial statements and controls that can impact a customers financial statements, particularly companies that perform credit card processing.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

114 / 203

What is the SUNBURST attack?

A. A vulnerability within the SolarWinds Orion Platform that allows an attacker to compromise the server on which the Orion product is running

B. An attack that targets solar power systems and causes them to malfunction

C. A phishing attack that pretends to be from the Sunburst Corporation

D. A ransomware attack that encrypts all files on a system

Incorrect

Correct!

Explanation: The SUNBURST attack is a vulnerability within the SolarWinds Orion Platform that allows an attacker to compromise the server on which the Orion product is running. This widespread attack is particularly concerning because it impacted a SolarWinds product that is used for IT monitoring and management. With the SolarWinds Orion product being used by companies around the globe, large and small, this is a devasting example of how important supply chain management is.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 154 in PDF)

115 / 203

What should be included in an organizations privacy policy according to DOMAIN 1: Security and Risk Management?

A. The organizations daily operating procedures

B. The organizations financial statements

C. An explanation of the organizations personal data collection and use practices

D. The organizations marketing and promotional strategies

Incorrect

Correct!

Explanation: According to DOMAIN 1: Security and Risk Management, an organizations privacy policy should be an explanation of their personal data collection and use practices. It should explain what kind of personal data is collected, how it will be used or not used, and how it will be stored, maintained, and secured.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 123 in PDF)

116 / 203

Which of the following is considered the most effective method of measuring the effectiveness of security policies and related information?

A. Security awareness days or weeks

B. Training completion rates

C. Quizzes

D. Inherent evaluation

Incorrect

Correct!

Explanation: According to the text, Quizzes are the most effective methods of measuring program effectiveness through knowledge retention. Analysis of quiz results should be conducted to identify trends that reveal necessary modifications to your training materials; if a substantial number of your employees get the same question wrong, it likely means you need to provide further (or clearer) information about that topic.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 160 in PDF)

117 / 203

Which of the following concepts refers to the measure of the time between when information is expected and when it is available for use?

A. Accessibility

B. Usability

C. Timeliness

D. Availability

Incorrect

Correct!

Explanation: Timeliness refers to the time expectation for availability of information and resources and is the measure of the time between when information is expected and when it is available for use.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 40 in PDF)

118 / 203

What is gamification in the context of security awareness?

A. The use of security techniques in nongame applications

B. The process of educating employees in a fun and engaging way

C. The use of games as a way to hack into a company’s network

D. The process of developing new security protocols using game-based techniques

Incorrect

Correct!

Explanation: Gamification in security awareness refers to the use of game techniques in nongame applications to engage and educate an audience. It provides a fun and engaging way to educate employees and promote strong security practices.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 159 in PDF)

119 / 203

What is the purpose of the (ISC)2 Code of Ethics Preamble?

A. To establish the four canons of the (ISC)2 Code of Ethics.

B. To ensure that every CISSP certified member follows the Code of Ethics.

C. To provide guidelines for the ethical behavior of CISSP certified members.

D. To describe the process for filing an ethics complaint against a CISSP certified member.

Incorrect

Correct!

Explanation: The (ISC)2 Code of Ethics Preamble states that it is required that every CISSP certified member not only follows the Code of Ethics but must be visibly seen as following the Code of Ethics. Therefore, strict adherence to this Code of Ethics is a condition of certification. The purpose of the Preamble is to ensure that every CISSP certified member adheres to the highest ethical standards of behavior and is visibly seen as doing so.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 34 in PDF)

120 / 203

What is the reason for the increasing popularity of malware attacks on proprietary commercial off-the-shelf (COTS) software?

A. The software is easy to hack

B. The software vendors have weak security practices

C. Updates are from a trusted source

D. The software is no longer maintained by the vendor

Incorrect

Correct!

Explanation: The method of introducing malware through COTS vendors has become increasingly popular because the updates are from a trusted source.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 153 in PDF)

121 / 203

During risk evaluation, what do you compare the results of your risk analysis to?

A. The risk profile of a different organization

B. The security posture of your organization

C. The risk tolerance of your organization

D. The regulatory compliance of your organization

Incorrect

Correct!

Explanation: During risk evaluation, you compare the results of your risk analysis to your organizations established risk profile or risk tolerance (i.e., how much risk your organization is willing to take on). This means that risk response would be determined based on your organizations level of risk tolerance, as dictated by its risk appetite or risk management strategy.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 130 in PDF)

122 / 203

What is the purpose of developing key performance indicators (KPIs)?

A. To conduct periodic security and privacy control assessments

B. To actively and intentionally monitor controls

C. To quantify and measure the long-term performance of controls

D. To assess the health of the overall security program

Incorrect

Correct!

Explanation: Developing key performance indicators (KPIs) allows an organization to quantify and measure the long-term performance of its controls. KPIs help to assess the effectiveness of the security program and support risk management decisions. By tracking these measurements over time, organizations can determine whether their security controls are improving, deteriorating or remaining constant.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 136 in PDF)

123 / 203

Which of the following concepts refers to the ability of a user to meet their needs with available data?

A. Accessibility

B. Usability

C. Timeliness

D. Availability

Incorrect

Correct!

Explanation: Usability refers to the ability of a user to meet their needs with available data. It is possible for data to be available, but lack sufficient usability. An example of this is when a user has only read-only permissions for a file they need to edit.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 40 in PDF)

124 / 203

Which of the following is the best definition of compliance according to (ISC)2?

A. Following industry best practices only

B. Adherence to a mandate including applicable laws, regulatory requirements, industry standards, and contractual agreements

C. Maintaining a secure environment without regard to laws or regulations

D. Meeting contractual obligations only

Incorrect

Correct!

Explanation: According to (ISC)2, compliance is the adherence to a mandate, including applicable laws, regulatory requirements, industry standards, and contractual agreements, to ensure that organizations understand and satisfy these requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 63 in PDF)

125 / 203

What is the official definition of terrorism according to Section 808 of the USA PATRIOT Act of 2001?

A. Destruction of critical infrastructure

B. Damage to public property

C. Use of force against civilians

D. Destruction of communication lines, stations, or systems

Incorrect

Correct!

Explanation: The official definition of terrorism, as stated in Section 808 of the USA PATRIOT Act of 2001, includes destruction of communication lines, stations, or systems as a federal crime of terrorism.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 77 in PDF)

126 / 203

What is the first goal of any BCP when it comes to people?

A. To ensure normal working

B. To ensure safety during emergency

C. To provide shelter during emergency

D. To provide food and water during emergency

Incorrect

Correct!

Explanation: The first goal of any BCP must be to ensure the safety of your people during and after an emergency.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 114 in PDF)

127 / 203

What is the purpose of threat modeling?

A. To identify potential threats to physical environments

B. To identify countermeasures against existing attacks

C. To reduce the attack surface by limiting areas of exposure.

D. To address overall system vulnerabilities and security controls.

Incorrect

Correct!

Explanation: Threat modeling is a technique by which you can identify potential threats to your systems and applications, as well as identify suitable countermeasures against those threats, and is most often used during the application development phase. However, it can also be used to help reduce risk in existing applications and environments. Threats may be related to overall system vulnerabilities or an absence of necessary security controls.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 146 in PDF)

128 / 203

Which of the following is true regarding the U.S. Electronic Communications Privacy Act of 1986 (ECPA)?

A. The act only applies to restrictions on government wire taps for telephone calls.

B. The act prohibits only unauthorized interception of electronic communications.

C. The act allows communications providers to monitor their networks without user notification.

D. The act complements the CFAA by prohibiting eavesdropping, interception, and unauthorized monitoring of all electronic communications.

Incorrect

Correct!

Explanation: The ECPA complements the CFAA by prohibiting eavesdropping, interception, and unauthorized monitoring of all electronic communications, including those sent over computer networks. It was enacted by the U.S. Congress in 1986 to extend restrictions on government wire taps to include computer and network-based communications.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 75 in PDF)

129 / 203

What is the basis for determining cost-effectiveness of a countermeasure?

A. Annual risk assessment of the organization

B. Comparison of cost of countermeasure to costs of compromise

C. Amount of money the organization is willing to spend on security

D. Reputation of the vendor of the countermeasure

Incorrect

Correct!

Explanation: Cost-effectiveness of a countermeasure can be calculated by comparing the cost of a countermeasure to the costs that would be realized by a compromise of the risks that the countermeasures are intended to mitigate. A countermeasure can be considered cost-effective if the annual loss expectancy (ALE) with the countermeasure plus the cost of countermeasure is less than ALE without the countermeasure.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 133 in PDF)

130 / 203

What is Recovery Time Objective (RTO)?

A. The planned time necessary to restore a system to the point where it meets the maximum service expectations of the system owner.

B. The minimum period of time within which a CBF (Critical Business Function) must be restored after a disruption to avoid unacceptable business consequences.

C. The maximum period of time within which a CBF must be restored after a disruption to avoid unacceptable business consequences.

D. The amount of time it takes to restore a system to its original state after a data breach.

Incorrect

Correct!

Explanation: Recovery Time Objective (RTO) is the planned time necessary to restore a system to the point where it meets the minimum service expectations of the system owner. In other words, RTO is the maximum period of time within which a CBF must be restored after a disruption to avoid unacceptable business consequences.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 112 in PDF)

131 / 203

What is Recovery Point Objective (RPO)?

A. The cost associated with data loss

B. The period of time that the business will tolerate without data loss

C. The frequency at which backups are performed

D. The amount of data that can be lost without significant impact on business operations

Incorrect

Correct!

Explanation: Recovery Point Objective (RPO) represents the maximum period of time that a business can tolerate data loss. This must be defined by the business and is responsible for resourcing the controls to achieve the RPO.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 112 in PDF)

132 / 203

What can help organizations establish expectations with third parties and potentially lead to additional compliance burden on the organization who must enforce them?

A. Vulnerability scans

B. Background checks

C. NDAs and other employment agreement policies

D. Penetration testing

Incorrect

Correct!

Explanation: NDAs and other employment agreement policies play a big part in establishing expectations with third parties and can lead to additional compliance burden on the organization who must enforce them. The text states that information security policies should be in place to ensure that these relationships do not expose sensitive information to an unreasonable amount of risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 123 in PDF)

133 / 203

What is the recommended minimum frequency for reviewing and updating security awareness, education, and training program content to ensure that it remains relevant?

A. Quarterly

B. Bi-annually

C. Annually

D. Every other year

Incorrect

Correct!

Explanation: According to the text, security awareness, education, and training program content should be reviewed and updated annually, at a minimum, to ensure that it remains relevant.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 159 in PDF)

134 / 203

Which of the following is NOT a component of a standard security awareness program?

A. New user orientation

B. Lectures or computer-based trainings

C. Compliance audits

D. Printed materials like posters and handouts that share security tips

Incorrect

Correct!

Explanation: Compliance audits are not part of a standard security awareness program. A security awareness program should include new user orientation, lectures or computer-based trainings (CBTs), and printed materials like posters and handouts that share security tips.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 158 in PDF)

135 / 203

What is the difference between SOC 1 and SOC 2 audits?

A. SOC 1 audits evaluate a companys financial statements, whereas SOC 2 audits evaluate an organization based on AICPAs five Trust Services principles.

B. SOC 1 audits evaluate an organization based on AICPAs five Trust Services principles, whereas SOC 2 audits focus strictly on a companys financial statements and controls.

C. SOC 1 audits are a lite version of a SOC 2 report and abstract or remove all sensitive details, whereas SOC 2 reports generally indicate whether an organization has demonstrated each of the five Trust Services principles without disclosing specifics.

D. There is no difference between SOC 1 and SOC 2 audits.

Incorrect

Correct!

Explanation: SOC 1 audits focus strictly on a companys financial statements and controls that can impact a customers financial statements, while SOC 2 audits evaluate an organization based on AICPAs five Trust Services principles: privacy, security, availability, processing integrity, and confidentiality.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

136 / 203

If a former employee accuses your organization of creating a hostile work environment, what action should be taken to prevent the destruction of potential evidence?

A. Ignore the request as it is not mandatory to provide evidence in civil investigations.

B. Cooperate with the plaintiff and their attorney to collect and preserve evidence.

C. Refuse to provide any evidence, as it may be damaging to the organizations reputation.

D. Request that the court provide evidence, as it is not the responsibility of the organization to collect and preserve evidence.

Incorrect

Correct!

Explanation: In civil investigations, when your organization is the defendant, you may have to oversee the collection of evidence and prevent the destruction of potential evidence upon request by courts or attorneys. It is important to cooperate with the plaintiff and their attorney to collect and preserve evidence, as failing to do so may result in legal consequences for the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 101 in PDF)

137 / 203

What mnemonic can be used for quantitative risk rating security threats and what five categories does it represent?

A. RESET, Relevance, Exposure, Security, Threats

B. DREAD, Damage, Reproducibility, Exploitability, Affected users, Discoverability

C. FEAR, Frequency, Extent, Attackers, Risks

D. THREAT, Transport, Hostility, Resistance, Attack, Threat

Incorrect

Correct!

Explanation: DREAD is a quantitative risk rating technique originally used by Microsoft to prioritize security threats. DREAD stands for Damage, Reproducibility, Exploitability, Affected users, and Discoverability.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 150 in PDF)

138 / 203

What is the purpose of Section 814 of the USA PATRIOT Act of 2001?

A. To impose heavier penalties on persons convicted of cyberterrorism

B. To prohibit the use of encryption software for criminal purposes

C. To provide law enforcement with more authority over internet service providers

D. To regulate the import/export of technology related to cyberterrorism

Incorrect

Correct!

Explanation: Section 814 of the USA PATRIOT Act of 2001 aims to deter and prevent cyberterrorism by strengthening the penalties associated with violations in the Computer Fraud and Abuse Act (CFAA). It doubles the maximum prison sentence from 10 to 20 years for persons convicted of cyberterrorism.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 78 in PDF)

139 / 203

Which framework was developed by ISACA to assess the IT activities of an organization?

A. Sarbanes-Oxley Act

B. RiskIT

C. The Payment Card Industry Data Security Standard (PCI DSS)

D. The Health Insurance Portability and Accountability Act (HIPAA)

Incorrect

Correct!

Explanation: The RiskIT framework was developed by ISACA to provide a structure for the identification, evaluation, and monitoring of information technology risk. It simplifies the integration of IT risk into the larger organization enterprise risk management (ERM) activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 144 in PDF)

140 / 203

What is the importance of candidate screening and background investigations in maintaining information security?

A. Candidate screening and background investigations have no effect on maintaining information security.

B. Candidate screening and background investigations are only important for highly sensitive information.

C. Candidate screening and background investigations play a critical part in ensuring that an organizations data stays in the right hands.

D. Candidate screening and background investigations are only useful for large corporations.

Incorrect

Correct!

Explanation: Candidate screening and background investigations are critical in ensuring that the employees who handle sensitive information are trustworthy. A robust personnel security program can aid in identifying risks such as criminal records, history of drug or alcohol abuse, and any other red flags that indicate they may not be fit to handle the organizations data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 162 in PDF)

141 / 203

What does the General Data Protection Regulation (EU) require regarding personal data processing?

A. Obtain and process personal data any way the organization deems fit without informing the customer

B. Obtain and process personal data in accordance with any laws applicable only to the organizations country without informing the customer

C. Obtain and process personal data in accordance with applicable laws and fully inform the customer of how their data will be used

D. Obtain and process personal data only if the customer gives explicit permission for the organization to do so

Incorrect

Correct!

Explanation: The General Data Protection Regulation (EU) requires organizations to obtain and process personal data in accordance with applicable laws and to fully inform the customer of how their data will be used. This includes ensuring that the processing of personal data is lawful, fair, and transparent.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

142 / 203

Which of the following is an example of a cybercrime against property?

A. Online harassment

B. Identity theft

C. Intellectual property theft

D. Cyber terrorism

Incorrect

Correct!

Explanation: Intellectual property theft is an example of a cybercrime against property, which falls under the category of crimes against property in which property may include information stored within a computer, or the computer itself.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

143 / 203

What is a nondisclosure agreement (NDA)?

A. An agreement that restricts an employee from directly competing with an organization during their employment and for a fixed time after employment.

B. An agreement that restricts an employee or contractor from disclosing sensitive information they obtain through the course of their employment or relationship with an organization.

C. An agreement that outlines acceptable use policies, code of conduct, or conflict of interest policies that an employee must abide by after joining an organization.

D. An agreement that specifies the technical specifications required to work for a particular company.

Incorrect

Correct!

Explanation: A nondisclosure agreement (NDA) is an agreement that restricts an employee or contractor (or anyone else with access to sensitive information) from disclosing sensitive information they obtain through the course of their employment or relationship with an organization. An NDA is designed to protect the confidentiality of the organizations data (such as trade secrets or customer information) and is often a lifetime agreement (even after the employee leaves the company).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 119 in PDF)

144 / 203

Which of the following statements is true regarding risk management?

A. Risk management only covers the identification of vulnerabilities and threats.

B. Risk management only involves quantitative analysis of risks.

C. Risk management provides a structured method for making security decisions.

D. Risk management is not a core component of information security.

Incorrect

Correct!

Explanation: The text specifically states that risk management provides a structured method for making security decisions such as purchasing and implementing security tools and hiring people. Therefore, option C is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 124 in PDF)

145 / 203

Which of the following best describes purpose limitation according to General Data Protection Regulation (EU)?

A. Data must be collected for any purpose deemed relevant by the data controller.

B. Data must be collected for any purpose deemed relevant by the data subject.

C. Data must be collected for a specific, explicit, and legitimate purpose, and data subjects must be informed of such purpose.

D. Data can be collected for any purpose without informing the data subjects.

Incorrect

Correct!

Explanation: Purpose limitation requires data controllers to identify specific, explicit, and legitimate purposes for data collection and inform data subjects of such purpose.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

146 / 203

Which of the following measures should an organization implement to ensure that third parties protect its information from security risks?

A. Removing all third-party dependencies

B. Ensuring that third parties are aware of security risks

C. Establishing a third-party risk management program

D. Monitoring only new third parties

Incorrect

Correct!

Explanation: The passage states that any organization doing business with third parties should establish a third-party risk management policy to assess, monitor, and control risks associated with outsourcing. This includes assessing new third parties, documenting gaps, and continuously monitoring all third parties. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 154 in PDF)

147 / 203

What is single loss expectancy (SLE)?

A. The estimated frequency of occurrence for a given adverse event.

B. The estimated percentage of loss to a specific asset if a specific threat is realized.

C. The product of annual rate of occurrence (ARO) and assets value (AV).

D. The monetary loss expected from a single adverse event.

Incorrect

Correct!

Explanation: Single loss expectancy (SLE) is a measure of the monetary loss (calculated in dollars) you would expect from a single adverse event. It estimates how much you would lose from one occurrence of a particular realized threat by multiplying an assets value (AV) by its exposure factor (EF).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 129 in PDF)

148 / 203

Which of the following organizations would be considered a covered entity under HIPAA requirements?

A. A software company that develops medical billing software

B. A fitness equipment manufacturer that sells equipment to hospitals

C. A hospital that transmits health information

D. A food delivery service that caters to healthcare providers

Incorrect

Correct!

Explanation: Healthcare providers like hospitals are one of the three categories of covered entities under HIPAA requirements, and must comply with both the HIPAA Privacy Rule and Security Rule. They are responsible for protecting the confidentiality, integrity, and availability of patient health information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 88 in PDF)

149 / 203

When merging with or acquiring another organization, what potential risk is created by adding in new systems and platforms?

A. Dissatisfied employees

B. Operational challenges

C. Creating new attack vectors

D. Absorbing the unknown

Incorrect

Correct!

Explanation: By adding new systems and platforms, organizations are potentially creating new routes for attackers to exploit. Acquiring a company that uses different operating systems or platforms creates additional complexity for IT teams to manage and secure. This is particularly problematic if the new systems are not properly integrated and secured before being connected to the acquiring companys network. By creating these new attack vectors, organizations are increasing their overall risk profile.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 48 in PDF)

150 / 203

What is the purpose of Section 816 of the USA PATRIOT Act of 2001?

A. To establish regional computer forensic laboratories to support forensic examinations on seized or intercepted computer evidence

B. To limit the authority of law enforcement in protecting the United States against terrorist acts

C. To prohibit the use of computerized evidence in criminal proceedings

D. To allow federal, state, and local law enforcement personnel to conduct forensic analysis of computer evidence without training or education

Incorrect

Correct!

Explanation: Section 816 of the USA PATRIOT Act of 2001 requires the U.S. Attorney General to establish regional computer forensic laboratories to support forensic examinations on seized or intercepted computer evidence. These laboratories are also required to provide forensic analysis training and education to law enforcement personnel and prosecutors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 78 in PDF)

151 / 203

Which of the following statements best describes the Protect (PR) core function of the NIST Cybersecurity Framework?

A. Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

B. Develop and implement appropriate safeguards to ensure delivery of critical services.

C. Develop and implement appropriate activities to maintain plans for resilience and restore any capabilities or services that were impaired due to a cybersecurity incident.

D. Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Incorrect

Correct!

Explanation: The Protect (PR) core function of the NIST Cybersecurity Framework refers to the development and implementation of appropriate safeguards to ensure the delivery of critical services. These safeguards may include access controls, awareness training, and data security measures. The function is intended to help organizations create a strong security posture by preventing or limiting the impact of cyber attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 59 in PDF)

152 / 203

Which of the following threats involves a malicious party assuming the identity of another party by falsifying information?

A. Tampering

B. Elevation of privilege

C. Spoofing

D. Repudiation

Incorrect

Correct!

Explanation: Spoofing involves a malicious party assuming the identity of another party by falsifying information. A common example of identity spoofing occurs when email spammers modify the “From:” field to depict the name of a sender that the target recipient is more likely to trust. Within applications, spoofing can occur if an attacker steals and uses a victims authentication information (like username and password) to impersonate them within the application.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 148 in PDF)

153 / 203

What organization is responsible for setting computer security standards for unclassified, nonmilitary government computer systems according to the U.S. Computer Security Act of 1987?

A. Department of Defense

B. National Institute of Standards and Technology

C. National Security Agency

D. Central Intelligence Agency

Incorrect

Correct!

Explanation: The U.S. Computer Security Act of 1987 established the National Institute for Standards and Technology (NIST) as the organization responsible for setting computer security standards for unclassified, nonmilitary government computer systems. The National Security Agency (NSA) is responsible for setting security guidance for classified government and military systems and applications.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 64 in PDF)

154 / 203

Which of the following is defined as a notional construct outlining the organizations approach to security, including a list of specific security processes, procedures, and solutions used by the organization?

A. Security control

B. Security management

C. Security control framework

D. Security governance

Incorrect

Correct!

Explanation: A security control framework is defined as a notional construct outlining the organizations approach to security, including a list of specific security processes, procedures, and solutions used by the organization. It is a collection of security controls and processes that are designed to help organizations meet specific security requirements and objectives.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 53 in PDF)

155 / 203

Who is responsible for executing day-to-day security work?

A. Chief information security officer (CISO)

B. Chief security officer (CSO)

C. Security analyst

D. Manager or program manager

Incorrect

Correct!

Explanation: A security analyst is someone with technical expertise in one or more security domains who executes the day-to-day security work, such as data analysis, firewall rule management, incident handling, and other operational activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 52 in PDF)

156 / 203

Which SOC report type abstracts or removes all sensitive details and generally indicates whether an organization has demonstrated each of the five Trust Services principles without disclosing specifics?

A. SOC 1

B. SOC 2

C. SOC 3

D. None of the above

Incorrect

Correct!

Explanation: SOC 3 is a “lite” version of a SOC 2 report and abstracts or removes all sensitive details. A SOC 3 report generally indicates whether an organization has demonstrated each of the five Trust Services principles without disclosing specifics (like exactly what they do or dont do).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

157 / 203

What is a vulnerability?

A. A threat actor

B. A weakness or gap within a system that may be exploited to compromise an assets security or trigger a risk event

C. A patch for software applications

D. A fire suppression system

Incorrect

Correct!

Explanation: A vulnerability is a weakness or gap that exists within a system that may be exploited (by a threat actor) to compromise an assets security or trigger a risk event.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 126 in PDF)

158 / 203

What is the primary objective of a governance committee?

A. To set the direction of the companys marketing function

B. To provide guidance on the companys financial strategy

C. To provide oversight for the companys security function

D. To manage the companys sales operations

Incorrect

Correct!

Explanation: The text states that the primary objective of a governance committee is to provide oversight for the companys security function, while ensuring that the security function continues to meet the needs of the organization and its stakeholders.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 47 in PDF)

159 / 203

Which of the following is true regarding patents issued by the USPTO?

A. Patents are valid in all countries where the US has a patent agreement

B. Patents are valid for a maximum of 25 years

C. To qualify for a patent, an invention must be old, useful, and nonobvious

D. Patent law in the United States is enforced by the U.S. legal system (not the USPTO)

Incorrect

Correct!

Explanation: While the USPTO issues patents, patent law in the United States is not enforced by the USPTO; it is enforced by the U.S. legal system. The USPTO is simply responsible for granting patents. The correct answer is therefore D.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 82 in PDF)

160 / 203

What is the risk associated with using unlicensed software?

A. Unlicensed software does not receive updates or patches

B. Unlicensed software is more secure than licensed software

C. There is no risk associated with using unlicensed software

D. Unlicensed software is always free to use

Incorrect

Correct!

Explanation: The use of unlicensed software increases the risk of software vulnerabilities, as the users are unable to get patches and updates. This leaves the users of bootleg software at risk when compromises are found in the software.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 81 in PDF)

161 / 203

Which of the following is an example of a cybercrime against government?

A. Credit card fraud

B. Intellectual property theft

C. Cyberstalking

D. Hacking into a government server

Incorrect

Correct!

Explanation: Hacking into a government server is considered a cybercrime against government as it is an attack on that countrys sovereignty. It may also involve theft of confidential information or cyber terrorism, making it a serious offense.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

162 / 203

Which assessment method involves exercising one or more assessment objects under specified conditions to compare actual with expected behavior?

A. Examine

B. Interview

C. Test

D. All of the above

Incorrect

Correct!

Explanation: The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. This method seeks to confirm that security controls are implemented as they are documented and that they are operating effectively and as intended.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 135 in PDF)

163 / 203

What does Section 202 of the USA PATRIOT Act of 2001 authorize?

A. Investigators to obtain a wiretap for any computer-related crime

B. Investigators to obtain a search warrant for any computer-related crime

C. Investigators to obtain a wiretap for felony violations relating to computer fraud and abuse

D. Investigators to obtain a search warrant for felony violations relating to computer fraud and abuse

Incorrect

Correct!

Explanation: Section 202 amends the CFAA to authorize investigators to obtain a wiretap for felony violations relating to computer fraud and abuse, not for any computer-related crime or for search warrants.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 76 in PDF)

164 / 203

Which of the following describes baselines in relation to standards?

A. Baselines are publicly-announced standards.

B. Baselines establish specific behavior and actions that must be followed and enforced to satisfy policies.

C. Baselines are related to but distinct from standards, and establish a minimum level of security for a system, network, or device.

D. Baselines are specific and granular requirements that give direction to support broader, higher-level policies.

Incorrect

Correct!

Explanation: Baselines are related to but distinct from standards, and establish a minimum level of security for a system, network, or device. They identify what specific settings, applications, and configurations must be in place to meet a companys security standards and policies. While standards establish specific behavior and actions that must be followed and enforced to satisfy policies, baselines serve as a minimum level of security necessary to achieve those standards.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 107 in PDF)

165 / 203

What is one potential risk factor to consider when absorbing an unknown IT infrastructure during a merger or acquisition?

A. Difficulty managing a third operating system

B. Employee burnout from stretched IT teams

C. Incompatibility of information security policies

D. Lack of marketing team personnel

Incorrect

Correct!

Explanation: When merging with or acquiring another organization, you are absorbing its entire IT infrastructure — good or bad. This means that you are acquiring systems that are likely managed differently from your own, and there may be significant differences in the security controls and processes in place. Differences in security processes may result in operational challenges and inconsistent procedures during and after integration of the two businesses. Therefore, it is important to review the companys information security policies and procedures to determine how thorough they are and take note of any missing security policies/procedures that may indicate a low level of security maturity.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 48 in PDF)

166 / 203

Which of the following is one of the most effective methods of measuring program effectiveness through knowledge retention?

A. Analysis of quiz results

B. Evaluating overall security posture

C. Simple metrics like training completion rates

D. Security awareness days or weeks

Incorrect

Correct!

Explanation: Analysis of quiz results is one of the most effective methods of measuring program effectiveness through knowledge retention. This helps to identify the areas where employees might need further information or clarification.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 160 in PDF)

167 / 203

What is risk avoidance in regards to security and risk management?

A. Decreasing the likelihood that a risk will occur

B. Accepting a risk and mitigating its impact

C. Eliminating a risk by stopping or removing the activity or technology causing it

D. Transferring the risk to another party

Incorrect

Correct!

Explanation: Risk avoidance involves eliminating a risk by stopping or removing the activity or technology that causes the risk in the first place. For example, if there is a risk associated with using removable media, a policy that bans their use would be considered an avoidance step since it eliminates the risk completely. However, complete avoidance can be difficult to achieve without business disruption, and thus other risk treatment options may need to be considered.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 130 in PDF)

168 / 203

Which of the following is NOT a general approach to threat modeling?

A. Attacker-centric

B. Resource-centric

C. Software-centric

D. Asset-centric

Incorrect

Correct!

Explanation: The correct answer is B. Resource-centric. The three general approaches to threat modeling are attacker-centric, asset-centric, and software-centric. Resource-centric is not a valid approach to threat modeling.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 146 in PDF)

169 / 203

Which of the following is an example of a cybercrime against property?

A. Cyberstalking

B. Identity theft

C. Intellectual property theft

D. Cyber terrorism

Incorrect

Correct!

Explanation: Intellectual property (IP) theft is an example of a cybercrime against property. Cybercrimes against property refer to crimes committed against information stored within a computer or the computer itself. These types of crimes include hacking, distribution of computer viruses, computer vandalism, and copyright infringement. IP theft involves the stealing of copyrighted materials such as music, videos, and software. It is considered a significant threat and can result in significant financial loss for the owner of the intellectual property.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

170 / 203

In a civil investigation where your organization is the plaintiff and you are overseeing the collection of evidence, what is your main objective?

A. To punish the defendant

B. To prove the defendant caused harm to the organization

C. To prevent future incidents from occurring

D. To recover stolen data

Incorrect

Correct!

Explanation: As the plaintiff, your organization is seeking restitution for the harm caused by the defendant. Thus, your main objective in overseeing the collection of evidence is to gather proof that the defendant caused harm to the organization, which is necessary to support your claim for damages.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 101 in PDF)

171 / 203

What is annualized loss expectancy (ALE) in a quantitative risk analysis?

A. The estimated frequency of occurrence for a given adverse event

B. The monetary loss you would expect from one occurrence of a particular realized threat

C. The estimated percentage of loss to a specific asset if a specific threat is realized

D. A measure of the monetary impact of a realized threat on your organizations assets

Incorrect

Correct!

Explanation: Annualized loss expectancy (ALE) is a metric used in quantitative risk analysis that helps quantify the impact of a realized threat on an organizations assets. It is measured in dollars and is the product of single loss expectancy (SLE) and annual rate of occurrence (ARO). SLE estimates the monetary loss you would expect from one occurrence of a particular realized threat, while ARO estimates the number of times that you expect a particular risk event to occur every year. Therefore, ALE represents the annual cost of a particular risk to an organization, which is an important measure of the effectiveness of risk management strategies.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 129 in PDF)

172 / 203

Which of the following is an example of a security procedure?

A. Employee onboarding procedures

B. Marketing campaign planning procedures

C. Performance evaluation procedures

D. Patch management procedures

Incorrect

Correct!

Explanation: Patch management procedures are an example of a security procedure as they are used to identify and remediate vulnerabilities in software applications and operating systems. Employee onboarding, marketing campaign planning, and performance evaluation procedures are examples of non-security procedures that may also need to be reviewed for security purposes, but they do not relate specifically to information security.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 108 in PDF)

173 / 203

Which of the following is an example of a process-related countermeasure for risk mitigation?

A. Encryption

B. Firewall

C. Separation of duties on invoice approval and payment

D. Access control lists

Incorrect

Correct!

Explanation: Process-related countermeasures are policy, procedure, and other workflow-based mitigations. Separation of duties on invoice approval and payment falls into this category, as it is a process-related mitigation against cyber fraud.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 132 in PDF)

174 / 203

Which of the following are examples of Recovery controls?

A. Access control lists

B. Firewall rules

C. Data backups and disaster recovery sites

D. Intrusion detection systems

Incorrect

Correct!

Explanation: Recovery controls include measures designed to help a system return to normal as quickly as possible after an incident. Examples of recovery controls include data backups and disaster recovery sites.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

175 / 203

Which of the following is true about data breaches?

A. Data breaches only occur in information systems.

B. Cybercrimes pose no threat to a person, a company, or an entire nation.

C. Laws dont govern how cybercrimes are prevented, detected, and handled.

D. Data breaches are a specific cybercrime where information is accessed or stolen by a cybercriminal without authorization.

Incorrect

Correct!

Explanation: A data breach is a specific cybercrime where information is accessed or stolen by a cybercriminal without authorization. The target of a data breach is the information system and the data stored within it. It poses a significant threat to individuals, companies, or entire nations causing huge financial losses and reputational damage. Organizations must take preventative measures to ensure the best possible protection of sensitive data and must develop a proactive response plan in case of its breach.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

176 / 203

Which of the following is an example of a property asset?

A. Your companys employees

B. Your companys customers

C. Your companys software code

D. Your companys vendors

Incorrect

Correct!

Explanation: Property assets include tangible things like servers and equipment, as well as intangible things like software code and other intellectual property.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 126 in PDF)

177 / 203

What is the primary focus of a SOC 1 audit and compliance report?

A. An organizations compliance with AICPAs five Trust Services principles

B. An organizations controls that can impact a customers financial statements

C. An organizations processing integrity

D. An organizations security controls

Incorrect

Correct!

Explanation: A SOC 1 audit and compliance report focuses specifically on an organizations controls that can impact a customers financial statements. The report ensures that financial information is accurate and trustworthy, particularly for customers initiating transactions or other interactions with the organization. Examples of companies that perform credit card processing that are likely to require a SOC 1 audit include banks and financial institutions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

178 / 203

Which principle for risk management explicitly considers any limitations of available information?

A. ISO 27001 principles

B. ISO 31000 principles

C. NIST standards

D. PCI DSS requirements

Incorrect

Correct!

Explanation: ISO 31000 principles for risk management explicitly consider any limitations of available information. It emphasizes the importance of using the best available and reliable information, and understanding the limitations of that information. It also includes a requirement to continuously review and update risk assessments as new information becomes available.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 141 in PDF)

179 / 203

What is a potential security concern related to disgruntled employees during mergers and acquisitions?

A. Limited availability of IT resources

B. Adding new attack vectors with new systems and platforms

C. Absorbing the unknown with different IT infrastructures

D. High risk of insider threat

Incorrect

Correct!

Explanation: When employees are dissatisfied with a merger or acquisition, they may become disgruntled and pose a severe threat as insiders with access to sensitive information. Insider threat is commonly considered a top security concern that organizations need to address.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 48 in PDF)

180 / 203

What was the primary goal of the Information Technology Act of 2000 in India?

A. To establish legal recognition of electronic documents and digital signatures

B. To establish definitions and penalties for petty theft

C. To establish cyber terrorism as a crime

D. To establish child pornography as a crime

Incorrect

Correct!

Explanation: The Information Technology Act was passed by the Indian Parliament in 2000 and amended in 2008. The act established legal recognition of electronic documents and digital signatures, while it also established definitions and penalties for cybercrimes such as data theft, identity theft, child pornography, and cyber terrorism.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 80 in PDF)

181 / 203

Why should security frameworks be customized to the organization?

A. To avoid external interference from regulatory agencies

B. To satisfy the requirements of every department in the organization

C. To ensure it is proportionate to the organization and the level of risk

D. To reduce the implementation time

Incorrect

Correct!

Explanation: The framework should be customized and proportionate to the organization and the level of risk. A framework that is not customized could create excessive administrative overhead and unnecessary expenses. Organizations must balance the costs associated with applying a framework across their practice while delivering the requisite value. By customizing the framework, organizations can ensure that it is proportionate to their needs and level of risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 140 in PDF)

182 / 203

Which of the following is NOT a threat modeling methodology discussed in the Security and Risk Management domain?

A. STRIDE

B. PASTA

C. NIST 800-154

D. CISCO

Incorrect

Correct!

Explanation: The text specifically mentions STRIDE, PASTA, NIST 800-154, and DREAD as important threat modeling methodologies. Cisco is not mentioned and is therefore not a valid answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 147 in PDF)

183 / 203

What is the maximum fine for GDPR infringements issued to controllers and processors under Articles 8, 11, 25–39, 42, 43?

A. Up to €5 million or 1 percent of the worldwide annual revenue of the prior financial year, whichever is higher.

B. Up to €10 million or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher.

C. Up to €20 million or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.

D. Up to €1 million or 0.4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.

Incorrect

Correct!

Explanation: According to GDPR, the maximum fine for GDPR infringement for controllers and processors under Articles 8, 11, 25–39, 42, 43 is up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 95 in PDF)

184 / 203

What is the criminal offense associated with altering, damaging, or destroying a protected computer or its information, or preventing authorized use of the computer or information, such that it results in an aggregate loss of $1,000 or more during a one-year period?

A. Obtaining national security information

B. Accessing a computer and obtaining information

C. Damaging a computer or information

D. Trafficking in passwords

Incorrect

Correct!

Explanation: Section 1030(a)(5) describes the felony act associated with altering, damaging, or destroying a protected computer or its information, or preventing authorized use of the computer or information, such that it results in an aggregate loss of $1,000 or more during a one-year period. Although this provision was later rewritten and now more generally describes a misdemeanor act associated with knowingly and intentionally causing damage to a computer or information, it can still upgrade the crime to a felony if the damage results in losses of $5,000 or more during one year, modifies medical care of a person, causes physical injury, threatens public health or safety, damages systems used for administration of justice or national security, or if the damage affects 10 or more protected computers within 1 year.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 74 in PDF)

185 / 203

What is the purpose of control assessments via interview?

A. To implement new security controls

B. To review evidence provided during examine phase

C. To ignore the security controls in place

D. To test the effectiveness of firewalls

Incorrect

Correct!

Explanation: The main purpose of control assessments via interview is to gain additional clarity on what security controls are in place and how they work, after reviewing any evidence provided during the examine phase.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 136 in PDF)

186 / 203

What is the biggest security concern in a divestiture?

A. Ensuring all impacted systems are completely destroyed

B. Maintaining confidentiality as the company gets rid of assets that may contain sensitive or proprietary information

C. Transferring all access permissions to the new organization

D. Meeting regulatory compliance for data retention and deletion

Incorrect

Correct!

Explanation: The biggest security concern in a divestiture is maintaining confidentiality as the company gets rid of assets that may contain sensitive or proprietary information. Information usually accompanies the physical assets and interests that a company divests, so creating a complete inventory of all impacted assets is a critical first step to ensuring a secure divestiture.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 49 in PDF)

187 / 203

What actions should an organization take when an employee is involuntarily terminated?

A. Nothing special needs to be done since the employee is leaving involuntarily

B. Notify the information security organization to disable access to electronic and physical systems

C. Only recover company property if it is easily accessible

D. Continue to allow access to electronic and physical systems for a few days after the employee is terminated

Incorrect

Correct!

Explanation: When an employee is involuntarily terminated, the organization must assume that the former employee is a threat and take appropriate action to protect organizational assets. The organization should have specific processes to notify the information security organization to disable access to electronic and physical systems, and attempt to recover any company property the terminated employee used. The recovered material should be tracked as evidence and retained for subsequent forensic analysis. Finally, remaining staff should be informed that the terminated individual is no longer allowed access and any attempts to access resources or property should be reported. (Source: CISSP Study Guide, Chapter 1)

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 121 in PDF)

188 / 203

What is transborder data flow?

A. The process of restricting certain data to or from specific geographic locations or jurisdictions

B. The process of importing or exporting data from one country to another

C. The process of encrypting data during transmission across borders

D. The process of storing data in multiple data centers located in different countries

Incorrect

Correct!

Explanation: Transborder data flow refers to the process of restricting certain data to or from specific geographic locations or jurisdictions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 85 in PDF)

189 / 203

Which of the following statements is true regarding dynamic risk management using ISO 31000 principles?

A. Risks should be managed with a focus on operational factors rather than strategic factors.

B. Risk management should only focus on anticipating changes and not respond to detected changes.

C. Risk management should detect changes in a timely fashion but not acknowledge or respond to them.

D. Risk management should anticipate, detect, acknowledge, and respond to changes in a timely fashion.

Incorrect

Correct!

Explanation: Dynamic risk management using ISO 31000 principles requires the identification of risks, analyzing them, and evaluating the risks and their potential effect on the organization. Risk management should anticipate, detect, acknowledge, and respond to changes in a timely fashion.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 141 in PDF)

190 / 203

What is the purpose of measuring the security-effectiveness of a security control during the selection and implementation process?

A. To make sure that the control is popular in the security community

B. To ensure that every risk identified in the risk analysis is addressed

C. To add complexity to the security architecture

D. To boost employee morale

Incorrect

Correct!

Explanation: The purpose of measuring the security-effectiveness of a security control during the selection and implementation process is to ensure that every risk identified in the risk analysis is addressed. This helps to ensure that the specific policy, technology, or operational control selected is able to directly address a risk identified during the risk analysis process.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 132 in PDF)

191 / 203

What is a noncompete agreement?

A. An agreement that restricts an employee from disclosing sensitive information they obtain through the course of their employment

B. An agreement that restricts an employee from directly competing with the organization during their employment and, in most cases, for a fixed time after employment

C. An agreement that requires an employee to review and/or sign various employment policies

D. An agreement that requires an employee to report any conflicts of interest they may have.

Incorrect

Correct!

Explanation: A noncompete agreement is an agreement that restricts an employee from directly competing with the organization during their employment and, in most cases, for a fixed time after employment. Noncompetes are designed to protect organizations from unfair competition by former employees or contractors

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 119 in PDF)

192 / 203

What should an organization do when considering using third-party hardware, software, or services?

A. Skip the evaluation process and just use the new hardware, software, or service.

B. Determine how the new hardware, software, or service may fit into the organizations existing environment, and evaluate how the additions may impact the organizations overall security posture.

C. Only consider the price of the new hardware, software, or service, and ignore any security risks.

D. Only consider the compliance risks when using a third-party provider.

Incorrect

Correct!

Explanation: Before adopting any new hardware, software, or services, it is important to assess how this may impact the organizations security posture. This includes a security evaluation of any potential new risks that may arise as a result and how they can be mitigated.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 152 in PDF)

193 / 203

What is ALE in quantitative risk analysis and how is it measured?

A. It is a measure of subjective likelihood and is measured in percentages.

B. It is a measure of probable impact and is measured in categories like low, medium, and high.

C. It is a measure of the monetary loss from a realized threat on an organizations assets and is measured in dollars.

D. It is a measure of the probability of a realized threat on an organizations assets and is measured in fractions.

Incorrect

Correct!

Explanation: ALE (annualized loss expectancy) is a metric used in quantitative risk analysis that measures the monetary loss an organization expects to face over a year from a realized threat. It is calculated by multiplying the single loss expectancy (SLE) and annual rate of occurrence (ARO), both of which are also discussed in the text. The answer choices A, B, and D are incorrect because they do not accurately describe ALE or how it is measured.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 129 in PDF)

194 / 203

What is the first step in NIST 800-154s four major steps for data-centric system threat modeling?

A. Analyze the threat model.

B. Identify and characterize the system and data of interest.

C. Characterize the security controls for mitigating the attack vectors.

D. Identify and select the attack vectors to be included in the model.

Incorrect

Correct!

Explanation: According to NIST 800-154, the first step in data-centric system threat modeling is to identify and characterize the system and data of interest. This is crucial because different types of data may require different security controls and protections.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 150 in PDF)

195 / 203

What is a trademark according to the USPTO?

A. A legal grant that identifies and distinguishes the source of a service rather than goods

B. A word, phrase, symbol, and/or design that identifies and distinguishes the source of the goods of one party from those of others

C. A type of contract between two parties for the use of a specific brand name

D. A set period of time during which a brand can be used in commerce

Incorrect

Correct!

Explanation: A trademark is a word, phrase, symbol, and/or design that identifies and distinguishes the source of the goods of one party from those of others according to the USPTO.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 82 in PDF)

196 / 203

What was the aim of the Data Protection Directive?

A. To regulate the processing of European businesses

B. To regulate the security of European businesses

C. To regulate the processing of personal data of European citizens

D. There was no real aim to the Data Protection Directive

Incorrect

Correct!

Explanation: The Data Protection Directive aimed at regulating the processing of the personal data of European citizens.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 90 in PDF)

197 / 203

What is the first stage in the U.K. National Cyber Security Centres 12 principles for establishing and maintaining effective control of the supply chain?

A. Understand the risks

B. Establish control

C. Check your arrangements

D. Continuous improvement

Incorrect

Correct!

Explanation: The first stage in the U.K. National Cyber Security Centres 12 principles for establishing and maintaining effective control of the supply chain is to understand the risks. This stage involves identifying your vendors in your supply chain and establishing what needs to be protected in that supply chain (and why).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 157 in PDF)

198 / 203

Which of the following statements is true about supply chain risk management frameworks?

A. There are no frameworks that address supply chain risks.

B. Supply chain risks are unrelated to risk management.

C. Managing the information systems supply chain is not complex.

D. Several frameworks explicitly address supply chain risks.

Incorrect

Correct!

Explanation: It is true that several frameworks explicitly address supply chain risks. The complexities of managing the information systems supply chain have been evident for many years, making supply chain risk management an essential aspect of security and risk management.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 155 in PDF)

199 / 203

What is ITAR?

A. A regulation that establishes import/export controls for dual-use technology in the European Union

B. A regulation that controls the export of defense articles and defense services to keep those sensitive materials out of the hands of foreign nationals in the United States

C. A regulation that requires information technology vendors to submit their products to the Russian Government for technical analysis

D. A regulation that prohibits the use of Kaspersky Labs products in any U.S. government computer system

Incorrect

Correct!

Explanation: ITAR is a regulation that controls the export of defense articles and defense services to keep those sensitive materials out of the hands of foreign nationals in the United States. It applies to both government agencies and contractors or subcontractors who handle regulated materials outlined in the United States Munitions List (USML). Sending an email containing ITAR-controlled data is considered an export under ITAR.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 84 in PDF)

200 / 203

What is the importance of risk management in information security?

A. Risk management is not necessary in information security

B. Risk management helps identify organizational goals only

C. Risk management helps identify the right security controls to implement based on evaluating security risks

D. Risk management is only needed in certain industries

Incorrect

Correct!

Explanation: Risk management is essential in information security as it helps identify potential security risks and vulnerabilities, and assists in devising a plan to implement appropriate security measures to reduce risk. By evaluating security risks, one can identity the right security controls needed to implement in their environment.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 162 in PDF)

201 / 203

What is the purpose of security governance in an organization?

A. To implement and manage access control policies and procedures

B. To ensure that all security tools are up-to-date and working properly

C. To define and manage information security policies and procedures

D. To investigate security incidents and breaches

Incorrect

Correct!

Explanation: Security governance is the set of all organizational processes involved in defining and managing information security policies and procedures, including the oversight to ensure that those policies and procedures follow the direction of the organizations strategy and mission.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 46 in PDF)

202 / 203

Who is responsible for the overall management and supervision of the information security program in an organization?

A. Chief security officer (CSO)

B. Security analyst

C. Manager or program manager

D. Chief information security officer (CISO)

Incorrect

Correct!

Explanation: A CISO is the senior-level executive within an organization who is responsible for the overall management and supervision of the information security program. The CISO drives the organizations security strategy and vision and is ultimately responsible for the security of the companys systems and information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 52 in PDF)

203 / 203

Which of the following agreements is designed to restrict an employee from directly competing with the organization during their employment and for a fixed time after employment?

A. Nondisclosure agreement

B. Noncompete agreement

C. Acceptable use policy

D. Conflict of interest policy

Incorrect

Correct!

Explanation: A noncompete agreement is an agreement that restricts an employee from directly competing with the organization during their employment and, in most cases, for a fixed time after employment. Noncompetes are one-way agreements that are designed to protect organizations from unfair competition by former employees or contractors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 119 in PDF)

Your score is

🔒 Hands-On Cybersecurity Course + INTERNSHIP 🔒

Visit to Cyber Course

Welcome to our CISSP Practice Questions for Domain 1: Security and Risk Management.

This section is designed to help you understand and master the concepts related to security governance, risk management, and compliance.

Our free practice questions will prepare you for the CISSP exam by covering essential topics such as security policies, risk analysis, and business continuity planning.

Key Topics Covered

Our questions cover:

Security policies
Risk analysis
Business continuity planning

We also provide a free Anki deck to help you reinforce your learning. Don’t forget to check our Domain 2: Asset Security and Domain 3: Security Architecture and Engineering pages for comprehensive coverage of the CISSP exam.

For more detailed information, visit the official ISC² website.

Back to All CISSP Domains / Home

Domain 1 CISSP Exam:Security and Risk Management

Key Topics Covered

Explore our other free practice tests:

Related Posts

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

The Affordable, Hands-On Cyber Security that gets Results!

JOIN OUR

NEWSLETTER