Free CISSP Practice Test: DOMAIN 6: Security Assessment and Testing + Anki Decks

Ref: 📕 The Official ISC2 CISSP CBK Reference, 6th Edition

DOMAIN 6: Security Assessment and Testing

1 / 93

What is a benefit of utilizing a standard audit and assessment methodology?

2 / 93

What is an example of a valuable KRI that can indicate that more robust security tools or additional staff are needed?

3 / 93

What type of testing provides complete knowledge of the system or network to be tested, like IP addresses and system version numbers, and simulates an insider threat?

4 / 93

Which of the following is a guide to assessing the controls outlined in NIST SP 800-53?

5 / 93

What is an architecture that places scanning agents inside network segments to allow the endpoints in that segment to be scanned and then consolidates the results to a central console?

6 / 93

What is an appropriate response to an increase in the number of phishing attempts detected or reported, as indicated by a KRI?

7 / 93

What is a key element required to design a security metrics program?

8 / 93

Which framework specifies that management must periodically review the information security program for continuing suitability, adequacy and effectiveness?

9 / 93

What is the primary purpose of misuse case testing?

10 / 93

Which of the following situations may require mandatory reporting of a discovered vulnerability?

11 / 93

Which of the following is an example of a physical control for enforcing access control in an information system?

12 / 93

What is the importance of fostering a relationship across teams with regards to vulnerability assessment?

13 / 93

What is the goal of the exploitation phase in pen testing?

14 / 93

What category of attack can be tested by a breach attack simulation tool using test messages?

15 / 93

What can logs be used for in a security program?

16 / 93

What is the purpose of interface testing in security assessments?

17 / 93

Compliance checks should be treated as a starting point rather than a security objective for an organization's risk management program. Which of the following statements regarding audits or assessments is true?

18 / 93

What is the goal of fingerprinting network endpoints in Phase 4 of Pen Testing?

19 / 93

What does branch coverage ensure in a program or system being tested?

20 / 93

Which of the following metrics could be useful to test and evaluate the effectiveness of a security training and awareness program?

21 / 93

Why is management support and sponsorship of security initiatives crucial?

22 / 93

Which framework requires management to periodically review the information security program for continuing suitability, adequacy, and effectiveness?

23 / 93

What method of testing combines elements of vulnerability scanning and automated penetration testing, and utilizes a continuously refreshed database of attack methods and newly discovered vulnerabilities?

24 / 93

What is a potential drawback of internal audits?

25 / 93

Which of the following best describes a KPI?

26 / 93

Which of the following is an example of a preventative technical control?

27 / 93

Which of the following is a companion to ISO 15048 and provides standards for consistent criteria and evaluation methods?

28 / 93

Which of the following is an example of preventative technical processes in security assessment and testing, according to DOMAIN 6 of CISSP?

29 / 93

What is the difference between black-box testing and white-box testing?

30 / 93

Why is identifying the organization's critical assets important before performing vulnerability assessments?

31 / 93

What is the importance of marking port scans from a vulnerability scanner's IP address as non-suspicious?

32 / 93

What is the purpose of the reporting phase in pen testing?

33 / 93

What is a key element of governance and risk management related to security, and covered in Chapter 1?

34 / 93

Which compliance framework requires an ongoing annual assessment in order to maintain Authority to Operate (ATO) status?

35 / 93

What is the final phase of a pen testing activity?

36 / 93

What is a common issue that vulnerability scanners may cause?

37 / 93

What are the key components of documenting an exception in the exception handling process?

38 / 93

Which of the following is a guide to assessing the controls outlined in NIST SP 800-53?

39 / 93

What is the purpose of synthetic transactions in SLA monitoring?

40 / 93

What is the difference between KPIs and metrics?

41 / 93

What are key performance indicators (KPIs) and key risk indicators (KRIs) used for in a governance, risk, and compliance (GRC) program?

42 / 93

What is the main goal of conducting or facilitating a security audit?

43 / 93

What does black-box testing rely on?

44 / 93

What is one purpose of employing synthetic transactions as a test mechanism?

45 / 93

What is the importance of generating reports for security evaluations?

46 / 93

What is responsible disclosure in relation to vulnerability disclosure?

47 / 93

What is full disclosure in ethical disclosure of vulnerability findings?

48 / 93

What is a possible solution to reduce the volume of traffic generated by vulnerability scanners that can lead to DoS conditions?

49 / 93

Which section of an audit report provides a high-level overview of testing activities and findings, typically taking up no more than one page?

50 / 93

When is it appropriate to conduct assessments from an internal perspective?

51 / 93

Which of the following techniques would pen testers use to identify active network hosts and services running on a network?

52 / 93

Which of the following metrics can be used to measure the implementation of an organizational policy barring personal social media use on organization-issued equipment?

53 / 93

Which of the following is an example of technical processes that detect incidents or deviations?

54 / 93

What should physical pen testers be provided with in the event they are caught or detained?

55 / 93

Which audit framework provides a formal assessment process for technology products against a defined set of security functional requirements?

56 / 93

What is the purpose of synthetic transactions?

57 / 93

What specific review requirements does ISO 27001 control 9.3 have for management?

58 / 93

What is the difference between an audit and an assessment?

59 / 93

Which of the following controls might be put in place to restrict and monitor access and must contain all required information like user role, justification for access, and necessary approvals?

60 / 93

What is the difference between white- and black-box testing in penetration testing?

61 / 93

Which of the following is a common method of checking the status of controls in place to meet compliance objectives?

62 / 93

What is the purpose of sampling in the audit technique?

63 / 93

Which category of technical metrics measures the organization's effectiveness at implementing multilayered security by capturing metrics on preventative technical processes such as network access controls like virtual private networks (VPNs)?

64 / 93

What is a potential drawback of using external auditors for security assessments and testing?

65 / 93

What is the purpose of breach attack simulations (BAS) for an organization?

66 / 93

When is it advisable or even required to use an external firm for assessments, testing, or audits, according to regulatory reasons?

67 / 93

What is the advantage of a recurring audit schedule?

68 / 93

What is responsible disclosure in terms of security research?

69 / 93

What is something that can cause issues with reports or processes that expect valid data stored in the system during automated vulnerability scanning?

70 / 93

Which of the following can be used as a Key Risk Indicator (KRI) to indicate security program deficiencies that require additional attention or resources?

71 / 93

When choosing and configuring a vulnerability scanner, what is a major consideration for organizations with mixed IT environments?

72 / 93

What is a KPI?

73 / 93

What is the primary purpose of performing discovery or reconnaissance during the pen testing phase of security assessment and testing?

74 / 93

What is the main goal of implementing a process for remediation in response to security testing findings?

75 / 93

Why are defined rules of behavior important to include in a pen testing engagement?

76 / 93

What is the purpose of performing a test restore from backup media?

77 / 93

What does the Mean time to detect (MTTD) metric measure?

78 / 93

Which of the following is the official set of requirements and guidance for auditors performing certification audits against ISO 27001?

79 / 93

Which framework requires management to establish performance measures and generate relevant, quality information to support the functioning of internal control?

80 / 93

Which of the following is a crucial example of blended control types in account management?

81 / 93

Which of the following questions should a security practitioner seek to answer when conducting a third-party audit?

82 / 93

What is the purpose of synthetic transactions for data integrity monitoring?

83 / 93

What is a crucial factor to consider when choosing appropriate scanning tools and prioritizing scanning efforts in a vulnerability assessment?

84 / 93

What is the purpose of Key Risk Indicators (KRIs)?

85 / 93

Which of the following is the foundation for the Common Criteria certification and is a formal assessment process for technology products against a defined set of security functional requirements?

86 / 93

Which type of breach attack simulation focuses on testing security controls monitoring for malicious network scans or complex interactions with applications that should be blocked by a web application firewall (WAF)?

87 / 93

Which compliance framework requires an annual audit by a third-party auditor and routine internal activities such as quarterly vulnerability scans?

88 / 93

What does ISO 27001 control 9.3 specify in relation to management review?

89 / 93

Which of the following is a key consideration for a sound third-party audit strategy related to supply chain security?

90 / 93

What is MTTR and why is it important in measuring the effectiveness of a security program?

91 / 93

What is a key type of process data to collect from account management processes?

92 / 93

Which of the following is a critical element to consider when performing security assessment and testing related to business continuity and disaster recovery (BCDR) plans?

93 / 93

What is the difference between full disclosure and responsible disclosure in ethical disclosure of vulnerabilities?


Understanding Domain 6 CISSP Exam: Security Assessment and Testing

Key Aspects of Domain 6 CISSP Exam

  1. Security Control Testing

    • Learn methods to test security controls.
    • Assess management, operational, and technical controls.
  2. Vulnerability Assessment

    • Identify system vulnerabilities.
    • Use tools and techniques for vulnerability assessment.
  3. Security Process Data Analysis

    • Analyze data from security processes.
    • Collect, review, and interpret data for decision-making.
  4. Security Auditing

    • Conduct audits to ensure compliance with policies.
    • Understand audit strategies and methodologies.
  5. Internal and Third-Party Audits

    • Know the difference between internal and external audits.
    • Learn their roles in improving security.

Benefits of Our CISSP Practice Exam

  • Detailed Answer Explanations: Understand the reasoning behind each answer.
  • Aligned with Exam Objectives: Covers all Domain 6 topics comprehensively.
  • Instant Feedback: Get immediate feedback to identify improvement areas.

Continuous Learning

Prepare with our “CISSP Practice Exam” to confidently tackle Domain 6 and advance your cybersecurity career.

For more information, refer to the official ISC2 materials.
