Domain 6 CISSP Exam: Security Assessment and Testing

Ref:📕The Official ISC2 CISSP CBK Reference 6th Edition

DOMAIN 6: Security Assessment and Testing

1 / 93

Which of the following is a key consideration for a sound third party audit strategy related to supply chain security?

A. Scoping the audit only to suppliers handling sensitive data

B. Performing audits only by organizational resources

C. Relying solely on SOC 2 Type I reports provided by suppliers

D. Including all third parties critical to the organizations operations

Incorrect

Correct!

Explanation: A sound third party audit strategy must be scoped to include any third-party critical to the organizations operations, handling any data valuable to the organization, or providing regulated services like payment processing. Therefore, option D is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 547 in PDF)

2 / 93

Which of the following is a common method of checking the status of controls in place to meet compliance objectives?

A. Routine internal activities

B. Continuous monitoring

C. Compliance auditors

D. Random security testing

Incorrect

Correct!

Explanation: Compliance auditors are a common method of checking the status of controls in place to meet compliance objectives. Compliance audits or assessments are conducted on a defined schedule to evaluate the security program at a specific point in time. Compliance checks are part of oversight designed to verify the status of controls in place to meet compliance objectives.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 572 in PDF)

3 / 93

What is the purpose of interface testing in security assessments?

A. To ensure that the user interface looks aesthetically pleasing.

B. To test the functionality and security of the systems various interfaces.

C. To test the ability of the system to handle unexpected situations.

D. To determine if the system meets the organizations data analytics goals.

Incorrect

Correct!

Explanation: Interface testing is essential in evaluating the functionality and security of the systems various interfaces, including the user interface and APIs. This type of testing identifies if the interface behaves as expected under different scenarios and verifies if the interface has adequate data protection controls implemented to support the organizations security goals. It is also a crucial element in security testing activities like vulnerability assessments, penetration tests, and security testing like breach simulations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 569 in PDF)

4 / 93

What is the difference between black-box testing and white-box testing?

A. Black-box testers have access to the source code, while white-box testers do not.

B. White-box testers model the perspective of an external attacker, while black-box testers have knowledge of internal elements of the application.

C. Black-box testing tests the actual running program, while white-box testing uses static code analysis tools.

D. White-box testing tests the actual running program, while black-box testing uses static code analysis tools.

Incorrect

Correct!

Explanation: Black-box testing models the perspective of an external attacker, while white-box testing has knowledge of internal elements of the application that an outsider would not have. Black-box testers do not have access to the source code or internal workings of the application, while white-box testers do.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 565 in PDF)

5 / 93

What is the advantage of a recurring audit schedule?

A. It provides a snapshot of the security program

B. It allows the program to be tracked over time and show improvements

C. It facilitates external audits

D. It is not needed for an effective audit program

Incorrect

Correct!

Explanation: A recurring audit schedule allows the organization to track its security program over time and identify areas that need improvement. This approach also helps the organization show the effectiveness of its security program and how it has improved over time.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 595 in PDF)

6 / 93

Which of the following is a critical element to be considered while performing security assessment and testing related to disaster recovery and business continuity (BCDR) plan?

A. Does the organization rely on critical third parties or services?

B. Are new staff trained on key BCDR roles as part of onboarding?

C. Is the current version of the plan readily accessible and securely stored?

D. All of the above

Incorrect

Correct!

Explanation: All of the given elements are important considerations for a security assessment and testing related to disaster recovery and business continuity (BCDR) plan. The reliance on critical third-party services, training of new staff, storage and accessibility of the BCDR plan, testing the plan regularly, and maintaining a check on any significant changes in the organization are essential elements for an effective disaster recovery and business continuity plan.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 585 in PDF)

7 / 93

What is a potential drawback of using external auditors for security assessments and testing?

A. External auditors may overlook findings to protect the organization being audited.

B. External auditors may be more costly and lack knowledge about an organizations operations.

C. External auditors may have conflicts of interest that affect the audit process.

D. External auditors may not have specialized skills needed to perform the audit.

Incorrect

Correct!

Explanation: The key advantage of an external auditor is total independence from the organization being audited, but one of the potential drawbacks of using external auditors is the cost, which can be significant for large and complex audits, as well as their lack of knowledge about an organizations operations. This can lead to false positive audit findings.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 597 in PDF)

8 / 93

What is one purpose of employing synthetic transactions as a test mechanism?

A. To generate financial transactions between systems

B. To monitor heartbeat of systems that are offline

C. To record every user interaction with an application

D. To log into an application to verify if the service meets agreed level

Incorrect

Correct!

Explanation: Synthetic transactions can be employed as a test mechanism to monitor SLA agreements to ensure the service is meeting the agreed level of service.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 564 in PDF)

9 / 93

Which of the following best describes a KPI?

A. A patch management metric like the number of patches applied to a computing environment

B. The number of endpoints in the environment

C. A performance indicator that uses metrics and provides context

D. The time required to resolve incidents

Incorrect

Correct!

Explanation: A KPI is a performance indicator that uses metrics and provides context. It exists to identify how effectively controls are operating to mitigate risks, and provide notice if a control is ineffective, which indicates a risk that may be more likely to occur. When designing KPIs for the organizations security program, it is helpful to understand the information needed by the organization and essential to ensure the KPIs provide clear information to support decision making.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 583 in PDF)

10 / 93

Which of the following is an example of technical processes that detect incidents or deviations?

A. Network access controls like VPNs

B. Encryption of data and securing access to decryption keys

C. Host-based firewalls

D. EDR and SIEM

Incorrect

Correct!

Explanation: EDR and SIEM are technical processes that detect incidents or deviations. EDR is endpoint detection and response, which detects and responds to advanced security threats on endpoints, and SIEM is security information and event management, which collects and analyzes log data to detect security incidents.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 575 in PDF)

11 / 93

What is responsible disclosure in terms of security research?

A. Reporting a vulnerability to law enforcement or other authorities may be mandatory.

B. Fully and transparently reported to the organization responsible for fixing it as soon as possible.

C. The discoverer should disclose the vulnerability in a timely manner and publicly disclose it immediately.

D. There may be contractual or legal obligations that prevent disclosure of a vulnerability.

Incorrect

Correct!

Explanation: Responsible disclosure is defined as a principle wherein a vulnerability or weakness is fully and transparently reported to the organization responsible for fixing it as soon as possible.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 594 in PDF)

12 / 93

What are the key components of documenting an exception in the exception handling process?

A. Risk details, reason for having the risk, remediation plan, time frame for compliance

B. Risk details, reason for exception, compensating controls, exception approval, time

C. Risk details, reason for non-compliance, policy updates, management decision review

D. Risk details, reason for exception, exemption from security assessment, time frame for exemption

Incorrect

Correct!

Explanation: When a situation arises where a risk cannot be treated, an exception must be granted. The key components of documenting an exception in the exception handling process include risk details, reason for the exception, compensating controls, an explicit decision of exception approval, and time. These components help to identify and explain the issue, provide reasoning for the exception, partially mitigate the risk with compensating controls, and to limit the time-frame for the exception.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 590 in PDF)

13 / 93

When is it appropriate to conduct assessments from an internal perspective?

A. As part of an ongoing monitoring process

B. When the organization has no staff or resources for audits

C. When an objective outsider is required for the audit

D. When preparing for an external audit is not necessary

Incorrect

Correct!

Explanation: Assessments conducted from an internal perspective are appropriate as part of ongoing or continual assessment processes and are often used as part of continuous monitoring with a supplemental external audit performed less frequently.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 542 in PDF)

14 / 93

What does branch coverage ensure in a program or system being tested?

A. Every Boolean expression in the code is validated for both true and false conditions

B. Every function in the program is called

C. Every branch in a control statement has been executed

D. The execution of every statement in the program is validated

Incorrect

Correct!

Explanation: Branch coverage measures whether each branch in a control statement has been executed. Control statements are program structures like loops and conditional statements that affect the flow of the program. This type of coverage ensures that all execution paths of a program or system have been tested.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 568 in PDF)

15 / 93

Compliance checks should be treated as a starting point rather than a security objective for an organizations risk management program. Which of the following statements regarding audits or assessments is true?

A. Scheduled audits or assessments are conducted on a defined schedule and are an effective way to monitor security risk.

B. Compliance audits like SOC 2 Type II and ISO 27001 only evaluate security over a period of performance if it is requested by the organization being audited.

C. Compliance frameworks recognize that audits at a single point in time are an effective way to monitor security risk.

D. Organizations undergoing a FedRAMP assessment are only required to perform continuous monitoring after the initial full security assessment to maintain Authority to Operate (ATO) status.

Incorrect

Correct!

Explanation: The text states that most compliance frameworks recognize that an audit at a single point in time is not an effective way to monitor security risk. However, scheduled audits or assessments conducted on a defined schedule, such as annual audits for PCI-DSS and SOC 2, or ISO 27001 audits once every three years, are effective ways to evaluate the security program at a specific point in time. Additionally, compliance frameworks typically include requirements for more frequent assessment of key controls or areas.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 571 in PDF)

16 / 93

Which of the following is a companion to ISO 15048 and provides standards for consistent criteria and evaluation methods?

A. SSAE 18

B. ISO/IEC 15408-1:2009

C. ISO/IEC 18045:2008

D. ISO/IEC 27006:2015

Incorrect

Correct!

Explanation: ISO/IEC 18045:2008 is a companion to ISO 15048 and provides standards for consistent criteria and evaluation methods.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 596 in PDF)

17 / 93

What is the purpose of the reporting phase in pen testing?

A. To compile a list of all tested systems and their associated vulnerabilities.

B. To find and report vulnerabilities only to the technical staff responsible for system maintenance.

C. To gather information on weaknesses in the IT staff who were targeted during the testing process.

D. To capture all activities performed, vulnerabilities found, and access achieved, and to provide recommendations to remediate any identified vulnerabilities.

Incorrect

Correct!

Explanation: The purpose of the reporting phase in pen testing is to capture all activities performed, vulnerabilities found, and access achieved, and to provide recommendations to remediate any identified vulnerabilities. The report is usually presented in a formal meeting, which marks the end of the pen test engagement. The different parts of the report may be designed for different audiences, such as an executive summary for management and a more technically detailed report for IT staff.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 562 in PDF)

18 / 93

Which compliance framework requires an annual audit by a third-party auditor and routine internal activities such as quarterly vulnerability scans?

A. ISO 27001

B. FedRAMP

C. HIPAA

D. SOC 2

Incorrect

Correct!

Explanation: ISO 27001 requires an external audit every three years while the organization must perform continuous monitoring and oversight, including internal auditing and surveillance audits on an annual basis. It also requires the evaluation of security over a period of performance. It is the only option listed that requires both an external audit and internal activities such as quarterly vulnerability scans.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 572 in PDF)

19 / 93

Which of the following is a guide to assessing the controls outlined in NIST SP 800-53?

A. ISO/IEC 27006:2015

B. NIST Special Publication (SP) 800-53A

C. ISO/IEC 15408-1:2009

D. ISO/IEC 18045:2008

Incorrect

Correct!

Explanation: NIST Special Publication (SP) 800-53A is a guide to assessing the controls outlined in NIST SP 800-53. It introduces a simple set of testing procedures to assess control effectiveness: test, examine, or interview. Although applicable to U.S. government agencies, it is freely available and may be adapted for use by any organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 595 in PDF)

20 / 93

What is a benefit of utilizing a standard audit and assessment methodology?

A. It ensures that all systems and processes are equally evaluated.

B. It reduces the cost of monitoring activities.

C. It makes testing results more comparable over time.

D. It eliminates the need for identifying and addressing risks.

Incorrect

Correct!

Explanation: Using a standard methodology for audit and assessment offers key benefits including repeatable testing and results that will be more comparable over time. This ensures consistency in testing practices and allows for the measurement of return on investment from the organizations spending on security efforts over time.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 543 in PDF)

21 / 93

What is the final phase of a pen testing activity?

A. Attempt to exploit vulnerabilities

B. Gathering information

C. Documenting a report

D. Testing the organizations cyber defenses

Incorrect

Correct!

Explanation: The final phase of a pen testing activity is documenting a report on the vulnerabilities found and exploited. This report is used to help the organization improve their cyber defenses.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 558 in PDF)

22 / 93

Which compliance framework requires an ongoing annual assessment in order to maintain Authority to Operate (ATO) status?

A. PCI-DSS

B. ISO 27001

C. FedRAMP

D. SOC 2

Incorrect

Correct!

Explanation: FedRAMP requires an ongoing annual assessment after the initial full security assessment and also requires a continuous monitoring strategy for key risks in order to maintain Authority to Operate (ATO) status.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 572 in PDF)

23 / 93

What is the primary purpose of performing discovery or reconnaissance during the pen testing phase of security assessment and testing?

A. To obtain hard copies of sensitive information

B. To emulate the behavior of the attackers

C. To collect information from the organizations monitoring devices

D. To use publicly available tools such as Shodan or Have I Been Pwned

Incorrect

Correct!

Explanation: The primary purpose of performing discovery or reconnaissance during the pen testing phase is to emulate the behavior of attackers by gathering information about the target. This information can be used to create a more effective attack simulation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 559 in PDF)

24 / 93

What is an architecture that places scanning agents inside network segments to allow the endpoints in that segment to be scanned and then consolidates the results to a central console?

A. Firewall rules

B. VLANs

C. Zero trust network architecture

D. Distributed scanning

Incorrect

Correct!

Explanation: Distributed scanning is an architecture that places scanning agents inside network segments to allow the endpoints in that segment to be scanned and then consolidates the results to a central console. This is a way to overcome the difficulties introduced by network segmentation with access controls when performing vulnerability scanning.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 553 in PDF)

25 / 93

Which of the following is an example of preventative technical processes in security assessment and testing, according to DOMAIN 6 of CISSP?

A. EDR and SIEM

B. Monitoring the status of hardware or software to detect unexpected outages

C. Endpoint controls like host-based firewalls

D. Network- and host-based intrusion prevention systems (IPSs)

Incorrect

Correct!

Explanation: According to DOMAIN 6 of CISSP, preventative technical processes in security assessment and testing include encryption of data and securing access to decryption keys, network access controls like virtual private networks (VPNs), and endpoint controls like host-based firewalls.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 575 in PDF)

26 / 93

What is the goal of fingerprinting network endpoints in Phase 4 of Pen Testing?

A. To determine which endpoints are not valuable

B. To discover useful details like operating system and application software versions

C. To exhaust all identified possibilities

D. To see how long the tester can remain undetected

Incorrect

Correct!

Explanation: The goal of fingerprinting network endpoints is to discover useful details like operating system and application software versions, which is useful for choosing and executing specific exploits.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 562 in PDF)

27 / 93

Which framework specifies that management must periodically review the information security program for continuing suitability, adequacy and effectiveness?

A. NIST and FedRAMP

B. SOC 2

C. COBIT

D. ISO 27001

Incorrect

Correct!

Explanation: ISO 27001 control 9.3 specifies that management must periodically review the information security program for continuing suitability, adequacy and effectiveness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 580 in PDF)

28 / 93

What is a potential drawback of internal audits?

A. Internal auditors lack sufficient independence to perform an objective assessment.

B. Internal audits are often more expensive than external audits.

C. Internal auditors are unfamiliar with an organizations processes, tools, and personnel.

D. Internal auditors cannot identify issues due to their familiarity with an environment.

Incorrect

Correct!

Explanation: Internal auditors may lack sufficient independence to perform an objective assessment. Finding a major issue that could impact financial performance or the auditors relationship with team members can create an incentive to downplay issues discovered. In some organizations, this can be solved by making auditors a separate team within the company, though for smaller organizations, that may not be a viable option.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 597 in PDF)

29 / 93

What is the purpose of sampling in the audit technique?

A. To increase the amount of work required

B. To reduce the amount of work required while maintaining assurance that deficiencies are identified

C. To add extra work to the audit task without any benefits

D. To decrease the quality of assurance that deficiencies are identified

Incorrect

Correct!

Explanation: The purpose of sampling in the audit technique is to reduce the amount of work required while maintaining assurance that deficiencies are identified. Sampling is a technique utilized in audits to balance the cost of work to gather information and gain assurance against the benefit of risk visibility. The sample should be representative to ensure that identified deficiencies are applicable to the entire population of systems.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 596 in PDF)

30 / 93

Why are defined rules of behavior important to include in a pen testing engagement?

A. To provide testers with an opportunity to exploit any vulnerabilities found.

B. To ensure that the pen testing team fully tests the organizations response capabilities.

C. To provide guidelines and set ground rules for testers and ensure the safety of everyone involved during the testing process.

D. To document and report any critical security issues to the organization immediately.

Incorrect

Correct!

Explanation: Defined rules of behavior provide guidelines and set ground rules for testers to follow, ensuring everyone involved in the testing process is safe and that testers do not accidentally cause a Business Interruption event or provoke external incidents. This also helps ensure that the pen testing engagement is properly managed, that proper documentation for the testing results, incident records, and reporting are available.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 556 in PDF)

31 / 93

What is a possible solution to reduce the volume of traffic generated by vulnerability scanners that can lead to DoS conditions?

A. Increase the number of requests the scanner generates in a given time period

B. Disable request throttling to allow the scanner to process more requests

C. Implement request throttling to limit the number of requests the scanner generates in a given time period

D. Conduct scans at times of high user activity

Incorrect

Correct!

Explanation: Implementing request throttling is a proper configuration solution to reduce the volume of traffic generated by vulnerability scanners and limit the number of requests the scanner generates in a given time period. This can help prevent DoS conditions on both networks and systems. Other solutions like increasing the number of requests, disabling throttling, or conducting scans at times of high user activity can increase the risk of DoS conditions and are not recommended.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 551 in PDF)

32 / 93

What is the purpose of performing a test restore from backup media?

A. To verify the encryption of the backup data

B. To ensure that all required data is present and readable

C. To evaluate the performance of the backup system

D. To check the accessibility of the backup data

Incorrect

Correct!

Explanation: Performing a test restore from backup media is important to verify that all required data is present and readable. This ensures that the backup data is usable in the event of data loss or corruption. If data is missing, it could indicate backup configuration issues or corruption of the backup media.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 584 in PDF)

33 / 93

What should physical pen testers be provided with in the event they are caught or detained?

A. A letter of apology

B. A reward for successfully gaining access

C. A get out of jail free card

D. A recommendation letter

Incorrect

Correct!

Explanation: Physical pen testers should be provided with a get out of jail free card that details the purpose of their activity and a point of contact within the organization who can verify their story in the event they are caught or detained. This card can be presented to help them avoid potential legal trouble like being arrested and charged with trespassing.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 563 in PDF)

34 / 93

Which category of technical metrics measures the organizations effectiveness at implementing multilayered security by capturing metrics on preventative technical processes such as network access controls like virtual private networks (VPNs)?

A. Detect

B. Respond

C. Prevent

D. None of the above.

Incorrect

Correct!

Explanation: Preventative technical processes include encryption of data and securing access to decryption keys, network access controls like virtual private networks (VPNs), and endpoint controls like host-based firewalls. Designing a technical metrics program should be done to measure the organizations effectiveness at implementing multilayered security. To do so, it is useful to capture metrics across categories like Prevent, Detect, and Respond. Therefore, the correct answer is C because preventative technical processes are measured in the Prevent category of technical metrics.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 575 in PDF)

35 / 93

Which of the following metrics can be used to measure the implementation of an organizational policy barring personal social media use on organization-issued equipment?

A. The number of audit logs generated by technical controls

B. The number of incidents reported by security guards

C. The number of users who have read and acknowledged their understanding of the policy by signing it

D. The number of process artifacts collected during process execution

Incorrect

Correct!

Explanation: In this scenario, the proposed policy has administrative components like an acceptable use policy and employee training and awareness, and it may comprise technical controls like web content filters or blocklists. Measuring the number of users who have read and acknowledged their understanding of the policy by signing it is an effective way to determine policy reach and ensure employee awareness about the policy.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 576 in PDF)

36 / 93

When is it advisable or even required to use an external firm for assessments, testing, or audits, according to regulatory reasons?

A. Whenever the organization is unintentionally unaware of any issues it may have.

B. Whenever an organization is involved in legal or regulatory situations, such as maturity assessments against a maturity model or compliance purposes.

C. Whenever it requires specialized skills that are valuable but not needed full-time.

D. Whenever the organization is looking to save money on hiring full-time testers.

Incorrect

Correct!

Explanation: According to the text, external testing may be advisable or even required in some cases, especially for legal or regulatory reasons, such as maturity assessments against a maturity model or compliance purposes like PCI-DSS, ISO 27001, and the U.S. governments Federal Risk and Authorization Management Program (FedRAMP), which all require the use of an independent, authorized third-party auditor or assessor. Compliance with these standards brings a certain level of assurance to the clients or other companies doing business with audited firms, which makes it important that the audits be performed by a third-party with no active conflict of interest (Source: CISSP Study Guide by Sybex).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 546 in PDF)

37 / 93

What can logs be used for in a security program?

A. To prevent attacker access

B. To capture meaningless information

C. To provide evidence of technical controls

D. To replace the need for audits and assessments

Incorrect

Correct!

Explanation: Logs play an essential role as detective controls in a security program. Assessments and audits often rely on log entries as artifacts to directly prove that the organizations technical controls are in place and operating as intended.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 563 in PDF)

38 / 93

Which section of an audit report provides a high-level overview of testing activities and findings, typically taking up no more than one page?

A. Assumptions or constraints

B. Executive summary

C. Recommendations

D. Summary of activities

Incorrect

Correct!

Explanation: The executive summary section of an audit report provides a high-level overview of testing activities and findings, typically taking up no more than one page. It gives the reader a quick understanding of the overall testing process and the main findings.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 588 in PDF)

39 / 93

What is the purpose of Key Risk Indicators (KRIs)?

A. To capture past risks to the organization

B. To provide a window into future risks and drive proactive mitigating action

C. To support short-term management decision-making

D. To measure the effectiveness of existing security controls

Incorrect

Correct!

Explanation: The purpose of Key Risk Indicators (KRIs) is to provide a window into future risks and drive proactive mitigating action, such as upgrading a firewall before it is overwhelmed. KRIs provide an organization with a chance to prepare for future risks and a chance to take mitigating action before the risk becomes a problem. Therefore, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 583 in PDF)

40 / 93

What does the Mean time to detect (MTTD) metric measure?

A. The number of patches applied to a computing environment

B. The time required to resolve security incidents

C. The mean time required to detect a security incident or threat

D. The maturity of an organizations security efforts

Incorrect

Correct!

Explanation: The Mean time to detect (MTTD) metric measures the mean time required to detect a security incident or threat. It is an essential KPI for organizations since it helps them to understand how effectively their controls are operating to mitigate risk and provide notice if control is ineffective indicating a risk that may be more likely to occur.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 582 in PDF)

41 / 93

What is something that can cause issues with reports or processes that expect valid data stored in the system during automated vulnerability scanning?

A. Filling in form fields on a web application

B. Testing against a staging environment

C. Ignoring certain types of fields like email address

D. Using recognized type of test data that can easily be ignored or cleaned up after the scan

Incorrect

Correct!

Explanation: Vulnerability scanners can perform automated actions like filling in form fields on a web application to check for issues including Structured Query Language (SQL) injection or cross-site scripting (XSS). However, this testing data is obviously not real data that belongs in the system and can cause issues with reports or processes that expect valid data stored in the system.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 553 in PDF)

42 / 93

What is the importance of marking port scans from a vulnerability scanners IP address as nonsuspicious?

A. It ensures that all vulnerability scanning activity is logged by the security team.

B. It prevents security alerts and incident response processes from being triggered by legitimate vulnerability scanning.

C. It identifies the vulnerability scanner as a trusted source and prevents it from being blocked by security measures.

D. It allows the security team to track the origin of vulnerability scanning activity and respond accordingly.

Incorrect

Correct!

Explanation: Marking port scans from a vulnerability scanners IP address as nonsuspicious is essential to prevent security alerts and incident response processes from being triggered by legitimate vulnerability scanning. Vulnerability scanners perform many of the same actions as attackers, and identifying their activity as suspicious could result in unnecessary and costly incident response actions. By marking the scanners IP address as nonsuspicious, the security team can focus on responding to actual threats and vulnerabilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 552 in PDF)

43 / 93

What is the difference between full disclosure and responsible disclosure in ethical disclosure of vulnerabilities?

A. Full disclosure requires immediate public disclosure of the vulnerability, while responsible disclosure requires reporting the vulnerability to the organization in a timely manner and giving them time to fix it before publicly disclosing it

B. Full disclosure requires reporting the vulnerability to the organization in a timely manner and giving them time to fix it before publicly disclosing it, while responsible disclosure requires immediate public disclosure of the vulnerability

C. Full disclosure requires reporting the vulnerability only to law enforcement or other authorities, while responsible disclosure requires reporting the vulnerability to the organization in a timely manner and giving them time to fix it before publicly disclosing it

D. Full disclosure and responsible disclosure refer to the same thing in terms of ethical disclosure of vulnerabilities

Incorrect

Correct!

Explanation: Full disclosure argues that any time a weakness is discovered, it should be fully and transparently reported to the organization responsible for fixing it as soon as possible, which means immediate public disclosure of the vulnerability. Responsible disclosure, on the other hand, defines a responsibility for the discoverer to report a weakness to the organization in a timely manner and give them time to fix the vulnerability before publicly disclosing it.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 594 in PDF)

44 / 93

What is the main goal of conducting or facilitating a security audit?

A. To identify vulnerabilities in the system

B. To compare some aspect of an organization against a standard

C. To hack into the system

D. To assess the readiness of the disaster recovery plan

Incorrect

Correct!

Explanation: The main goal of conducting or facilitating a security audit is to compare some aspect of an organization against a standard. This allows the auditor to identify areas where the organization is not meeting the standard and to make recommendations for improvement.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 595 in PDF)

45 / 93

What is full disclosure in ethical disclosure of vulnerability findings?

A. Not disclosing vulnerability findings to anyone

B. Disclosing the vulnerability findings only to those who are directly responsible for fixing it

C. Reporting a vulnerability transparently to the organization responsible for fixing it as soon as possible

D. Disclosing vulnerability findings to law enforcement or other authorities

Incorrect

Correct!

Explanation: Full disclosure means reporting a vulnerability transparently to the organization responsible for fixing it as soon as possible. It is a philosophical argument that all discovered weaknesses should be reported fully and transparently to the responsible organization. While the goal of improving security is admirable, some vendors may not be open to researchers who attempt to report vulnerabilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 593 in PDF)

46 / 93

What method of testing combines elements of vulnerability scanning and automated penetration testing, and utilizes a continuously refreshed database of attack methods and newly discovered vulnerabilities?

A. Social engineering testing

B. Network traffic analysis

C. Breach and attack simulations

D. Physical security testing

Incorrect

Correct!

Explanation: Breach and attack simulations (BAS) combine elements of vulnerability scanning and automated penetration testing, utilizing a continuously refreshed database of attack methods and newly discovered vulnerabilities to test the ability for the organization to withstand newly evolved threats.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 570 in PDF)

47 / 93

What is a key element of governance and risk management related to security, and covered in Chapter 1?

A. Continuous monitoring

B. Management review and approval processes

C. Certification and accreditation

D. Control objectives

Incorrect

Correct!

Explanation: The oversight task of management review and approval processes related to security is a key element of governance and risk management, which is covered in Chapter 1.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 579 in PDF)

48 / 93

What is the difference between white- and black-box testing in penetration testing?

A. White- or crystal-box testing provides zero knowledge to the attacker and instead relies on them to perform reconnaissance to gather details.

B. White- or crystal-box testing is total transparency, while black-box testing provides the pen testers with complete knowledge of the system or network to be tested.

C. White- or crystal-box testing combines elements of both white- and black-box methods.

D. Black-box testing is a hybrid method that combines elements of both white- and black-box methods.

Incorrect

Correct!

Explanation: White- or crystal-box testing is total transparency. The pen testers have complete knowledge of the system or network to be tested, like IP addresses and system version numbers. Black-box testing provides zero knowledge to the attacker and instead relies on them to perform reconnaissance to gather details. The name demonstrates how the interior of the system (the “box”) is completely in shadow or dark to the tester.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 554 in PDF)

49 / 93

Which framework requires management to periodically review the information security program for continuing suitability, adequacy, and effectiveness?

A. SOC 2

B. COBIT

C. ISO 27001 control 9.3

D. Certification and accreditation

Incorrect

Correct!

Explanation: ISO 27001 control 9.3 requires management to periodically review the information security program for continuing suitability, adequacy and effectiveness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 579 in PDF)

50 / 93

What is a key element required to design a security metrics program?

A. An understanding of the security program objectives and an exhaustive list of every possible security process data source.

B. An exhaustive list of every possible security process data source.

C. A collection of raw data from all security process data sources.

D. An understanding of the security program objectives and security controls that provide a method of measurement or quantification.

Incorrect

Correct!

Explanation: To design a security metrics program, two key elements are essential. First, an understanding of the security program objectives is necessary as it provides the reference point for the metrics. Second, the security controls must provide a method of measurement or quantification. For example, if multifactor authentication is required for all logins, access control logs can be queried to determine if this requirement is enforced 100 percent of the time. Therefore, option D is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 574 in PDF)

51 / 93

Which of the following is a guide to assessing the controls outlined in NIST SP 800-53?

A. ISO/IEC 15408-1:2009

B. ISO/IEC 27006:2015

C. NIST Special Publication (SP) 800-53A

D. ISO/IEC 18045:2008

Incorrect

Correct!

Explanation: NIST Special Publication (SP) 800-53A is a guide to assessing the controls outlined in NIST SP 800-53. It introduces a simple set of testing procedures to assess control effectiveness: test, examine, or interview. Although applicable to U.S. government agencies, it is freely available and may be adapted for use by any organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 596 in PDF)

52 / 93

What is the goal of the exploitation phase in pen testing?

A. Identify vulnerabilities

B. Analyze network traffic

C. Gain access to systems or data that should not be accessible

D. Test application security

Incorrect

Correct!

Explanation: The goal of the exploitation phase in pen testing is to gain access to systems or data that should not be accessible. Testers use a variety of methods, such as automated or manual exploitation tools, to try to exploit the identified vulnerabilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 561 in PDF)

53 / 93

What is a key process data to collect from account management processes?

A. Number of user accounts created per day

B. Average response time for access request tickets

C. Timely account management such as removal of access within specified timeframes after a user changes roles or leaves employment

D. Type of encryption keys used

Incorrect

Correct!

Explanation: It is important to ensure that access to resources is removed within specified timeframes after a user changes roles or leaves employment so as to prevent unauthorized access. This is a key process data to collect from account management processes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 577 in PDF)

54 / 93

What is the purpose of breach attack simulations (BAS) for an organization?

A. To test the organizations ability to withstand known attacks and vulnerabilities

B. To perform manual penetration testing rather than automated testing

C. To identify all potential vulnerabilities at once

D. To replace quarterly vulnerability scans and yearly penetration tests entirely

Incorrect

Correct!

Explanation: Breach attack simulations (BAS) are performed to simulate a real attacker attempting to gain unauthorized access on an organizations network or system. BAS utilizes a continuously refreshed database of attack methods and newly discovered vulnerabilities to test the organizations ability to withstand newly evolved threats. The purpose of BAS is to identify potential vulnerabilities sooner than traditional approaches like a quarterly vulnerability scan or yearly penetration test to ensure that the organizations security controls function as intended.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 571 in PDF)

55 / 93

What is the difference between an audit and an assessment?

A. There is no difference between an audit and an assessment

B. An assessment involves evaluating the likelihood of a specific risk, while an audit involves a systematic analysis against a defined standard to determine if the object meets a set of criteria

C. An audit involves evaluating the likelihood of a specific risk, while an assessment involves a systematic analysis against a defined standard to determine if the object meets a set of criteria

D. An audit involves gathering information, while an assessment involves testing security controls

Incorrect

Correct!

Explanation: An assessment involves evaluating the likelihood of a specific risk and measuring or estimating the impact of risks that could affect those assets, while an audit is a more formal process that involves a systematic analysis against a defined standard to determine if the object meets a set of criteria. Therefore, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 542 in PDF)

56 / 93

What is the importance of fostering a relationship across teams with regards to vulnerability assessment?

A. To ensure that vulnerabilities are not taken seriously and addressed by asset owners.

B. To prioritize the findings for remediation using CVSS scores.

C. To communicate the context of any findings to nonsecurity personnel.

D. To keep vulnerability scanners owned by the business management team.

Incorrect

Correct!

Explanation: Fostering a relationship across teams is important to ensure that vulnerabilities are taken seriously and addressed. Communicating context to the audience is important and may require formatting results in a way that is best suited to the asset owner, especially nonsecurity personnel who typically do not understand CVSS scores. This will help the asset owner to take action on the findings. Hence, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 552 in PDF)

57 / 93

Which of the following is the official set of requirements and guidance for auditors performing certification audits against ISO 27001?

A. SSAE 18

B. ISO/IEC 15408-1:2009

C. ISO/IEC 27006:2015

D. NIST SP 800-53A

Incorrect

Correct!

Explanation: According to the text, ISO/IEC 27006:2015 is the official set of requirements and guidance for auditors performing certification audits against ISO 27001.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 596 in PDF)

58 / 93

What is the purpose of synthetic transactions for data integrity monitoring?

A. To identify systems that are offline or unresponsive

B. To monitor dynamic rules for handling data and alert administrators if processing a set of test data does not result in the expected outcome

C. To measure the performance of a system or application

D. To monitor users in real time as they interact with an application or service

Incorrect

Correct!

Explanation: Synthetic transactions can be used to monitor complex business logic rules that process data. By simulating the inputs to these rules, administrators can check if the output items the expected result. This helps to ensure that data integrates are being maintained as expected.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 564 in PDF)

59 / 93

Which of the following can be used as a Key Risk Indicator (KRI) to indicate security program deficiencies that require additional attention or resources?

A. Number of successful firewall intrusions

B. Number of security incidents

C. Number of successful phishing attempts

D. Number of successful ransomware attacks

Incorrect

Correct!

Explanation: An increase in the number of security incidents could indicate that the threat environment has changed, and more robust security tools or additional staff are needed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 584 in PDF)

60 / 93

What is a crucial factor to consider when choosing appropriate scanning tools and prioritizing scanning efforts in a vulnerability assessment?

A. The number of systems to be scanned

B. The size of the organization

C. The criticality of the systems to be scanned

D. The location of the systems to be scanned

Incorrect

Correct!

Explanation: When performing a vulnerability assessment, it is crucial to understand the criticality of each system to prioritize scanning efforts and choose appropriate scanning tools. Vulnerabilities in highly critical systems should be prioritized first since exploiting a vulnerability in a low criticality system is less likely to disrupt operations. Therefore, the criticality of the systems is a significant factor to consider.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 549 in PDF)

61 / 93

What is the purpose of synthetic transactions?

A. To monitor financial transactions in a system

B. To test the uptime of a hosted or cloud-based service

C. To record every user interaction with an application or web page

D. To scan a system for vulnerabilities

Incorrect

Correct!

Explanation: Synthetic transactions can be employed as a test mechanism for a variety of purposes, including SLA monitoring. Hosted or cloud-based services may guarantee certain levels of service, and synthetic transactions can be used to log into the application every hour to verify if the service meets the agreed level.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 564 in PDF)

62 / 93

Which of the following questions should a security practitioner seek to answer when conducting a third-party audit?

A. What is the third-partys revenue and market share?

B. What is the third-partys employee turnover rate?

C. What standards do they use for selecting controls and auditing their effectiveness?

D. What is the third-partys social media presence?

Incorrect

Correct!

Explanation: When conducting a third-party audit, a security practitioner should seek to answer questions related to the third-partys security program. This includes the standards they use for selecting controls and auditing their effectiveness. By doing so, the practitioner can assess whether the third-party has adequate controls in place to mitigate risks that could impact the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 598 in PDF)

63 / 93

What does ISO 27001 control 9.3 specify in relation to management review?

A. Management must perform security assessments and authorizations for all information systems periodically.

B. Management must ensure that IT and cybersecurity frameworks are suited to the organizations needs.

C. Management must periodically review the information security program for continuing suitability, adequacy and effectiveness.

D. Management must establish performance measures and quality information to support the functioning of internal control.

Incorrect

Correct!

Explanation: ISO 27001 control 9.3 specifies that management must periodically review the information security program for continuing suitability, adequacy and effectiveness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 580 in PDF)

64 / 93

What is the purpose of synthetic transactions in SLA monitoring?

A. To capture sensitive data entered by users

B. To monitor system activity like DNS resolution

C. To ensure services meet agreed levels of service

D. To detect slow or unresponsive pages

Incorrect

Correct!

Explanation: Synthetic transactions can be used to log into an application every hour to verify if the service meets the agreed level of service, which is the purpose of SLA monitoring.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 565 in PDF)

65 / 93

What is an appropriate response to an increase in the number of phishing attempts detected or reported, as indicated by a KRI?

A. No action is required as phishing attempts are not a serious threat to the organization.

B. Deploy additional security tools to collect even more data on phishing attempts.

C. Implement multifactor authentication (MFA), increase user training, and deploy additional system monitoring.

D. Increase IT budget and resource allocation to upgrade firewalls.

Incorrect

Correct!

Explanation: An increase in the number of phishing attempts detected or reported is often the precursor to an attack, as attackers seek to gain valid credentials to access the organizations resources. As a response, additional system monitoring, MFA, and user training could all be deployed to prevent successful attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 584 in PDF)

66 / 93

Which of the following controls might be put in place to restrict and monitor access and must contain all required information like user role, justification for access, and necessary approvals?

A. Administrative process for requesting user access

B. Technical implementation of user access

C. Physical controls to enforce access control

D. Audit and other assurance activities over these processes and artifacts

Incorrect

Correct!

Explanation: The administrative process for requesting user access, including formal request and approval before access is granted, may require an access request ticket or hard-copy access request form, and all user accounts must have corresponding request and approval documents, which must contain all required information like user role, justification for access, and necessary approvals. This control may also involve audit and other assurance activities. Therefore, option A is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 576 in PDF)

67 / 93

What is an example of a valuable KRI that can indicate that more robust security tools or additional staff are needed?

A. Number of findings

B. Phishing attempts detected or reported

C. Number of security incidents

D. Malware infection and containment rates

Incorrect

Correct!

Explanation: An increase in the number of security incidents can indicate that the threat environment has changed, and more robust security tools or additional staff are needed to handle the increased risk. This KRI can help drive proactive measures to prevent security incidents before they occur.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 584 in PDF)

68 / 93

Which framework requires management to establish performance measures and generate relevant, quality information to support the functioning of internal control?

A. ISO 27001

B. SOC 2

C. COBIT

D. NIST

Incorrect

Correct!

Explanation: SOC 2 requires management to establish “performance measures,” as well as generate and use “relevant, quality information to support the functioning of internal control.” This framework focuses primarily on security and availability controls for systems that store, process, and/or transmit data. The other frameworks have similar requirements for management review and oversight, but do not specifically mention generating performance measures to support internal control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 580 in PDF)

69 / 93

What is the primary purpose of misuse case testing?

A. To identify expected behavior when an actor interacts with a system

B. To identify vulnerabilities that might be exploitable under unexpected circumstances

C. To simulate specific threat scenarios and model potential attacks

D. To identify security requirements by specifying the ways a system could be abused by a malicious actor

Incorrect

Correct!

Explanation: The primary purpose of misuse case testing is to identify vulnerabilities that might be exploitable under unexpected circumstances. It assesses how a system or application responds to unexpected inputs or situations and identifies vulnerabilities. For instance, a misuse case for system login would describe the steps taken when a user enters incomplete login information. Several vulnerabilities have been found in several applications when users supply incomplete or unexpected information at a login prompt.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 567 in PDF)

70 / 93

What specific review requirements does ISO 27001 control 9.3 have for management?

A. Management must certify and accredit all information systems used in the organization.

B. Management must establish performance measures and use relevant quality information to support internal control.

C. Management must review the information security program periodically for continued suitability, adequacy, and effectiveness.

D. Management must assess and authorize information systems for use and issue an authorization to operate (ATO).

Incorrect

Correct!

Explanation: ISO 27001 control 9.3 specifies that management must periodically review the information security program for “continuing suitability, adequacy and effectiveness.”

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 579 in PDF)

71 / 93

Which of the following is the foundation for the Common Criteria certification and is a formal assessment process for technology products against a defined set of security functional requirements?

A. SSAE 18

B. ISO/IEC 15408-1:2009

C. ISO/IEC 18045:2008

D. ISO/IEC 27006:2015

Incorrect

Correct!

Explanation: ISO/IEC 15408-1:2009 is the foundation for the Common Criteria certification, which is a formal assessment process for technology products against a defined set of security functional requirements. It provides evaluation criteria for IT security, and is available free of charge.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 595 in PDF)

72 / 93

What is MTTR and why is it important in measuring the effectiveness of a security program?

A. MTTR is the Mean Time to Detect a security incident and is not helpful in measuring the effectiveness of a security program.

B. MTTR is the Mean Time to Recover from a security incident and is used to measure the effectiveness of a security program in responding to and resolving incidents.

C. MTTR is the Mean Time to Remediate from a security incident and is used to measure the effectiveness of a security program in preventing incidents from reoccurring.

D. MTTR is not a useful KPI for measuring the effectiveness of a security program.

Incorrect

Correct!

Explanation: MTTR is a key performance indicator that measures the time required to recover from a security incident. It is an important metric in assessing the effectiveness of a security program in responding to and resolving incidents. A shorter MTTR indicates a more effective security program in terms of incident response and resolution.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 582 in PDF)

73 / 93

What does black-box testing rely on?

A. The pen testers having complete knowledge of the system being tested.

B. The pen testers relying on the system to provide information about itself.

C. The pen testers being provided with some information about the system being tested.

D. The pen testers having limited knowledge about the system being tested.

Incorrect

Correct!

Explanation: Black-box testing provides zero knowledge to the attacker and instead relies on them to perform reconnaissance to gather details. The name demonstrates how the interior of the system (the “box”) is completely in shadow or dark to the tester.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 555 in PDF)

74 / 93

Which of the following is a crucial example of blended control types in account management?

A. Timely account management

B. Administrative process for requesting user access

C. Technical implementation of the system for submitting requests

D. Physical controls such as tokens and smartcards

Incorrect

Correct!

Explanation: Administrative processes for requesting user access require policies and procedures to be implemented using technology systems and may require physical controls like managing facility access or safeguarding account tokens like smart cards, making it a crucial example of blended control types in account management.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 577 in PDF)

75 / 93

Which type of breach attack simulation focuses on testing security controls monitoring for malicious network scans or complex interactions with applications that should be blocked by a web application firewall (WAF)?

A. Endpoint

B. Network

C. Email

D. Behavior-based

Incorrect

Correct!

Explanation: Behavior-based breach attack simulations specifically test security controls such as security tools monitoring for malicious network scans or complex interactions with applications that should be blocked by a web application firewall (WAF).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 571 in PDF)

76 / 93

What is a KPI?

A. A measurement of a process or system without any indication of performance

B. A measurement of a process or system that provides context and an indication of performance

C. A measurement of a process or system that is only used to identify risks

D. A measurement of a process or system that is not used for decision making

Incorrect

Correct!

Explanation: A KPI, or key performance indicator, uses metrics and provides context to provide an indication of performance of a process or system. It is designed to identify how effectively controls are operating to mitigate risks, and provide notice if a control is ineffective, which indicates a risk that may be more likely to occur.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 582 in PDF)

77 / 93

Which of the following is an example of a preventative technical control?

A. EDR

B. Host-based intrusion prevention system (IPS)

C. Encryption of data

D. SIEM

Incorrect

Correct!

Explanation: Preventative technical controls include encryption of data and securing access to decryption keys, network access controls like virtual private networks (VPNs), and endpoint controls like host-based firewalls.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 575 in PDF)

78 / 93

What is the main goal of implementing a process for remediation in response to security testing findings?

A. It allows for easier management of the security program.

B. It identifies timelines and milestones for the next security audit.

C. It addresses any discovered security vulnerabilities.

D. It tracks the work through to completion.

Incorrect

Correct!

Explanation: The main goal of implementing a process for remediation is to address any security vulnerabilities discovered during security testing, evaluations, assessments, and audits. This includes prioritizing work to be performed, identifying timelines and milestones, and tracking the work through to completion.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 589 in PDF)

79 / 93

When choosing and configuring a vulnerability scanner, what is a major consideration for organizations with mixed IT environments?

A. The legal, contractual, or regulatory obligations that may specify the scope, coverage, or frequency of scanning.

B. The depth, scope, or coverage of the scanner, including the ability to perform advanced scanning by authenticating to targets being scanned with administrative credentials.

C. The platform support.

D. The ability to perform cloud-based scanning.

Incorrect

Correct!

Explanation: A major consideration for organizations with mixed IT environments when choosing and configuring a vulnerability scanner is the platform support. This is because organizations with mixed IT environments may have different operating systems, such as Linux and Windows, which require different scanners. Thus, using a vulnerability scanner that supports multiple platforms ensures that a comprehensive assessment is conducted. Other factors such as legal, contractual, or regulatory obligations, or the depth, scope, or coverage of the scanner are also important considerations. However, platform support is a major consideration, especially for mixed IT environments.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 549 in PDF)

80 / 93

Which of the following metrics could be useful to test and evaluate the effectiveness of a security training and awareness program?

A. The number of employees who attended a training session

B. Whether employees are able to identify a phishing email

C. The number of hours employees spent on training

D. The amount of money spent on cybersecurity training in the past year

Incorrect

Correct!

Explanation: One way to evaluate the effectiveness of a security training and awareness program is by measuring whether employees are actually able to apply the knowledge they acquired during training to real-life situations. For instance, identifying a phishing email or recognizing unexpected system behavior could be indications of employees active involvement in implementing the training.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 584 in PDF)

81 / 93

What are key performance indicators (KPIs) and key risk indicators (KRIs) used for in a governance, risk, and compliance (GRC) program?

A. To communicate the state of existing security controls and monitor potential future risks

B. To communicate potential future risks and monitor the state of existing security controls

C. To monitor the effectiveness of existing security controls and identify potential future risks

D. To monitor potential future risks and identify potential future security controls

Incorrect

Correct!

Explanation: KPIs are used to monitor the state of existing security controls and their effectiveness at mitigating risk, while KRIs monitor potential future risks. Both are essential to a GRC program and provide proactive and reactive input to the GRC strategy.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 580 in PDF)

82 / 93

Which of the following techniques would pen testers use to identify active network hosts and services running on a network?

A. Vulnerability scanning

B. Exploitation toolkit

C. Network footprinting

D. Banner grabs

Incorrect

Correct!

Explanation: Pen testers use tools like Nmap, nslookup, ping sweeps, and port scanning to perform queries that determine active network hosts and services running on a network, which is a part of network footprinting.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 560 in PDF)

83 / 93

Which audit framework provides a formal assessment process for technology products against a defined set of security functional requirements?

A. SSAE 18

B. ISO/IEC 15408-1:2009

C. ISO/IEC 27006:2015

D. NIST Cybersecurity Framework (CSF)

Incorrect

Correct!

Explanation: ISO/IEC 15408-1:2009 is the foundation for the Common Criteria certification, which is a formal assessment process for technology products against a defined set of security functional requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 596 in PDF)

84 / 93

Which of the following situations may require mandatory reporting of a discovered vulnerability?

A. Nondisclosure

B. Full disclosure

C. Responsible disclosure

D. Mandatory reporting

Incorrect

Correct!

Explanation: Mandatory reporting refers to the legal and regulatory frameworks that mandate security researchers to report a discovered vulnerability to law enforcement or other authorities. Therefore, it is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 594 in PDF)

85 / 93

Which of the following is an example of a physical control for enforcing access control in an information system?

A. A system for submitting access requests and performing reviews

B. Segregated VLAN or restrictive firewall rules

C. Usernames and passwords

D. Encryption keys

Incorrect

Correct!

Explanation: Segregated VLAN or restrictive firewall rules are examples of physical controls that can be used to enforce access control in an information system. Physical controls are used to safeguard physical access to system components or to manage physical access tokens like smart cards, and are crucial to ensure restricted physical access is maintained. Options A, C, and D are examples of administrative or technical controls.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 578 in PDF)

86 / 93

What is the importance of generating reports for security evaluations?

A. Reports help reduce the number of security tools and evaluations needed.

B. Reports help summarize key details of testing and evaluation activities, including findings and recommended remedial steps.

C. Reports only need to be generated for security team members, not for outside users.

D. Reports are unnecessary since security evaluations are performed with automated tools that generate reports automatically.

Incorrect

Correct!

Explanation: The primary importance of generating reports for security evaluations such as vulnerability scans, penetration tests, gap assessments, continuous monitoring, and audits is to summarize key details of testing and evaluation activities, including findings or issues discovered, actions performed during testing, and any recommended remedial steps to address the findings. It is essential to generate reports to communicate the results of the security testing to the appropriate audience or user of the report. The report must identify the audience or user of the report, which is crucial to determine appropriate levels and types of details to include.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 587 in PDF)

87 / 93

What category of attack can be tested by a breach attack simulation tool using test messages?

A. Endpoint

B. Network

C. Email

D. Behavior-based

Incorrect

Correct!

Explanation: Breached attack simulation (BAS) tools can test email security controls with generated test messages. If messages can reach inboxes or are opened, its an indication of a deficiency in email security controls.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 571 in PDF)

88 / 93

What type of testing provides complete knowledge of the system or network to be tested, like IP addresses and system version numbers, and simulates an insider threat?

A. Black-box testing

B. White- or crystal-box testing

C. Gray-box testing

D. Out-of-scope testing

Incorrect

Correct!

Explanation: White- or crystal-box testing provides complete knowledge of the system or network to be tested, like IP addresses and system version numbers. This allows for more complete test coverage and simulates an insider threat.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 554 in PDF)

89 / 93

What is a common issue that vulnerability scanners may cause?

A. Unauthorized data access

B. Excessive traffic and denial of service (DoS)

C. Social engineering attacks

D. Physical security breaches

Incorrect

Correct!

Explanation: Vulnerability scanners may generate excessive traffic and lead to a DoS. This can affect network performance while detecting vulnerabilities. Excessive scanning can also generate false positives and alert the wrong people, leading to unnecessary panic or ignoring real incidents.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 551 in PDF)

90 / 93

Why is management support and sponsorship of security initiatives crucial?

A. So that security practitioners can define and execute mission objectives

B. So that management can provide timely data to security practitioners

C. So that management can make informed decisions about identifying risks and mitigating actions

D. So that security practitioners can oversee the continuous monitoring program

Incorrect

Correct!

Explanation: Management support and sponsorship of security initiatives is crucial because it provides direction and support. Management review and approval of security process data should be performed to ensure that controls are functioning as intended; that is to say that they are reducing risks to an acceptable level and that previously accepted risks are still within acceptable parameters. Changes to the organizations operating environment can render controls ineffective, even if they were previously adequate to reduce risks. Examples include launching new lines of business, the addition of new systems or processes, new compliance or regulatory obligations, and organizational changes like mergers, acquisitions, and divestitures. Therefore, management needs to make informed decisions about identifying risks and mitigating actions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 578 in PDF)

91 / 93

What is the difference between KPIs and metrics?

A. KPIs and metrics are the same thing.

B. KPIs provide context, whereas metrics are simply measurements.

C. Metrics are more important than KPIs.

D. KPIs are less specific than metrics.

Incorrect

Correct!

Explanation: The terms KPIs and metrics are often used interchangeably, but there is a difference. Metrics are simply measurements, like the number of patches applied to a computing environment. A performance indicator uses metrics and provides context (an indication).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 581 in PDF)

92 / 93

Why is identifying the organizations critical assets important before performing vulnerability assessments?

A. To choose appropriate scanning tools and prioritize scanning efforts

B. To determine what level of authorization is needed to scan each system

C. To determine the cost of performing a vulnerability assessment

D. To identify which assets should be scanned first based on their size

Incorrect

Correct!

Explanation: Identifying the organizations critical assets is important to choose appropriate scanning tools and prioritize scanning efforts. Vulnerabilities in highly critical systems should be prioritized first since exploiting a vulnerability in a low criticality system is less likely to disrupt operations. The asset inventory may also capture important data, like the system classification, needed to scope vulnerability assessments.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 549 in PDF)

93 / 93

What is responsible disclosure in relation to vulnerability disclosure?

A. Reporting a weakness to the responsible organization and giving them enough time to fix the vulnerability before publicly disclosing it

B. Reporting a weakness publicly as soon as it is discovered

C. Reporting a weakness only if mandatory reporting requirements are met

D. Reporting a weakness to law enforcement or other authorities

Incorrect

Correct!

Explanation: Responsible disclosure is the principle that the discoverer of a vulnerability has a responsibility to report the weakness to the organization in a timely manner and give the organization time to fix the vulnerability before publicly disclosing it.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 593 in PDF)

Your score is

🔒 Hands-On Cybersecurity Course + INTERNSHIP 🔒

Visit to Cyber Course

Understanding Domain 6 CISSP Exam: Security Assessment and Testing

Key Aspects of Domain 6 CISSP Exam

Security Control Testing
- Learn methods to test security controls.
- Assess management, operational, and technical controls.
Vulnerability Assessment
- Identify system vulnerabilities.
- Use tools and techniques for vulnerability assessment.
Security Process Data Analysis
- Analyze data from security processes.
- Collect, review, and interpret data for decision-making.
Security Auditing
- Conduct audits to ensure compliance with policies.
- Understand audit strategies and methodologies.
Internal and Third-Party Audits
- Know the difference between internal and external audits.
- Learn their roles in improving security.

Benefits of Our CISSP Practice Exam

Detailed Answer Explanations: Understand the reasoning behind each answer.
Aligned with Exam Objectives: Covers all Domain 6 topics comprehensively.
Instant Feedback: Get immediate feedback to identify improvement areas.

Continuous Learning

Revisit Domain 5: Identity and Access Management
Start Studying Domain 7: Security Operations

Prepare with our “CISSP Practice Exam” to confidently tackle Domain 6 and advance your cybersecurity career.

For more information, refer to the official ISC2.

Back to All CISSP Domains / Home

Domain 6 CISSP Exam: Security Assessment and Testing

Key Aspects of Domain 6 CISSP Exam

Benefits of Our CISSP Practice Exam

Continuous Learning

Explore our other free practice tests:

Related Posts

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

The Affordable, Hands-On Cyber Security that gets Results!

JOIN OUR

NEWSLETTER