CISSP : Certified Information Systems Security Professional : Part 26

  1. Which of the following is the primary advantage of segmenting Virtual Machines (VM) using physical networks?

    • Simplicity of network configuration and network monitoring
    • Removes the need for decentralized management solutions
    • Removes the need for dedicated virtual security controls
    • Simplicity of network configuration and network redundancy
  2. Which of the following would an internal technical security audit BEST validate?

    • Whether managerial controls are in place
    • Support for security programs by executive management
    • Appropriate third-party system hardening
    • Implementation of changes to a system
  3. Which of the following processes has the PRIMARY purpose of identifying outdated software versions, missing patches, and lapsed system updates?

    • Penetration testing
    • Vulnerability management
    • Software Development Life Cycle (SDLC)
    • Life cycle management

    Explanation:

    Reference: https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-operations/vulnerability-and-patch-management/#gref

  4. A development operations team would like to start building new applications delegating the cybersecurity responsibility as much as possible to the service provider. Which of the following environments BEST fits their need?

    • Cloud Virtual Machines (VM)
    • Cloud application container within a Virtual Machine (VM)
    • On-premises Virtual Machine (VM)
    • Self-hosted Virtual Machine (VM)
  5. Which of the following processes is used to align security controls with business functions?

    • Data mapping
    • Standards selection
    • Scoping
    • Tailoring
  6. Change management policies and procedures belong to which of the following types of controls?

    • Directive
    • Detective
    • Corrective
    • Preventative

    Explanation:

    Reference: https://books.google.com.pk/books?id=9gCn86CmsNQC&pg=PA570&lpg=PA570&dq=CISSP+Change+management+policies+and+procedures+belong+to+which+type+of+control&source=bl&ots=riGvVpUO4H&sig=ACfU3U0kRWWaIIj7gwqlovVku880wG5LOg&hl=en&sa=X&ved=2ahUKEwjA7cGL_anpAhULxoUKHc1lD3UQ6AEwCnoECBIQAQ#v=onepage&q=CISSP%20Change%20management%20policies%20and%20procedures%20belong%20to%20which%20type%20of%20control&f=false

  7. What access control scheme uses fine-grained rules to specify the conditions under which access to each data item or application is granted?

    • Mandatory Access Control (MAC)
    • Discretionary Access Control (DAC)
    • Role Based Access Control (RBAC)
    • Attribute Based Access Control (ABAC)

    Explanation:

    Reference: https://en.wikipedia.org/wiki/Attribute-based_access_control

  8. Why is planning the MOST critical phase of a Role Based Access Control (RBAC) implementation?

    • The criteria for measuring risk are defined.
    • The user populations to be assigned to each role are determined.
    • Role mining to define common access patterns is performed.
    • The foundational criteria are defined.
  9. Vulnerability scanners may allow for the administrator to assign which of the following in order to assist in prioritizing remediation activities?

    • Definitions for each exposure type
    • Vulnerability attack vectors
    • Asset values for networks
    • Exploit code metrics
  10. Which of the following Service Organization Control (SOC) report types should an organization request if they require a period-of-time report covering security and availability for a particular system?

    • SOC 1 Type 1
    • SOC 1 Type 2
    • SOC 2 Type 1
    • SOC 2 Type 2
  11. In order for application developers to detect potential vulnerabilities earlier during the Software Development Life Cycle (SDLC), which of the following safeguards should be implemented FIRST as part of a comprehensive testing framework?

    • Source code review
    • Acceptance testing
    • Threat modeling
    • Automated testing
  12. Physical assets defined in an organization’s Business Impact Analysis (BIA) could include which of the following?

    • Personal belongings of organizational staff members
    • Supplies kept off-site at a remote facility
    • Cloud-based applications
    • Disaster Recovery (DR) line-item revenues
  13. What is the best way for mutual authentication of devices belonging to the same organization?

    • Token
    • Certificates
    • User ID and passwords
    • Biometric
  14. Which of the following encryption types is used in Hash Message Authentication Code (HMAC) for key distribution?

    • Symmetric
    • Asymmetric
    • Ephemeral
    • Permanent

    Explanation:

    Reference: https://www.brainscape.com/flashcards/cryptography-message-integrity-6886698/packs/10957693

  15. Compared with hardware cryptography, software cryptography is generally

    • less expensive and slower.
    • more expensive and faster.
    • more expensive and slower.
    • less expensive and faster.

    Explanation:

    Reference: https://www.ontrack.com/uk/blog/making-data-simple/hardware-encryption-vs-software-encryption-the-simple-guide/

  16. A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations, such as the General Data Protection Regulation (GDPR), and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulatory requirements and even provides its own encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation?

    • No, because the encryption solution is internal to the cloud provider.
    • Yes, because the cloud provider meets all regulatory requirements.
    • Yes, because the cloud provider is GDPR compliant.
    • No, because the cloud provider is not certified to host government data.
  17. An employee receives a promotion that entitles them to access higher-level functions on the company’s accounting system, while also keeping their access to the previous system, which is no longer needed or applicable. What is the name of the process that tries to remove this excess privilege?

    • Access provisioning
    • Segregation of Duties (SoD)
    • Access certification
    • Access aggregation
  18. Which of the following is PRIMARILY adopted for ensuring the integrity of information is preserved?

    • Data at rest protection
    • Transport Layer Security (TLS)
    • Role Based Access Control (RBAC)
    • One-way encryption
  19. Which of the following offers the BEST security functionality for transmitting authentication tokens?

    • JavaScript Object Notation (JSON)
    • Terminal Access Controller Access Control System (TACACS)
    • Security Assertion Markup Language (SAML)
    • Remote Authentication Dial-In User Service (RADIUS)
  20. What is the MAIN purpose for writing planned procedures in the design of Business Continuity Plans (BCP)?

    • Establish lines of responsibility.
    • Minimize the risk of failure.
    • Accelerate the recovery process.
    • Eliminate unnecessary decision making.