CISSP PRACTICE QUESTIONS – 20210117

As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following actions should be taken first?
A. Select controls
B. Categorize the system
C. Assess risk to the system
D. Determine the impact of data


CISSP PRACTICE QUESTIONS – 20210116

As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following is the best source to inform the scoping decision?
A. The assessment of risk to the system
B. The result of business impact analysis (BIA)
C. The design of the security architecture
D. The detailed plan for certification and accreditation


CISSP PRACTICE QUESTIONS – 20210115

As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the compensating security control for replacing a baseline control. Which of the following best describes the process you are conducting?
A. Validation
B. Verification
C. Tailoring
D. Scoping


CISSP PRACTICE QUESTIONS – 20210114

According to Martin Fowler, a maturity model is a tool that helps people assess the current effectiveness of a person or group and supports figuring out what capabilities they need to acquire next in order to improve their performance. Which of the following is an open-source maturity model to help organizations assess, formulate, and implement a software security strategy that can be integrated into their existing Software Development Lifecycle (SDLC)?
A. Software Assurance Maturity Model (SAMM)
B. Capability Maturity Model Integration (CMMI)
C. Cybersecurity Maturity Model Certification (CMMC)
D. Systems Security Engineering Capability Maturity Model (SSE-CMM)


CISSP PRACTICE QUESTIONS – 20210113

A client sent a Kerberos authentication request to the authentication server (AS) and received a response with an encrypted part containing the session key and ticket-granting ticket (TGT). Which of the following should the client use to decrypt the ciphertext?
A. The client’s secret key
B. The client’s private key
C. The authentication server’s public key
D. The session key shared by the client and the ticket-granting server (TGS)


CISSP PRACTICE QUESTIONS – 20210112

A client is authenticating to an identity provider (IdP). Which of the following is the least feasible authenticator or authentication mechanism?
A. A password transmitted in clear text
B. A timestamp encrypted by the hash of the password
C. A nonce from the IdP encrypted by the subject’s private key
D. An attribute sent over TLS/SSL that uniquely identifies the subject


CISSP PRACTICE QUESTIONS – 20210111

A software development team is concerned with the integrity of the access token received from the web site after users log in. Which of the following is least likely to be considered?
A. Is the access token altered?
B. Is the web site the genuine origin of the access token?
C. Does the web site sign the access token?
D. Is the access token in transit lost?
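The integrity questions above (was the token altered, did this web site really issue it, is it signed at all) are what a verifier checks on an HMAC-signed token. The following is an added example, not code from the original page or from any specific library: it mints and verifies a compact HS256-style token with the standard library only. The shared secret, issuer URL and claims are assumptions for illustration, and the tamper() helper is a constructed attack used to show the check failing.

```python
"""Checking access-token integrity and origin with an HMAC signature (HS256-style JWS).

Added example. ISSUER_KEY and ISSUER are assumed values; a real verifier
would load the issuer's key from configuration or a JWKS endpoint.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"assumed-shared-secret-32-bytes-long!!"   # held by the issuing web site and the verifier
ISSUER = "https://login.example.test"                   # assumed issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, claims: dict) -> str:
    """Web-site side: header.payload signed with HMAC-SHA256 over the two encoded parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, expected_issuer: str, now: float = None):
    """Return (claims, None) if the token is intact and from the expected issuer, else (None, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    # Never let the token pick the algorithm: an unsigned ("none") or downgraded token is rejected.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    # Constant-time compare; a mismatch means the payload was altered or a different key signed it.
    if not hmac.compare_digest(expected, signature):
        return None, "signature mismatch"
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != expected_issuer:      # genuine origin check
        return None, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    return claims, None


def tamper(token: str, new_claims: dict) -> str:
    """Constructed attack: swap the payload while keeping the original signature."""
    header, _, sig = token.split(".")
    return header + "." + _b64url(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + sig


if __name__ == "__main__":
    tok = issue_token(ISSUER_KEY, {"sub": "alice", "iss": ISSUER, "scope": "read", "exp": int(time.time()) + 600})
    print("genuine:", verify_token(tok, ISSUER_KEY, ISSUER))
    print("altered:", verify_token(tamper(tok, {"sub": "alice", "iss": ISSUER, "scope": "admin"}), ISSUER_KEY, ISSUER))
```

Loss of the token in transit (option D) is a TLS/transport concern and does not show up in this verifier at all, which is why the integrity checks above say nothing about it.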


CISSP PRACTICE QUESTIONS – 20210109

A client submits a user’s identity in clear text along with a timestamp encrypted by a key derived from the hash of the user’s password to the Kerberos Authentication Server. The Kerberos message is encapsulated as KRB_AS_REQ. Which of the following best describes the purpose of the process?
A. Identification
B. Authentication
C. Pre-authentication
D. The TGT (Ticket-granting ticket)
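Both Kerberos questions above (the 20210113 one on decrypting the AS-REP enc-part and the 20210109 one on the encrypted timestamp in KRB_AS_REQ) describe the same AS exchange. The following is an added example, not code from the original page or from any Kerberos implementation: it simulates the client, the authentication server and the ticket-granting server's later view of the TGT. The realm, principal and password are constructed; the cipher is a stand-in for a real Kerberos encryption type so that the script runs with the standard library only.

```python
"""Toy Kerberos AS exchange: PA-ENC-TIMESTAMP pre-authentication and AS-REP decryption.

Added example. Real Kerberos (RFC 4120) uses ASN.1 messages and AES-CTS
encryption types (RFC 3962); the cipher here is built from HMAC-SHA256 as a
stand-in. Realm, principal and password are constructed for the demo.
"""
import hashlib
import hmac
import json
import secrets
import time

REALM = "EXAMPLE.COM"   # assumed realm
SKEW = 300              # Kerberos default permitted clock skew, in seconds


def string_to_key(password: str, principal: str, realm: str) -> bytes:
    # RFC 3962 shape: PBKDF2 over the password, salt = realm + principal, 4096 iterations.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + principal).encode(), 4096, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for a Kerberos etype: nonce || XOR-keystream ciphertext || HMAC tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication server side: verifies the pre-authentication and issues the TGT."""

    def __init__(self):
        self.principals = {"alice": string_to_key("correct horse", "alice", REALM)}
        self.krbtgt_key = secrets.token_bytes(32)   # known only to the KDC/TGS, never to the client

    def as_exchange(self, as_req: dict, now: float = None) -> dict:
        now = time.time() if now is None else now
        client_key = self.principals[as_req["cname"]]   # long-term key derived from the password
        if "padata" not in as_req:
            return {"error": "KDC_ERR_PREAUTH_REQUIRED"}
        try:    # PA-ENC-TIMESTAMP: only a holder of the password-derived key can produce this
            ts = json.loads(decrypt(client_key, as_req["padata"]))
        except ValueError:
            return {"error": "KDC_ERR_PREAUTH_FAILED"}
        if abs(ts["patimestamp"] - now) > SKEW:       # stale or replayed timestamp
            return {"error": "KRB_AP_ERR_SKEW"}
        session_key = secrets.token_bytes(32)
        ticket_body = {"cname": as_req["cname"], "key": session_key.hex(), "endtime": now + 36000}
        enc_part = {"key": session_key.hex(), "sname": "krbtgt/" + REALM}
        return {"cname": as_req["cname"],
                "ticket": encrypt(self.krbtgt_key, json.dumps(ticket_body).encode()),   # the TGT
                "enc-part": encrypt(client_key, json.dumps(enc_part).encode())}        # for the client


def build_as_req(cname: str, password: str, now: float = None):
    """Client side of KRB_AS_REQ: identity in the clear plus an encrypted timestamp."""
    now = time.time() if now is None else now
    key = string_to_key(password, cname, REALM)
    padata = encrypt(key, json.dumps({"patimestamp": int(now), "pausec": 0}).encode())
    return {"cname": cname, "sname": "krbtgt/" + REALM, "padata": padata}, key


def client_login(kdc: KDC, cname: str, password: str, now: float = None):
    """Run the AS exchange; the enc-part opens with the client's own long-term key."""
    as_req, client_key = build_as_req(cname, password, now)
    as_rep = kdc.as_exchange(as_req, now)
    if "error" in as_rep:
        return None, as_rep["error"]
    enc_part = json.loads(decrypt(client_key, as_rep["enc-part"]))
    return {"session_key": bytes.fromhex(enc_part["key"]), "tgt": as_rep["ticket"]}, None


def open_ticket(krbtgt_key: bytes, ticket: bytes) -> dict:
    """What the TGS does later; the client cannot read its own TGT."""
    return json.loads(decrypt(krbtgt_key, ticket))


if __name__ == "__main__":
    kdc = KDC()
    creds, err = client_login(kdc, "alice", "correct horse")
    print("login:", err or "ok, session key " + creds["session_key"].hex()[:16] + "...")
    print("wrong password:", client_login(kdc, "alice", "wrong")[1])
```

The points the two questions turn on are visible in the code: the KDC answers an AS-REQ without padata with KDC_ERR_PREAUTH_REQUIRED, a wrong password fails the timestamp decryption rather than leaking anything, a replayed timestamp outside the skew window is rejected, and the client opens the enc-part with the key derived from its own password while the TGT stays opaque to it.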


CISSP PRACTICE QUESTIONS – 20210108

A session is a temporary logical connection between two end-user application processes for message exchange. Which of the following statements about the session is not true?
A. The session layer in the ISO OSI model maps to the application layer in TCP/IP.
B. The establishment of a session is independent of underlying transports.
C. The RESTful-style architecture prescribes how a session is managed.
D. A session can maintain state information even if the transport is connectionless.
