Free Certified Information Systems Security Professional CISSP Exam Practice Test

The core component of Role Based Access control (RBAC) must be constructed of defined data elements. Which elements are required?

• Users, permissions, operators, and protected objects
• Users, rotes, operations, and protected objects
• Roles, accounts, permissions, and protected objects
• Roles, operations, accounts, and protected objects

When assessing an organization's security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?

• Only when assets are clearly defined
• Only when standards are defined
• Only when controls are put in place
• Only procedures are defined

When resolving ethical conflicts, the information security professional MUST consider many factors. In what order should these considerations be prioritized?

• Public safety, duties to individuals, duties to the profession, and duties to principals
• Public safety, duties to principals, duties to individuals, and duties to the profession
• Public safety, duties to the profession, duties to principals, and duties to individuals
• Public safety, duties to principals, duties to the profession, and duties to individuals

Which of the following is an example of two-factor authentication?

• Retina scan and a palm print
• Fingerprint and a smart card
• Magnetic stripe card and an ID badge
• Password and Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)

The use of private and public encryption keys is fundamental in the implementation of which of the following?

• Diffie-Hellman algorithm
• Secure Sockets Layer (SSL)
• Advanced Encryption Standard (AES)
• Message Digest 5 (MD5)

An attacker has intruded into the source code management system and is able to download but not modify the code. Which of the following aspects of the code theft has the HIGHEST security impact?

• The attacker could publicly share confidential comments found in the stolen code.
• Competitors might be able to steal the organization's ideas by looking at the stolen code.
• A competitor could run their own copy of the organization's website using the stolen code.
• Administrative credentials or keys hard-coded within the stolen code could be used to access sensitive data.

Refer to the information below to answer the question.An organization experiencing a negative financial impact is forced to reduce budgets and the number of Information Technology (IT) operations staff performing basic logical access security administration functions. Security processes have been tightly integrated into normal IT operations and are not separate and distinct roles.Which of the following will MOST likely allow the organization to keep risk at an acceptable level?

• Increasing the amount of audits performed by third parties
• Removing privileged accounts from operational staff
• Assigning privileged functions to appropriate staff
• Separating the security function into distinct roles

Which of the following statements is TRUE about Secure Shell (SSH)?

• SSH does not protect against man-in-the-middle (MITM) attacks.
• SSH supports port forwarding, which can be used to protect less secured protocols.
• SSH can be used with almost any application because it is concerned with maintaining a circuit.
• SSH is easy to deploy because it requires a Web browser only.

What is the difference between media marking and media labeling?

• Media marking refers to the use of human-readable security attributes, while media labeling refers to the use of security attributes in internal data structures.
• Media labeling refers to the use of human-readable security attributes, while media marking refers to the use of security attributes in internal data structures.
• Media labeling refers to security attributes required by public policy/law, while media marking refers to security required by internal organizational policy.
• Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.

Which of the following would an internal technical security audit BEST validate?

• Whether managerial controls are in place
• Support for security programs by executive management
• Appropriate third-party system hardening
• Implementation of changes to a system