Free Certified Information Systems Security Professional CISSP Exam Practice Test

Which application type is considered high risk and provides a common way for malware and viruses to enter a network?

• Instant messaging or chat applications
• E-mail applications
• Peer-to-Peer (P2P) file sharing applications
• End-to-end applications

Which of the following statements BEST distinguishes a stateful packet inspection firewall from a stateless packet filter firewall?

• The SPI inspects the flags on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) packets.
• The SPI inspects the traffic in the context of a session.
• The SPI is capable of dropping packets based on a pre-defined rule set.
• The SPI inspects traffic on a packet-by-packet basis.

A healthcare insurance organization chose a vendor to develop a software application. Upon review of the draft contract, the information security professional notices that software security is not addressed. What is the BEST approach to address the issue?

• Update the service level agreement (SLA) to provide the organization the right to audit the vendor.
• Update the service level agreement (SLA) to require the vendor to provide security capabilities.
• Update the contract so that the vendor is obligated to provide security capabilities.
• Update the contract to require the vendor to perform security code reviews.

When telephones in a city are connected by a single exchange, the caller can only connect with the switchboard operator. The operator then manually connects the call.This is an example of which type of network topology?

• Star
• Tree
• Point-to-Point Protocol (PPP)
• Bus

Which of the following is the MOST effective method of detecting vulnerabilities in web-based applications early in the secure Software Development Life Cycle (SDLC)?

• Web application vulnerability scanning
• Application fuzzing
• Code review
• Penetration testing

What are the first two components of logical access control?

• Confidentiality and authentication
• Authentication and identification
• Identification and confidentiality
• Authentication and availability

What should an auditor do when conducting a periodic audit on media retention?

• Check electronic storage media to ensure records are not retained past their destruction date.
• Ensure authorized personnel are in possession of paper copies containing Personally Identifiable Information....
• Check that hard disks containing backup data that are still within a retention cycle are being destroyed....
• Ensure that data shared with outside organizations is no longer on a retention schedule.

How does Radio-Frequency Identification (RFID) assist with asset management?

• It uses biometric information for system identification.
• It uses two-factor authentication (2FA) for system identification.
• It transmits unique Media Access Control (MAC) addresses wirelessly.
• It transmits unique serial numbers wirelessly.

Which security evaluation model assesses a product's Security Assurance Level (SAL) in comparison to similar solutions?

• Payment Card Industry Data Security Standard (PCI-DSS)
• International Organization for Standardization (ISO) 27001
• Common criteria (CC)
• Control Objectives for Information and Related Technology (COBIT)

During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory?

• Calculate the value of assets being accredited.
• Create a list to include in the Security Assessment and Authorization package.
• Identify obsolete hardware and software.
• Define the boundaries of the information system.