01. Which of the following requires the most frequent use of Just-in-Time identity services?
a) User registration on websites
b) Privilege escalation for processes
c) Deleting inactive user identities
d) Updating source code libraries
02. What do compliance tests determine?
a) Whether transaction logs are properly tracked
b) Whether a process is performing as expected
c) Whether a control exists and is operating appropriately
d) Whether employee access lists are accurate
03. When can a small sample size still provide useful risk information?
a) When precision is critical
b) When time and resources are limited
c) When processes are unique
d) When statistical significance is required
04. Encrypting all the data along a communications path between connecting nodes is known as:
a) Link encryption
b) End-to-end encryption
c) Generic encapsulation
d) Multiprotocol labeling
05. What type of analysis can help one quickly observe anomalous behavior in an application without needing access to source code?
a) Static binary analysis
b) Static source analysis
c) Dynamic source analysis
d) Dynamic binary analysis
06. A renewable energy company has contracted with a third-party vendor to manage its customer service platform. Recently, there was a security incident where customer data was exposed due to the vendor's inadequate security measures. Lisa, the company’s Chief Security Officer (CSO), must reassess the security value of third-party services.
What should Lisa prioritize to ensure third-party vendors meet the company's security requirements?
a) Implement strict access controls and network segmentation to limit vendor access to only necessary systems.
b) Incorporate robust security clauses in vendor contracts, including penalties for non-compliance with security standards.
c) Require vendors to comply with the company's security policies and undergo regular security assessments.
d) Establish continuous monitoring of vendor activities using advanced security tools to detect and respond to incidents.
07. Which of the following statements best describes why threat modeling is an integral part of a broad approach to information security?
a) It specifically focuses on the threat actors' perspective, complementing traditional defense-based approaches.
b) It is risk-based, which is the basis for most modern cybersecurity methodologies and frameworks.
c) It is part of NIST SP800-145, mandated for US federal agencies, and considered best practice.
d) Effective threat modeling focuses on incident response, thus lowering the organization's overall security risk.
08. As a Security Manager for an international e-commerce platform, you are updating the incident response plan to address cross-border cyber incidents. Considering various legal jurisdictions, what key factor should you incorporate into the plan?
a) A unified incident response procedure applicable to all countries where the company operates
b) Delegation of incident response to local teams without centralized oversight
c) Emphasis on public relations strategies to manage customer perceptions and company reputation globally
d) Specific legal and regulatory requirements for each jurisdiction to ensure compliance during the incident response process
09. What happens when user identities are deprovisioned?
a) They are deleted and purged from all systems.
b) They are disabled, with data being retained according to policy.
c) They are transferred to another system.
d) They are encrypted.
10. IPv4 and IPv6 protocols are important to which layer(s) of the OSI model?
a) Layers 1 – 4
b) Layers 1 – 3
c) Layer 3
d) Layer 4