Cissp Mind Map 100 Practice Questions Combo

Uploaded by godministrator


CISSP Domain 1 (Security and Risk Management) Mind Map

Find the mind map for CISSP Domain 1 below in 3 different formats:

1: Image Format - It's a .jpg file. You can open it in any native image application that
supports opening .jpg files.

2: HTML Format - You can open this file in any browser, such as MS Edge, Chrome
etc.

3: .dmmx Format - You need to download a mind mapping app such as "iMindQ" to
open .dmmx files. iMindQ can be downloaded from here - iMindQ. Other mind
mapping apps may support it too but I haven't tried.

1: Use the following link to download CISSP domain 1 mind map in image format:

https://drive.google.com/file/d/1uu1NZivylUr9OkNYUB3PZexmXWN8qgwB/view?usp=sharing

2: Use the following link to download CISSP domain 1 mind map in HTML format (it
will appear scrambled in google drive. Just download it):

https://drive.google.com/file/d/18saYLcNl_52DfylUgcn8XT4YBOAQ8itd/view?usp=sharing

Open the downloaded file in any browser like IE, Chrome, Edge.

3: Use the following link to download CISSP domain 1 mind map in .dmmx format.

https://drive.google.com/file/d/1lXkHGla5iUu4WaFkjKPpn4K9kEv3KZlu/view?usp=sharing

CISSP Practice Questions

Q1: Fill in the blanks:

The term “Authenticity” is a combination of ___________ and __________.

A. Integrity, Confidentiality
B. Confidentiality, Origin Authentication
C. Integrity, Origin Authentication
D. Confidentiality, Non-repudiation

Answer: C. Integrity, Origin Authentication. Authenticity is having the confidence that
data is authentic, i.e. that it has not been tampered with, and that it originated from
the source from which it should have originated.

Q2: Hexa Corp’s new chief information security officer has decided that the
organization would benefit from following NIST guidelines. So, the organization has
created a new baseline for all of their endpoints from NIST documents. However, they
decide to finetune it based on their specific environment. The NIST baseline says that
all internet-connected endpoints must have a DLP agent on them. But there’s a
segment of the network in Hexa Corp’s data center which is not connected to the
internet, so the DLP requirement is removed for those systems. What is the term
that describes this process?

A. Tailoring
B. Minimizing
C. Scoping
D. Customizing

Answer: C. Scoping. The scoping process removes controls from the recommended
baseline because they don't apply to your environment. Tailoring, on the other hand,
is modifying a control to make it appropriate to your environment; it's about
customizing what's left after scoping.

Q3: Mega Corp. has recently started operations in the US. Their CISO (Chief
Information Security Officer) has decided to create a baseline to be followed based
on the NIST guidelines. As per the guidelines, they should scan their internet facing
systems once every month. So, the information security team is tasked with
configuring monthly scans for all internet facing systems. However, there are some
systems in a DMZ which process more sensitive information as compared to the rest
of the systems. So, for those DMZ systems, it is decided that scanning should be
done every 2 weeks instead of monthly. What is the term that describes the process
applied for the DMZ systems?

A. Tailoring
B. Minimizing
C. Scoping
D. Customizing

Answer: A. Tailoring. Tailoring means modifying a control to make it appropriate to
your environment. It's about customizing what's left after scoping.

Q4: Which of the following statements is not correct?

A. Scoping process removes controls from the recommended baseline that don't
apply to your environment.
B. Tailoring is modifying a control to make it appropriate to your environment.
C. Scoping is customizing what's left after tailoring.
D. Scoping is selecting only the controls that apply to your environment.

Answer: C. Scoping is customizing what's left after tailoring. The correct statement is
"Tailoring is customizing what's left after scoping".

Q5: Dilbert is the new CISO of XS-Corp. He decides to implement a new baseline for
all the on-premises data centers of XS-Corp. As per the baseline, it is recommended
that all entry and exit points of the data center should be manned from 8 AM to 8
PM. However, XS-Corp. already has security guards manning all entry and exit points
24 hours a day. Dilbert, along with his team, evaluates whether they should remove
the guards in the night (i.e. from 8 PM to 8 AM) as baseline does not ask for it and it
will save them some money too, or keep them. After a thorough evaluation, it is
decided to keep the guards 24 hours as it provides additional security. What is the
term used to describe the process seen here with respect to the baseline?

A. Tailoring
B. Customizing
C. Scoping
D. Accreditation

Answer: A. Tailoring. Tailoring means modifying a control within a baseline to make it
appropriate to your environment. After evaluation, an organization may decide to
keep some controls or remove some, depending on its requirements. "Tailoring" means
customizing a control for a specific environment.

Q6: John is a new trainee who has recently joined Mega Corp.’s network team. He has
been given access to the network devices. One day, while checking out the
configuration of an edge router, he mistakenly removes an access-list entry which
was configured to restrict access to a web server only from certain IP addresses on
the internet. With the access-list entry removed, the web server is now left open to all
the IP addresses on the internet. Which of the following aspects of security are
compromised?

A. Integrity
B. Confidentiality
C. Availability
D. Authenticity
E. Privacy

Answer: B. Confidentiality. Confidentiality is about ensuring that information or a
system is accessible only to authorized parties. With the access-list entry removed,
access is now open to everyone, not just those who are authorized, so the
confidentiality aspect is compromised. The server is still accessible, so availability is
not compromised. The question does not mention any kind of unauthorized changes
to the server, so integrity is not compromised. Authenticity does not apply here as it's
a combination of origin authentication and integrity.

Q7: Max Corp. is a stock-trading firm that helps its customers invest in stocks and
shares based on current market trends. Due to the nature of their work, their
employees have access to sensitive information of various companies. However, they
make sure that the sensitive information that they have access to is not used to
provide undue advantages to its clients. One of their employees Mark has two
companies - ABC Corp. and XYZ Corp - as his customers both of which are
competitors of each other. In order to make sure that Mark cannot use sensitive
information of ABC Corp. for the benefit of XYZ Corp. and vice-versa, the company
has implemented an access control model, so that Mark cannot access data of both
the companies (ABC Corp. and XYZ Corp.) at the same time. So, if Mark accesses data
of ABC Corp., the controls automatically block his access for XYZ Corp. for some time,
and similarly, if he accesses data of XYZ Corp., his access is blocked for ABC Corp.
automatically for some time. In other words, the access control changes dynamically
based on Mark’s previous actions. This helps make sure that information cannot flow
between subjects and objects that would result in conflict of interest. Which security
model has been implemented by Max Corp.?

A. Brewer and Nash Model
B. Clark Wilson Model
C. Graham-Denning Model
D. Biba Model

Answer: A. Brewer and Nash Model. It's also known as Chinese Wall model/Ethical
Wall/Cone of Silence. It ensures that no information can flow between subjects and
objects that would result in a conflict of interest.

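The dynamic rule described in Q7, as an added worked example (this is not code from the original document). The company names and conflict classes are constructed, and the "blocked for some time" behaviour in the question is modelled as an explicit reset() call, which is an assumption of this example:

```python
# Added example: a minimal Brewer and Nash (Chinese Wall) access decision.
# Conflict-of-interest classes group datasets of competing companies; once a
# subject has touched one dataset in a class, the others in that class are denied.

class ChineseWall:
    def __init__(self, conflict_classes):
        # conflict_classes: iterable of sets of dataset names that compete with each other
        self.conflict_classes = [frozenset(c) for c in conflict_classes]
        self.history = {}   # subject -> set of datasets already accessed

    def _class_of(self, dataset):
        for cls in self.conflict_classes:
            if dataset in cls:
                return cls
        return None         # dataset has no known competitors

    def can_access(self, subject, dataset):
        cls = self._class_of(dataset)
        if cls is None:
            return True
        seen = self.history.get(subject, set())
        # Deny if the subject already accessed a *different* dataset in the same class.
        return not any(d in cls and d != dataset for d in seen)

    def access(self, subject, dataset):
        """Record the access if allowed; return the decision."""
        allowed = self.can_access(subject, dataset)
        if allowed:
            self.history.setdefault(subject, set()).add(dataset)
        return allowed

    def reset(self, subject):
        """Assumption: the 'for some time' in the question expires here."""
        self.history.pop(subject, None)


def run_scenario():
    """Mark's accesses from Q7 plus an unrelated company (constructed names)."""
    wall = ChineseWall([{"ABC Corp", "XYZ Corp"}, {"Bank1", "Bank2"}])
    return [
        wall.access("Mark", "ABC Corp"),    # True: first dataset in the class
        wall.access("Mark", "XYZ Corp"),    # False: competitor of ABC Corp
        wall.access("Mark", "ABC Corp"),    # True: same dataset again is fine
        wall.access("Mark", "Bank1"),       # True: a different conflict class
        wall.access("Mark", "Bank2"),       # False: competitor of Bank1
        wall.access("Mark", "Utility Co"),  # True: no competitors on record
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The decision depends on the subject's own history, which is what distinguishes this model from the static lattice models (Bell-LaPadula, Biba) in the following questions.
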
Q8: Fill in the blanks:

The ___________ rule of Biba model says that a subject cannot ________ data from a
________ integrity level.

A. Simple integrity property, read, lower
B. Star integrity property, read, lower
C. Simple integrity property, read, higher
D. Star integrity property, read, higher

Answer: A. Simple Integrity Property, read, lower.

Biba model is similar to Bell-LaPadula but addresses the integrity of data instead of
confidentiality. Instead of using security levels (like Bell-LaPadula did), Biba model
uses integrity levels.

Two rules of Biba model:

- Simple Integrity Property: a subject cannot read data from a lower integrity level (no
read down)

- *-Integrity (Star Integrity) Property: a subject cannot write data to an object at a
higher integrity level (no write up)

Q9: Mega Corp. is an organization that provides weapons to government agencies.
The information and details about the government contracts are saved on a server
that's shared by multiple users of the organization. The contracts stored on the
server are classified as per following classification levels - Public, Secret, Top-Secret.
The users of the organization are also assigned following security clearances levels -
Public, Secret, Top-Secret.

One day, a new employee Jamie who has a security clearance of "Secret" logs on to
the server and tries to write some details to a file that had the classification level of
"Public", however, his attempt is denied. He approaches his manager who informs
that the behaviour exhibited by the server is correct and expected.

Based on the above details, which of the following security models is most likely
implemented on the server?

A. Biba Model
B. Clark-Wilson Model
C. Bell-LaPadula Model
D. Brewer and Nash Model

Answer: C. Bell-LaPadula Model. The rule that comes into play is the *-Property
(Star Property) rule, which says a subject cannot write data to a lower security level
(no write down). E.g. if Mark has a clearance of secret, then he cannot write data to an
unclassified file.

Q10: Which of the following statements about Bell-LaPadula model is not correct?

A. Subject's clearance is compared with object's classification and then specific
rules are applied to control the access.
B. Enforces the integrity aspect of access control.
C. A subject can perform read and write functions on the object if the subject's
clearance and the object's classification are equal.
D. If a user has clearance of secret, then he cannot read data of top secret
classification.

Answer: B. Enforces the integrity aspect of access control. The Bell-LaPadula model
enforces confidentiality, not integrity. It is the Biba model that addresses integrity.

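The four rules behind Q8, Q9 and Q10 (the simple and star properties of Bell-LaPadula and of Biba), as an added worked example that is not part of the original document. The level names and the scenario are constructed to match the questions:

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity) rules as two
# tiny reference monitors. Only the dominance comparison differs between them.

SECURITY_LEVELS = {"Public": 0, "Secret": 1, "Top-Secret": 2}   # clearance/classification, as in Q9
INTEGRITY_LEVELS = {"Low": 0, "Medium": 1, "High": 2}           # constructed Biba levels


def bell_lapadula(subject_clearance, object_classification, op):
    """True if Bell-LaPadula permits `op` ('read' or 'write')."""
    s = SECURITY_LEVELS[subject_clearance]
    o = SECURITY_LEVELS[object_classification]
    if op == "read":
        return s >= o   # simple security property: no read up
    if op == "write":
        return s <= o   # *-property: no write down
    raise ValueError(f"unknown operation {op!r}")


def biba(subject_level, object_level, op):
    """True if Biba permits `op` ('read' or 'write')."""
    s = INTEGRITY_LEVELS[subject_level]
    o = INTEGRITY_LEVELS[object_level]
    if op == "read":
        return s <= o   # simple integrity property: no read down
    if op == "write":
        return s >= o   # *-integrity property: no write up
    raise ValueError(f"unknown operation {op!r}")


def decision(model, subject, obj, op):
    """One trace line for an access request, e.g. for an audit log."""
    verdict = "ALLOW" if model(subject, obj, op) else "DENY"
    return f"{model.__name__}: {subject} subject, {op} {obj} object -> {verdict}"


def q9_scenario():
    """Jamie (Secret) writes to a Public file: the *-property denies it."""
    return bell_lapadula("Secret", "Public", "write")


if __name__ == "__main__":
    print(decision(bell_lapadula, "Secret", "Public", "write"))
    print(decision(bell_lapadula, "Secret", "Top-Secret", "read"))
    print(decision(biba, "Medium", "Low", "read"))
    print(decision(biba, "Medium", "High", "write"))
```

Reading the two functions side by side shows why the models are described as mirror images: Biba's comparisons are Bell-LaPadula's with the direction of the inequality reversed.
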
Q11: There are many ways in which information can flow within a system. The
information flow model controls all of these flows. It makes sure that information
does not flow in a way that puts the system or data in a vulnerable state. Various
security models are built upon the information flow model. Which of the following
security models is not built upon the information flow model?

A. Bell-LaPadula Model
B. Biba Model
C. Brewer and Nash Model
D. Graham-Denning Model

Answer: D. Graham-Denning Model.


Q12: As a message travels over the network, its content can get modified - both
intentionally (e.g. by hackers) and unintentionally (e.g. a spike in power supply). You
would like to make sure that your application has built-in mechanisms in place to
detect both intentional and unintentional modifications to the messages. Which of
the following would best fit this purpose?

A. Parity bits
B. Cyclic Redundancy Check
C. Hashing
D. PKI Certificate

Answer: C. Hashing. Hash algorithms can detect any kind of modifications to the
message - both intentional and unintentional.

Q13: Fill in the blanks:

John is a network administrator who was terminated from the job due to
misconduct. Before leaving the office premises, he decides to cause some serious
harm to the company as he knows that his account has not been disabled yet. He
logs into the company’s data center router and erases the configuration. He then
logs into the syslog server which was used to store the router logs and deletes the
logs related to the erasing of the configuration. By doing this, he compromised the
__________ of the syslog server and the _________ aspect of security.

A. Integrity, Repudiation
B. Confidentiality, Non-repudiation
C. Integrity, Non-repudiation
D. Integrity, Authenticity

Answer: C. Integrity, Non-repudiation. Erasing the logs from the syslog server
impacted the correctness of the information stored on it, thus, it impacted its
integrity. By doing this, he also compromised the non-repudiation aspect of security
- the aspect which means that a user cannot deny performing his actions.

Q14: Which of the following cannot be used to provide confidentiality?

A. Access-list
B. Authentication
C. Encryption
D. Digital Signature

Answer: D. Digital Signature. A digital signature provides authentication, integrity and
non-repudiation. In order to provide confidentiality, the message needs to be encrypted
too.

Q15: Harry wants to send a message to Barry secretively. The text of the message is
“MeetAt10”. In order to make sure no one other than Barry can understand it, he
rearranges the characters of the message to “0etMA1te” and informs Barry about the
reordering. What is the term for the technique that Harry used?

A. Steganography
B. Caesar Cipher
C. Transposition Cipher
D. Substitution Cipher

Answer: C. Transposition Cipher.

Steganography: It is the method of hiding a message in another media type. E.g. the
message "the secret mission starts tomorrow" could be hidden in a picture of your
garden. The message is not encrypted, rather it is just hidden.

Substitution Cipher: Replaces each character or bit of the plaintext message with
another character. E.g. Caesar cipher (also known as ROT3) replaces each letter with
the letter 3 places ahead of it in the alphabet. So, A becomes D, B becomes E and so
on.

Transposition Cipher: Scrambles or rearranges the characters or bits of the plaintext
message.

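The substitution/transposition distinction above, as an added worked example (not code from the original document). It uses the question's own strings; KEY is a constructed permutation chosen so that it reproduces the reordering "MeetAt10" to "0etMA1te":

```python
# Added example: a substitution cipher (Caesar/ROT3) beside a transposition cipher.
# Substitution changes the characters but not their positions; transposition changes
# the positions but not the characters.

def caesar(text, shift=3):
    """Substitution: every letter is replaced by the letter `shift` places ahead."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)          # digits and punctuation pass through unchanged
    return "".join(out)


def transpose(text, key):
    """Transposition: output position i receives the input character at key[i]."""
    if sorted(key) != list(range(len(text))):
        raise ValueError("key must be a permutation of the character positions")
    return "".join(text[k] for k in key)


def untranspose(text, key):
    """Inverse of transpose(): character i goes back to position key[i]."""
    out = [""] * len(text)
    for i, k in enumerate(key):
        out[k] = text[i]
    return "".join(out)


KEY = [7, 1, 3, 0, 4, 6, 5, 2]   # constructed: transpose("MeetAt10", KEY) == "0etMA1te"


def same_characters(a, b):
    """True if b is an anagram of a. Transposition preserves character counts
    (which is why frequency analysis still 'sees' the plaintext); substitution does not."""
    return sorted(a) == sorted(b)


if __name__ == "__main__":
    print(caesar("MeetAt10"))               # substitution output
    print(transpose("MeetAt10", KEY))       # transposition output
    print(untranspose("0etMA1te", KEY))     # back to the plaintext
```
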
Q16: Which of the following statements about Diffie-Hellman is not true?

A. Tackles the issue of secure distribution of asymmetric keys.
B. Is not used to encrypt data but to share keying information securely.
C. Is a key agreement algorithm, and not a key exchange algorithm.
D. The agreed key is never actually transmitted.

Answer: A. Tackles the issue of secure distribution of asymmetric keys. The correct
statement is that it tackles the issue of secure distribution of symmetric keys (not
asymmetric keys). The other options are all correct.

Q17: Fill in the blanks below with respect to the right sequence related to
cryptography:

Plaintext –> ________ –> ________ –> ________ –> Plaintext

A. Encryption, Decryption, Ciphertext
B. Ciphertext, Encryption, Decryption
C. Encryption, Ciphertext, Decryption
D. Ciphertext, Decryption, Encryption

Answer: C. Encryption, Ciphertext, Decryption. Plaintext goes through encryption
which results in ciphertext. The ciphertext then needs to go through decryption to
get the original plaintext back.

Q18: Matt and Pete want to communicate securely over the internet. They decide to
use a one-time pad technique and have securely exchanged a one-time pad which is
1010011010. Matt's system then converts the plain-text message into bits which gives
the value of 0011001110, runs it through the one-time pad, and sends the result to
Pete. Which of the given options represents what Pete receives as encrypted text?

A. 0010001010
B. 1011011110
C. 1100110011
D. 1001010100

Answer: D. 1001010100. A one-time pad uses the XOR function. Here's how it works:

- The plain-text message is converted to binary (which in our case is 0011001110).
- The one-time pad is made up of random bits (which in our case is 1010011010). It
needs to be as long as the message.
- Then the XOR function is applied between the binary message and the one-time pad.
Here's how XOR works: if both values are the same, the result is 0, and if both values
are different, the result is 1. So, this is how you can remember it: same-0, different-1.

Now you apply XOR between these two:

Plain-text message: 0011001110
One-time pad:       1010011010
XOR result:         1001010100

So, the result 1001010100 is sent to the destination, where the receiver needs to have
the same one-time pad. The receiver will again perform XOR on the received
message (1001010100) and the one-time pad (1010011010) and will get the plain-text
message, which would be 0011001110.

Q19: John and Ron want to communicate securely and have decided to use
asymmetric cryptography. John needs to send a message to Ron and wants to make
sure no one other than Ron should be able to decrypt the message. Which of the
following keys should John use to send the message to Ron?

A. John's private key
B. John's public key
C. Ron's private key
D. Ron's public key

Answer: D. Ron's public key. When you want to make sure that a message can only
be decrypted by a certain person (personX), then you need to encrypt it with that
personX's public key. Then when that personX receives the encrypted message,
he/she will decrypt it with his/her own private key (corresponding to the public key
with which the message was encrypted). This way, even if someone were to intercept
the encrypted message, they wouldn't be able to decrypt it because they wouldn't
have the corresponding private key (as private key is not supposed to be shared with
anyone).
If you thought the answer is A - the answer would have been A if the question said
"John wants to make sure that when Ron receives the message, Ron can be sure that
it came only from John and no one else". So, if John encrypts the message with his
own private key, then anyone with John's public key will be able to decrypt (and the
fact that it's a public key, it need not be kept secret, so it's not just Ron who would
have John's public key). Someone would choose this option (of encrypting the
message with the sender's private key) when they are more concerned about
authenticity and non-repudiation, than confidentiality.
If one is concerned about confidentiality, then they need to encrypt the message
with the receiver's public key (option D).

Q20: Mark and Bob want to communicate securely. They decide to use
Diffie-Hellman. Which of the following statements is true with respect to
Diffie-Hellman?

A. Each user takes his own private key and the other person's private key and
runs them through the DH algorithm.
B. Each user takes his own public key and the other person's public key and runs
them through the DH algorithm.
C. Each user takes his own private key and the other person's public key and runs
them through the DH algorithm.
D. Each user takes his own public key and the other person's private key and runs
them through the DH algorithm.

Answer: C. Each user takes his own private key and the other person's public key and
runs them through the DH algorithm.
You do not share your private key with others, so option A and D are ruled out.
Option B is not right because why would you use something that's available to
anyone (i.e. two public keys) to create something secret?
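The Diffie-Hellman exchange of Q20 (each side combines its own private value with the other side's public value), together with the points from Q16 that the agreed key is never transmitted and that the result is symmetric keying material, as an added worked example that is not part of the original document. P and G are constructed toy parameters (P = 2^127 - 1 is a Mersenne prime); real deployments use standardised groups such as the RFC 7919 ffdhe groups, or ECDH:

```python
import hashlib
import secrets

# Added example: one Diffie-Hellman run between Mark and Bob. Constructed toy group;
# the arithmetic is the real protocol, the parameters are not production-grade.
P = 2**127 - 1
G = 3


def make_private(p=P):
    """Private value: random, kept by its owner, never sent anywhere."""
    return secrets.randbelow(p - 2) + 1          # uniform in [1, p-2]


def make_public(private, p=P, g=G):
    """Public value g^private mod p: the only thing that crosses the wire."""
    return pow(g, private, p)


def shared_secret(own_private, peer_public, p=P):
    """Own private value combined with the peer's public value (the Q20 answer)."""
    return pow(peer_public, own_private, p)


def derive_key(shared, p=P):
    """Turn the agreed number into symmetric keying material (Q16, option B)."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()


def exchange():
    """Run the protocol; return both parties' keys and everything a sniffer saw."""
    a = make_private()                 # Mark's private value
    b = make_private()                 # Bob's private value
    A = make_public(a)                 # Mark -> Bob
    B = make_public(b)                 # Bob -> Mark
    wire = {"p": P, "g": G, "A": A, "B": B}   # the eavesdropper's complete view
    mark_key = derive_key(shared_secret(a, B))
    bob_key = derive_key(shared_secret(b, A))
    return mark_key, bob_key, wire


if __name__ == "__main__":
    mark_key, bob_key, wire = exchange()
    print("keys match:", mark_key == bob_key)
    print("on the wire:", sorted(wire))     # p, g, A, B only; no private value, no key
```

Note that `wire` never contains `a`, `b` or the derived key: both sides compute the same value independently, which is what "key agreement" (Q16, option C) means.
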

Q21: Public-key cryptography uses a private key and a public key. Each key can be
used for different purposes. DeviceA wants to send a message to DeviceB and signs
it digitally before sending it across. When DeviceB receives the message, it wants to
verify the signature. Which key should DeviceB use for this purpose?

A. DeviceB's Public Key
B. DeviceB's Private Key
C. DeviceA's Public Key
D. The symmetric key they would have agreed upon

Answer: C. DeviceA's Public Key. The purpose of a digital signature is to verify the
sender. So, the sender (DeviceA in this case) signs the message with his private key
(confirming that no one else could have signed it because the private key is not
shared with anyone else). Then, when the receiver gets the message (DeviceB in this
case), he uses the sender's public key to verify the signature.

Q22: Sam and Ron want to communicate securely. They decide to use public key
cryptography. Sam encrypts the message with Ron's private key and sends it across
to Ron. What security service do they get using this method?

A. Authentication and Non-repudiation
B. Confidentiality, Authentication and Non-repudiation
C. Authentication
D. None. Sam shouldn't have access to Ron's private key.

Answer: D. None. Sam shouldn’t have access to Ron’s private key. It's because the
question says that the sender (Sam) will encrypt the message with the receiver's
(Ron's) private key. Private key is supposed to be kept private and not shared with
anybody other than the owner. So, ideally, Sam shouldn't have access to Ron's private
key.
Now, some explanation below that I hope will help clarify some concepts:
Encrypting with receiver's public key = Confidentiality (because only the receiver can
decrypt it using his private key)
Encrypting with sender's private key = Authentication and non-repudiation (because
it proves only the sender could have sent it as the private key is not with anyone else)
Hash = Integrity
Digital Signature = A hash value that's encrypted with sender's private key = Integrity,
Authentication and non-repudiation
So, encryption (with receiver's public key) plus digital signature provides
Confidentiality, authentication, non-repudiation and integrity.

Q23: Fill in the blanks:

Digital signatures involve two components - ___________ and ______________.

A. ECB, Symmetric Cryptography
B. ECB, Asymmetric Cryptography
C. Hashing, Asymmetric Cryptography
D. Hashing, Symmetric Cryptography

Answer: C. Hashing, Asymmetric Cryptography. A digital signature is a hash value
that has been encrypted by the sender's private key. The receiver then uses the
sender's public key to decrypt the encrypted hash value.

Q24: Fill in the blank:

A digital signature is a hash value that has been encrypted with __________.

A. the receiver's public key
B. the sender's public key
C. the sender's private key
D. the secret key agreed upon during the initial handshake between the two
parties

Answer: C. the sender's private key. Remember the goal of a digital signature is - a) to
make sure that the message has not been modified (which is provided through hash
value) and b) to make sure that message came from a specific sender, so the hash
needs to be signed i.e. encrypted with the sender's private key as the private key is
not shared with anyone and so it provides authentication.

Q25: Which of the following algorithms provides only key exchange/agreement
facility, but not digital signatures or encryption?

A. RSA
B. Diffie-Hellman
C. ElGamal
D. Elliptic Curve Cryptosystem

Answer: B. Diffie-Hellman. All the other three options - RSA, ElGamal, ECC - can be
used for key exchange, digital signatures and encryption. But DH can only be used to
agree on a key.

Q26: Which of the following security benefits do digital signatures provide?

A. Integrity, Authentication, Non-repudiation
B. Integrity, Authentication, Non-repudiation, Confidentiality
C. Integrity, Authentication, Confidentiality
D. Authentication, Non-repudiation, Confidentiality

Answer: A. Integrity, Authentication, Non-repudiation. A digital signature provides
integrity (through hashing) and authentication and non-repudiation (through
signing the hash with the private key). To provide confidentiality, the message will
need to be encrypted.

Q27: Messages can be encrypted or hashed or digitally signed. Each function serves a
different purpose. If a message is encrypted as well as digitally signed, what does it
provide?

A. Confidentiality and integrity


B. Confidentiality and authentication
C. Authentication, non-repudiation and integrity
D. Confidentiality, authentication, non-repudiation and integrity

Answer: D. Confidentiality, authentication, non-repudiation and integrity.

- Encryption = Confidentiality
- Hash = Integrity
- Digital Signature = A hash value that's encrypted with the sender's private key =
Integrity, Authentication and non-repudiation

So, encryption plus digital signature provides confidentiality, authentication,
non-repudiation and integrity.

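The key usage rules of Q19 through Q27 (encrypt with the receiver's public key, sign the hash with the sender's private key, verify with the sender's public key), as one added worked example that is not part of the original document. It uses textbook RSA without padding so that every step is visible; the two key pairs are built from constructed Mersenne primes, the hash is truncated to fit the toy moduli, and nothing here is a production encryption or signature scheme:

```python
import hashlib

# Added example: textbook RSA used to make the digital-signature and confidentiality
# statements executable. Constructed keys; illustration only.

E = 65537


def make_keypair(p, q, e=E):
    """Return ((n, e), (n, d)) for the primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))        # private exponent
    return (n, e), (n, d)


JOHN_PUBLIC, JOHN_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)     # constructed
RON_PUBLIC, RON_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)     # constructed
MESSAGE = b"MeetAt10"


def encrypt(message, recipient_public):
    """Confidentiality: encrypt with the receiver's public key (Q19, option D)."""
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext, owner_private):
    """Only the holder of the matching private key can undo encrypt()."""
    n, d = owner_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message):
    """Integrity: SHA-256 of the message, truncated to 8 bytes to fit the toy moduli."""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


def sign(message, signer_private):
    """Authentication/non-repudiation: the hash 'encrypted' with the sender's private key (Q24)."""
    n, d = signer_private
    return pow(digest(message), d, n)


def verify(message, signature, signer_public):
    """The receiver checks the signature with the sender's public key (Q21)."""
    n, e = signer_public
    return pow(signature, e, n) == digest(message)


def john_sends_to_ron():
    """Encrypt for Ron, sign as John, then record what each key can and cannot do."""
    ciphertext = encrypt(MESSAGE, RON_PUBLIC)
    signature = sign(MESSAGE, JOHN_PRIVATE)
    recovered = decrypt(ciphertext, RON_PRIVATE)
    return {
        "ron_reads_message": recovered == MESSAGE,                           # confidentiality
        "ron_verifies_john": verify(recovered, signature, JOHN_PUBLIC),      # authentication
        "tamper_detected": not verify(b"MeetAt11", signature, JOHN_PUBLIC),  # integrity
        "wrong_signer_rejected": not verify(MESSAGE, signature, RON_PUBLIC),
        "wrong_private_key_fails": decrypt(ciphertext, JOHN_PRIVATE) != MESSAGE,
    }


if __name__ == "__main__":
    for check, ok in john_sends_to_ron().items():
        print(f"{check}: {ok}")
```

The last two entries are the checks a reader of Q22 should take away: a signature made with John's private key does not verify under anyone else's public key, and a ciphertext made for Ron cannot be opened with any private key but Ron's.
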
Q28: "One-Time Pad" is a pad/keystream made of random values that is used for
cryptography. Which of the following statements about One-Time Pad is true?

A. Pad needs to be as long as the message that needs to be encrypted.
B. Pad needs to be shorter than the message that needs to be encrypted.
C. Pad needs to be longer than the message that needs to be encrypted.
D. Pad length does not matter. It can be shorter than, longer than, or as long as,
the message that needs to be encrypted.

Answer: A. Pad needs to be as long as the message. The way the one-time pad works
is that the first bit of the plaintext message is XORed with the first bit of the one-time
pad, which gives us the first bit of ciphertext. This process continues until the
whole message is encrypted. Hence the pad needs to be as long as the message.

E.g.
Plaintext  - 00110011
Keystream  - 10111001
Ciphertext - 10001010

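The XOR walk-through of Q18 and the same-length requirement of Q28, as an added worked example that is not part of the original document. The bit strings are the ones from the two questions; pad_reuse_leak() goes one step beyond them to show why the pad must be used exactly once (the inputs to it are constructed):

```python
import secrets

# Added example: a one-time pad over '0'/'1' strings, with the length check and the
# reuse failure mode made explicit.


def xor_bits(a, b):
    """XOR two equal-length bit strings: same -> '0', different -> '1'."""
    if len(a) != len(b):
        raise ValueError("pad and message must be exactly the same length")
    if set(a + b) - {"0", "1"}:
        raise ValueError("inputs must contain only '0' and '1'")
    return "".join("0" if x == y else "1" for x, y in zip(a, b))


def encrypt(plain_bits, pad_bits):
    return xor_bits(plain_bits, pad_bits)


def decrypt(cipher_bits, pad_bits):
    return xor_bits(cipher_bits, pad_bits)     # XOR is its own inverse


def make_pad(nbits):
    """A fresh random pad with one bit per message bit (from the secrets module)."""
    return "".join(str(secrets.randbits(1)) for _ in range(nbits))


def pad_fits(pad_bits, plain_bits):
    """The Q28 rule: the pad must be exactly as long as the message."""
    return len(pad_bits) == len(plain_bits)


def pad_reuse_leak(cipher1, cipher2):
    """If one pad encrypted two messages, XOR of the two ciphertexts equals XOR of
    the two plaintexts: the pad cancels out and the eavesdropper never needed it."""
    return xor_bits(cipher1, cipher2)


if __name__ == "__main__":
    ct = encrypt("0011001110", "1010011010")
    print("Q18 ciphertext:", ct)                          # 1001010100
    print("recovered:", decrypt(ct, "1010011010"))         # 0011001110
    print("Q28 ciphertext:", encrypt("00110011", "10111001"))   # 10001010
```
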
Q29: Which of the following two elements are used to calculate risk?

A. Probability, Business Impact
B. Probability, Asset Value
C. Probability, Threat
D. Asset Value, Vulnerability

Answer: A. Probability, Business Impact.


Q30: Fill in the blank:

_______ is the potential cause of an unwanted incident.

A. Threat
B. Threat Agent
C. Risk
D. Control

Answer: B. Threat Agent. A threat is a potential danger. It’s what can happen if there’s
a vulnerability. For example, if a router has a wide open access-list, the threat is that
someone on the internet can get into the network. Threat agent is the one who
actually exploits the vulnerability. Threat agent is the potential cause of an unwanted
incident.

Q31: Mega Corp. has a database server that stores both confidential and public
information. The database server has a vulnerability that could allow attackers to
gain access to it through a web server. The company later removes all confidential
information from the database server, leaving only public information on it. What
does this help reduce?

A. Risk
B. Exposure
C. Vulnerability
D. Probability

Answer: A. Risk. Risk is made up of two components - the probability of something
happening and the resulting business impact of it. When the company removed the
confidential information from the database, it reduced the impact in the event the
server was hacked (because the server has only public information now, nothing
confidential). The probability of the server being hacked into still remains because
the vulnerability hasn't actually been fixed. However, because the business impact
has been reduced, the overall risk rating comes down.

Q32: Christy, a security engineer, works with a social service organization in India. She
is not happy with the recent changes to a government policy which prevent people
from certain countries to come to India to take refuge. In order to show protest, she
hacks into the government’s website and defaces it. What would be the term used to
describe Christy here?

A. Threat
B. Threat Agent
C. Exposure Agent
D. Exploiter

Answer: B. Threat Agent. It is the entity that exploits a vulnerability. It could be a
person or a process.

Q33: Which of the following can NOT be put in place to mitigate risk?

A. Control
B. Safeguard
C. Countermeasure
D. Risk calculator

Answer: D. Risk Calculator. Other options all mean the same. A control is also known
as a safeguard or a countermeasure.

Q34: JohnTheAttacker compromises Harry's system and is able to get access to the
hash value of Harry’s password for that system. JohnTheAttacker then uses the hash
to send a request to the network’s KDC to request a TGT. What is the term used to
refer to this type of attack?

A. Kerberoasting
B. Pass the Hash
C. Overpass the Hash
D. Silver Ticket Attack

Answer: C. Overpass the Hash. In pass-the-hash, the hash is used to authenticate,
whereas in overpass-the-hash, the hash is used to submit a signed request for a TGT,
and that is what happened in this case.

Q35: Fill in the blank:

Graham's team is part of a government project where they have been assigned the
task of developing a new hashing algorithm for the project. Everything was going
well until 2 days back when one of the members of Graham's team discovered that
the hashing algorithm was vulnerable to birthday attack. During the weekly briefing
with the government team, Graham explains to the government official that because
the hashing algorithm was discovered to be vulnerable to birthday attack,
_________________________________________________________.

A. an attacker could create a different message than the original one and both
messages could have the same hash value.
B. an attacker could use the same original message and create a different hash
value than the original one.
C. an attacker could remove the original hash value from the message and
replace it with his own, fake hash value.
D. an attacker would only need to try 2^23 combinations to discover the original
hash value.

Answer: A. an attacker could create a different message than the original one and
both messages could have the same hash value.

If a hashing algorithm produces the same hash value for two different messages, it is
called collision. A birthday attack is an attack where the attacker tries to force a
collision.

Q36: All communication between ABC Suppliers and XYZ Corporation is encrypted
because of the sensitivity of the information that is shared. A hacker is sniffing their
communication but can't understand it because it's encrypted. The hacker then
composes an email message which says "Forward this to the Marketing head of XYZ
Corporation immediately", makes it appear to be coming from ABC Suppliers'
Procurement head and sends it to one of the Procurement team members of ABC
Suppliers. The employee falls for it and forwards the message to the marketing head
of XYZ Corporation. The hacker who is sniffing the communication between the two
companies now has access to the plain-text (because he sent it) and the
corresponding cipher-text (because he's sniffing the encrypted communication).
Now the hacker needs to discover the key that was used for encrypting his message
and he can then use that key to decrypt other messages that would have been
encrypted using the same key.

What type of attack is this?

A. Known-Plaintext Attack
B. Chosen-Plaintext Attack
C. Chosen-Ciphertext Attack
D. Cipher-Only Attack

Answer: B. Chosen-Plaintext Attack. It's an attack where an attacker can choose what
plaintext gets encrypted and has access to the resulting ciphertext too.

Q37: Which of the following is an example of a side-channel attack?

A. The attacker tries to encrypt the plaintext using various possible sets of keys to
arrive at an intermediate text, and also tries to decrypt the ciphertext using
various keys to arrive at the same intermediate text as before.
B. The attacker tries to use subtle properties of a language, such as which letter
appears the most in an alphabet and which appears least, to decrypt the
ciphertext.
C. The attacker tries to deduce some information about an application based on
its response time.
D. The attacker captures the hash of a password (instead of the actual password)
and tries to use the captured hash to authenticate himself.

Answer: C. The attacker tries to deduce some information about an application based
on its response time.

A is a Meet-in-the-middle attack
B is a Frequency Analysis attack
D is a Pass-the-Hash attack

Q38: Fill in the blank:

A birthday attack is _____________.

A. If a hashing algorithm produces the same hash for two different messages.
B. If an encryption algorithm produces the same ciphertext for two different
messages.
C. If a hashed output signed using the sender's private key is successfully
reversed due to compromise of private key.
D. If a hashed output signed using the receiver's private key is successfully
reversed due to compromise of private key.

Answer: A. A birthday attack is an attack where the attacker tries to force a collision. A
collision occurs when a hashing algorithm produces the same hash value for two
different messages.

Q39: Danny is an attacker with good cryptography related skills. He has come to
know of a secret contract negotiation happening between WNACorp. and the
government but the communication is encrypted. Danny wants to discover the keys
used for encryption, so he can decrypt the communication between WNACorp. and
the government. He knows that more than one key is being used for encryption.
Using social engineering skills, he somehow has obtained access to certain plaintext
and the corresponding ciphertext. Danny then tries to encrypt the plaintext using
various possible sets of keys to arrive at an intermediate text, and also tries to decrypt
the ciphertext using various keys to arrive at the same intermediate text as before.
He is hoping that if the intermediate texts match (from trying to encrypt the
plaintext and from trying to decrypt the ciphertext), there's a high chance that the
corresponding keys are the keys used to encrypt.

What is the name of the attack that Danny is trying to perform?

A. Meet-in-the-middle attack
B. Known-ciphertext attack
C. Side-channel attack
D. Frequency analysis attack

Answer: A. Meet-in-the-middle attack. This attack requires the attacker to have both
the plaintext and the corresponding ciphertext. It's typically performed on text that
has been encrypted by more than one key. The attacker tries to encrypt the plaintext
using various possible sets of keys to arrive at an intermediate text, and also tries to
decrypt the ciphertext using various keys to arrive at the same intermediate text as
before (thus trying to meet in the middle). If the intermediate texts match (from
trying to encrypt the plaintext and from trying to decrypt the ciphertext), there's a
high chance that the corresponding keys are the keys used to encrypt.

Q40: Mega Corp. recently had to do a few layoffs because of the company’s financial
condition. During risk assessment, it was identified that the company does not have
any defined processes and practices in place to terminate employees, which keeps
the terminated employees’ accounts active for some days even after their
termination. The company wants to mitigate this risk and would like to define the
process and practices to effectively and smoothly terminate the employees. What
kind of control will cover this requirement?

A. Technical Control
B. Administrative Control
C. Physical Control
D. Logical Control

Answer: B. Administrative Control. Also known as work practice controls or procedural
controls, they are focused on business practices.

Q41: Bella Corp. has recently installed an IDS (Intrusion Detection System) in their
network. Mark, the security administrator, has configured the IDS so that if it detects
any malicious traffic, it can log into the edge router through which the malicious
connection came and issue necessary commands to terminate the malicious
connection. What type of control functionality is exhibited by the IDS when it
terminates the malicious connections?

A. Deterrent
B. Corrective
C. Recovery
D. Preventive

Answer: B. Corrective. Controls have different functionalities. A control has corrective
functionality if it is used to correct the issue when something bad has happened. It
can also be used to fix the issue to prevent it from happening again. E.g. terminating
a malicious connection, an IDS logging into a router to block a malicious host,
quarantining a virus. Recovery controls are similar to corrective controls but are used
in more complex, or more damaging situations. E.g. backups, offsite facility.

Q42: Fill in the blank:

Performing background checks before hiring people is an example of _____________.

A. Detective Control
B. Preventive Control
C. Compensating Control
D. Deterrent Control

Answer: B. Preventive Control. By performing background checks before hiring
someone, an organization tries to prevent bad hires that may have a dubious or
criminal history.

Q43: Christy, a security engineer, works with a social service organization in India. She
is not happy with recent changes to a government policy which prevent people
from certain countries from coming to India to take refuge. In protest, she
hacks into the government's website and defaces it. What would be the term used to
describe Christy here?

A. Threat
B. Threat Agent
C. Exposure Agent
D. Exploiter

Answer: B. Threat Agent. It is the entity that exploits a vulnerability. It could be a
person or a process.

Q44: Jack has recently joined ABC Corp. as a network engineer. As he logs into a
router, he receives the following banner message:

“Warning: This system is restricted to ABC Corp. authorized users for business
purposes only. Unauthorized access or use is a violation of company policy and the
law. This system may be monitored for administrative and security reasons.”

What type of control is the above banner message?

A. Preventive
B. Deterrent
C. Compensating
D. Detective

Answer: B. Deterrent. A deterrent control is used to discourage a potential attacker. It
tries to convince individuals not to take undesired actions.

Q45: Fill in the blank:

_________ acts as a "checklist" for auditors to see whether organizations comply with
FISMA.

A. CoBIT
B. COSO
C. NIST SP 800-53
D. ITIL

Answer: C. NIST SP 800-53. While CoBIT acts as a "checklist" for auditors to see
whether organizations comply with business-oriented regulations, NIST SP 800-53
acts as a "checklist" for auditors to see whether organizations comply with
govt.-oriented regulations (e.g. FISMA).

Q46: There are various frameworks related to enterprise architecture development.
Which of the following frameworks shows an enterprise from 4 perspectives -
business, data, application and technology?

A. TOGAF
B. Zachman
C. DoDAF
D. MODAF

Answer: A. TOGAF - The Open Group Architecture Framework.

Q47: Fill in the blank:

The SOX Act is based upon _____________.

A. COSO
B. CoBIT
C. NIST SP 800-53
D. CMMI

Answer: A. COSO.

Q48: Which of the following frameworks deals with the objectives of the controls that
need to be put in place to accomplish the goals of the security program by mapping
IT goals to the enterprise goals?

A. COSO
B. ISO 27001
C. ITIL
D. CoBIT

Answer: D. CoBIT.

Q49: As ABC Corp. is growing rapidly, its senior management has realized that even
though it’s not an IT company, it still does rely heavily on internal IT to achieve various
business objectives. As a result, ABC Corp. would like to have a program in place that
would help optimize IT so as to support its business objectives. Specifically, it would
like the program to be focused towards internal SLAs between the IT department
and other business functions. Which of the following process management
development frameworks would best fit their needs?

A. CoBIT
B. ITIL
C. CMMI
D. ISO 27001

Answer: B. ITIL. It stands for Information Technology Infrastructure Library. Increased
dependence of business on IT led to the creation of ITIL. It provides a set of best
practices to optimize IT so as to support business objectives and is focused towards
internal SLAs between the IT department and other business functions.

Q50: TOGAF (The Open Group Architecture Framework) is an enterprise architecture
development framework. It shows an enterprise from 4 different perspectives. Which
of the following is not one of those perspectives?

A. Business
B. Technology
C. Services
D. Data

Answer: C. Services. The 4 perspectives are - business, data, application, technology
(you can remember them using the acronym BDAT).

Q51: Paula is terminated from ABC Corp. due to misconduct. However, she does not
feel the termination was justified and would like to file a case against the company.
Which of the given laws would be applicable in this case?

A. Criminal Law
B. Administrative Law
C. Civil Law
D. Common Law

Answer: C. Civil Law. It's an issue between an individual and an organization. Civil
law is used to settle disputes between individuals and organizations, e.g. contract
disputes, product liability, employment matters, real estate matters etc.

Q52: John purchased a new mobile phone from a company called PimPhone. As he
is charging the phone, he receives a call. He answers the call while the phone is
charging. The phone suddenly becomes extremely hot, causing burns on his ear and
fingers. He later learns from the phone's support company that they do
not advise taking calls while the phone is charging. He would like to sue the
PimPhone company for failure to warn him of the risk. Which law would best fit this
case?

A. Criminal Law
B. Administrative Law
C. Civil Law
D. Common Law

Answer: C. Civil Law. Civil law includes issues like failure to warn of risks, defects in
product manufacturing, design etc.

Q53: Fill in the blank:

Under ________, responsibility is on the prosecution to prove guilt beyond a
reasonable doubt.

A. Criminal Law
B. Administrative Law
C. Civil Law
D. Common Law

Answer: A. Criminal Law. Under criminal law, the defendant (the party that is accused
of something in the court of law) is considered innocent until proven guilty and it is
the responsibility of the prosecution (the party accusing someone of doing
something illegal) to prove the guilt beyond a reasonable doubt.

Q54: Fill in the blanks:

Generally, in civil law, cases are initiated by __________ and after investigation, the
defendant is found ______ or not.

A. government prosecutors, guilty
B. private parties, liable for damages
C. government prosecutors, liable for damages
D. private parties, guilty

Answer: B. private parties, liable for damages.

It's criminal law where cases are initiated by the government prosecutors and the
defendant is found guilty or not. In civil cases, private parties initiate the case and the
defendant is found liable or not liable for damages.

Q55: Under which of the following is the probability of loss of freedom the highest?

A. Criminal Law
B. Administrative Law
C. Civil Law
D. Common Law

Answer: A. Criminal Law.

Q56: ZenCars Corporation has designed a new sales brochure incorporating
compelling images, graphics and text, which it believes has resulted in an increase in
sales over the last 2 quarters. The company now wants to protect its sales
brochure, so its competitors don't copy it. Which of the following intellectual
property laws would suit this purpose?

A. Trademark
B. Copyright
C. Trade secret
D. Patent

Answer: B. Copyright. Copyright is for expression of ideas. It's about protecting
creative works, and a sales brochure would come under creative works.

Q57: Which of the following laws provide protection for a limited time and once the
legal protection expires, others are free to use the protected work? Choose all that
apply.

A. Copyright
B. Patent
C. Trade Secret
D. Trademark

Answer: A. Copyright and B. Patent. Neither trademark nor trade secret has an
expiry. Copyright and patent, however, expire, after which others can use the
protected work.

Q58: DKM Motorcycle's R&D team has, after years of work, finally succeeded in
developing a new engine that gives far higher mileage than any other engine in
any motorcycle. They built this engine from scratch using a new technology. They
want to make sure they get exclusive rights for the production and sale of this new
engine utilizing their in-house technology. Which of the following intellectual
property laws would be suitable for this purpose?

A. Trademark
B. Trade Secret
C. Patent
D. Copyright

Answer: C. Patent. A patent's primary purpose is to encourage innovation. It provides
inventors the incentive to get exclusive rights for the production and sale of patented
property. It protects things like inventions, new processes, or improved processes,
machines etc.

Q59: Bobby Bakery is famous for its Jelly Cake. They've been making this delicious
cake for the last 40 years and it has helped them keep the competition at bay. The
recipe for this cake is confidential and locked inside the cabinet of the owner's home.
Which of the following laws would be suitable to get protection for this recipe?

A. Trade secret
B. Trademark
C. Copyright
D. Patent

Answer: A. Trade Secret. A trade secret is something that gives a competitive
advantage, and the owner must take appropriate measures to keep it secret. Unlike a
patent, it is not disclosed.

Q60: SoftDevCorp has developed a new software program in the field of finance
which, it believes, will be a game-changing software. It would like to apply for an
intellectual property law which prohibits others from rewriting their source code in a
different form and accomplishing the same objective. Which of the following
intellectual property laws would best fit their needs?

A. Patent
B. Copyright
C. Trade Secret
D. Trademark

Answer: C. Trade Secret. Software is mostly associated with Copyright (as it comes
under literary works). However, the problem with Copyright is that it protects only
the actual text of the source code. Others could still achieve the same objective by
writing the same code in a different way. That's why the answer is C - Trade Secret, as
this way, the source code remains secret.
There have been some arguments about software being protected by Patents but it's
still not clear. Going by the CISSP Official Guide, the answer here should be C, not A.
Another problem with Patents is that to get a patent, you have to disclose your
invention and it's also valid only for a limited time after which anybody can recreate
your work.

Q61: Nike's logo (a tick sign) with the tagline "just do it" would be covered by which of
the following intellectual property laws?

A. Copyright
B. Trademark
C. Patent
D. Trade Secret

Answer: B. Trademark. Trademarks provide protection for specific words, graphics, a
symbol, logo or a phrase that help identify a brand. Even sounds are covered by
trademarks.

Q62: BoyToy Inc. is planning to launch a new marketing campaign which will be run
over various radio channels. For advertising purposes, BoyToy Inc. has developed a
2-second jingle sound that's meant to immediately tell the listeners that it's a
BoyToy's advertisement, enhance brand recollection, boost the brand value and
avoid any kind of confusion between BoyToy's and other similar companies'
advertisements. In order to make sure that this jingle sound is not copied or used by
any other brand, which of the following intellectual property laws would best suit
their needs?

A. Copyright
B. Trademark
C. Trade Secret
D. Patent

Answer: B. Trademark. Trademarks provide protection for specific words, graphics, a
symbol, logo or a phrase that help identify a brand. So, just about anything that helps
you distinguish one brand from another can fall into the trademark category. For
example, when you see the words "just do it" with a tick sign, you immediately
know it's about Nike. So the tagline of the Nike brand and the logo fall under
trademark. And it doesn't just include something that you see. A trademark covers
sounds as well. So, when you hear the typical Britannia bell sound, even if you are not
looking at the TV, you can still tell that it's a Britannia ad. That's the purpose of a
trademark. It protects things that help you identify a brand, that help you distinguish
one brand from another.
Copyright is not the answer because copyright provides protection for EXPRESSION
of ideas. Expression of ideas includes things such as literary works, music, films, or
any artistic expressions.

Q63: Many laws, acts and standards have been created to deal with privacy related
issues and provide privacy protection. Which of the following is a self-regulation
approach to privacy, meaning that it did not come down from a government
agency?

A. FPA - Federal Privacy Act of 1974
B. FISMA
C. PCI-DSS
D. USA PATRIOT

Answer: C. PCI DSS. The other options - FPA (Federal Privacy Act), FISMA (Federal
Information Security Management Act) and USA PATRIOT (Uniting and
Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism) - are all government-created acts. PCI DSS was created by credit
card companies. So, it's an example of a self-regulation approach.

Q64: Fill in the blank:

NIST SP 800-53 outlines the controls that are needed to comply with ___________.

A. FISMA
B. HIPAA
C. PCI-DSS
D. Federal Privacy Act of 1974

Answer: A. FISMA - Federal Information Security Management Act of 2002.

Q65: Which of the following privacy laws promotes the use of EHR (Electronic Health
Records) and addresses privacy and security concerns related to electronic
transmission of healthcare data?

A. FISMA
B. HIPAA
C. HI-TECH
D. PCI-DSS

Answer: C. HI-TECH - Health Information Technology for Economic and Clinical
Health.

Q66: Which of the following is not a law?

A. FPA
B. PCI-DSS
C. USA PATRIOT
D. PIPEDA

Answer: B. PCI-DSS. It's an initiative by the private sector, not a law.

Q67: Answer whether the below statement is true or false.

PCI-DSS is applicable to both online and brick-and-mortar businesses as long as they
accept, process or store credit card information.

A. True
B. False. It is applicable only to online businesses.
C. False. It is applicable only to brick-and-mortar businesses.

Answer: A. True.

Q68: Fill in the blank:

_________ are supposed to tell the “what”, not “how”, are generally broad and general,
and are technology-independent.

A. Standards
B. Policies
C. Procedures
D. Baselines

Answer: B. Policies.

Q69: Which of the following documents is meant to make sure that organizations
follow standards set by regulations like SOX, HIPAA, GLBA, PCI DSS etc.?

A. Advisory Policy
B. Informative Policy
C. Procedural Policy
D. Regulatory Policy

Answer: D. Regulatory Policy. There are 3 categories of policies - regulatory, advisory
and informative. Procedural Policy is a made-up option. Regulatory policy is specific
to a type of industry e.g. healthcare, financial institutions etc. It is meant to make
sure that organizations follow standards set by regulations like HIPAA, SOX, GLBA,
PCI DSS etc.

Advisory policy is meant to advise employees of expected and unexpected behavior
and activities. E.g. how to handle sensitive data, how to engage with potential
vendors, how to handle medical information.

Informative policy is meant to inform employees about certain topics or issues. E.g.
Company's vision, mission, Company's hierarchy and org structure.

Q70: Implementing security is not just about deploying tools and technologies. You
also need to have the right documentation in place, which includes documents like
policies, procedures, standards etc. Which of the following pieces of documentation
is not a mandatory set of instructions to be followed?

A. Policy
B. Baseline
C. Guideline
D. Standard

Answer: C. Guideline. Policy, Standard and Baseline are all mandatory but guidelines
are general recommendations which may or may not be followed.

Q71: Fill in the blanks:

________ would say that encryption must be enabled between two systems. ________
would tell what type of encryption must be enabled.

A. Policy, Procedure
B. Policy, Guideline
C. Standard, Policy
D. Policy, Standard

Answer: D. Policy, Standard. Remember that policies are supposed to be broad and
general. They tell the "What", not "How" and are technology or solution independent.
Granularity is provided through other documents like standards, guidelines,
baselines and procedures. Since the second part of the question has a "must" in it, it
means it will be filled by "standard".

Q72: Bobby is a network administrator at ABC Corp. He has resigned and will be
leaving the organization in 2 weeks. He is in the middle of upgrading all the routers
of the organization due to a bug and is well versed with performing the upgrades
successfully. Bobby’s manager, John, asks him to create a document providing all the
steps to be executed in the right sequence, so that, after he has left the organization,
his replacement can continue upgrading the routers successfully without any issues
by following the document. Which of the following documents does Bobby need to
create?

A. Policy
B. Procedure
C. Standard
D. Guideline

Answer: B. Procedure. Procedures describe detailed step-by-step tasks that need to
be performed to achieve a certain outcome. E.g. how to upgrade firewalls, how to
install patches, how to perform backups.

Q73: Threat modeling is the process of identifying and analyzing potential threats.
There are many threat models, one of which is STRIDE developed by Microsoft.
Which of the following threats is not part of the STRIDE model?

A. Information Disclosure
B. Non-repudiation
C. Escalation/Elevation of Privilege
D. Tampering

Answer: B. Non-repudiation. The various threats that the STRIDE model covers are -
Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation/Escalation
of Privilege.

Q74: An attacker was able to identify a vulnerability in the web application of ABC
Corp. and by exploiting the vulnerability, the attacker was able to gain access to the
database server in the backend. Once the attacker gained access, he modified
certain critical items in the database, which corrupted the database. Under which of
the following aspects of the STRIDE model would this attack come?

A. Unauthorized disclosure
B. Tampering
C. Repudiation
D. Denial of Service

Answer: B. Tampering. Tampering is about unauthorized changes to data. The
answer wouldn't be A (Unauthorized disclosure) because the information wasn't just
disclosed to an unauthorized party but it was modified too.

Q75: While performing threat modeling, there is a step where you look for
commonalities in the various attacks, so that fixing those commonalities can quickly
decrease the conditions that could lead to those attacks. What is this step called?

A. Reduction Analysis
B. Diagramming
C. Flowpath Analysis
D. Composition Analysis

Answer: A. Reduction Analysis.

Q76: ABC Corp. has a web server that's accessible only to a few customers on the
internet and the access is allowed based on those customers' public IP addresses.
Mark is a hacker who manages to change his machine's IP address so the traffic
originating from his computer appears to be coming from one of ABC Corp.'s
customers' public IP addresses. This allows him to gain access to ABC Corp.'s web
server. Now that Mark is able to successfully reach the web server, he sends
thousands of half-open TCP connection attempts to the web server, which overloads
the server's connection buffer, so that it slows down immensely and is unable to serve
legitimate requests from the customers. Which two aspects of the STRIDE model
have come into play here?

A. Spoofing
B. Tampering
C. Elevation of Privilege
D. Denial of Service

Answer: A. Spoofing, and D. Denial of Service.

Q77: Fill in the blank:

PASTA and VAST are examples of ________ methodologies.

A. Risk Assessment
B. Threat Modeling
C. Business Impact Analysis
D. Reduction Analysis

Answer: B. Threat Modeling.

Q78: Epson Tech's warehouse is estimated to have a value of USD 250,000. It is
estimated that if a fire were to occur in this warehouse, although the water sprinklers
would engage, by the time they engage and the fire is doused, the company
would have lost assets worth USD 50,000. What is the exposure factor here?

A. 20%
B. 200,000
C. 50,000
D. None of the above

Answer: A. 20%. The value of USD 50,000 is the SLE (Single Loss Expectancy), i.e. the
amount of loss that would occur if a threat were to materialize for an asset one time.
Exposure factor (EF) is the percentage of loss a realized threat would cause for an
asset.
SLE = Asset Value x EF. In our case, it's:
50,000 = 250,000 x EF
So, EF = 20%

Q79: F3 Corporation is working on its BC/DR plan. As part of the effort, its IT manager
is doing business impact analysis. During this exercise, the IT manager determined
that fire is one of the threats to its Pune factory. Further analysis revealed that if a fire
were to occur, the company would lose USD 500,000. The chances of fire occurring in
their Pune factory are once every 20 years. What is the single loss expectancy for this
case?

A. USD 500,000
B. USD 25,000
C. 0.02
D. 0.05

Answer: A. USD 500,000. SLE is the loss from a single instance. And that's what the
loss in a single fire is in this case.

Q80: Fill in the blank:

NIST 800-30, FRAP, FMEA, OCTAVE are examples of ___________ methodologies.

A. Risk Assessment
B. Threat Modeling
C. Business Continuity Planning
D. Business Impact Analysis

Answer: A. Risk Assessment.

Q81: The following sentence is the definition of which of the given options?

"Percentage of loss for an asset on a realized threat"

A. Exposure Factor
B. Single Loss Expectancy
C. Annual Rate of Occurrence
D. Annual Loss Expectancy

Answer: A. Exposure Factor.

Q82: Which of the following is the right formula to determine whether a safeguard
makes financial sense or not?

A. (ALE pre-safeguard - ALE post-safeguard) - Annual cost of safeguard
B. (ALE post-safeguard - ALE pre-safeguard) - Annual cost of safeguard
C. (ALE pre-safeguard - Annual cost of safeguard) - ALE post-safeguard
D. (Annual cost of safeguard - ALE pre-safeguard) - ALE post-safeguard

Answer: A. ALE stands for Annual Loss Expectancy. So, you first find out how much
loss is expected without the safeguard (ALE1). Then you find out the new, reduced
loss expected with the safeguard in place (ALE2). You subtract the two (ALE1 -
ALE2). But there will be some cost of implementing the safeguard too. So, you
subtract that from the value you just arrived at (ALE1 - ALE2). Hence the answer is A.

Q83: Mega Corp.'s phone factory has an asset value of $1,000,000. It is estimated that
a single instance of fire could cause 30% damage to the factory while leaving the
remaining 70% unharmed, and the fire is likely to occur once in 10 years. What would
be the annual loss expectancy?

A. 300,000
B. 700,000
C. 30,000
D. 70,000

Answer: C. 30,000.
SLE = Asset Value x Exposure Factor = 1,000,000 x 30/100 = 300,000
Annualized Rate of Occurrence (ARO) = 1 in 10 years = 1/10 = 0.1
ALE = SLE x ARO = 300,000 x 0.1 = 30,000

Q84: An IT Security Manager, who works for a pharmaceutical company, is preparing
the organization's business continuity and disaster recovery plan. He has identified
the following critical assets of the organization. As part of the BCP/DR effort, which of
the following assets should get topmost priority in terms of safety?

A. Patents stored in a safe in their head-office.
B. Main manufacturing facility in Virginia.
C. People of the organization.
D. Company-owned Research and Development facility.

Answer: C. People of the organization. Safety of people should always be the
top-most priority of any BC/DR plan.

Q85: Database backups are an essential part of disaster recovery planning. There are
various methods that can be used to create offsite copies of databases, each with its
own pros and cons. A company called Checkers LLC is looking to create an offsite
backup of its databases. It's mission-critical for the company that its database
servers always be available, no matter how big the disruption is. So, they've created a
remote backup site with a backup database server. Their main, live production
server is at their primary site. Looking at the criticality of their database servers, they
need the synchronization between the production database server and the backup
database server to happen instantly. This way, if the primary site were to go down,
the backup site would be ready to go immediately. Which of the following backup
techniques would best fit their needs?

A. Remote Journaling
B. Electronic Vaulting
C. Remote Mirroring
D. Hot-Site Vaulting

Answer: C. Remote Mirroring. In Electronic Vaulting, the entire database is bulk
transferred and the sync between primary and backup site does not happen
instantly. There's a delay because of which, in case of a disaster, some data could be
lost. In Remote Journaling, only the delta is backed up, not the entire database.
There's still a delay in the sync but it's not as big as it is in electronic vaulting. Remote
Mirroring is where the sync happens instantly and hence it's also the most expensive
option. There's no such term as "Hot-Site Vaulting".

Q86: Hexa Corp. is a small logistics company. They have a database of their
customers, vendors and employees. For disaster recovery purposes, they would like
to have backup for their database at some remote offsite facility. As they are tight on
budget, the transmission does not need to happen in real time. As the changes are
made to their database, a copy of that entire database can be sent to the remote
backup site every 24 hours.

Which of the following solutions would best fit their needs?

A. Remote Journaling
B. Electronic Vaulting
C. Remote Mirroring
D. Asynchronous Journaling

Answer: B. Electronic Vaulting.

In electronic vaulting, the entire file is transferred to a remote site at some
predefined interval.
In remote journaling, only the changes (delta) are transferred to a remote site.
In remote mirroring, a live database server is maintained at the remote site which
receives changes live.

Q87: One of the steps in BC/DR planning is testing or performing drills or exercises to
make sure the plan goes as per expectation in the event of an actual disaster. There
are different types of tests that can be performed.

One such test involves moving the personnel to the alternate offsite facility and
implementing site activation procedures. Some systems could be moved to the
offsite facility, however, the operations at the main facility are not interrupted. Which
test is it?

A. Parallel Test
B. Simulation Test
C. Structured Walk-Through Test
D. Lessons Learned Test

Answer: A. Parallel Test. The key point here is that the operations at the main site
are not interrupted even though some personnel are moved to the alternate site.

Q88: Which of the following is the right answer for an organization's RPO (Recovery
Point Objective)?

A. 4 hours
B. 4 GB
C. 4 TB
D. 4 critical servers

Answer: A. 4 hours, simply because this is the only option in terms of time. RPO is the
maximum amount of data that an organization can afford to lose but it's measured
in terms of time.

Q89: Which of the following statements is true?

A. MTD < RTO
B. RTO < MTD
C. RTO = MTD
D. RTO > RPO

Answer: B. RTO < MTD. RTO should always be less than MTD.

Q90: Fill in the blank:

Implementing policies and other supporting documents is an example of ________
being practiced by the company.

A. Due care
B. Due diligence
C. Separation of duties
D. Training

Answer: A. Due care.

Q91: Which of the following standards is used to measure the effectiveness of the
ISMS and the controls that have been implemented?

A. ISO 27003
B. ISO 27001
C. ISO 27004
D. ISO 27005

Answer: C. ISO 27004.

Q92: Fill in the blank:

Often, __________ needs to be performed before one can practice ___________.

A. Due care, due diligence
B. Due diligence, due care
C. Diligence, care
D. Care, diligence

Answer: B. Due diligence, due care.

Q93: ABC Corp.’s senior management takes information security seriously. As a result,
it takes the necessary steps to help protect the company, its resources and
employees. What is this an example of?

A. Due care
B. Due diligence
C. Management oversight
D. Management by objectives

Answer: A. Due care.


Q94: Fill in the blanks:

_______ is about gathering the necessary information and _______ is about prudent
management and acting responsibly.

A. Due diligence, due care
B. Due care, due diligence
C. Team owner, business owner
D. Mid-level management, senior-level management

Answer: A. Due diligence, due care.


Q95: Mega Corp. is planning to take over a fast-growing software company called SFS
Corp. The Chief Information Security Officer of Mega Corp. conducts thorough
research for 4 weeks and finds various shortcomings: SFS Corp.'s main product is
built on an insecure platform, there is no redundancy, data is transmitted in
cleartext, there are various critical vulnerabilities, etc. Fixing all of these
issues would be a multi-year program for Mega Corp., and the profits that Mega
Corp. was expecting from taking over SFS Corp. do not seem possible for at least
2 years after the takeover. Considering all of these issues, the takeover is
cancelled. Which of the following best describes the process that helped Mega Corp.
prevent losses by cancelling the takeover?

A. Due Care
B. Due Diligence
C. Security Governance
D. Management Governance

Answer: B. Due Diligence. It is about gathering information, conducting research,
performing investigations and asking the relevant questions. It's about knowing what
you are getting into before you make the final decision.

Q96: ABC Bank has a locker facility that is used by its customers to store their
valuables like jewelry, gold etc. To open the locker, two keys are needed - one of
which is with the customer and the second key is with the bank manager. Both the
customer and the bank manager need to be present to open the locker. What kind
of a control is this?

A. Preventive, Administrative
B. Detective, Administrative
C. Corrective, Technical
D. Detective, Technical

Answer: A. Preventive, Administrative. It is an example of dual control (also called
two-person control), a form of separation of duties: the procedure ensures that no
individual can complete a critical task alone. The two-key lock is the mechanism
that enforces the rule, but the requirement that two people be present is a
procedural (administrative) control, and it prevents misuse rather than detecting it.

Q97: Which of the following acts as a detective control?

A. Rotation of Duties
B. Split Knowledge
C. Dual Control
D. Separation of Duties

Answer: A. Rotation of Duties. It is a detective, administrative control based on the
premise that one person should not stay in one position for too long, to avoid
giving them too much control. Employees are rotated so that the incoming employee
can detect fraud committed by the previous one. The other three options are
preventive: they stop a single person from completing a critical task alone.

Q98: Hexa Corp. has recently installed some new network devices from a new vendor
with which no one on their network team has any experience. So, the company would
like to make sure that all the members of the network team go through some kind of
program so that, by the end of it, they are all well equipped to configure the
new network devices and are comfortable working on them in their day-to-day
operations.

Which of the following options would best fit their needs?

A. Education
B. Awareness
C. Training
D. Guidelines

Answer: C. Training. Training teaches employees how to perform their tasks. It is
targeted at employees with similar job functions.
It cannot be Education because education teaches employees more than what they need
to know to perform their current tasks. It is mostly associated with pursuing
certifications or seeking a job promotion. Awareness (B) is general, aimed at
everyone, and does not build hands-on skill; guidelines (D) are documents, not a
program.

Q99: Max has been working at ABC Bank for the last 3 years and has hardly taken
any leave. His manager, John, suspects that he could be doing something
fraudulent and would like to replace him with somebody else for just 2 weeks, so that
his replacement could discover any malpractice Max could be engaged in while
he is away. Which of the following solutions would best fit this need?

A. Dual Control
B. Mandatory Vacation
C. Rotation of Duties
D. Split Knowledge

Answer: B. Mandatory Vacation. It is not C because rotation of duties (or job rotation)
happens on a more regular basis, where employees rotate through jobs with other
employees not just to provide peer review or detect fraud but also to cross-train.

Q100: BeckyCorp.'s IT Director has recently created a new backup policy. As per the
new policy, they are supposed to take a full backup of a critical server called
PII-DB in their data center every Sunday. They are also supposed to take differential
backups of the PII-DB server every Tuesday and Thursday. Out of the given options,
which files will be backed up on Thursday?

A. The files that have changed since last Sunday.
B. The files that have changed since last Tuesday.
C. The files that have changed since last Thursday.
D. The files that have changed since the very first full backup.

Answer: A. The files that have changed since last Sunday. In a differential backup,
only those files are backed up that have changed since the last full backup, not
since the last differential backup. Here the full backup is taken on Sundays, so
on Tuesday only the files changed since Sunday are backed up, and on Thursday,
likewise, the files changed since Sunday, not since Tuesday. (Option B describes an
incremental backup, which copies what changed since the last backup of any kind.)

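
A worked simulation of the Q100 schedule, added here as an illustration (it is not part of the original question set or the author's material): it implements the selection rule that distinguishes differential from incremental backups, shows which backup sets a restore needs under each strategy, and computes the worst-case data loss the schedule actually delivers so it can be compared with a time-based RPO like the one in Q88. The file paths, dates and change log are constructed for the example; "PII-DB" is the hypothetical server from the question.

```python
from datetime import datetime, timedelta

# Constructed example data, not from the original question set.
# Schedule from Q100: full every Sunday, differential every Tuesday and
# Thursday, applied to one hypothetical week in January 2024, runs at midnight.
SUNDAY = datetime(2024, 1, 7)
TUESDAY = datetime(2024, 1, 9)
THURSDAY = datetime(2024, 1, 11)
SCHEDULE = [(SUNDAY, "full"), (TUESDAY, "differential"), (THURSDAY, "differential")]

# Files on the hypothetical PII-DB server and a constructed change log of
# when each was modified during the week.
FILES = ["/var/db/customers.db", "/var/db/orders.db",
         "/var/db/audit.log", "/var/db/ssn_index.db"]
CHANGES = [
    (datetime(2024, 1, 6, 18, 0), "/var/db/customers.db"),   # Saturday, before the full
    (datetime(2024, 1, 8, 9, 30), "/var/db/orders.db"),      # Monday
    (datetime(2024, 1, 9, 14, 0), "/var/db/audit.log"),      # Tuesday, after the Tuesday run
    (datetime(2024, 1, 10, 11, 0), "/var/db/ssn_index.db"),  # Wednesday
    (datetime(2024, 1, 10, 16, 0), "/var/db/audit.log"),     # Wednesday, second change
]


def changed_between(changes, start, end):
    """Paths modified after `start` and up to and including `end`."""
    return sorted({path for when, path in changes if start < when <= end})


def select_files(kind, run_time, last_full, last_any, changes=CHANGES, files=FILES):
    """Which files a backup run copies.
    full         -> every file
    differential -> everything changed since the last FULL run
    incremental  -> everything changed since the last run of ANY kind
    """
    if kind == "full":
        return sorted(files)
    if kind == "differential":
        since = last_full
    elif kind == "incremental":
        since = last_any
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    if since is None:
        raise ValueError(f"{kind} backup needs an earlier full backup")
    return changed_between(changes, since, run_time)


def run_schedule(schedule=SCHEDULE, partial_kind=None):
    """Simulate the schedule and return {run_time: [paths copied]}.
    partial_kind="incremental" re-runs the same calendar with incremental
    backups so the two strategies can be compared on identical input."""
    copied, last_full, last_any = {}, None, None
    for run_time, kind in schedule:
        if kind != "full" and partial_kind:
            kind = partial_kind
        copied[run_time] = select_files(kind, run_time, last_full, last_any)
        if kind == "full":
            last_full = run_time
        last_any = run_time
    return copied


def restore_chain(schedule, target, partial_kind=None):
    """Backup sets needed to rebuild the state as of `target`.
    Differential: last full + the latest differential only.
    Incremental: last full + every incremental after it, in order."""
    runs = [(t, (partial_kind or k) if k != "full" else k)
            for t, k in schedule if t <= target]
    last_full_idx = max(i for i, (_, k) in enumerate(runs) if k == "full")
    chain = [runs[last_full_idx][0]]
    partials = [t for t, _ in runs[last_full_idx + 1:]]
    if partials:
        chain += partials if runs[-1][1] == "incremental" else [partials[-1]]
    return chain


def worst_case_rpo_hours(schedule=SCHEDULE, cycle=timedelta(days=7)):
    """Longest gap between consecutive runs of a repeating schedule, in hours.
    Data written just after one run and lost just before the next is the most
    the schedule can lose, so this gap is the RPO it actually delivers."""
    times = sorted(t for t, _ in schedule)
    gaps = [b - a for a, b in zip(times, times[1:])]
    gaps.append(times[0] + cycle - times[-1])  # wrap around to the next cycle
    return max(gaps).total_seconds() / 3600


def meets_rpo(target_rpo_hours, schedule=SCHEDULE):
    """True if the schedule's worst-case loss is within the stated RPO."""
    return worst_case_rpo_hours(schedule) <= target_rpo_hours


if __name__ == "__main__":
    for when, paths in run_schedule().items():
        print(when.strftime("%a"), paths)
    print("Thursday as incremental:", run_schedule(partial_kind="incremental")[THURSDAY])
    print("restore to Thursday needs:", [t.strftime("%a") for t in restore_chain(SCHEDULE, THURSDAY)])
    print("worst-case RPO this schedule delivers: %.0f h" % worst_case_rpo_hours())
    print("meets a 4-hour RPO?", meets_rpo(4))
```

Run as a script, the Thursday differential returns orders.db, audit.log and ssn_index.db (everything changed since Sunday), while the same run as an incremental returns only audit.log and ssn_index.db (changed since Tuesday). The restore chain shows the trade-off behind the two strategies: a differential restore needs two sets, an incremental one needs every set since the full. The last two lines tie the schedule back to Q88: the longest gap (Thursday to the next Sunday) is 72 hours, so this policy cannot satisfy a 4-hour RPO no matter how reliably the backups themselves run.
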
I hope you found this document useful in your CISSP preparation.

After providing training for other training institutes for many years, I noticed
some common flaws in their approaches.

However, I was merely a trainer for them and didn't have much say in the way
the trainings were delivered.

So, in order to provide you a wholesome coaching experience while fixing the
flaws I noticed in others’ approaches, I have recently launched my own
coaching program called "CISSP Accelerator Program".

If you're interested in clearing the CISSP exam on the very first attempt by
understanding the concepts in detail while being mentored by me
throughout your preparation, schedule a free call with me at
https://calendly.com/hemantsajwan or drop me an email at
support@hemantsajwan.com and we'll see if I can help you.

All the best!

Hemant Sajwan
