CISSP Practice Exam Questions
Uploaded by

Doris Inman

ISC2

CISSP
Certified Information Systems Security Professional
QUESTION & ANSWERS

https://www.dumpscollege.com/exam/CISSP
QUESTION: 1

Which of the following statements is MOST accurate regarding information assets?

Option A : International Organization for Standardization (ISO) 27001 compliance specifies which
information assets must be included in asset inventory.

Option B : Information assets include any information that is valuable to the organization.

Option C : Building an information assets register is a resource-intensive job.

Option D : Information assets inventory is not required for risk assessment.

Correct Answer: B

QUESTION: 2

What are the first two components of logical access control?

Option A : Confidentiality and authentication

Option B : Authentication and identification

Option C : Identification and confidentiality

Option D : Authentication and availability

Correct Answer: B

QUESTION: 3

If traveling abroad and a customs official demands to examine a personal computer, which of the following
should be assumed?

Option A : The hard drive has been stolen.

Option B : The Internet Protocol (IP) address has been copied.

Option C : The hard drive has been copied.

Option D : The Media Access Control (MAC) address was stolen

Correct Answer: C

QUESTION: 4

Which of the following addresses requirements of security assessment during software acquisition?

Option A : Software assurance policy

Option B : Continuous monitoring

Option C : Software configuration management (SCM)

Option D : Data loss prevention (DLP) policy

Correct Answer: B

QUESTION: 5

Which of the following is the BEST method a security practitioner can use to ensure that systems and
subsystems gracefully handle invalid input?

Option A : Negative testing

Option B : Integration testing

Option C : Unit testing

Option D : Acceptance testing

Correct Answer: B

QUESTION: 6

The Chief Information Security Officer (CISO) of an organization has requested that a Service Organization
Control (SOC) report be created to outline the security and availability of a particular system over a 12-month
period. Which type of SOC report should be utilized?

Option A : SOC 1 Type 1

Option B : SOC 2 Type 2

Option C : SOC 2 Type 2

Option D : SOC 3 Type 1

Correct Answer: C

QUESTION: 7

Employee training, risk management, and data handling procedures and policies could be characterized as
which type of security measure?

Option A : Non-essential

Option B : Management

Option C : Preventative

Option D : Administrative

Correct Answer: D

QUESTION: 8

What type of database attack would allow a customer service employee to determine quarterly sales results
before they are publicly announced?

Option A : Polyinstantiation

Option B : Inference

Option C : Aggregation

Option D : Data mining

Correct Answer: A

QUESTION: 9

Which type of disaster recovery plan (DRP) testing carries the MOST operational risk?

Option A : Cutover

Option B : Walkthrough

Option C : Tabletop

Option D : Parallel

Correct Answer: C

QUESTION: 10

Which of the following is included in change management?

Option A : Business continuity testing

Option B : User Acceptance Testing (UAT) before implementation

Option C : Technical review by business owner

Option D : Cost-benefit analysis (CBA) after implementation

Correct Answer: A

QUESTION: 11

The security team plans on using automated account reconciliation in the corporate user access review
process. Which of the following must be implemented for the BEST results with fewest errors when running
the audit?

Option A : Removal of service accounts from review

Option B : Segregation of Duties (SoD)

Option C : Clear provisioning policies

Option D : Frequent audits

Correct Answer: C

QUESTION: 12

What is the benefit of an operating system (OS) feature that is designed to prevent an application from
executing code from a non-executable memory region?

Option A : Identifies which security patches still need to be installed on the system

Option B : Stops memory resident viruses from propagating their payload

Option C : Reduces the risk of polymorphic viruses from encrypting their payload

Option D : Helps prevent certain exploits that store code in buffers

Correct Answer: C

QUESTION: 13

A developer is creating an application that requires secure logging of all user activity. What is the BEST
permission the developer should assign to the log file to ensure requirements are met?

Option A : Read

Option B : Execute

Option C : Write

Option D : Append

Correct Answer: C

QUESTION: 14

Which of the following goals represents a modern shift in risk management according to National Institute of
Standards and Technology (NIST)?

Option A : Focus on operating environments that are changing, evolving, and full of emerging threats.

Option B : Secure information technology (IT) systems that store, process, or transmit organizational
information.

Option C : Enable management to make well-informed risk-based decisions justifying security
expenditure.

Option D : Provide an improved mission accomplishment approach.

Correct Answer: C

QUESTION: 15

Which event magnitude is defined as deadly, destructive, and disruptive when a hazard interacts with human
vulnerability?

Option A : Disaster

Option B : Catastrophe

Option C : Crisis

Option D : Accident

Correct Answer: B

QUESTION: 16

A security professional can BEST mitigate the risk of using a Commercial Off-The-Shelf (COTS) solution by
deploying the application with which of the following controls in place?

Option A : Whitelisting application

Option B : Network segmentation

Option C : Hardened configuration

Option D : Blacklisting application

Correct Answer: A

QUESTION: 17

International bodies established a regulatory scheme that defines how weapons are exchanged between the
signatories. It also addresses cyber weapons, including malicious software, Command and Control (C2)
software, and internet surveillance software. This is a description of which of the following?

Option A : General Data Protection Regulation (GDPR)

Option B : Palermo convention

Option C : Wassenaar arrangement

Option D : International Traffic in Arms Regulations (ITAR)

Correct Answer: C

QUESTION: 18

Which of the following should be done at a disaster site before any item is removed, repaired, or replaced?

Option A : Take photos of the damage

Option B : Notify all of the Board of Directors

Option C : Communicate with the press following the communications plan

Option D : Dispatch personnel to the disaster recovery (DR) site

Correct Answer: A

QUESTION: 19

Which of the following departments initiates the request, approval, and provisioning business process?

Option A : Operations

Option B : Human resources (HR)

Option C : Information technology (IT)

Option D : Security

Correct Answer: A

QUESTION: 20

Which technique helps system designers consider potential security concerns of their systems and
applications?

Option A : Penetration testing

Option B : Threat modeling

Option C : Manual inspections and reviews

Option D : Source code review

Correct Answer: B

QUESTION: 21

What BEST describes the confidentiality, integrity, availability triad?

Option A : A tool used to assist in understanding how to protect the organization's data

Option B : The three-step approach to determine the risk level of an organization

Option C : The implementation of security systems to protect the organization's data

Option D : A vulnerability assessment to see how well the organization's data is protected

Correct Answer: C

QUESTION: 22

In order to provide dual assurance in a digital signature system, the design MUST include which of the
following?

Option A : The public key must be unique for the signed document.

Option B : The signature process must generate adequate authentication credentials.

Option C : The hash of the signed document must be present.

Option D : The encrypted private key must be provided in the signing certificate.

Correct Answer: B

QUESTION: 23

Which of the following is established to collect information Se eee ee ee nation readily available in part
through implemented security controls?

Option A : Security Assessment Report (SAR)

Option B : Organizational risk tolerance

Option C : Information Security Continuous Monitoring (ISCM)

Option D : Risk assessment report

Correct Answer: D

QUESTION: 24

An organization recently upgraded to a Voice over Internet Protocol (VoIP) phone system. Management is
concerned with unauthorized phone usage. A security consultant is responsible for putting together a plan to
secure these phones. Administrators have assigned unique personal identification number (PIN) codes for
each person in the organization. What is the BEST solution?

Option A : Use phone locking software to enforce usage and PIN policies.

Option B : Inform the user to change the PIN regularly. Implement call detail records (CDR) reports to
track usage.

Option C : Have the administrator enforce a policy to change the PIN regularly. Implement call detail
records (CDR) reports to track usage.

Option D : Have the administrator change the PIN regularly. Implement call detail records (CDR) reports to
track usage.

Correct Answer: C

QUESTION: 25

What action should be taken by a business line that is unwilling to accept the residual risk in a system after
implementing compensating controls?

Option A : Notify the audit committee of the situation.

Option B : Purchase insurance to cover the residual risk.

Option C : Implement operational safeguards.

Option D : Find another business line willing to accept the residual risk.

Correct Answer: B

QUESTION: 26

A security engineer is required to integrate security into a software project that is implemented by small
groups that quickly, continuously, and independently develop, test, and deploy code to the cloud. The
engineer will MOST likely integrate with which software development process?

Option A : Service-oriented architecture (SOA)

Option B : Spiral Methodology

Option C : Structured Waterfall Programming Development

Option D : Devops Integrated Product Team (IPT)

Correct Answer: C

QUESTION: 27

Which of the following MUST be done before a digital forensics investigator may acquire digital evidence?

Option A : Inventory the digital evidence.

Option B : Isolate the digital evidence.

Option C : Verify that the investigator has the appropriate legal authority to proceed.

Option D : Perform hashing to verify the integrity of the digital evidence.

Correct Answer: C

QUESTION: 28

Clothing retailer employees are provisioned with user accounts that provide access to resources at partner
businesses. All partner businesses use common identity and access management (IAM) protocols and
differing technologies. Under the Extended Identity principle, what is the process flow between partner
businesses to allow this IAM action?

Option A : Clothing retailer acts as identity provider (IdP), confirms identity of user using industry
standards, then sends credentials to partner businesses that act as a ServiceProvider and allows access
to services.

Option B : Clothing retailer acts as User Self Service, confirms identity of user using industry standards,
then sends credentials to partner businesses that act as a ServiceProvider and allows access to services.

Option C : Clothing retailer acts as Service Provider, confirms identity of user using industry standards,
then sends credentials to partner businesses that act as an identityprovider (IdP) and allows access to
resources.

Option D : Clothing retailer acts as Access Control Provider, confirms access of user using industry
standards, then sends credentials to partner businesses that act as a ServiceProvider and allows access
to resources.

Correct Answer: A

QUESTION: 29

A security practitioner has been asked to model best practices for disaster recovery (DR) and business
continuity. The practitioner has decided that a formal committee is needed to establish a business continuity
policy. Which of the following BEST describes this stage of business continuity development?

Option A : Project Initiation and Management

Option B : Risk Evaluation and Control

Option C : Developing and Implementing business continuity plans (BCP)

Option D : Business impact analysis (BIA)

Correct Answer: D

QUESTION: 30

A security professional was tasked with rebuilding a company's wireless infrastructure. Which of the following
are the MOST important factors to consider while making a decision on which wireless spectrum to deploy?

Option A : Hybrid frequency band, service set identifier (SSID), and interpolation

Option B : Performance, geographic location, and radio signal interference

Option C : Facility size, intermodulation, and direct satellite service

Option D : Existing client devices, manufacturer reputation, and electrical interference

Correct Answer: D

QUESTION: 31

When designing a Cyber-Physical System (CPS), which of the following should be a security practitioner's first
consideration?

Option A : Detection of sophisticated attackers

Option B : Resiliency of the system

Option C : Topology of the network used for the system

Option D : Risk assessment of the system

Correct Answer: B

QUESTION: 32

A company is enrolled in a hard drive reuse program where decommissioned equipment is sold back to the
vendor when it is no longer needed. The vendor pays more money for functioning drives than for equipment that
is no longer operational. Which method of data sanitization would provide the most secure means of
preventing unauthorized data loss, while also receiving the most money from the vendor?

Option A : Pinning

Option B : Single-pass wipe

Option C : Degaussing

Option D : Multi-pass wipes

Correct Answer: C

QUESTION: 33

The acquisition of personal data being obtained by a lawful and fair means is an example of what principle?

Option A : Data Quality Principle

Option B : Openness Principle

Option C : Purpose Specification Principle

Option D : Collection Limitation Principle

Correct Answer: D

QUESTION: 34

A company wants to store data related to users on an offsite server. What method can be deployed to
protect the privacy of the user's information while maintaining the field-level configuration of the database?

Option A : Encryption

Option B : Encoding

Option C : Tokenization

Option D : Hashing

Correct Answer: A

QUESTION: 35

An organization is trying to secure instant messaging (IM) communications through its network perimeter.
Which of the following is the MOST significant challenge?

Option A : IM clients can interoperate between multiple vendors.

Option B : IM clients can run without administrator privileges.

Option C : IM clients can utilize random port numbers.

Option D : IM clients can run as executables that do not require installation.

Correct Answer: B

QUESTION: 36

An organization wants to share data securely with their partners via the Internet. Which standard port is
typically used to meet this requirement?

Option A : Set up a server on User Datagram Protocol (UDP) port 69

Option B : Set up a server on Transmission Control Protocol (TCP) port 21

Option C : Set up a server on Transmission Control Protocol (TCP) port 22

Option D : Set up a server on Transmission Control Protocol (TCP) port 80

Correct Answer: C

QUESTION: 37

What is the PRIMARY benefit of relying on Security Content Automation Protocol (SCAP)?

Option A : Save security costs for the organization.

Option B : Improve vulnerability assessment capabilities.

Option C : Standardize specifications between software security products.

Option D : Achieve organizational compliance with international standards.

Correct Answer: C

QUESTION: 38

Which of the following are the three MAIN categories of security controls?

Option A : Administrative, technical, physical

Option B : Corrective, detective, recovery

Option C : Confidentiality, integrity, availability

Option D : Preventative, corrective, detective

Correct Answer: A

QUESTION: 39

Which of the following is a key responsibility for a data steward assigned to manage an enterprise data lake?

Option A : Ensure proper business definition, value, and usage of data collected and stored within the
enterprise data lake.

Option B : Ensure proper and identifiable data owners for each data element stored within an enterprise
data lake.

Option C : Ensure adequate security controls applied to the enterprise data lake.

Option D : Ensure that any data passing within remit is being used in accordance with the rules and
regulations of the business.

Correct Answer: A

QUESTION: 40

Commercial off-the-shelf (COTS) software presents which of the following additional security concerns?

Option A : Vendors take on the liability for COTS software vulnerabilities.

Option B : In-house developed software is inherently less secure.

Option C : Exploits for COTS software are well documented and publicly available.

Option D : COTS software is inherently less secure.

Correct Answer: C

QUESTION: 41

A large human resources organization wants to integrate their identity management with a trusted partner
organization. The human resources organization wants to maintain the creation and management of the
identities and may want to share with other partners in the future. Which of the following options BEST
serves their needs?

Option A : Federated identity

Option B : Cloud Active Directory (AD)

Option C : Security Assertion Markup Language (SAML)

Option D : Single sign-on (SSO)

Correct Answer: A

QUESTION: 42

Which of the following is the top barrier for companies to adopt cloud technology?

Option A : Migration period

Option B : Data integrity

Option C : Cost

Option D : Security

Correct Answer: D

QUESTION: 43

The development team has been tasked with collecting data from biometric devices. The application will
support a variety of collection data streams. During the testing phase, the team utilizes data from an old
production database in a secure testing environment. What principle has the team taken into consideration?

Option A : Biometric data cannot be changed.

Option B : Separate biometric data streams require increased security.

Option C : The biometric devices are unknown.

Option D : Biometric data must be protected from disclosure.

Correct Answer: A

QUESTION: 44

Which of the following is the MOST effective method of detecting vulnerabilities in web-based applications
early in the secure Software Development Life Cycle (SDLC)?

Option A : Web application vulnerability scanning

Option B : Application fuzzing

Option C : Code review

Option D : Penetration testing

Correct Answer: C

QUESTION: 45

What is the MINIMUM standard for testing a disaster recovery plan (DRP)?

Option A : Semi-annually and in alignment with a fiscal half-year business cycle

Option B : Annually or less frequently depending upon audit department requirements

Option C : Quarterly or more frequently depending upon the advice of the information security manager

Option D : As often as necessary depending upon the stability of the environment and business
requirements

Correct Answer: D

QUESTION: 46

The Open Web Application Security Project's (OWASP) Software Assurance Maturity Model (SAMM) allows
organizations to implement a flexible software security strategy to measure organizational impact based on
what risk management aspect?

Option A : Risk tolerance

Option B : Risk exception

Option C : Risk treatment

Option D : Risk response

Correct Answer: D

QUESTION: 47

While reviewing the financial reporting risks of a third-party application, which of the following Service
Organization Control (SOC) reports will be the MOST useful?

Option A : SOC 1

Option B : SOC 2

Option C : SOC 3

Option D : SOC for cybersecurity

Correct Answer: A

QUESTION: 48

An organization outgrew its internal data center and is evaluating third-party hosting facilities. In this
evaluation, which of the following is a PRIMARY factor for selection?

Option A : Facility provides an acceptable level of risk

Option B : Facility provides disaster recovery (DR) services

Option C : Facility provides the most cost-effective solution

Option D : Facility has physical access protection measures

Correct Answer: C

QUESTION: 49

What is the PRIMARY objective of the post-incident phase of the incident response process in the security
operations center (SOC)?

Option A : Improve the IR process.

Option B : Communicate the IR details to the stakeholders.

Option C : Validate the integrity of the IR.

Option D : Finalize the IR.

Correct Answer: A

QUESTION: 50

Why would a system be structured to isolate different classes of information from one another and segregate
them by user jurisdiction?

Option A : The organization can avoid e-discovery processes in the event of litigation.

Option B : The organization's infrastructure is clearly arranged and the scope of responsibility is simplified.

Option C : The organization can vary its system policies to comply with conflicting national laws.

Option D : The organization is required to provide different services to various third-party organizations.

Correct Answer: C

QUESTION: 51

Which of the following techniques evaluates the secure design principles of network or software architectures?

Option A : Threat modeling

Option B : Risk modeling

Option C : Waterfall method

Option D : Fuzzing

Correct Answer: A

QUESTION: 52

A technician is troubleshooting a client's report about poor wireless performance. Using a client monitor, the
technician notes the following information:

Which of the following is MOST likely the cause of the issue?

Option A : Channel overlap

Option B : Poor signal

Option C : Incorrect power settings

Option D : Wrong antenna type

Correct Answer: A

QUESTION: 53

An engineer notices some late collisions on a half-duplex link. The engineer verifies that the devices on both
ends of the connection are configured for half duplex. Which of the following is the MOST likely cause of this
issue?

Option A : The link is improperly terminated.

Option B : One of the devices is misconfigured.

Option C : The cable length is excessive.

Option D : One of the devices has a hardware issue.

Correct Answer: A

QUESTION: 54

An organization plans to acquire a commercial off-the-shelf (COTS) system to replace their aging home-built
reporting system. When should the organization's security team FIRST get involved in this acquisition's life
cycle?

Option A : When the system is being designed, purchased, programmed, developed, or otherwise
constructed

Option B : When the system is verified and validated

Option C : When the system is deployed into production

Option D : When the need for a system is expressed and the purpose of the system is documented

Correct Answer: D

QUESTION: 55

An attack utilizing social engineering and a malicious Uniform Resource Locator (URL) link to take advantage
of a victim's existing browser session with a web application is an example of which of the following types of
attack?

Option A : Cross-Site Scripting (XSS)

Option B : Cross-site request forgery (CSRF)

Option C : Injection

Option D : Click jacking

Correct Answer: B

QUESTION: 56

Which of the following is the MOST comprehensive Business Continuity (BC) test?

Option A : Full functional drill

Option B : Full table top

Option C : Full simulation

Option D : Full interruption

Correct Answer: C

QUESTION: 57

What documentation is produced FIRST when performing an effective physical loss control process?

Option A : Deterrent controls list

Option B : Security standards list

Option C : Inventory list

Option D : Asset valuation list

Correct Answer: C

QUESTION: 58

Which of the following actions should be taken by a security professional when a mission critical computer
network attack is suspected?

Option A : Isolate the network, log an independent report, fix the problem, and redeploy the computer.

Option B : Isolate the network, install patches, and report the occurrence.

Option C : Prioritize, report, and investigate the occurrence.

Option D : Turn the router off, perform forensic analysis, apply the appropriate fix, and log incidents.

Correct Answer: C

QUESTION: 59

Which of the following is a reason to use manual patch installation instead of automated patch
management?

Option A : The likelihood of system or application incompatibilities will be decreased.

Option B : The ability to cover large geographic areas is increased.

Option C : The cost required to install patches will be reduced.

Option D : The time during which systems will remain vulnerable to an exploit will be decreased.

Correct Answer: A

QUESTION: 60

The adoption of an enterprise-wide Business Continuity (BC) program requires which of the following?

Option A : Good communication throughout the organization

Option B : A completed Business Impact Analysis (BIA)

Option C : Formation of Disaster Recovery (DR) project team

Option D : Well-documented information asset classification

Correct Answer: D

QUESTION: 61

What is the FINAL step in the waterfall method for contingency planning?

Option A : Maintenance

Option B : Testing

Option C : Implementation

Option D : Training

Correct Answer: A

QUESTION: 62

Which of the following is the MOST effective preventative method to identify security flaws in software?

Option A : Monitor performance in production environments.

Option B : Perform a structured code review.

Option C : Perform application penetration testing.

Option D : Use automated security vulnerability testing tools.

Correct Answer: B

QUESTION: 63

Which of the following is a Key Performance Indicator (KPI) for a security training and awareness program?

Option A : The number of security audits performed

Option B : The number of attendees at security training events

Option C : The number of security training materials created

Option D : The number of security controls implemented

Correct Answer: B

QUESTION: 64

Which of the following is a MAJOR concern when there is a need to preserve or retain information for future
retrieval?

Option A : Laws and regulations may change in the interim, making it unnecessary to retain the
information.

Option B : The expense of retaining the information could become untenable for the organization.

Option C : The organization may lose track of the information and not dispose of it securely.

Option D : The technology needed to retrieve the information may not be available in the future.

Correct Answer: C

QUESTION: 65

Which of the following is an advantage of Secure Shell (SSH)?

Option A : It operates at the network layer.

Option B : It encrypts transmitted User ID and passwords.

Option C : It uses challenge-response to authenticate each party.

Option D : It uses the International Data Encryption Algorithm (IDEA) for data privacy.

Correct Answer: C

QUESTION: 66

What protocol is often used between gateway hosts on the Internet?

To control the scope of a Business Continuity Management (BCM) system, a security practitioner should
identify which of the following?

Option A : Size, nature, and complexity of the organization

Option B : Business needs of the security organization

Option C : All possible risks

Option D : Adaptation model for future recovery planning

Correct Answer: B

QUESTION: 67

Which of the following is the BEST technique to facilitate secure software development?

Option A : Adhere to secure coding practices for the software application under development.

Option B : Conduct penetrating testing for the software application under development.

Option C : Develop a threat modeling review for the software application under development.

Option D : Perform a code review process for the software application under development.

Correct Answer: A

QUESTION: 68

What is the BEST approach for maintaining ethics when a security professional is unfamiliar with the culture
of a country and is asked to perform a questionable task?

Option A : Exercise due diligence when deciding to circumvent host government requests.

Option B : Become familiar with the means in which the code of ethics is applied and considered.

Option C : Complete the assignment based on the customer's wishes.

Option D : Execute according to the professional's comfort level with the code of ethics.

Correct Answer: B

QUESTION: 69

An employee receives a promotion that entitles them to access higher-level functions on the company's
accounting system, while also keeping their access to the previous system, which is no longer needed or
applicable. What is the name of the process that tries to remove this excess privilege?

Option A : Access provisioning

Option B : Segregation of Duties (SoD)

Option C : Access certification

Option D : Access aggregation

Correct Answer: B

QUESTION: 70

A development operations team would like to start building new applications delegating the cybersecurity
responsibility as much as possible to the service provider. Which of the following environments BEST fits
their need?

Option A : Cloud Virtual Machines (VM)

Option B : Cloud application container within a Virtual Machine (VM)

Option C : On premises Virtual Machine (VM)

Option D : Self-hosted Virtual Machine (VM)

Correct Answer: A

QUESTION: 71

An application team is running tests to ensure that user entry fields will not accept invalid input of any
length. What type of negative testing is this an example of?

Option A : Reasonable data

Option B : Population of required fields

Option C : Allowed number of characters

Option D : Session testing

Correct Answer: C

QUESTION: 72

Which of the following is the final phase of the identity and access provisioning lifecycle?

Option A : Recertification

Option B : Revocation

Option C : Removal

Option D : Validation

Correct Answer: B

QUESTION: 73

Which of the following is true of Service Organization Control (SOC) reports?

Option A : SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an
organization's controls

Option B : SOC 2 Type 2 reports include information of interest to the service organization's management

Option C : SOC 2 Type 2 reports assess internal controls for financial reporting

Option D : SOC 3 Type 2 reports assess internal controls for financial reporting

Correct Answer: B

QUESTION: 74

Functional security testing is MOST critical during which phase of the system development life cycle (SDLC)?

Option A : Operations / Maintenance

Option B : Implementation

Option C : Acquisition / Development

Option D : Initiation

Correct Answer: B

QUESTION: 75

Which of the following media is LEAST problematic with data remanence?

Option A : Dynamic Random Access Memory (DRAM)

Option B : Electrically Erasable Programmable Read-Only Memory (EEPROM)

Option C : Flash memory

Option D : Magnetic disk

Correct Answer: A

QUESTION: 76

Which of the following authorization standards is built to handle Application Programming Interface (API)
access for Federated Identity Management (FIM)?

Option A : Remote Authentication Dial-In User Service (RADIUS)

Option B : Terminal Access Controller Access Control System Plus (TACACS+)

Option C : Open Authorization (OAuth)

Option D : Security Assertion Markup Language (SAML)

Correct Answer: C

QUESTION: 77

Which inherent password weakness does a One Time Password (OTP) generator overcome?

Option A : Static passwords must be changed frequently.

Option B : Static passwords are too predictable.

Option C : Static passwords are difficult to generate.

Option D : Static passwords are easily disclosed.

Correct Answer: D

QUESTION: 78

In the Common Criteria (CC) for Information Technology (IT) security evaluation, increasing Evaluation
Assurance Levels (EAL) results in which of the following?

Option A : Increased functionality

Option B : Increased interoperability

Option C : Increase in resource requirement

Option D : Increase in evaluated systems

Correct Answer: C

QUESTION: 79

After a breach incident, investigators narrowed the attack to a specific network administrator's credentials.
However, there was no evidence to determine how the hackers obtained the credentials. Which of the
following actions could have BEST prevented the breach described above?

Option A : A periodic review of network access logs

Option B : A periodic review of active users on the network

Option C : A periodic review of all privileged accounts actions

Option D : A periodic review of password strength of all users across the organization

Correct Answer: C

QUESTION: 80

When conducting a security assessment of access controls, which activity is part of the data analysis phase?

Option A : Collect logs and reports.

Option B : Present solutions to address audit exceptions.

Option C : Categorize and Identify evidence gathered during the audit

Option D : Conduct statistical sampling of data transactions.

Correct Answer: C

QUESTION: 81

A corporate security policy specifies that all devices on the network must have updated operating system
patches and anti-malware software. Which technology should be used to enforce this policy?

Option A : Network Address Translation (NAT)

Option B : Stateful Inspection

Option C : Packet filtering

Option D : Network Access Control (NAC)

Correct Answer: D

QUESTION: 82

Why are mobile devices sometimes difficult to investigate in a forensic examination?

Option A : There are no forensics tools available for examination.

Option B : They may have proprietary software installed to protect them.

Option C : They may contain cryptographic protection.

Option D : They have password-based security at logon.

Correct Answer: B

QUESTION: 83

Which type of test suite should be run for fast feedback during application development?

Option A : Full regression

Option B : End-to-end

Option C : Smoke

Option D : Specific functionality

Correct Answer: C

QUESTION: 84

Which of the following is TRUE regarding equivalence class testing?

Option A : It is characterized by the stateless behavior of a process implemented in a function.

Option B : An entire partition can be covered by considering only one representative value from that
partition.

Option C : Test inputs are obtained from the derived boundaries of the given functional specifications.

Option D : It is useful for testing communications protocols and graphical user interfaces.

Correct Answer: B
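
Worked example for Questions 71 and 84, added here and not part of the original question set: the difference between equivalence class testing (one representative value per partition) and boundary value analysis (values on and just outside each edge), applied to a field that must accept between min_len and max_len characters. The spec (3 to 16 characters), the reference validator and the deliberately off-by-one validator are all constructed for this example; the bug is hypothetical and is there only to show which technique catches it.

```python
def validate_len(value: str, min_len: int, max_len: int) -> bool:
    """Reference check: accept exactly min_len..max_len characters."""
    return min_len <= len(value) <= max_len


def validate_len_off_by_one(value: str, min_len: int, max_len: int) -> bool:
    """Hypothetical buggy check (example only): rejects the longest valid length."""
    return min_len <= len(value) < max_len


def equivalence_cases(min_len: int, max_len: int):
    """Equivalence class testing: the input space splits into three partitions
    (too short, valid, too long) and one interior representative covers each.
    Each case is (input length, expected acceptance)."""
    return [
        (max(0, min_len // 2), False),      # too-short partition
        ((min_len + max_len) // 2, True),   # valid partition
        (max_len + 10, False),              # too-long partition
    ]


def boundary_cases(min_len: int, max_len: int):
    """Boundary value analysis: the values where off-by-one mistakes live."""
    return [
        (max(0, min_len - 1), False),
        (min_len, True),
        (max_len, True),
        (max_len + 1, False),
    ]


def run_cases(validator, cases, min_len: int, max_len: int):
    """Feed each case to the validator; return the input lengths where the
    validator disagrees with the specification (an empty list means it passed)."""
    failures = []
    for length, expected in cases:
        value = "a" * length
        if validator(value, min_len, max_len) != expected:
            failures.append(length)
    return failures


if __name__ == "__main__":
    for name, v in (("reference", validate_len), ("off-by-one", validate_len_off_by_one)):
        print(name, "equivalence:", run_cases(v, equivalence_cases(3, 16), 3, 16),
              "boundary:", run_cases(v, boundary_cases(3, 16), 3, 16))
```

The off-by-one validator passes every equivalence class case, because one interior representative per partition never lands on an edge; the boundary case at length 16 is what exposes it. The too-short and too-long partitions together are also the negative test for "invalid input of any length" from Question 71.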

QUESTION: 85

What are the roles within a scrum methodology?

Option A : Scrum master, requirements manager, and development team

Option B : System owner, scrum master, and development team

Option C : Scrum master, quality assurance team, and scrum team

Option D : Product owner, scrum master, and scrum team

Correct Answer: D

QUESTION: 86

Which of the following is the weakest form of protection for an application that handles Personally
Identifiable Information (PII)?

Option A : Transport Layer Security (TLS)

Option B : Ron Rivest Cipher 4 (RC4) encryption

Option C : Security Assertion Markup Language (SAML)

Option D : Multifactor authentication

Correct Answer: B

QUESTION: 87

In fault-tolerant systems, what do rollback capabilities permit?

Option A : Restoring the system to a previous functional state

Option B : Identifying the error that caused the problem

Option C : Allowing the system to run in a reduced manner

Option D : Isolating the error that caused the problem

Correct Answer: A

QUESTION: 88

What technique used for spoofing the origin of an email can successfully conceal the sender's Internet
Protocol (IP) address?

Option A : Change In-Reply-To data

Option B : Web crawling

Option C : Onion routing

Option D : Virtual Private Network (VPN)

Correct Answer: C

QUESTION: 89

Activity to baseline, tailor, and scope security controls takes place during which National Institute of Standards
and Technology (NIST) Risk Management Framework (RMF) step?

Option A : Authorize IS.

Option B : Assess security controls.

Option C : Categorize information system (IS).

Option D : Select security controls.

Correct Answer: D

QUESTION: 90

When conducting a security assessment of access controls, which activity is part of the data analysis phase?

Option A : Present solutions to address audit exceptions.

Option B : Conduct statistical sampling of data transactions.

Option C : Categorize and identify evidence gathered during the audit.

Option D : Collect logs and reports.

Correct Answer: C

QUESTION: 91

Which of the following is the MOST common method of memory protection?

Option A : Compartmentalization

Option B : Segmentation

Option C : Error correction

Option D : Virtual Local Area Network (VLAN) tagging

Correct Answer: B

QUESTION: 92

Who is responsible for the protection of information when it is shared with or provided to other
organizations?

Option A : Systems owner

Option B : Authorizing Official (AO)

Option C : Information owner

Option D : Security officer

Correct Answer: C

QUESTION: 93

A Security Operations Center (SOC) receives an incident response notification on a server with an
active intruder who has planted a backdoor. Initial notifications are sent and communications are
established. What MUST be considered or evaluated before performing the next step?

Option A : Notifying law enforcement is crucial before hashing the contents of the server hard drive

Option B : Identifying who executed the incident is more important than how the incident happened

Option C : Removing the server from the network may prevent catching the intruder

Option D : Copying the contents of the hard drive to another storage device may damage the evidence

Correct Answer: D

QUESTION: 94

An international medical organization with headquarters in the United States (US) and branches in
France wants to test a drug in both countries. What is the organization allowed to do with the test subject's
data?

Option A : Aggregate it into one database in the US

Option B : Process it in the US, but store the information in France

Option C : Share it with a third party

Option D : Anonymize it and process it in the US

Correct Answer: B

QUESTION: 95

The core component of Role Based Access Control (RBAC) must be constructed of defined data
elements. Which elements are required?

Option A : Users, permissions, operations, and protected objects

Option B : Roles, accounts, permissions, and protected objects

Option C : Users, roles, operations, and protected objects

Option D : Roles, operations, accounts, and protected objects

Correct Answer: C

QUESTION: 96

The MAIN use of Layer 2 Tunneling Protocol (L2TP) is to tunnel data

Option A : through a firewall at the Session layer

Option B : through a firewall at the Transport layer

Option C : in the Point-to-Point Protocol (PPP)

Option D : in the Payload Compression Protocol (PCP)

Correct Answer: C

QUESTION: 97

Even though a particular digital watermark is difficult to detect, which of the following represents a way it
might still be inadvertently removed?

Option A : Truncating parts of the data

Option B : Applying Access Control Lists (ACL) to the data

Option C : Appending non-watermarked data to watermarked data

Option D : Storing the data in a database

Correct Answer: A

QUESTION: 98

A security compliance manager of a large enterprise wants to reduce the time it takes to perform
network, system, and application security compliance audits while increasing quality and effectiveness of the
results. What should be implemented to BEST achieve the desired results?

Option A : Configuration Management Database (CMDB)

Option B : Source code repository

Option C : Configuration Management Plan (CMP)

Option D : System performance monitoring application

Correct Answer: A

QUESTION: 99

What is the foundation of cryptographic functions?

Option A : Encryption

Option B : Cipher

Option C : Hash

Option D : Entropy

Correct Answer: D

QUESTION: 100

Which of the following is the MOST effective method to mitigate Cross-Site Scripting (XSS) attacks?

Option A : Use Software as a Service (SaaS)

Option B : Whitelist input validation

Option C : Require client certificates

Option D : Validate data output

Correct Answer: B

QUESTION: 101

Which of the following is a direct monetary cost of a security incident?

Option A : Morale

Option B : Reputation

Option C : Equipment

Option D : Information

Correct Answer: C

QUESTION: 102

What is the process of removing sensitive data from a system or storage device with the intent that the data
cannot be reconstructed by any known technique?

Option A : Purging

Option B : Encryption

Option C : Destruction

Option D : Clearing

Correct Answer: A

QUESTION: 103

What type of wireless network attack BEST describes an Electromagnetic Pulse (EMP) attack?

Option A : Radio Frequency (RF) attack

Option B : Denial of Service (DoS) attack

Option C : Data modification attack

Option D : Application-layer attack

Correct Answer: B

QUESTION: 104

Which of the following is the PRIMARY reason for employing physical security personnel at entry points in
facilities where card access is in operation?

Option A : To verify that only employees have access to the facility.

Option B : To identify present hazards requiring remediation.

Option C : To monitor staff movement throughout the facility.

Option D : To provide a safe environment for employees.

Correct Answer: D

QUESTION: 105

At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a
datagram handled?

Option A : Transport Layer

Option B : Data-Link Layer

Option C : Network Layer

Option D : Application Layer

Correct Answer: C

QUESTION: 106

Which of the following is the PRIMARY reason to perform regular vulnerability scanning of an organization
network?

Option A : Provide vulnerability reports to management.

Option B : Validate vulnerability remediation activities.

Option C : Prevent attackers from discovering vulnerabilities.

Option D : Remediate known vulnerabilities.

Correct Answer: B

QUESTION: 107

Although code using a specific program language may not be susceptible to a buffer overflow attack,

Option A : most calls to plug-in programs are susceptible.

Option B : most supporting application code is susceptible.

Option C : the graphical images used by the application could be susceptible.

Option D : the supporting virtual machine could be susceptible.

Correct Answer: C

QUESTION: 108

Which of the following is a weakness of Wired Equivalent Privacy (WEP)?

Option A : Length of Initialization Vector (IV)

Option B : Protection against message replay

Option C : Detection of message tampering

Option D : Built-in provision to rotate keys

Correct Answer: A

QUESTION: 109

An employee of a retail company has been granted an extended leave of absence by Human Resources (HR).
This information has been formally communicated to the access provisioning team. Which of the following is
the BEST action to take?

Option A : Revoke access temporarily.

Option B : Block user access and delete user account after six months.

Option C : Block access to the offices immediately.

Option D : Monitor account usage temporarily.

Correct Answer: D

QUESTION: 110

Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create
information leakage?

Option A : Transference

Option B : Covert channel

Option C : Bleeding

Option D : Cross-talk

Correct Answer: D

QUESTION: 111

Sensitive customer data is going to be added to a database. What is the MOST effective implementation for
ensuring data privacy?

Option A : Discretionary Access Control (DAC) procedures

Option B : Mandatory Access Control (MAC) procedures

Option C : Data link encryption

Option D : Segregation of duties

Correct Answer: D

QUESTION: 112

What type of encryption is used to protect sensitive data in transit over a network?

Option A : Payload encryption and transport encryption

Option B : Authentication Headers (AH)

Option C : Keyed-Hashing for Message Authentication

Option D : Point-to-Point Encryption (P2PE)

Correct Answer: A

QUESTION: 113

A software security engineer is developing a black box-based test plan that will measure the system's
reaction to incorrect or illegal inputs or unexpected operational errors and situations. Match the functional
testing techniques on the left with the correct input parameters on the right.

Answer :

QUESTION: 114

Which of the following is the MOST important output from a mobile application threat modeling exercise
according to Open Web Application Security Project (OWASP)?

Option A : Application interface entry and endpoints

Option B : The likelihood and impact of a vulnerability

Option C : Countermeasures and mitigations for vulnerabilities

Option D : A data flow diagram for the application and attack surface analysis

Correct Answer: D

QUESTION: 115

When planning a penetration test, the tester will be MOST interested in which information?

Option A : Places to install back doors

Option B : The main network access points

Option C : Job application handouts and tours

Option D : Exploits that can attack weaknesses

Correct Answer: D

QUESTION: 116

Which of the following BEST describes the purpose of the security functional requirements of Common
Criteria?

Option A : Level of assurance of the Target of Evaluation (TOE) in intended operational environment

Option B : Selection to meet the security objectives stated in test documents

Option C : Security behavior expected of a TOE

Option D : Definition of the roles and responsibilities

Correct Answer: C

QUESTION: 117

During the risk assessment phase of the project the CISO discovered that a college within the University is
collecting Protected Health Information (PHI) data via an application that was developed in-house. The
college collecting this data is fully aware of the regulations for the Health Insurance Portability and
Accountability Act (HIPAA) and is fully compliant. What is the best approach for the CISO?

Option A : Document the system as high risk

Option B : Perform a vulnerability assessment

Option C : Perform a quantitative threat assessment

Option D : Notate the information and move on

Correct Answer: B

QUESTION: 118

Single Sign-On (SSO) is PRIMARILY designed to address which of the following?

Option A : Confidentiality and Integrity

Option B : Availability and Accountability

Option C : Integrity and Availability

Option D : Accountability and Assurance

Correct Answer: D

QUESTION: 119

What does an organization FIRST review to assure compliance with privacy requirements?

Option A : Best practices

Option B : Business objectives

Option C : Legal and regulatory mandates

Option D : Employee's compliance to policies and standards

Correct Answer: C

QUESTION: 120

Regarding asset security and appropriate retention, which of the following INITIAL top three areas are
important to focus on?

Option A : Security control baselines, access controls, employee awareness and training

Option B : Human resources, asset management, production management

Option C : Supply chain lead time, inventory control, encryption

Option D : Polygraphs, crime statistics, forensics

Correct Answer: A

QUESTION: 121

Data remanence refers to which of the following?

Option A : The remaining photons left in a fiber optic cable after a secure transmission.

Option B : The retention period required by law or regulation.

Option C : The magnetic flux created when removing the network connection from a server or personal
computer.

Option D : The residual information left on magnetic storage media after a deletion or erasure.

Correct Answer: D

QUESTION: 122

Retaining system logs for six months or longer can be valuable for what activities?

Option A : Disaster recovery and business continuity

Option B : Forensics and incident response

Option C : Identity and authorization management

Option D : Physical and logical access control

Correct Answer: B

QUESTION: 123

Which of the following provides the MOST protection against data theft of sensitive information when a
laptop is stolen?

Option A : Set up a BIOS and operating system password

Option B : Encrypt the virtual drive where confidential files can be stored

Option C : Implement a mandatory policy in which sensitive data cannot be stored on laptops, but only on
the corporate network

Option D : Encrypt the entire disk and delete contents after a set number of failed access attempts

Correct Answer: D

QUESTION: 124

Refer to the information below to answer the question. Desktop computers in an organization were sanitized
for re-use in an equivalent security environment. The data was destroyed in accordance with organizational
policy and all marking and other external indications of the sensitivity of the data that was formerly stored
on the magnetic drives were removed. Organizational policy requires the deletion of user data from Personal
Digital Assistant (PDA) devices before disposal. It may not be possible to delete the user data if the device is
malfunctioning. Which destruction method below provides the BEST assurance that the data has been
removed?

Option A : Knurling

Option B : Grinding

Option C : Shredding

Option D : Degaussing

Correct Answer: C

QUESTION: 125

Refer to the information below to answer the question. During the investigation of a security incident, it is
determined that an unauthorized individual accessed a system which hosts a database containing financial
information. Aside from the potential records which may have been viewed, which of the following should be
the PRIMARY concern regarding the database information?

Option A : Unauthorized database changes

Option B : Integrity of security logs

Option C : Availability of the database

Option D : Confidentiality of the incident

Correct Answer: A

QUESTION: 126

Refer to the information below to answer the question. A security practitioner detects client-based attacks on
the organization's network. A plan will be necessary to address these concerns. What MUST the plan include
in order to reduce client-side exploitation?

Option A : Approved web browsers

Option B : Network firewall procedures

Option C : Proxy configuration

Option D : Employee education

Correct Answer: D

QUESTION: 127

The use of a proximity card to gain access to a building is an example of what type of security control?

Option A : Legal

Option B : Logical

Option C : Physical

Option D : Procedural

Correct Answer: C

QUESTION: 128

Which of the following MUST system and database administrators be aware of and apply when configuring
systems used for storing personal employee data?

Option A : Secondary use of the data by business users

Option B : The organization's security policies and standards

Option C : The business purpose for which the data is to be used

Option D : The overall protection of corporate resources and data

Correct Answer: B

QUESTION: 129

When implementing a secure wireless network, which of the following supports authentication and
authorization for individual client endpoints?

Option A : Temporal Key Integrity Protocol (TKIP)

Option B : Wi-Fi Protected Access (WPA) Pre-Shared Key (PSK)

Option C : Wi-Fi Protected Access 2 (WPA2) Enterprise

Option D : Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Correct Answer: C

QUESTION: 130

Which of the following BEST mitigates a replay attack against a system using identity federation and Security
Assertion Markup Language (SAML) implementation?

Option A : Two-factor authentication

Option B : Digital certificates and hardware tokens

Option C : Timed sessions and Secure Socket Layer (SSL)

Option D : Passwords with alpha-numeric and special characters

Correct Answer: C

QUESTION: 131

When using third-party software developers, which of the following is the MOST effective method of
providing software development Quality Assurance (QA)?

Option A : Retain intellectual property rights through contractual wording.

Option B : Perform overlapping code reviews by both parties.

Option C : Verify that the contractors attend development planning meetings.

Option D : Create a separate contractor development environment.

Correct Answer: B

QUESTION: 132

Which of the following actions MUST be taken if a vulnerability is discovered during the maintenance stage in
a System Development Life Cycle (SDLC)?

Option A : Make changes following principle and design guidelines.

Option B : Stop the application until the vulnerability is fixed.

Option C : Report the vulnerability to product owner.

Option D : Monitor the application and review code.

Correct Answer: C

QUESTION: 133

An organization allows ping traffic into and out of their network. An attacker has installed a program on the
network that uses the payload portion of the ping packet to move data into and out of the network. What
type of attack has the organization experienced?

Option A : Data leakage

Option B : Unfiltered channel

Option C : Data emanation

Option D : Covert channel

Correct Answer: D
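
Worked example for Question 133, added here and not part of the original question set: a small triage script in Python that parses ICMP echo requests and flags payloads that are not what a real ping tool sends, which is how the tunnel in the question shows up in captured traffic. The four packets are constructed inline (two genuine pings, two tunnelled chunks); the default payload patterns are taken from the behaviour of the Windows ping and Linux iputils ping tools, not from the page, and the 4.5 bits/byte entropy threshold is an assumption chosen for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST = 8

# Default echo payloads of common ping tools (tool behaviour, not stated on the
# page): Windows sends this fixed 32-byte string; iputils ping on Linux sends an
# 8-byte timestamp followed by bytes whose value equals their offset (8, 9, ...).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; recomputed over a correct packet
    (checksum field included) it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request (ICMP header plus payload, no IP header)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": inet_checksum(packet) == 0, "payload": packet[8:]}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain text sits around 4."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_linux_ping(payload: bytes) -> bool:
    """Timestamp prefix, then payload[i] == i for every byte after offset 8."""
    return len(payload) >= 16 and all(payload[i] == (i & 0xFF) for i in range(8, len(payload)))


def classify_payload(payload: bytes):
    """'benign' if the payload is a known ping filler, otherwise 'suspicious'
    together with the indicators an analyst would want listed."""
    if payload == WINDOWS_PING_PAYLOAD or looks_like_linux_ping(payload):
        return "benign", []
    reasons = ["payload matches no known ping filler"]
    entropy = shannon_entropy(payload)
    if entropy > 4.5:
        reasons.append("high entropy (%.2f bits/byte)" % entropy)
    if len(payload) not in (32, 56):
        reasons.append("non-default size (%d bytes)" % len(payload))
    return "suspicious", reasons


def triage(packets):
    """Parse each echo request and return (seq, verdict, reasons) per packet."""
    results = []
    for pkt in packets:
        fields = parse_icmp(pkt)
        if fields["type"] != ICMP_ECHO_REQUEST:
            continue
        verdict, reasons = classify_payload(fields["payload"])
        results.append((fields["seq"], verdict, reasons))
    return results


def sample_packets():
    """Constructed traffic: two normal pings, then two tunnelled chunks."""
    linux = struct.pack("!II", 1700000000, 123456) + bytes(range(8, 56))
    exfil_text = b"root:x:0:0:root:/root:/bin/bash\n"  # 32 bytes, same size as a Windows ping
    exfil_blob = hashlib.sha256(b"chunk-0").digest() + hashlib.sha256(b"chunk-1").digest()
    return [build_echo(0x1234, 1, linux), build_echo(0x1234, 2, WINDOWS_PING_PAYLOAD),
            build_echo(0x1234, 3, exfil_text), build_echo(0x1234, 4, exfil_blob)]


if __name__ == "__main__":
    for seq, verdict, reasons in triage(sample_packets()):
        print(seq, verdict, "; ".join(reasons))
```

The text chunk is deliberately 32 bytes with low entropy, so neither size nor entropy alone would catch it; matching against the patterns the organization's own hosts actually send is what separates it from a normal ping, and it is also why allowing ping through unfiltered (the premise of the question) is a covert channel rather than just a nuisance.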

QUESTION: 134

Which of the following is an attacker MOST likely to target to gain privileged access to a system?

Option A : Programs that write to system resources

Option B : Programs that write to user directories

Option C : Log files containing sensitive information

Option D : Log files containing system calls

Correct Answer: A

QUESTION: 135

Alternate encoding such as hexadecimal representations is MOST often observed in which of the following
forms of attack?

Option A : Smurf

Option B : Rootkit exploit

Option C : Denial of Service (DoS)

Option D : Cross site scripting (XSS)

Correct Answer: D
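
Worked example for Questions 100 and 135, added here and not part of the original question set: the allowlist input validation the first question names, placed next to the output encoding its Option D describes, and exercised with the hex-encoded and percent-encoded payloads the second question is about. The username rule, the field names and the sample payloads are constructed for this example; the point it makes is that a denylist searching the raw bytes for "<script" is bypassed by every encoded variant, while an allowlist applied to the canonical (fully decoded) value rejects all of them.

```python
import html
import re
import urllib.parse

# Allowlist: what a username is permitted to look like (example rule). Anything
# else is rejected outright, so no encoded form of '<' reaches the application.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def canonicalize(raw: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding and HTML entities until the value stops changing,
    so double-encoded input (%253C -> %3C -> <) is validated in one canonical form."""
    current = raw
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def validate_username(raw: str) -> bool:
    """Allowlist validation on the canonical value."""
    return USERNAME_RE.fullmatch(canonicalize(raw)) is not None


def blocklist_allows(raw: str) -> bool:
    """The weak alternative: a denylist that looks for the literal tag in the
    raw input. Kept here only to show what alternate encodings defeat."""
    return "<script" not in raw.lower()


def render_comment(text: str) -> str:
    """Output encoding for an HTML text context: even if a '<' is stored,
    the browser receives data, not markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# Constructed attack inputs: the same script tag in four encodings.
PAYLOADS = [
    "<script>alert(1)</script>",                       # plain
    "%3Cscript%3Ealert(1)%3C/script%3E",               # percent-encoded
    "&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;",   # hex character references
    "%253Cscript%253E",                                # double percent-encoded
]


if __name__ == "__main__":
    for p in PAYLOADS:
        print("%-50s denylist passes: %-5s allowlist passes: %s"
              % (p, blocklist_allows(p), validate_username(p)))
    print(render_comment(PAYLOADS[0]))
```

Allowlist validation stops attacker-controlled characters at the entry point; output encoding is the second, independent layer for data that legitimately contains such characters (a free-text comment, for instance), and the two are not substitutes for each other.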

QUESTION: 136

In a financial institution, who has the responsibility for assigning the classification to a piece of information?

Option A : Chief Financial Officer (CFO)

Option B : Chief Information Security Officer (CISO)

Option C : Originator or nominated owner of the information

Option D : Department head responsible for ensuring the protection of the information

Correct Answer: C

QUESTION: 137

The use of strong authentication, the encryption of Personally Identifiable Information (PII) on database
servers, application security reviews, and the encryption of data transmitted across networks provide

Option A : data integrity.

Option B : defense in depth.

Option C : data availability.

Option D : non-repudiation.

Correct Answer: B

QUESTION: 138

Checking routing information on e-mail to determine it is in a valid format and contains valid information is
an example of which of the following anti-spam approaches?

Option A : Simple Mail Transfer Protocol (SMTP) blacklist

Option B : Reverse Domain Name System (DNS) lookup

Option C : Hashing algorithm

Option D : Header analysis

Correct Answer: D

QUESTION: 139

The key benefits of a signed and encrypted e-mail include

Option A : confidentiality, authentication, and authorization.

Option B : confidentiality, non-repudiation, and authentication.

Option C : non-repudiation, authorization, and authentication.

Option D : non-repudiation, confidentiality, and authorization.

Correct Answer: B

QUESTION: 140

In Business Continuity Planning (BCP), what is the importance of documenting business processes?

Option A : Provides senior management with decision-making tools

Option B : Establishes and adopts ongoing testing and maintenance strategies

Option C : Defines who will perform which functions during a disaster or emergency

Option D : Provides an understanding of the organization's interdependencies

Correct Answer: D

QUESTION: 141

What maintenance activity is responsible for defining, implementing, and testing updates to application
systems?

Option A : Program change control

Option B : Regression testing

Option C : Export exception control

Option D : User acceptance testing

Correct Answer: A

QUESTION: 142

While impersonating an Information Security Officer (ISO), an attacker obtains information from company
employees about their User IDs and passwords. Which method of information gathering has the attacker
used?

Option A : Trusted path

Option B : Malicious logic

Option C : Social engineering

Option D : Passive misuse

Correct Answer: C

QUESTION: 143

When transmitting information over public networks, the decision to encrypt it should be based on

Option A : the estimated monetary value of the information.

Option B : whether there are transient nodes relaying the transmission.

Option C : the level of confidentiality of the information.

Option D : the volume of the information.

Correct Answer: C

QUESTION: 144

Which of the following is an essential element of a privileged identity lifecycle management?

Option A : Regularly perform account re-validation and approval

Option B : Account provisioning based on multi-factor authentication

Option C : Frequently review performed activities and request justification

Option D : Account information to be provided by supervisor or line manager

Correct Answer: A

QUESTION: 145

Which of the following is the PRIMARY risk with using open source software in a commercial software
construction?

Option A : Lack of software documentation

Option B : License agreements requiring release of modified code

Option C : Expiration of the license agreement

Option D : Costs associated with support of the software

Correct Answer: B

QUESTION: 146

Which of the following is a PRIMARY advantage of using a third-party identity service?

Option A : Consolidation of multiple providers

Option B : Directory synchronization

Option C : Web based logon

Option D : Automated account management

Correct Answer: D

QUESTION: 147

Users require access rights that allow them to view the average salary of groups of employees. Which control
would prevent the users from obtaining an individual employee's salary?

Option A : Limit access to predefined queries

Option B : Segregate the database into a small number of partitions each with a separate security level

Option C : Implement Role Based Access Control (RBAC)

Option D : Reduce the number of people who have access to the system for statistical purposes

Correct Answer: A

QUESTION: 148

What is the purpose of an Internet Protocol (IP) spoofing attack?

Option A : To send excessive amounts of data to a process, making it unpredictable

Option B : To intercept network traffic without authorization

Option C : To disguise the destination address from a target's IP filtering devices

Option D : To convince a system that it is communicating with a known entity

Correct Answer: D

QUESTION: 149

When implementing a data classification program, why is it important to avoid too much granularity?

Option A : The process will require too many resources

Option B : It will be difficult to apply to both hardware and software

Option C : It will be difficult to assign ownership to the data

Option D : The process will be perceived as having value

Correct Answer: C

QUESTION: 150

What is the MOST important consideration from a data security perspective when an organization plans to
relocate?

Option A : Ensure the fire prevention and detection systems are sufficient to protect personnel

Option B : Review the architectural plans to determine how many emergency exits are present

Option C : Conduct a gap analysis of a new facilities against existing security requirements

Option D : Revise the Disaster Recovery and Business Continuity (DR/BC) plan

Correct Answer: C

QUESTION: 151

What does the result of a Cost-Benefit Analysis (CBA) on new security initiatives provide?

Option A : Quantifiable justification

Option B : Baseline improvement

Option C : Risk evaluation

Option D : Formalized acceptance

Correct Answer: A
