ISC2 CISSP Certified Information Systems Security Professional Exam Practice Test

Page: 1 / 14
Total 1486 questions
Question 1

Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?



Answer : A

The (ISC)² Code of Ethics is a set of principles and guidelines that govern the professional and ethical conduct of (ISC)² certified members and associates. The Code of Ethics consists of four mandatory canons, which are: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession. The canon that is most reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest is the second one: act honorably, honestly, justly, responsibly, and legally. This canon requires (ISC)² certified members and associates to uphold the highest standards of integrity, fairness, responsibility, and lawfulness in their professional activities. This includes preserving the value of the systems, applications, and entrusted information that they work with, and avoiding any conflicts of interest that may compromise their objectivity, impartiality, or loyalty. The other canons are not as directly related to the scenario as the second one, although they may also have some relevance. The first canon, protect society, the common good, necessary public trust and confidence, and the infrastructure, requires (ISC)² certified members and associates to safeguard the public interest, the common welfare, and the critical infrastructure from harm or misuse. This includes protecting the confidentiality, integrity, and availability of the systems, applications, and entrusted information that they work with, and reporting any incidents or breaches that may affect them. The third canon, provide diligent and competent service to principals, requires (ISC)² certified members and associates to serve their clients, employers, or stakeholders with diligence and competence. This includes delivering quality work, meeting the expectations and requirements, and respecting the rights and interests of the principals. The fourth canon, advance and protect the profession, requires (ISC)² certified members and associates to promote and enhance the information security profession. This includes maintaining and improving their knowledge and skills, sharing their expertise and experience, and adhering to the Code of Ethics and the professional standards.
Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, pp. 24-25; Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 1: Security and Risk Management, pp. 19-20.


Question 2

Which of the following determines how traffic should flow based on the status of the infrastructure?



Answer : C

The control plane is the part of a network that determines how traffic should flow based on the status of the infrastructure. The control plane consists of the protocols, algorithms, and policies that are used to calculate the best paths, routes, and forwarding decisions for the network traffic. The control plane communicates with the data plane, which is the part of the network that actually carries the traffic from the source to the destination. The control plane also communicates with the management plane, which is the part of the network that monitors, configures, and maintains the network devices and components. The control plane is the best answer among the given options to the question of which part of the network determines how traffic should flow based on the status of the infrastructure. The application plane is not a part of the network, but rather a layer of the Open Systems Interconnection (OSI) model that provides the interface and functionality for the network applications and services. The application plane does not determine how traffic should flow, but rather what type of traffic is generated or consumed by the applications and services. The data plane is the part of the network that actually carries the traffic from the source to the destination, as mentioned above. The data plane does not determine how traffic should flow, but rather executes the forwarding decisions made by the control plane. The traffic plane is not a part of the network, but rather a term that refers to the overall flow of traffic in the network. The traffic plane does not determine how traffic should flow, but rather reflects the result of the control plane and the data plane operations.
Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Communication and Network Security, p. 253; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 405.


Question 3

Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?



Answer : A

Negative testing is a method of software testing that involves providing invalid, unexpected, or erroneous input to the system or sub-system and verifying that it can handle it gracefully, without crashing, freezing, or producing incorrect results. Negative testing helps to identify the boundary conditions, error handling, and exception handling of the system or sub-system, and to ensure its robustness, reliability, and security. Negative testing is the best method among the given options to ensure that systems and sub-systems gracefully handle invalid input. Integration testing is a method of software testing that involves combining two or more components or modules of the system and verifying that they work together as expected. Integration testing helps to identify the interface, compatibility, and communication issues between the components or modules, and to ensure their functionality, performance, and quality. Integration testing does not focus on how the system or sub-system handles invalid input, but rather on how it interacts with other parts of the system. Unit testing is a method of software testing that involves testing each individual component or module of the system in isolation and verifying that it performs its intended function. Unit testing helps to identify the logic, syntax, and functionality errors of the component or module, and to ensure its correctness, completeness, and efficiency. Unit testing does not focus on how the system or sub-system handles invalid input, but rather on how it performs its own function. Acceptance testing is a method of software testing that involves testing the system or sub-system by the end users or customers and verifying that it meets their requirements and expectations. Acceptance testing helps to identify the usability, suitability, and satisfaction issues of the system or sub-system, and to ensure its acceptance, delivery, and deployment. 
Acceptance testing does not focus on how the system or sub-system handles invalid input, but rather on how it satisfies the user or customer needs.
Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, pp. 823-824; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 8: Software Development Security, pp. 1004-1005.
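The following is an added example, not code from the exam guides cited above, showing what a negative-test pass looks like in practice. It defines a hypothetical endpoint parser (parse_endpoint) as the system under test, a constructed corpus of invalid inputs, and a harness that classifies each case as gracefully rejected, wrongly accepted, or crashed with an unexpected exception. A deliberately lenient parser (naive_parse) is included so the difference is visible: the naive version both crashes on some inputs and accepts others that Python's int() quietly tolerates, such as surrounding whitespace, a leading plus sign, digit-group underscores, and non-ASCII digits.

```python
import re

# Hypothetical system under test: parse "host:port" strictly.
# Strict ASCII-only patterns; relying on int() alone is too lenient (see naive_parse).
HOST_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)
PORT_RE = re.compile(r"[0-9]{1,5}")
MAX_LEN = 260


class InvalidEndpoint(ValueError):
    """The one error type callers are expected to handle for malformed input."""


def parse_endpoint(value):
    """Return (host, port) or raise InvalidEndpoint; never any other exception."""
    if not isinstance(value, str):
        raise InvalidEndpoint("endpoint must be a str")
    if len(value) > MAX_LEN:
        raise InvalidEndpoint("endpoint too long")
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port:
        raise InvalidEndpoint("expected host:port")
    if not HOST_RE.fullmatch(host):
        raise InvalidEndpoint("invalid host")
    if not PORT_RE.fullmatch(port):
        # int() would accept ' 80', '+80', '8_0' and non-ASCII digits; the regex does not.
        raise InvalidEndpoint("invalid port")
    number = int(port)
    if not 1 <= number <= 65535:
        raise InvalidEndpoint("port out of range")
    return host, number


def naive_parse(value):
    """Deliberately lenient parser, kept only to show what negative testing catches."""
    host, port = value.split(":")
    return host, int(port)


# Constructed negative-test corpus: every entry is invalid and must be rejected, not crash.
NEGATIVE_CASES = [
    "", "localhost", ":80", "localhost:", "localhost:0", "localhost:65536",
    "localhost:abc", "localhost: 80", "localhost:+80", "localhost:8_0",
    "localhost:\u0663\u0660",      # Arabic-Indic digits, accepted by int()
    "-bad-.example:443",           # label may not start or end with '-'
    "a" * 300 + ":443",            # oversized input
    None, b"localhost:80", 80,     # wrong types
]


def run_negative_tests(parser=parse_endpoint, cases=NEGATIVE_CASES):
    """Classify each invalid input: rejected gracefully, wrongly accepted, or crashed."""
    report = {"rejected": 0, "accepted": [], "crashed": []}
    for case in cases:
        try:
            parser(case)
        except InvalidEndpoint:
            report["rejected"] += 1                      # graceful: documented error type
        except Exception as exc:                         # anything else is an ungraceful failure
            report["crashed"].append((case, type(exc).__name__))
        else:
            report["accepted"].append(case)              # invalid input got through: validation gap
    return report


if __name__ == "__main__":
    print("strict:", run_negative_tests())
    print("naive: ", run_negative_tests(naive_parse))
```

The harness treats only the documented error type as a graceful outcome; a bare ValueError or AttributeError escaping from the parser is recorded as a crash, because that is what a caller would see in production. Run against the strict parser every case lands in "rejected"; run against the naive one, seven cases crash and nine invalid endpoints are accepted.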


Question 4

When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?



Answer : B

Service Organization Control (SOC) reports are audit reports that provide information about the internal controls and processes of a service organization, such as a cloud provider, a data center, or a payroll service. There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 reports focus on the controls that affect the financial reporting of the user entities (the clients of the service organization). SOC 2 reports focus on the controls that affect the security, availability, confidentiality, and privacy of the user entities' data and systems, as well as the processing integrity of the service organization. SOC 3 reports are similar to SOC 2 reports, but they are less detailed and more accessible to the general public. Each SOC report can be either Type 1 or Type 2. Type 1 reports describe the design and implementation of the controls at a specific point in time. Type 2 reports describe the operating effectiveness of the controls over a period of time, usually six to twelve months. When conducting a third-party risk assessment of a new supplier, the best report to review to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles is the SOC 2, Type 2 report. This report provides assurance that the service organization has implemented and maintained the controls that are relevant to the protection of the user entities' data and systems, and that the controls have been tested and verified by an independent auditor. International Organization for Standardization (ISO) 27001 and ISO 27002 are not audit reports, but rather standards for information security management systems (ISMS). ISO 27001 specifies the requirements for establishing, implementing, maintaining, and improving an ISMS. ISO 27002 provides guidelines and best practices for implementing the controls of the ISMS. 
While these standards can be used as a reference for evaluating the security posture of a service organization, they do not provide the same level of assurance and evidence as a SOC 2, Type 2 report.
Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, pp. 66-67; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 1: Security and Risk Management, pp. 103-104.


Question 5

Which of the following is the MOST significant key management problem due to the number of keys created?



Answer : D

Key management is the process of generating, distributing, storing, using, and destroying cryptographic keys. One of the most significant key management problems is the number of keys created, which affects the complexity, scalability, and security of the cryptographic system. The number of keys created depends on the type of encryption used: symmetric or asymmetric. Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses a pair of keys: a public key for encryption and a private key for decryption. When using symmetric encryption, the number of keys created grows exponentially with the number of users or devices involved. For example, if there are n users or devices that need to communicate securely with each other, then each user or device needs to have a unique key for each other user or device. Therefore, the total number of keys needed is n(n-1)/2, which is an exponential function of n. This means that as the number of users or devices increases, the number of keys needed increases dramatically, making it more difficult to provision, store, and protect the keys. When using asymmetric encryption, the number of keys created grows linearly with the number of users or devices involved. For example, if there are n users or devices that need to communicate securely with each other, then each user or device needs to have only one pair of keys: a public key and a private key. Therefore, the total number of keys needed is 2n, which is a linear function of n. This means that as the number of users or devices increases, the number of keys needed increases proportionally, making it easier to provision, store, and protect the keys.
Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Communication and Network Security, pp. 287-288; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, pp. 433-434.
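An added example (not from the exam guides cited above) that builds the two key inventories the explanation describes and counts them, so the n(n-1)/2 and 2n figures can be checked against real enumeration rather than taken on faith. It also goes one step further than the text: it measures what happens when one party is compromised, which is where the symmetric key count hurts operationally, because every pairwise secret that party held has to be rotated. The key labels are placeholders standing in for real key material.

```python
from itertools import combinations


def symmetric_key_inventory(parties):
    """One shared secret per unordered pair of parties.

    Returns {frozenset({a, b}): label}; labels are placeholders, not real keys.
    """
    return {
        frozenset((a, b)): f"shared_key[{a},{b}]"
        for a, b in combinations(parties, 2)
    }


def asymmetric_key_inventory(parties):
    """One (public, private) pair per party; placeholder labels again."""
    return {p: (f"pub[{p}]", f"priv[{p}]") for p in parties}


def key_counts(n):
    """Count keys needed for n parties under each scheme and check the formulas."""
    parties = [f"u{i}" for i in range(n)]
    symmetric = len(symmetric_key_inventory(parties))
    # Each party holds two keys (public and private), so 2 keys per entry.
    asymmetric = 2 * len(asymmetric_key_inventory(parties))
    assert symmetric == n * (n - 1) // 2, "pairwise enumeration disagrees with n(n-1)/2"
    assert asymmetric == 2 * n, "key-pair enumeration disagrees with 2n"
    return {"parties": n, "symmetric_keys": symmetric, "asymmetric_keys": asymmetric}


def rotation_burden(parties, compromised):
    """How many keys must be replaced if one party's key material is exposed."""
    shared = symmetric_key_inventory(parties)
    affected = [k for k in shared if compromised in k]   # every pair containing the victim
    return {
        "symmetric_keys_to_rotate": len(affected),        # n - 1 secrets, one per peer
        "asymmetric_keys_to_rotate": 1,                   # only the victim's own key pair
    }


if __name__ == "__main__":
    for n in (5, 10, 100, 1000):
        print(key_counts(n))
    print(rotation_burden([f"u{i}" for i in range(10)], "u3"))
```

Doubling the population roughly quadruples the symmetric inventory but only doubles the asymmetric one, and a single compromise under the symmetric scheme forces n-1 rotations against one key pair under the asymmetric scheme; both effects come out of the enumeration above, not from the formulas.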


Question 6

The Chief Information Security Officer (CISO) of an organization has requested that a Service Organization Control (SOC) report be created to outline the security and availability of a particular system over a 12-month period. Which type of SOC report should be utilized?



Answer : B

The type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period is SOC 2 Type 2. SOC 2 Type 2 is a security audit report that provides information about the design and the operating effectiveness of the controls at a service organization relevant to the security and availability trust service categories, as well as the other trust service categories such as processing integrity, confidentiality, and privacy. SOC 2 Type 2 is the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period, because it can:

Evaluate and assess the design and the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data that are used for providing the services or the solutions to the user entities or the customers, based on the criteria or the principles of the Trust Services Categories (TSC).

Provide and present the information and the data about the service organization's system and the controls in relation to the security and availability, in the form of the audit report or the opinion that is prepared and issued by the independent auditor or the practitioner, and that is intended for the general or the restricted use of the user entities and the other interested or relevant parties or stakeholders.

Cover a specified period of time, usually between six and twelve months, and include the description of the tests of controls and the results performed by the auditor, to demonstrate the operational effectiveness of the controls over the security and availability of the system and the data.

The other options are not the types of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period. SOC 1 Type 1 is a security audit report that provides information about the design of the controls at a service organization relevant to the internal control over financial reporting of the user entities or the customers, based on the control objectives defined by the service organization. SOC 1 Type 1 is not the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period, because it does not:

Evaluate and assess the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data, but rather the controls that affect the financial reporting of the user entities or the customers.

Provide and present the information and the data about the service organization's system and the controls in relation to the security and availability, but rather the controls in relation to the internal control over financial reporting of the user entities or the customers.

Cover a specified period of time, or include the description of the tests of controls and the results performed by the auditor, but rather evaluate the design of the controls at a point in time.

SOC 2 Type 1 is a security audit report that provides information about the design of the controls at a service organization relevant to the security and availability trust service categories, as well as the other trust service categories such as processing integrity, confidentiality, and privacy. SOC 2 Type 1 is not the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period, because it does not:

Evaluate and assess the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data, but rather the design of the controls at a point in time.

Include the description of the tests of controls and the results performed by the auditor, to demonstrate the operational effectiveness of the controls over the security and availability of the system and the data.

SOC 3 Type 1 is a security audit report that provides information about the design of the controls at a service organization relevant to the security and availability trust service categories, as well as the other trust service categories such as processing integrity, confidentiality, and privacy. SOC 3 Type 1 is not the type of SOC report that should be utilized to outline the security and availability of a particular system over a 12-month period, because it does not:

Evaluate and assess the effectiveness of the controls that the service organization has implemented and maintained for ensuring the security and availability of the system and the data, but rather the design of the controls at a point in time.

Include the description of the tests of controls and the results performed by the auditor, to demonstrate the operational effectiveness of the controls over the security and availability of the system and the data.

Provide and present the information and the data about the service organization's system and the controls in relation to the security and availability, in the form of the audit report or the opinion, but rather in the form of the seal or the logo that indicates the compliance with the TSC.


Question 7

Employee training, risk management, and data handling procedures and policies could be characterized as which type of security measure?



Answer : D

Employee training, risk management, and data handling procedures and policies could be characterized as administrative security measures. Administrative security measures are the policies, procedures, standards, guidelines, and practices that define and govern the roles, responsibilities, and actions of the personnel and the organization in relation to the security of the information systems and the data. Employee training, risk management, and data handling procedures and policies could be characterized as administrative security measures, because they can:

Establish and communicate the security objectives, requirements, and expectations of the organization and the personnel, and provide the direction and the guidance for achieving and maintaining them.

Educate and train the personnel on the security awareness, skills, and behaviors, and evaluate and monitor their performance and compliance with the security policies and procedures.

Identify and assess the risks and the threats to the information systems and the data, and implement and review the controls and the countermeasures to mitigate and manage them.

The other options are not the types of security measures that employee training, risk management, and data handling procedures and policies could be characterized as. Non-essential security measures are the security measures that are not required or necessary for the protection of the information systems and the data, and that may be removed or reduced without compromising the security objectives or requirements. Non-essential security measures are not the type of security measures that employee training, risk management, and data handling procedures and policies could be characterized as, because they are essential and necessary for the protection of the information systems and the data, and they cannot be removed or reduced without compromising the security objectives or requirements. Management security measures are the security measures that are implemented and enforced by the management or the leadership of the organization, and that are related to the planning, organizing, directing, and controlling of the security activities and resources. Management security measures are not the type of security measures that employee training, risk management, and data handling procedures and policies could be characterized as, because they are not implemented and enforced by the management or the leadership of the organization, but rather by the personnel and the organization themselves. Preventive security measures are the security measures that are designed and deployed to prevent or deter the occurrence or the impact of the security incidents or the attacks, such as the encryption, the authentication, or the firewall. 
Preventive security measures are not the type of security measures that employee training, risk management, and data handling procedures and policies could be characterized as, because they are not designed and deployed to prevent or deter the occurrence or the impact of the security incidents or the attacks, but rather to define and govern the roles, responsibilities, and actions of the personnel and the organization in relation to the security of the information systems and the data.
Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, p. 19; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1: Security and Risk Management, p. 19.

