ISC2 Certified Information Systems Security Professional Exam Practice Test

Page: 1 / 14
Total 1486 questions
Question 1

Which of the (ISC)² Code of Ethics canons is MOST reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest?



Answer : A

The (ISC)² Code of Ethics is a set of principles and guidelines that govern the professional and ethical conduct of (ISC)² certified members and associates. The Code of Ethics consists of four mandatory canons:

Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

The canon that is most reflected when preserving the value of systems, applications, and entrusted information while avoiding conflicts of interest is the second one: act honorably, honestly, justly, responsibly, and legally. This canon requires (ISC)² certified members and associates to uphold the highest standards of integrity, fairness, responsibility, and lawfulness in their professional activities. This includes preserving the value of the systems, applications, and entrusted information that they work with, and avoiding any conflicts of interest that may compromise their objectivity, impartiality, or loyalty.

The other canons are not as directly related to the scenario as the second one, although they may also have some relevance. The first canon (protect society, the common good, necessary public trust and confidence, and the infrastructure) requires (ISC)² certified members and associates to safeguard the public interest, the common welfare, and the critical infrastructure from harm or misuse. This includes protecting the confidentiality, integrity, and availability of the systems, applications, and entrusted information that they work with, and reporting any incidents or breaches that may affect them. The third canon (provide diligent and competent service to principals) requires (ISC)² certified members and associates to serve their clients, employers, or stakeholders with diligence and competence. This includes delivering quality work, meeting the expectations and requirements, and respecting the rights and interests of the principals. The fourth canon (advance and protect the profession) requires (ISC)² certified members and associates to promote and enhance the information security profession. This includes maintaining and improving their knowledge and skills, sharing their expertise and experience, and adhering to the Code of Ethics and the professional standards.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, p. 24-25; Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 1: Security and Risk Management, p. 19-20.


Question 2

Which of the following determines how traffic should flow based on the status of the infrastructure?



Answer : C

The control plane is the part of a network that determines how traffic should flow based on the status of the infrastructure. The control plane consists of the protocols, algorithms, and policies that are used to calculate the best paths, routes, and forwarding decisions for the network traffic. The control plane communicates with the data plane, which is the part of the network that actually carries the traffic from the source to the destination. The control plane also communicates with the management plane, which is the part of the network that monitors, configures, and maintains the network devices and components. The control plane is the best answer among the given options to the question of which part of the network determines how traffic should flow based on the status of the infrastructure.

The application plane is not a part of the network, but rather a layer of the Open Systems Interconnection (OSI) model that provides the interface and functionality for the network applications and services. The application plane does not determine how traffic should flow, but rather what type of traffic is generated or consumed by the applications and services. The data plane is the part of the network that actually carries the traffic from the source to the destination, as mentioned above. The data plane does not determine how traffic should flow, but rather executes the forwarding decisions made by the control plane. The traffic plane is not a part of the network, but rather a term that refers to the overall flow of traffic in the network. The traffic plane does not determine how traffic should flow, but rather reflects the result of the control plane and the data plane operations.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Communication and Network Security, p. 253; Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 405.


Question 3

Which of the following is the BEST method a security practitioner can use to ensure that systems and sub-systems gracefully handle invalid input?



Answer : A

Negative testing is a method of software testing that involves providing invalid, unexpected, or erroneous input to the system or sub-system and verifying that it can handle it gracefully, without crashing, freezing, or producing incorrect results. Negative testing helps to identify the boundary conditions, error handling, and exception handling of the system or sub-system, and to ensure its robustness, reliability, and security. Negative testing is the best method among the given options to ensure that systems and sub-systems gracefully handle invalid input.

Integration testing is a method of software testing that involves combining two or more components or modules of the system and verifying that they work together as expected. Integration testing helps to identify the interface, compatibility, and communication issues between the components or modules, and to ensure their functionality, performance, and quality. Integration testing does not focus on how the system or sub-system handles invalid input, but rather on how it interacts with other parts of the system. Unit testing is a method of software testing that involves testing each individual component or module of the system in isolation and verifying that it performs its intended function. Unit testing helps to identify the logic, syntax, and functionality errors of the component or module, and to ensure its correctness, completeness, and efficiency. Unit testing does not focus on how the system or sub-system handles invalid input, but rather on how it performs its own function. Acceptance testing is a method of software testing that involves testing the system or sub-system by the end users or customers and verifying that it meets their requirements and expectations. Acceptance testing helps to identify the usability, suitability, and satisfaction issues of the system or sub-system, and to ensure its acceptance, delivery, and deployment. Acceptance testing does not focus on how the system or sub-system handles invalid input, but rather on how it satisfies the user or customer needs.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, p. 823-824; Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 8: Software Development Security, p. 1004-1005.


Question 4

When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?



Answer : B

Service Organization Control (SOC) reports are audit reports that provide information about the internal controls and processes of a service organization, such as a cloud provider, a data center, or a payroll service. There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 reports focus on the controls that affect the financial reporting of the user entities (the clients of the service organization). SOC 2 reports focus on the controls that affect the security, availability, confidentiality, and privacy of the user entities' data and systems, as well as the processing integrity of the service organization. SOC 3 reports are similar to SOC 2 reports, but they are less detailed and more accessible to the general public. Each SOC report can be either Type 1 or Type 2. Type 1 reports describe the design and implementation of the controls at a specific point in time. Type 2 reports describe the operating effectiveness of the controls over a period of time, usually six to twelve months.

When conducting a third-party risk assessment of a new supplier, the best report to review to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles is the SOC 2, Type 2 report. This report provides assurance that the service organization has implemented and maintained the controls that are relevant to the protection of the user entities' data and systems, and that the controls have been tested and verified by an independent auditor. International Organization for Standardization (ISO) 27001 and ISO 27002 are not audit reports, but rather standards for information security management systems (ISMS). ISO 27001 specifies the requirements for establishing, implementing, maintaining, and improving an ISMS. ISO 27002 provides guidelines and best practices for implementing the controls of the ISMS. While these standards can be used as a reference for evaluating the security posture of a service organization, they do not provide the same level of assurance and evidence as a SOC 2, Type 2 report.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, p. 66-67; Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 1: Security and Risk Management, p. 103-104.


Question 5

Which of the following is the MOST significant key management problem due to the number of keys created?



Answer : D

Key management is the process of generating, distributing, storing, using, and destroying cryptographic keys. One of the most significant key management problems is the number of keys created, which affects the complexity, scalability, and security of the cryptographic system. The number of keys created depends on the type of encryption used: symmetric or asymmetric. Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses a pair of keys: a public key for encryption and a private key for decryption.

When using symmetric encryption, the number of keys created grows quadratically with the number of users or devices involved. For example, if there are n users or devices that need to communicate securely with each other, then each user or device needs a unique key for every other user or device. Therefore, the total number of keys needed is n(n-1)/2, which grows on the order of n². This means that as the number of users or devices increases, the number of keys needed increases dramatically, making it more difficult to provision, store, and protect the keys. When using asymmetric encryption, the number of keys created grows linearly with the number of users or devices involved. For example, if there are n users or devices that need to communicate securely with each other, then each user or device needs only one pair of keys: a public key and a private key. Therefore, the total number of keys needed is 2n, which is a linear function of n. This means that as the number of users or devices increases, the number of keys needed increases proportionally, making it easier to provision, store, and protect the keys.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Communication and Network Security, p. 287-288; Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 433-434.


Question 6
Question 7

An organization is preparing to achieve General Data Protection Regulation (GDPR) compliance. The Chief Information Security Officer (CISO) is reviewing data protection methods.

Which of the following is the BEST data protection method?



Answer : A

Encryption is the process of transforming data into an unreadable format using a secret key or algorithm. Encryption ensures the confidentiality, integrity, and availability of the data, and protects it from unauthorized access, modification, or deletion. Encryption is also a requirement of the GDPR, which is a legal framework that sets guidelines for the collection and processing of personal data of individuals within the EU.

