ISC2 CISSP Certified Information Systems Security Professional Exam Practice Test

Page: 1 / 14
Total 1486 questions
Question 1

Which of the following statements is MOST accurate regarding information assets?



Answer : B

Information assets are any data or information that have value for the organization, such as financial records, customer data, intellectual property, or trade secrets. Information assets are essential for the organization to achieve its objectives and to maintain its competitive advantage. Information assets should be identified, classified, and protected according to their value, sensitivity, and criticality. International Organization for Standardization (ISO) 27001 compliance does not specify which information assets must be included in the asset inventory, but rather provides a framework and a set of requirements for establishing, implementing, maintaining, and improving an information security management system (ISMS). Building an information assets register is not necessarily a resource-intensive job, but rather a necessary and beneficial one, as it helps to document and manage the information assets of the organization and to support the risk assessment and security planning processes. An information assets inventory is required for risk assessment, as it helps to determine the scope, impact, and likelihood of the risks that may affect the information assets, and to prioritize and implement the appropriate controls and measures to mitigate those risks.


Question 2

What is the MAIN purpose of conducting a business impact analysis (BIA)?



Answer : B

The main purpose of conducting a business impact analysis (BIA) is to determine the effect of mission-critical information system failures on core business processes. A BIA is a process that identifies and evaluates the critical business functions and their dependencies, and determines the impact of a disruption on them. A BIA helps to quantify the potential loss of revenue, reputation, productivity, or customer satisfaction due to an information system failure, as well as the recovery time and resources needed to resume normal operations. A BIA does not determine the critical resources required to recover from an incident, as this is the role of a disaster recovery plan or a business continuity plan. A BIA does not determine the cost of restoring a damaged information system, as this is the role of a risk analysis or a cost-benefit analysis. A BIA does not determine the controls required to return to business-critical operations, as this is the role of a contingency plan or a crisis management plan.


Question 3

What is the MAIN purpose of a security assessment plan?



Answer : B

The main purpose of a security assessment plan is to provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments. A security assessment plan defines the scope, criteria, methods, roles, and responsibilities of the security assessment process, which is the process of evaluating and testing the effectiveness and compliance of the security and privacy controls implemented in an information system. A security assessment plan helps to ensure that the security assessment process is consistent, systematic, and comprehensive. A security assessment plan does not provide guidance on security requirements, as this is the role of a security requirements analysis or a security architecture design. A security assessment plan does not provide technical information to executives, as this is the role of a security report or a security briefing. A security assessment plan does not provide education to employees, as this is the role of a security awareness or a security training program.


Question 4

At which phase of the software assurance life cycle should risks associated with software acquisition strategies be identified?



Answer : B

The planning phase of the software assurance life cycle is the stage where the objectives, requirements, scope, and constraints of the software project are defined and analyzed. This is the phase where the risks associated with software acquisition strategies should be identified, as this will help to select the most appropriate and secure software solution, as well as to plan for the mitigation and management of the risks. The follow-on phase is the stage where the software product is maintained and updated after its deployment. The monitoring and acceptance phase is the stage where the software product is tested and verified against the requirements and specifications. The contracting phase is the stage where the software product is procured and delivered by the vendor or supplier.


Question 5

Which of the following are the BEST characteristics of security metrics?



Answer : D

Security metrics are measurements that are used to evaluate and improve the effectiveness and efficiency of security processes, controls, and outcomes. The best characteristics of security metrics are that they are consistently measured and quantitatively expressed, as this ensures that the metrics are objective, reliable, comparable, and verifiable. Security metrics should not be generalized or provide a broad overview, as this may reduce their accuracy, relevance, and usefulness. Security metrics should not use acronyms and abbreviations to be concise, as this may cause confusion, ambiguity, or misunderstanding. Security metrics may use bar charts and Venn diagrams, or other graphical or visual representations, to illustrate or communicate the results, but this is not a characteristic of the metrics themselves, but rather a presentation technique.


Question 6

A new employee formally reported suspicious behavior to the organization's security team. The report claims that someone not affiliated with the organization was inquiring about the member's work location, length of employment, and building access controls. The employee's reporting is MOST likely the result of which of the following?



Answer : C

Security awareness is the knowledge and understanding of security threats, risks, and best practices that enable users to protect themselves and the organization from cyberattacks. Security awareness training is a program that educates users on how to recognize and respond to various types of security incidents, such as phishing, social engineering, malware, ransomware, etc. The employee's reporting of the suspicious behavior is most likely the result of security awareness training, as it shows that the employee was able to identify a potential social engineering attempt and report it to the security team. Risk avoidance is a strategy that involves avoiding or eliminating activities or assets that pose a high level of risk to the organization. Risk avoidance does not explain the employee's reporting of the suspicious behavior, as it is not related to the incident. Security engineering is the application of engineering principles and practices to design and implement secure systems and processes. Security engineering does not explain the employee's reporting of the suspicious behavior, as it is not related to the incident. Phishing is a type of social engineering attack that uses fraudulent emails or websites to trick users into revealing sensitive information or installing malware. Phishing is not the result of the employee's reporting, but rather the possible motive behind the suspicious behavior.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, p. 34-35. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 1: Security and Risk Management, p. 51-52.


Question 7

A security practitioner needs to implement a solution to verify endpoint security protections and operating system (OS) versions. Which of the following is the BEST solution to implement?



Answer : C

Network Access Control (NAC) is a solution that verifies the security posture and compliance of endpoints before granting them access to the network. NAC can check the endpoint security protections, such as antivirus, firewall, patch level, and OS version, and enforce policies based on the results. NAC can also quarantine or remediate non-compliant endpoints to prevent them from compromising network security. NAC is the best solution to implement among the given options, as it provides both verification and enforcement of endpoint security. An intrusion prevention system (IPS) is a device that monitors network traffic and blocks or alerts on malicious or suspicious activities. An IPS does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. An IPS is a reactive rather than proactive solution. A firewall is a device that controls network traffic based on predefined rules. A firewall does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. A firewall is a preventive rather than detective solution. An intrusion detection system (IDS) is a device that monitors network traffic and alerts on malicious or suspicious activities. An IDS does not verify the endpoint security protections or OS versions, nor does it enforce any policies on the endpoints. An IDS is a passive rather than active solution.

Reference: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Security Assessment and Testing, p. 518-519. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 451-452.

