CISSP Practice Set_01: Security and Risk Management_2

Home » CISSP Practice Set_01: Security and Risk Management_2

Security and Risk Management

Domain 01 Practice Set: 01

CISSP DOMAIN 01: Security and Risk Management (Assessment Mode)

Domain 1 of the CISSP exam covers Security and Risk Management, which is a broad area encompassing various aspects of information security, including concepts related to governance, risk management, compliance, law, ethics, and security education.

Domain 01: Practice Set 01

Disclaimer: The practice exam questions provided are representative of the certification exam, but not the actual questions you will see on the certification exam. Practice exams are for self-assessment.

Page : 1/11

1. What is the primary goal of the CIA Triad in information security?

A) Ensure compliance with legal requirements

B) Provide a structured framework for IT management

C) Protect information confidentiality, integrity, and availability

D) Prioritize security tasks based on their impact on business operations

2. What is the primary function of a Security Information and Event Management (SIEM) system?

A) To physically secure an organization's premises from unauthorized access.

B) To manage the configuration of network devices and software.

C) To collect, analyze, and report on security logs and events from various sources.

D) To encrypt data in transit and at rest.

3. Which of the following scenarios BEST illustrates the concept of a "Man in the Middle" (MitM) attack?

A) An attacker intercepts and modifies communications between two parties without their knowledge.

B) A virus spreads across an organization's network, encrypting files for ransom.

C) An unauthorized user gains physical access to a data center and steals hardware.

D) A phishing email tricks users into revealing their passwords.

4. Which of the following best describes the primary purpose of implementing security governance within an organization?

A) To ensure that security strategies are aligned with business objectives and regulatory requirements.

B) To monitor and manage the organization's IT infrastructure.

C) To define the operational tasks of the security team.

D) To establish technical controls across the network.

5. Which of the following BEST describes the goal of a Risk Appetite Statement?

A) To document the organization’s formal position on how much risk it is willing to accept.

B) To list all identified risks and their potential impacts on the organization.

C) To outline the technical measures the organization will use to mitigate risks.

D) To describe the responsibilities of employees in the event of a security incident.

Page : 2/11

6. What should management consider the most when classifying data?

A. The type of employees, contractors, and customers who will be accessing the data.

B. Availability, integrity, and confidentiality.

C. Assessing the risk level and disabling countermeasures.

D. The access controls that will be protecting the data.

7. Which of the following is a key benefit of implementing an effective Security Awareness Training program?

A) It eliminates the need for technical security controls.

B) It ensures that all technical vulnerabilities within the IT infrastructure are patched.

C) It reduces the likelihood of security breaches by educating employees on security best practices and potential threats.

D) It guarantees compliance with all industry regulations and standards.

8. Who is ultimately responsible for making sure data is classified and protected?

A. Data owners

B. Users

C. Administrators

D. Management

9. Which of the following best exemplifies the concept of "Tailgating" in a physical security context?

A) Intercepting and analyzing packets on a network to gain unauthorized access to data.

B) Following someone through a secure door without presenting proper credentials.

C) Sending deceptive emails to employees to trick them into revealing their passwords.

D) Creating a backdoor in a software program to bypass normal authentication mechanisms.

10. If different user groups with different security access levels need to access the same information, which of the following actions should management take?

A. Decrease the security level on the information to ensure accessibility.

B. Require specific written approval each time an individual needs to access the information.

C. Increase the security controls on the information.

D. Decrease the classification label on the information.

Page : 3/11

11. Which of the following is an example of a physical security control?

A) Firewalls

B) Encryption

C) Biometric access controls

D) Antivirus software

12. Which of the following is NOT a primary objective of implementing security controls based on the CIA Triad?

A) Preventing all cyber threats

B) Protecting information confidentiality

C) Ensuring data integrity

D) Guaranteeing system and data availability

13. What role does an Incident Response Team play in an organization's security posture?

A) It is primarily responsible for developing and enforcing the organization's security policies.

B) It conducts daily audits of system configurations to ensure compliance with security standards.

C) It manages the organization's physical security measures, such as access controls and surveillance systems.

D) It responds to and manages security incidents to minimize impact and restore normal operations.

14. What is the primary purpose of implementing the principle of least privilege?

A) To ensure that users are given the minimum level of access necessary to perform their duties

B) To increase the complexity of the IT infrastructure

C) To enhance the skills of the IT staff

D) To allocate budget effectively for security controls

15. Which of the following is a PRIMARY goal of information security governance?

A) Ensuring operational functionality

B) Protecting organizational interests

C) Increasing the efficiency of IT systems

D) Enhancing the skills of the IT staff

Page : 4/11

16. Which of the following best describes the concept of 'integrity' in the context of information security?

A) Ensuring information is accessible when needed

B) Preventing unauthorized access to information

C) Ensuring information is accurate and unaltered

D) Verifying the identity of users accessing information

17. Which of the following best describes the concept of "Separation of Duties"?

A) It is a process of dividing tasks and privileges among multiple users or systems to prevent fraud and errors.

B) It involves assigning all tasks related to a specific function to a single user to increase accountability.

C) It refers to the physical separation of an organization's network infrastructure to enhance security.

D) It is the practice of rotating employees through different jobs to increase their skill sets.

18. Which of the following best describes the term "Third-Party Risk"?

A) The risk associated with using open-source software within an organization.

B) The potential security threats that arise from doing business with external vendors or service providers.

C) The risk of employees using their personal devices for work purposes.

D) The potential for a security breach due to outdated hardware within an organization.

19. In the context of risk management, what is the significance of "Risk Appetite" in determining an organization's security investment?

A) It dictates the exact technologies and products to be purchased for security improvements.

B) It guides the allocation of resources by defining how much risk the organization is willing to accept.

C) It is used to identify which security controls should be outsourced to third-party vendors.

D) It specifies the regulatory compliance requirements the organization must meet.

20. What is the primary goal of compliance in the context of information security?

A) To ensure that the organization's IT systems are the most technologically advanced

B) To guarantee that all employees follow the organization's internal security policies.

C) To adhere to laws, regulations, and guidelines relevant to the organization's business operations

D) To eliminate all cyber threats facing the organization.

Page : 5/11

21. Which of the following best exemplifies ethical behavior in information security?

A) Reporting a security flaw without first attempting to exploit it.

B) Using knowledge of a security vulnerability for personal gain.

C) Sharing confidential information with stakeholders without consent.

D) Keeping silent about discovered vulnerabilities.

22. Which of the following is an essential element of effective information security governance?

A) Implementation of technical controls.

B) Regular penetration testing.

C) Senior management commitment and support.

D) Frequent security awareness training for all employees.

23. Which group causes the most risk of fraud and computer compromises?

A. Employees

B. Hackers

C. Attackers

D. Contractors

24. In the context of information security frameworks, what is the primary goal of ISO/IEC 27001?

A) To provide a standard for the ethical conduct of IT professionals.

B) To establish guidelines for social media governance.

C) To set a global standard for an information security management system (ISMS).

D) To outline best practices for the physical security of IT infrastructure.

25. What does 'availability' in the CIA Triad refer to?

A) The information is accessible by authorized users in a timely manner

B) The information is kept confidential from unauthorized users

C) The information remains unchanged unless altered by authorized entities

D) The security controls are easy to use and do not hinder business processes

Page : 6/11

26. What is the main difference between qualitative and quantitative risk assessment?

A) Qualitative risk assessment uses numerical values to assess risk, whereas quantitative does not.

B) Quantitative risk assessment is faster and less expensive than qualitative risk assessment.

C) Qualitative risk assessment focuses on the subjective analysis of risk factors, while quantitative risk assessment uses numerical data and models to assess risk.

D) Quantitative risk assessment is used exclusively in IT security, while qualitative is used in physical security.

27. An organization is evaluating its incident response plan (IRP) and aims to align it with best practices. Which of the following is a critical element that should be included to enhance the effectiveness of the IRP?

A) A detailed budget for marketing strategies to improve the organization’s public image post-incident.

B) Mandatory bi-annual security training for all employees, focusing exclusively on password management.

C) Clearly defined roles and responsibilities for the incident response team, including external communications.

D) A policy stating that all incidents must be resolved within 24 hours to minimize downtime.

28. What is the PRIMARY purpose of risk management in information security?

A) To eliminate all risks.

B) To minimize the impact of risks on organizational operations.

C) To transfer all risks to third parties.

D) To quantify all organizational risks in financial terms.

29. Which of the following is a key component of a "Security Awareness Program"?

A) Regularly testing employees with simulated phishing attacks.

B) Installing antivirus software on all organizational computers.

C) Conducting annual security audits by external auditors.

D) Purchasing cybersecurity insurance for the organization.

30. In the context of access control, what does the term "Authentication" refer to?

A) The process of determining whether a user is permitted to perform an action within a system.

B) The process of verifying the identity of a user or system.

C) The process of granting or denying specific requests to obtain and use information and related information processing services.

D) The process of tracking user activities and recording security-relevant information.

Page : 7/11

31. Which of the following BEST describes the purpose of risk analysis in an organization's security and risk management process?

A) To identify the organization's assets and their values

B) To determine the potential impact of an identified risk

C) To assess the likelihood of a threat exploiting a vulnerability

D) To allocate budget effectively for security controls

32. Which of the following scenarios exemplifies the concept of "Defense in Depth"?

A) Implementing a firewall and nothing else to protect the network perimeter.

B) Using a single, complex password for all accounts to simplify user access.

C) Employing multiple security measures, such as firewalls, intrusion detection systems, and security awareness training.

D) Placing all security controls at the network entry point to ensure maximum protection.

33. What is the primary purpose of the "Data Owner" role in information security?

A) To perform regular backups of data.

B) To provide technical support to end-users.

C) To decide on the classification levels of data and ensure appropriate handling.

D) To implement encryption mechanisms on sensitive data.

34. What is the primary purpose of encryption in cybersecurity?

A) To speed up data transmission over the internet.

B) To verify the identity of communicating parties.

C) To ensure the confidentiality and integrity of data.

D) To create a backup of data in a secure format.

35. What is the primary purpose of a Business Impact Analysis (BIA)?

A) To identify the organization's most critical systems and processes and the impact of their failure.

B) To assess the overall financial health of the organization.

C) To evaluate the effectiveness of the IT department.

D) To determine the market value of the organization's assets.

Page : 8/11

36. A company is planning to expand its operations internationally and is concerned about the varied data protection laws in different countries. What is the most effective strategy for managing these legal and regulatory compliance risks?

A) Implementing a uniform global information security policy that meets the most stringent regulations.

B) Customizing data protection policies for each country based on local laws and regulations.

C) Relying solely on encryption for data in transit and at rest without considering local regulations.

D) Outsourcing data handling to third-party vendors in countries with the least stringent data protection laws.

37. In the context of information security, what does "Confidentiality" aim to prevent?

A) Unauthorized modification of information.

B) Unauthorized disclosure of information.

C) Loss of availability of information.

D) Physical theft of information assets.

38. Your organization has identified a risk with a high impact but low likelihood. Which of the following is the MOST appropriate risk response?

A) Accept

B) Mitigate

C) Transfer

D) Avoid

39. Which of the following best defines "Social Engineering"?

A) A method of securing social media platforms against unauthorized access.

B) The practice of manipulating individuals into divulging confidential information.

C) The process of designing social networks to enhance user privacy and security.

D) A technical mechanism for protecting organizations against external threats.

40. Your organization is implementing an information classification program. Which of the following is the primary reason for classifying information?

A. To determine the level of encryption required for data at rest.

B. To ensure appropriate levels of access control are applied to information assets.

C. To facilitate regulatory compliance.

D. To reduce the cost of storage by archiving old data.

Page : 9/11

41. What principle is primarily concerned with ensuring that data is only accessible to those authorized to view it?

A) Integrity

B) Availability

C) Confidentiality

D) Accountability

42. Which of the following best describes the purpose of risk management in an organization's security strategy?

A) To eliminate all risks.

B) To assess and mitigate risks to an acceptable level.

C) To transfer all risks to a third party.

D) To ignore risks that are deemed low.

43. Which of the following best describes a Security Policy?

A) A detailed step-by-step guide on how to configure security tools.

B) A formal statement of rules on how security will be implemented within an organization.

C) An informal set of guidelines that users are encouraged to follow.

D) A list of recommended software to enhance an organization's security posture.

44. Which of the following incidents would MOST likely trigger the activation of a Disaster Recovery Plan (DRP)?

A) Detection of a phishing email campaign targeting the organization.

B) Discovery of a critical vulnerability within the organization's network.

C) A significant data breach resulting in the loss of sensitive customer data.

D) A natural disaster causing physical damage to the organization's data center.

45. What does the term "Due Diligence" refer to in the context of information security?

A) The technical measures taken to protect data.

B) The continuous monitoring of security systems.

C) The investigation and analysis conducted to protect an organization's assets.

D) The process of implementing security controls based on industry standards.

Page : 10/11

46. Which of the following best describes the purpose of compliance with legal and regulatory requirements in information security?

A) Ensuring that all employees follow internal security policies.

B) Avoiding legal penalties and sanctions.

C) Enhancing the organization's reputation.

D) Guaranteeing the confidentiality of all corporate data.

47. Who has the primary responsibility of determining the classification level for information?

A. The functional manager

B. Senior management

C. The owner

D. The user

48. What is the primary purpose of conducting a vulnerability assessment?

A) To identify weaknesses in an organization's IT systems and networks that could be exploited.

B) To evaluate the performance of IT staff in managing security incidents.

C) To determine the financial impact of potential security breaches on the organization.

D) To assess the organization's compliance with international security standards.

49. What is the primary goal of an information security governance program?

A) To ensure that security policies are technically enforced.

B) To ensure that the organization's security policies and practices reflect its objectives and are aligned with regulations.

C) To implement the most advanced technological security controls.

D) To train employees on the latest cybersecurity threats.

50. What is the main goal of an Incident Response Plan (IRP)?

A) To prevent security incidents from occurring.

B) To outline the processes for detecting, responding to, and recovering from security incidents.

C) To ensure that all employees are trained on the latest cybersecurity threats.

D) To document the organization's security policies and standards.

Page : 11/11

51. What is the primary objective of a Data Classification Policy?

A) To define the roles and responsibilities of employees within the organization.

B) To outline the steps for securely disposing of data.

C) To identify and categorize data based on its level of sensitivity and importance to the organization.

D) To establish guidelines for the technical configuration of network devices.

CISSP Practice Test, Quiz & Flashcards

5

CISSP Practice Sets

250

Questions

5.8

Test Submited by Users

Security and Risk Management

Domain 01 Practice Set: 01

CISSP DOMAIN 01: Security and Risk Management (Assessment Mode)

Domain 01: Practice Set 01

Disclaimer: The practice exam questions provided are representative of the certification exam, but not the actual questions you will see on the certification exam. Practice exams are for self-assessment.

CISSP Practice Test, Quiz & Flashcards

More practice question and flash cards

Risk & Security Management

Asset Security

Security Architecture & Engineering

Communication & Network Security

Identity & Access Management

CISSP Practice Sets Status

5

250

5.8

info@sajinshivdas.com