10 CISSP sample questions | ThorTeaches CISSP, CISM, CC, and PMP training

<Hard question>

As configuration manager for an application, Francis checks the daily message digests of the files stored on ten production servers, and finds one server has different message digests for three configuration files. What is the BEST action Francis should do?

Replace the three configuration files with copies from one of the other servers

Review the change tickets applied to that server that would account for the change; if the change is not authorized then alert SOC

Re-perform the hash to see if the message digest changes

Call the SOC to ask if they want him to replace the files with copies from another server

<Easy/Mid question>

Which of these, if used right, is the MOST secure form of “something you have” authentication?

Single-use password.

Magnetic card.

Passport.

Smart card.

<Hard question>

Our organization is spread across many smaller offices across the country. Which of these would present the LARGEST security risk?

System operations procedures are not being followed.

System capacity management processes are not being followed.

Software development is outsourced.

Change management processes are not being followed.

<Hard question>

Natalie is performing a risk assessment. She has been given the list of assets and owners of each asset. Harry is developing the list of Exposure Factors for each identified threat that is realized. What does Natalie need to ask the asset owners, in order to derive the Single Loss Expectancy?

The business value of each asset, that is how much it contributes to the revenues or saves in business costs

The replacement cost of each asset, that is how much it would cost to replace

The asset values using relative values on an ordinal scale

The value of the asset in monetary units

<Easy/Mid question>

We want our employees to be able to access our internal network over the internet from an external connection. For this implementation we also want to make sure attackers are not able to gain access pretending to be authorized users. Which of these technologies would make it the MOST secure?

Challenge response.

IDS (Intrusion Detection System).

2FA (2 Factor Authentication).

SSO (Single Sign-On).

Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?

Low level step-by-step guides.

Recommendations.

Non-specific, but can contain patches, updates, strong encryption.

Specific, all laptops are W10, 64 bit, 8GB memory, etc.

<Hard question>

Which of these is the MOST important ability we should look for when we are interviewing candidates for a new CISO (Chief Information Security Officer) for our organization?

A clear understanding of how to map Information Security technology to the needs of the organization.

A clear understanding of the regulatory and legal requirement that are relevant to our industry and our organization.

Knowledge about the latest IT technology platforms, trends, and development methodologies.

The ability to lead a diverse group of employees efficiently and effectively.

<Hard question>

We are a financial institution and changes are being made to some of the security aspects of the PCI-DSS standard. What should our Information Security manager do FIRST?

Analyze the key risks in the compliance.

Update our current security and privacy policies.

Meet with the financial and legal leadership teams and decide how to comply.

Assess if our existing controls fulfill the new requirements.

<Easy/Mid question>

Which type of access control model is based on a subject’s clearance?

DAC.

RBAC.

MAC.

RUBAC.

10.

<Easy/Mid question>

We are in a court where the evidence must be “the majority of the proof.” Which type of law does that relate to?

Private regulations.

Criminal law.

Civil law.

Administrative law.

Try some sample practice questions from our CISSP course

<Hard question>

<Easy/Mid question>

Which of these, if used right, is the MOST secure form of “something you have” authentication?

<Hard question>

<Hard question>

<Easy/Mid question>

We want our employees to be able to access our internal network over the internet from an external connection. For this implementation we also want to make sure attackers are not able to gain access pretending to be authorized users. Which of these technologies would make it the MOST secure?

Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?

<Hard question>

<Hard question>

<Easy/Mid question>

Which type of access control model is based on a subject’s clearance?

<Easy/Mid question>

We are in a court where the evidence must be “the majority of the proof.” Which type of law does that relate to?

Get our courses: