ISC CISSP Exam Questions

Questions for the CISSP were updated on Dec 09, 2025

Page 1 out of 100. Viewing questions 1-15 out of 1486

Question 1

Which of the following is an open standard for exchanging authentication and authorization data
between parties?

  • A. Wired markup language
  • B. Hypertext Markup Language (HTML)
  • C. Extensible Markup Language (XML)
  • D. Security Assertion Markup Language (SAML)
Answer:

D

Explanation:
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and
authorization data between parties, such as a service provider and an identity provider. SAML is
based on Extensible Markup Language (XML), which is a markup language that defines a set of rules
for encoding and structuring data in a human-readable and machine-readable format. SAML enables
single sign-on (SSO), which is a system that allows a user to log in and access multiple related servers
and applications with a single authentication process. SAML uses assertions, which are statements
that contain information about the user, such as their identity, attributes, or privileges, to
communicate between the parties. SAML also uses protocols, which are sets of rules and messages
that define how the parties request and respond to the assertions, to establish the trust and security
of the communication. Wired markup language is not a term used in information security, but it
could refer to a markup language that is used for creating web pages or applications that run on a
wired network. Hypertext Markup Language (HTML) is a markup language that is used for creating
and displaying web pages or applications that run on a web browser. HTML is not an open standard
for exchanging authentication and authorization data between parties, but rather a standard for
defining the structure and content of web pages or applications.

Question 2

An information security professional is reviewing user access controls on a customer-facing
application. The application must have multi-factor authentication (MFA) in place. The application
currently requires a username and password to login. Which of the following options would BEST
implement MFA?

  • A. Geolocate the user and compare to previous logins
  • B. Require a pre-selected number as part of the login
  • C. Have the user answer a secret question that is known to them
  • D. Enter an automatically generated number from a hardware token
Answer:

D

Explanation:
Entering an automatically generated number from a hardware token would be the best option to
implement multi-factor authentication (MFA) for a customer-facing application. MFA is a method of
authentication that requires two or more independent factors to verify the identity of a user, such as
something you know, something you have, or something you are. A hardware token is a device that
generates a one-time password (OTP) or a personal identification number (PIN) that the user must
enter along with their username and password to login. A hardware token provides a strong and
secure second factor of authentication, as it is based on something the user has, and it is resistant to
phishing, replay, or brute-force attacks. Geolocating the user and comparing to previous logins would
not be a good option to implement MFA, as it is based on something the user is, which is a weak and
unreliable factor of authentication, as it can be easily spoofed, manipulated, or inaccurate. Requiring
a pre-selected number as part of the login would not be a good option to implement MFA, as it is
based on something the user knows, which is the same factor as the username and password, and it
does not provide any additional security or verification. Having the user answer a secret question
that is known to them would not be a good option to implement MFA, as it is also based on
something the user knows, and it can be easily guessed, forgotten, or compromised.

Question 3

Which of the following statements is MOST accurate regarding information assets?

  • A. International Organization for Standardization (ISO) 27001 compliance specifies which information assets must be included in asset inventory.
  • B. Information assets include any information that is valuable to the organization.
  • C. Building an information assets register is a resource-intensive job.
  • D. Information assets inventory is not required for risk assessment.
Answer:

B

Explanation:
Information assets are any data or information that have value for the organization, such as financial
records, customer data, intellectual property, or trade secrets. Information assets are essential for
the organization to achieve its objectives and to maintain its competitive advantage. Information
assets should be identified, classified, and protected according to their value, sensitivity, and
criticality. International Organization for Standardization (ISO) 27001 compliance does not specify
which information assets must be included in asset inventory, but rather provides a framework and a
set of requirements for establishing, implementing, maintaining, and improving an information
security management system (ISMS). Building an information assets register is not necessarily a
resource-intensive job, but rather a necessary and beneficial one, as it helps to document and
manage the information assets of the organization, and to support the risk assessment and security
planning processes. Information assets inventory is required for risk assessment, as it helps to
determine the scope, impact, and likelihood of the risks that may affect the information assets, and
to prioritize and implement the appropriate controls and measures to mitigate the risks.

Question 4

What is the overall goal of software security testing?

  • A. Identifying the key security features of the software
  • B. Ensuring all software functions perform as specified
  • C. Reducing vulnerabilities within a software system
  • D. Making software development more agile
Answer:

C

Explanation:
The overall goal of software security testing is to reduce the vulnerabilities within a software system.
A software system is a collection of software components, such as applications, programs, or
modules, that interact with each other and with other systems, such as hardware, networks, or
databases, to perform certain functions or tasks. A vulnerability is a weakness or a flaw in a software
system that can be exploited by a threat, such as an attacker, a malware, or an error, to cause harm
or damage, such as unauthorized access, data breach, denial of service, or corruption. Software
security testing is a process of evaluating and verifying the security aspects and features of a
software system, such as confidentiality, integrity, availability, authentication, authorization, or
encryption, by using various tools, techniques, and methods, such as static analysis, dynamic
analysis, code review, or fuzzing. Software security testing can help to identify and eliminate the
vulnerabilities within a software system, or to mitigate and manage their impact, and thus to
improve the security and quality of the software system. Identifying the key security features of the
software is not the overall goal of software security testing, but rather a specific objective or a
subtask of the process. Ensuring all software functions perform as specified is not the overall goal of
software security testing, but rather a general goal of software testing, which is a broader process
that covers not only the security aspects, but also the functional, non-functional, performance,
usability, and compatibility aspects of a software system. Making software development more agile
is not the overall goal of software security testing, but rather a benefit or an outcome of the process,
as software security testing can help to integrate the security considerations and practices into the
software development life cycle, and to enable faster and more frequent delivery of secure and
reliable software products.

Question 5

In setting expectations when reviewing the results of a security test, which of the following
statements is MOST important to convey to reviewers?

  • A. The target’s security posture cannot be further compromised.
  • B. The results of the tests represent a point-in-time assessment of the target(s).
  • C. The accuracy of testing results can be greatly improved if the target(s) are properly hardened.
  • D. The deficiencies identified can be corrected immediately.
Answer:

B

Explanation:
The most important statement to convey to reviewers when setting expectations for reviewing the
results of a security test is that the results of the tests represent a point-in-time assessment of the
target(s). A security test is a process of evaluating and measuring the security posture and
performance of an information system or a network, by using various tools, techniques, and
methods, such as vulnerability scanning, penetration testing, or security auditing. The results of a
security test reflect the security state of the target(s) at the time of the test, and they may not be
valid or accurate for a different time period, as the security environment and conditions may change
due to various factors, such as new threats, patches, updates, or configurations. Therefore, reviewers
should understand that the results of a security test are not definitive or permanent, but rather
indicative or temporary, and that they should be interpreted and used accordingly. The statement
that the target’s security posture cannot be further compromised is not true, as a security test does
not guarantee or ensure the security of the target(s), but rather identifies and reports the security
issues or weaknesses that may exist. The statement that the accuracy of testing results can be greatly
improved if the target(s) are properly hardened is not relevant, as a security test is not meant to
improve the accuracy of the results, but rather to assess the security of the target(s), and hardening
the target(s) before the test may not reflect the actual or realistic security posture of the target(s).
The statement that the deficiencies identified can be corrected immediately is not realistic, as a
security test may identify various types of deficiencies that may require different levels of effort,
time, and resources to correct, and some deficiencies may not be correctable at all, due to technical,
operational, or financial constraints.

Question 6

Which of the following is an important design feature for the outer door of a mantrap?

  • A. Allow it to be opened by an alarmed emergency button.
  • B. Do not allow anyone to enter it alone.
  • C. Do not allow it to be observed by closed-circuit television (CCTV) cameras.
  • D. Allow it to be opened when the inner door of the mantrap is also open.
Answer:

D

Explanation:
A mantrap is a physical security mechanism that consists of a small space with two interlocking
doors, that allows only one person to pass through at a time, and that can be controlled and
monitored by security personnel or devices. An important design feature for the outer door of a
mantrap is to allow it to be opened when the inner door of the mantrap is also open, as this can provide
an emergency exit in case of a fire, a power outage, or a medical situation. The outer door should not
be opened by an alarmed emergency button, as this can compromise the security of the mantrap
and allow unauthorized access. The outer door should not prevent anyone from entering it alone, as
this can defeat the purpose of the mantrap and create inconvenience for the users. The outer door
should not be hidden from closed-circuit television (CCTV) cameras, as this can reduce the visibility
and accountability of the mantrap and allow malicious or illegal activities to occur.

Question 7

Which of the following BEST describes the use of network architecture in reducing corporate risks
associated with mobile devices?

  • A. Maintaining a "closed applications" model on all mobile devices depends on demilitarized zone (DMZ) servers
  • B. Split tunneling enabled for mobile devices improves demilitarized zone (DMZ) security posture
  • C. Segmentation and demilitarized zone (DMZ) monitoring are implemented to secure a virtual private network (VPN) access for mobile devices
  • D. Applications that manage mobile devices are located in an Internet demilitarized zone (DMZ)
Answer:

C

Explanation:
Segmentation and demilitarized zone (DMZ) monitoring are network architecture techniques that
can reduce the corporate risks associated with mobile devices. Segmentation is the process of
dividing the network into smaller and isolated segments, based on the functions, roles, or security
levels of the devices or users. Segmentation can help to limit the access and the impact of mobile
devices on the network, as well as to prevent or contain the spread of attacks. DMZ monitoring is the
process of observing and analyzing the traffic and activities in the DMZ, which is a network segment
that separates the internal network from the external network, and hosts the services that are
accessible to both networks, such as web servers or email servers. DMZ monitoring can help to
detect and respond to any malicious or unauthorized actions that involve mobile devices that access
the network through a VPN, which is a secure and encrypted connection that extends the network
over a public network, such as the internet. Maintaining a closed applications model on all mobile
devices depends on demilitarized zone (DMZ) servers is not a valid statement, as a closed
applications model is a policy that restricts the installation and use of applications on mobile devices
to only those that are approved by the organization, and it does not depend on the DMZ servers.
Split tunneling enabled for mobile devices improves demilitarized zone (DMZ) security posture is not
a valid statement, as split tunneling is a feature that allows a VPN user to access both the internal
and the external network simultaneously, and it does not improve the DMZ security posture, but
rather increases the risk of exposing the internal network to external threats. Applications that
manage mobile devices are located in an Internet demilitarized zone (DMZ) is not a valid statement,
as applications that manage mobile devices, such as mobile device management (MDM) or
enterprise mobility management (EMM) applications, are usually located in the internal network,
and not in the internet DMZ, as they need to have full control and visibility over the mobile devices
and their data.

Question 8

When designing a Cyber-Physical System (CPS), which of the following should be a security
practitioner’s first consideration?

  • A. Resiliency of the system
  • B. Detection of sophisticated attackers
  • C. Risk assessment of the system
  • D. Topology of the network used for the system
Answer:

C

Explanation:
A Cyber-Physical System (CPS) is a system that integrates physical processes, computational
capabilities, and communication networks. A CPS can have various applications, such as smart grids,
autonomous vehicles, or industrial control systems. When designing a CPS, the first consideration for
a security practitioner should be the risk assessment of the system, which is the process of
identifying, analyzing, and evaluating the potential threats, vulnerabilities, and impacts that could
affect the system. A risk assessment can help to determine the security requirements, objectives,
and controls for the CPS, as well as the priorities and resources for the security implementation and
management. Resiliency, detection, and topology are all important aspects of CPS security, but they
are not the first consideration, as they depend on the outcome of the risk assessment.

Question 9

Information Security Continuous Monitoring (ISCM) is defined as maintaining ongoing awareness of
information security, vulnerabilities, and threats to support organizational risk management
decisions. Which of the following is the FIRST step in developing an ISCM strategy and implementing
an ISCM program?

  • A. Define a strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
  • B. Conduct a vulnerability assessment to discover current threats against the environment and incorporate them into the program.
  • C. Respond to findings with technical management, and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection.
  • D. Analyze the data collected and report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.
Answer:

A

Explanation:
The first step in developing an Information Security Continuous Monitoring (ISCM) strategy and
implementing an ISCM program is to define a strategy based on risk tolerance that maintains clear
visibility into assets, awareness of vulnerabilities, up-to-date threat information, and
mission/business impacts. An ISCM strategy is a document that outlines the goals, objectives, scope,
and approach of the ISCM program, which is a program that involves collecting, analyzing, and
reporting data on the performance and security of the information systems and networks. An ISCM
strategy should be aligned with the risk tolerance of the organization, which is the level of risk that
the organization is willing to accept or mitigate. An ISCM strategy should also maintain clear visibility
into the assets, which are the resources that support the organization’s mission and business
processes, such as hardware, software, data, or personnel. An ISCM strategy should also maintain
awareness of the vulnerabilities, which are the weaknesses or flaws that can be exploited by threats,
as well as the up-to-date threat information, which is the data or intelligence that indicates the
sources, methods, and intentions of the adversaries. An ISCM strategy should also consider the
mission/business impacts, which are the consequences or effects of the security events or incidents
on the organization’s operations, objectives, or reputation. The other steps in developing an ISCM
strategy and implementing an ISCM program are conducting a vulnerability assessment, analyzing
the data collected and reporting findings, and responding to findings with appropriate actions, but
these are not the first step.

Question 10

Which of the following is the FIRST requirement a data owner should consider before implementing
a data retention policy?

  • A. Training
  • B. Legal
  • C. Business
  • D. Storage
Answer:

B

Explanation:
The first requirement a data owner should consider before implementing a data retention policy is
the legal requirement. A data retention policy is a document that defines the rules and procedures
for retaining, storing, and disposing of data, based on its type, value, and purpose. A data owner is a
person or an entity that has the authority and responsibility for the creation, classification, and
management of data. A data owner should consider the legal requirement before implementing a
data retention policy, as there may be laws, regulations, or contracts that mandate the minimum or
maximum retention periods for certain types of data, as well as the methods and standards for data
preservation and destruction. A data owner should also consider the business, storage, and training
requirements for implementing a data retention policy, but these are not the first or the most
important factors to consider.

Question 11

What is the MAIN purpose of conducting a business impact analysis (BIA)?

  • A. To determine the critical resources required to recover from an incident within a specified time period
  • B. To determine the effect of mission-critical information system failures on core business processes
  • C. To determine the cost for restoration of damaged information system
  • D. To determine the controls required to return to business critical operations
Answer:

B

Explanation:
The main purpose of conducting a business impact analysis (BIA) is to determine the effect of
mission-critical information system failures on core business processes. A BIA is a process that
identifies and evaluates the critical business functions and their dependencies, and determines the
impact of a disruption on them. A BIA helps to quantify the potential loss of revenue, reputation,
productivity, or customer satisfaction due to an information system failure, as well as the recovery
time and resources needed to resume the normal operations. A BIA does not determine the critical
resources required to recover from an incident, as this is the role of a disaster recovery plan or a
business continuity plan. A BIA does not determine the cost for restoration of damaged information
system, as this is the role of a risk analysis or a cost-benefit analysis. A BIA does not determine the
controls required to return to business critical operations, as this is the role of a contingency plan or
a crisis management plan.

Question 12

What is the MAIN purpose of a security assessment plan?

  • A. Provide guidance on security requirements, to ensure the identified security risks are properly addressed based on the recommendation
  • B. Provide the objectives for the security and privacy control assessments and a detailed roadmap of how to conduct such assessments.
  • C. Provide technical information to executives to help them understand information security postures and secure funding.
  • D. Provide education to employees on security and privacy, to ensure their awareness on policies and procedures
Answer:

B

Explanation:
The main purpose of a security assessment plan is to provide the objectives for the security and
privacy control assessments and a detailed roadmap of how to conduct such assessments. A security
assessment plan defines the scope, criteria, methods, roles, and responsibilities of the security
assessment process, which is the process of evaluating and testing the effectiveness and compliance
of the security and privacy controls implemented in an information system. A security assessment
plan helps to ensure that the security assessment process is consistent, systematic, and
comprehensive. A security assessment plan does not provide guidance on security requirements, as
this is the role of a security requirements analysis or a security architecture design. A security
assessment plan does not provide technical information to executives, as this is the role of a security
report or a security briefing. A security assessment plan does not provide education to employees, as
this is the role of a security awareness or a security training program.

Question 13

What are the first two components of logical access control?

  • A. Confidentiality and authentication
  • B. Authentication and identification
  • C. Identification and confidentiality
  • D. Authentication and availability
Answer:

B

Explanation:
Authentication and identification are the first two components of logical access control, which is the
process of granting or denying access to resources based on the identity and credentials of a user or
a device. Identification is the process of verifying the identity of a user or a device, such as by using a
username, an email address, or a certificate. Authentication is the process of verifying the validity of
the credentials of a user or a device, such as by using a password, a token, or a biometric factor.
Confidentiality and availability are not components of logical access control, but rather properties or
objectives of information security. Confidentiality is the property of preventing unauthorized
disclosure of information, while availability is the property of ensuring timely and reliable access to
information.

Question 14

If traveling abroad and a customs official demands to examine a personal computer, which of the
following should be assumed?

  • A. The hard drive has been stolen.
  • B. The Internet Protocol (IP) address has been copied.
  • C. The hard drive has been copied.
  • D. The Media Access Control (MAC) address was stolen.
Answer:

C

Explanation:
If traveling abroad and a customs official demands to examine a personal computer, the most
reasonable assumption is that the hard drive has been copied. The hard drive is the component of
the computer that stores the data and the operating system, and it can be easily copied or cloned by
using a device or a software. The customs official may copy the hard drive to inspect its contents, to
search for illegal or suspicious data, or to obtain sensitive or valuable data. The hard drive may not be
stolen, as the customs official may return the computer to the owner after the examination. The
Internet Protocol (IP) address may not be copied, as the IP address is not a fixed or permanent
attribute of the computer, but rather a dynamic and temporary identifier that is assigned by the
network. The Media Access Control (MAC) address may not be stolen, as the MAC address is a
unique and permanent identifier that is embedded in the network interface card (NIC) of the
computer, and it cannot be easily changed or modified.

Question 15

Spyware is BEST described as

  • A. data mining for advertising.
  • B. a form of cyber-terrorism.
  • C. an information gathering technique.
  • D. a web-based attack.
Answer:

A

Explanation:
Spyware is a type of malicious software that covertly collects and transmits information about the
user’s activities, preferences, or behavior, without the user’s knowledge or consent. Spyware is best
described as data mining for advertising, as the main purpose of spyware is to gather data that can
be used for targeted marketing or advertising campaigns. Spyware can also compromise the security
and privacy of the user, as it can expose sensitive or personal data, consume network bandwidth, or
degrade system performance. Spyware is not a form of cyber-terrorism, as it does not intend to
cause physical harm, violence, or fear. Spyware is not an information gathering technique, as it is not
a legitimate or ethical method of obtaining data. Spyware is not a web-based attack, as it does not
exploit the vulnerabilities of the web applications or protocols, but rather the vulnerabilities of the
user’s system or browser.