
CISSP Practice Exam Information Security & Risk Management: Answers

1. Which of the following is not an example of a security control that ensures
confidentiality?
C: Restricting changes is an integrity-protecting security mechanism.

2. Who is ultimately responsible and liable if the security perimeter of an
organization is violated by an intruder and asset losses occur?
A: Senior management is ultimately responsible and liable if the security
perimeter of an organization is violated by an intruder and asset losses
occur. Senior management is responsible for all aspects of security and
is the primary decision maker. However, in most cases the
implementation of security is delegated to lower levels of the authority
hierarchy, such as the network or system administrators.

3. Which of the following is not an example of a technical or logical security
control?
B: Personnel screening is an administrative security control. There are three
types of security controls: administrative, physical, and logical or
technical.

4. Which of the following is an administrative security control?
A: Personnel screening is an administrative security control.

5. Which of the following is a technical security control?
B: Security devices are technical security controls.

6. Which of the following is a physical security control?
D: Environmental controls are physical security controls.

7. Which of the following is the best personnel arrangement for the design and
management of security for an organization?
B: The best personnel arrangement for the design and management of
security for an organization is a team of internal security professionals.

8. Which of the following is not a role or responsibility of the Security
Administration team or group within an organization?
D: Approving the security policy is the responsibility of senior
management, not that of the Security Administration team or group
within an organization.

9. Who is ultimately responsible for negligence in protecting the assets of an
organization?
A: Senior management is ultimately responsible for implementing prudent
due care and is liable for negligence in protecting the assets of an
organization.

10. Which of the following is not one of the three security control types that a
security administrator can employ to manage and impose security?
C: Administrative, technical, and physical are the three security control
types that a security administrator can employ to manage and impose
security.

11. Which of the following is not an element in the CIA triad?
C: Confidentiality, integrity, and availability are the elements of the CIA
triad.

12. Which of the following is a valid definition for confidentiality?
A: Confidentiality can be defined by "Unauthorized disclosure is
prevented."

13. Which of the following is not a task assigned to a data owner?
D: Implementing security controls is the responsibility of the security
administration team or data custodians, not senior management.

14. A security administrator may employ all but which of the following types of
controls to implement a security solution?
A: Executive is not a valid type of security control. The three valid types of
security control are administrative, technical (or logical), and physical.

15. Which of the following is an example of an administrative security control?
B: Policies are an example of an administrative security control.

16. Which of the following is not an example of an administrative security
control?
C: Identification is an example of a logical/technical security control.

17. Which of the following is not one of the fundamental principles of security
included in the CIA triad?
C: While accountability is an important part of IT security, it is not one of
the three fundamental principles of security included in the CIA triad,
which includes Confidentiality, Integrity and Availability.

18. The ability of a computer system to provide adequate capacity for predictable
performance represents which of the fundamental security principles of the
CIA triad?
D: The ability of a computer system to provide adequate capacity for
predictable performance is an example of Availability.

19. Which of the following is not an example of a physical security control?
C: Biometric authentication is an example of a technical/logical security
control.

20. Which of the following is not an example of a valid activity of security
management?
D: It is not a good security management practice to implement a new security
control, especially in a mission-critical environment, before that control
has been thoroughly tested.

21. Which of the following is an example of a technical security control?
D: Encryption is an example of a technical/logical security control.

22. Which of the following is not an example of a technical security control?
A: Fire detection and suppression is an example of a physical security
control.

23. Which of the following is an example of a physical security control?
B: CCTV is an example of a physical security control.

24. Which of the following is an example of a security control that focuses on
maintaining availability?
B: Quick recovery from faults is an example of a security control that
focuses on maintaining availability.

25. Which of the following is not an example of a security control that focuses on
maintaining availability?
C: Implementing need-to-know access controls is an example of a security
control that focuses on maintaining confidentiality.

26. What is a vulnerability?
D: A vulnerability is the absence or weakness of a safeguard that could be
exploited.

27. Which of the following is not an example of a security control that focuses on
maintaining confidentiality?
C: Change restrictions are an example of a security control that focuses on
maintaining integrity.

28. Which of the following is an example of a security control that focuses on
maintaining integrity?
D: Encryption of data in transit is an example of a security control that
focuses on maintaining integrity.

29. Which of the following is not an example of a security control that focuses on
maintaining integrity?
A: Network monitoring is an example of a security control that focuses on
maintaining availability.

30. For a security policy to be effective and comprehensive, it must thoroughly
address the three fundamental principles of security, which are?
A: The three fundamental principles of security are Confidentiality,
Integrity, and Availability.

31. Which of the following is an example of a security control that focuses on
maintaining confidentiality?
B: Network traffic padding is an example of a security control that focuses
on maintaining confidentiality.

32. Which of the following is not an example of a risk?
A: Failing to review audit logs is not a risk, but it does show a lack of
compliance with a realistic security policy. Audit logs will often reveal
when a risk has become an actual intrusion or attack.

33. Which of the following is not a method by which risk is reduced or
eliminated?
B: Waiting is not a valid response to risk, and waiting will not reduce risk.

34. An instance of being exposed to losses from a threat is known as?
C: Exposure is an instance of being exposed to losses from a threat.

35. Which of the following is not an example of a vulnerability?
A: Assigning all users access based on job descriptions is a valid form of
security control; however, it is not an example of a vulnerability.

36. Which of the following is an example of a vulnerability?
B: Failing to enforce the password policy is an example of a vulnerability.

37. Which of the following is not an example of a threat?
C: A biometric device failing to authenticate a valid user is a False
Rejection (Type I) error, but it is not a threat.

38. Which of the following is an example of a threat?
D: A user destroying confidential data is an example of a threat.

39. Which of the following is not true regarding an operational security plan?
A: A system specific plan includes an approved software list.

40. The purpose of a safeguard is to?
D: A safeguard's purpose is to reduce or remove a vulnerability.

41. Which of the following is not an example of a safeguard?
A: Relaxing the filters on a firewall is the removal of a safeguard.

42. The top down approach to security management provides for all but which of
the following?
B: The top down approach to security management does not provide for the
assignment of responsibility to down-level administrators. Senior
management is always ultimately responsible for the success or failure
of the security policy and resulting security solution.

43. Which of the following is not an example of a risk?
C: Replacing human security guards with dogs is a change in a security
access control; it is not an example of a risk.

44. Risk is the ______________ of something happening that will damage assets.
D: Risk is the possibility of something happening that will damage assets.

45. When will risk be totally eliminated?
A: Risk will be totally eliminated only when the organization ceases to
exist.

46. Which of the following represent the primary security factors that a private
sector organization is concerned about?
B: Private sector organizations are primarily concerned about data
availability and integrity.

47. The most important aspect of security to military organizations is?
C: Confidentiality is the most important aspect of security to military
organizations.

48. What is the primary goal of risk management?
D: The primary goal of risk management is to reduce risk to an acceptable
level.

49. An effective safeguard, when evaluated via risk analysis, should?
A: From a risk analysis perspective, an effective safeguard should cost less
than the cost of the loss due to the risk.

50. All but which of the following apply to senior management in relation to risk
analysis?
B: The Risk Assessment Team should be composed of representatives
from most or all departments, not necessarily senior management.

51. The first step in risk analysis is?
C: Asset valuation is the first step in risk analysis. If assets have no value,
there is no need to protect them.

52. Risk management attempts to reduce risk to an acceptable level by performing
all but which of the following activities?
A: Tracking down intruders for prosecution is not a function or element of
risk management; it is possibly a factor in intrusion detection.

53. Which of the following is not an example of a risk?
B: Blocking ports is a safeguard, not a risk.

54. The value of an asset helps to determine?
D: The value of an asset helps to determine the relative strength and cost of
the safeguard selected to protect it.

55. Which of the following is not considered an element in determining the cost of
an asset?
A: The cost to train personnel to use an asset is not as relevant as the costs
to develop, acquire, and maintain the asset when determining the cost of
an asset. Training costs are often difficult to quantify, since training on
any specific asset is typically grouped with training regarding overall IT
interaction. While this answer is technically correct, it is the least
correct answer of those offered.

56. Which of the following is not considered an element in determining the cost of
an asset?
B: The cost of backward engineering is the competitor's cost, not the
organization's.

57. The purpose of risk management is?
B: The purpose of risk management is risk mitigation. However, even in the
most successful implementation, there is always some level of risk.

58. Risk analysis is used to determine whether safeguards are all but which of the
following?
C: No safeguard is exhaustive of all risks.

59. The objectives of risk analysis include all but which of the following?
D: Risk analysis is used to compare safeguards, but it does not select the
countermeasure to implement. Countermeasure Selection is left to the
decision makers, i.e. senior management or their delegated
administrators.

60. An exposure factor is?
C: An exposure factor is the percentage of loss that a realized threat event
would cause against a specific asset.

61. The annualized loss expectancy can be calculated using which of the following
equations?
D: The annualized loss expectancy can be calculated using asset value x
exposure factor x annualized rate of occurrence. It can also be
calculated using single loss expectancy x annualized rate of occurrence.

62. Which of the following is not considered an element in determining the cost of
an asset?
C: The file formats used by the asset are typically not an element in
determining the cost of an asset.

63. Determining the value of an asset can be useful in all but which of the
following requirements or activities?
B: Asset valuation is useful in assigning classifications, in cost/benefit
analysis to determine which safeguards to select, and in deciding how
much insurance to obtain to cover a particular asset. Risk from a threat
would not be determined by asset value.

64. A quantitative risk analysis approach employs which of the following?
A: A quantitative risk analysis approach employs specific dollar values
assigned to each risk.

65. Which of the following is not true?
B: A purely quantitative risk analysis is not possible, since it is not possible
to quantify all qualitative items.

66. What form of qualitative risk analysis employs a group of people who reach a
consensus through an anonymous means of voting and exchanging ideas?
A: The Delphi technique is a form of qualitative risk analysis that employs
a group of people who reach a consensus through an anonymous means
of voting and exchanging ideas.

67. Which of the following is not a method used in qualitative risk analysis?
B: Quantitative, not qualitative, risk analysis can be automated with
software.

68. The value of a safeguard to an organization can be calculated using a formula
which includes all but which of the following factors?
C: Residual risk is not used in the formula for calculating the value of a
safeguard; instead, it is the risk remaining after safeguards are
implemented.

69. What element in a formalized security infrastructure consists of documents
that are compulsory in nature?
C: Standards are primarily compulsory in nature.

70. Which of the following describes the practice of a formalized security
infrastructure?
D: Procedures detail step-by-step activities, not guidelines.

71. If _____________________________________, managers can be held liable
for negligence and held accountable for asset losses.
A: If a company does not practice due care and due diligence, managers can
be held liable for negligence and held accountable for asset losses.

72. Which of the following is not an accepted response to the results of risk
analysis?
B: Rejecting risk is not an accepted response to the results of risk analysis.

73. Which response to risk can be implemented by purchasing insurance against
loss?
C: Assigning risk can be implemented by purchasing insurance against loss.

74. Which of the following is not a valid example of assigning risk?
D: Delegating security policy implementation responsibilities is not a valid
example of assigning risk. Risk remains the responsibility of senior
management; it cannot be delegated.

75. What security mechanism is primarily responsible for implementing security
controls that protect data in the most cost-effective manner?
B: Data classification is the security mechanism that is primarily
responsible for implementing security controls that protect data in the
most cost-effective manner.

76. Which of the following is not one of the five standard data classifications used
by the military?
C: Private is a data classification used by the private sector (i.e. corporate
business), not the military.

77. What level of private sector data classification represents assets that if
disclosed will not cause an adverse impact?
D: The public data classification represents assets that if disclosed will not
cause an adverse impact.

78. What is the difference between total risk and residual risk?
D: Residual risk is what remains after the selected safeguards (the controls
gap) are applied. Residual risk = total risk - controls gap.

79. Acceptable risk is?
A: Acceptable risk is the amount of risk an organization is willing to
shoulder.

80. What form of security policy outlines the laws and industry restrictions placed
upon an organization?
B: Regulatory security policies outline the laws and industry restrictions
placed upon an organization.

81. A vulnerability is?
C: The absence of a safeguard is a vulnerability.

82. Which of the following is not a vulnerability?
D: Human error is a threat, not a vulnerability.

83. Which of the following is not a threat?
B: Not inspecting the fire suppression system is an exposure.

84. Which of the following is a valid definition for integrity?
B: Integrity can be defined by "Unauthorized modification is prevented."

85. Which of the following is a valid definition for availability?
C: Availability can be defined by "Resources are accessible at all times by
authorized users."

86. How can risk be reduced?
A: Removing the vulnerability or removing the threat agent will reduce risk.

87. Which of the following is not used to mitigate a potential risk?
C: Activity logging is not used to mitigate potential risk, at least not
directly.

88. Which of the following is the best definition for countermeasures and
safeguards?
D: Reduces the risk of a threat taking advantage of a vulnerability is the
best definition offered in this question for countermeasures and
safeguards.

89. Which of the following is a security control that ensures availability?
B: Blocking DoS attacks ensures availability.

90. Which of the following is typically not considered a countermeasure or
safeguard?
B: Punching through a firewall for VPN connections is not a safeguard or
countermeasure and may introduce new vulnerabilities.

91. Who within an organization is responsible for establishment of the foundations
of security as well as ongoing support and direction?
C: Upper or senior management is responsible for establishment of the
foundations of security as well as ongoing support and direction.

92. Who within an organization is responsible for the development and
management of standards, guidelines, and procedures?
B: Middle management is responsible for the development and
management of standards, guidelines, and procedures.

93. What aspect of an asset determines whether it should be protected and to what
extent that protection should extend?
C: The value of an asset determines its need for security.

94. Which of the following is typically not included in the valuation of an asset?
D: The cost to store and serve an asset is not included in the value
evaluation of an asset; that is considered a cost of the infrastructure.

95. What is the primary security purpose for mandatory week long minimum
yearly vacations?
D: Mandatory vacations are used to perform auditing.

96. Who is responsible for assigning data classifications?
B: The data owner is responsible for assigning data classification.

97. Which of the following is not a goal of risk analysis?
A: Expanding security awareness training is not a goal of risk analysis.

98. Guidelines serve all but which of the following purposes within an
organization's formalized security structure?
A: Guidelines do not serve as step-by-step implementation manuals.

99. A ________________ is a document that includes general statements about the
overall state of security for an organization. Senior management creates this
document.
D: A policy is a document that includes general statements about the
overall state of security for an organization. Senior management creates
this document.

100. All but which of the following are characteristics of an effective security
plan?
C: Implementing cost-effective safeguards is an aspect of a security plan,
but not all safeguards or security mechanisms are inexpensive. Cost
is not a characteristic of an effective security plan.

101. What is the formula used to derive annualized loss expectancy?
A: Asset Value x Exposure Factor x Annualized Rate of Occurrence, or
Single Loss Expectancy x Annualized Rate of Occurrence, is the formula
for the Annualized Loss Expectancy.

102. The security model employed by an organization depends upon their primary
needs. What is the primary need of a government or military organization?
D: Confidentiality is the primary need of government and military
organizations.

103. Baselines are used for all but which of the following within an organization's
formalized security structure.
D: Baselines are not used as operational guides.

104. Which element of a formalized security structure is positioned just above
actual implementation and which defines the steps or actions required to
deploy security in an organization?
B: A procedure is positioned just above actual implementation and defines
the steps or actions required to deploy security in an organization.

105. Which of the following statements is true?
C: A purely quantitative risk analysis cannot be performed since qualitative
aspects cannot be quantified.

106. The greatest number of threats to the assets of an organization come from
where?
A: The greatest number of threats to the assets of an organization come
from inside the organization (over 85%).

107. Which of the following is not a task that should be performed by the risk
assessment/risk analysis team?
C: Implementing an appropriate countermeasure is not a task of the risk
assessment team. They are only to provide a cost/benefit analysis of
countermeasures. It is the responsibility of management to select an
appropriate countermeasure based on the analysis and assign the
implementation procedure to the security management/administration
team.

108. Who is held liable for an organization's failure to perform due care and due
diligence?
C: Senior management is held liable for the failure to perform due care
and due diligence.

109. What is the cardinal rule of risk analysis?
D: The cardinal rule of risk analysis is that the annual cost of safeguards
should not exceed the possible annual cost of the loss of an asset.

110. Which of the following risk analysis approaches assigns real numbers to the
costs of asset loss and countermeasure implementation?
B: Quantitative analysis assigns real numbers to the costs of asset loss and
countermeasure implementation.

111. Which of the following military data classification levels is used to label
assets that may cause serious damage to national security if that asset was
disclosed?
B: Secret assets may cause serious damage to national security if that asset
is disclosed.

112. What security mechanism is often employed as the primary defense against
collusion?
A: Job rotation is the primary defense against collusion.

113. In the formula for calculating residual risk, what does the controls gap
element represent?
C: The controls gap represents countermeasures and safeguards.

114. Which of the following commercial business data classification levels
represents the most sensitive collection of assets?
A: The confidential classification represents the most sensitive collection of
assets.

115. Standards are used for what purpose in a formalized security structure?
C: Standards are used to establish uniformity across an organization.

116. Which qualitative analysis method is a group decision method that seeks a
consensus while retaining the anonymity of the participants?
A: Delphi Technique

117. All but which of the following statements are true in regards to security
awareness training?
B: Obtaining certifications is not a function of Security Awareness
Training.

118. What is the most important aspect of the exit interview for terminated
employees?
A: The most important aspect of the exit interview is to review
non-disclosure agreements.

119. Which of the following is not a reason, benefit, or requirement to perform
asset valuation?
A: Asset valuation does not typically improve asset hosting costs.

120. The risk assessment team should be comprised how?
B: The risk assessment team should include members from every
department or division. This often requires assigning or appointing team
membership rather than relying on volunteers.

121. Risk analysis is used to ensure all but which of the following?
C: No system is 100% risk free.

122. What is the weakest element in an organization's security?
D: People are the weakest element in an organization's security.

123. Which of the following is true?
D: No system can be 100% risk free.

124. The security model employed by an organization depends upon their primary
needs. What are the primary needs of a private sector business?
C: The primary needs of a private sector business are integrity and
availability.

125. Which of the four possible responses to the identification and cost/benefit
analysis of risk is considered an invalid response?
B: Reject is considered an invalid response.

126. Who is responsible for protecting the confidentiality, integrity, and
availability of data?
C: The data custodian is responsible for protecting the confidentiality,
integrity, and availability of data.

127. What type of policy is not enforceable?
A: Informative policies cannot be enforced.

128. Identification establishes _____________.
D: Accountability. Identification is a means to verify who you are. It
enables systems to trace activities to individual users that may be held
responsible for their actions.

129. Which of the following is not a type of risk?
B: Backup media verification is not a type of risk; rather, it is a safeguard to
ensure the viability of backup restorations.

130. How is the value of a safeguard determined?
B: (Annual Loss Expectancy before the safeguard) - (Annual Loss Expectancy
after the safeguard) - (cost of implementing the safeguard) is the method
used to calculate the value of a safeguard.

131. The percentage of loss of the value of an asset, which an organization would
incur if a threat event was realized, is known as?
D: The exposure factor is the percentage of loss of the value of an asset,
which an organization would incur if a threat event was realized.

132. In the realm of risk analysis, senior management is responsible for all but
which of the following?
A: The risk assessment team, not senior management, is responsible for
performing the cost/benefit analysis.

133. Job rotation as a security mechanism has shown itself effective against which
of the following?
C: Job rotation is directly effective against collusion.

134. The likelihood of a threat taking advantage of a vulnerability is known as?
A: Risk is the likelihood of a threat taking advantage of a vulnerability.

135. The security administration team should be responsible for all but which of
the following?
C: Approving the security policy is the responsibility of senior
management, not the security administration team.
