CISSP – MCQ – Security Management Practices - Tech Hyme (2022)

This article offers a solid foundation for the Certified Information Systems Security Professional (CISSP) exam and is designed for readers and students preparing for the certification.

The CISSP exam is governed by the International Information Systems Security Certification Consortium, Inc. (ISC)2 organization.

  1. CISSP – MCQ – Security Management Practices
  2. CISSP – MCQ – Access Control Systems
  3. CISSP – MCQ – Telecommunications and Network Security
  4. CISSP – MCQ – Cryptography
  5. CISSP – MCQ – Security Architecture and models
  6. CISSP – MCQ – Operations Security
  7. CISSP – MCQ – Applications and Systems Development
  8. CISSP – MCQ – Business Continuity Planning and Disaster Recovery Planning
  9. CISSP – MCQ – Law, Investigation and Ethics
  10. CISSP – MCQ – Physical Security
  11. CISSP – MCQ – Systems Security Engineering
  12. CISSP – MCQ – Certification and Accreditation
  13. CISSP – MCQ – Technical Management
  14. CISSP – MCQ – U.S. Government Information Assurance (IA) Regulations

(ISC)2 is a global not-for-profit organization. It has four primary mission goals:

  • Maintain the Common Body of Knowledge for the field of information systems security
  • Provide certification for information systems security professionals and practitioners
  • Conduct certification training and administer the certification exams
  • Oversee the ongoing accreditation of qualified certification candidates through continued education

In this article, all the questions are related to “Security Management Practices” and are as follows:

1) Which choice below is an incorrect description of a control?

  • Detective controls discover attacks and trigger preventative or correcting controls.
  • Corrective controls reduce the likelihood of a deliberate attack.
  • Corrective controls reduce the effect of an attack.
  • Controls are the countermeasures for vulnerabilities.

2) Which statement below is accurate about the reasons to implement a layered security architecture?

  • A layered security approach is not necessary when using COTS products.
  • A good packet-filtering router will eliminate the need to implement a layered security architecture.
  • A layered security approach is intended to increase the work-factor for an attacker.
  • A layered approach doesn’t really improve the security posture of the organization.

3) Which choice below represents an application or system demonstrating a need for a high level of confidentiality protection and controls?

  • Unavailability of the system could result in inability to meet payroll obligations and could cause work stoppage and failure of user organizations to meet critical mission requirements. The system requires 24-hour access.
  • The application contains proprietary business information and other financial information, which if disclosed to unauthorized sources, could cause an unfair advantage for vendors, contractors, or individuals and could result in financial loss or adverse legal action to user organizations.
  • Destruction of the information would require significant expenditures of time and effort to replace. Although corrupted information would present an inconvenience to the staff, most information, and all vital information, is backed up by either paper documentation or on disk.
  • The mission of this system is to produce local weather forecast information that is made available to the news media forecasters and the general public at all times. None of the information requires protection against disclosure.

4) Which choice below is NOT a concern of policy development at the high level?

  • Identifying the key business resources
  • Identifying the type of firewalls to be used for perimeter security
  • Defining roles in the organization
  • Determining the capability and functionality of each role

5) Which choice below is NOT an accurate statement about the visibility of IT security policy?

  • The IT security policy should not be afforded high visibility.
  • The IT security policy could be visible through panel discussions with guest speakers.
  • The IT security policy should be afforded high visibility.
  • The IT security policy should be included as a regular topic at staff meetings at all levels of the organization.

6) Which statement below is NOT accurate regarding the process of risk assessment?

  • The likelihood of a threat must be determined as an element of the risk assessment.
  • The level of impact of a threat must be determined as an element of the risk assessment.
  • Risk assessment is the first process in the risk management methodology.
  • Risk assessment is the final result of the risk management methodology.

7) Which choice below would NOT be considered an element of proper user account management?

  • Users should never be rotated out of their current duties.
  • The user’s accounts should be reviewed periodically.
  • A process for tracking access authorizations should be implemented.
  • Periodically re-screen personnel in sensitive positions.

8) Which choice below is NOT one of NIST’s 33 IT security principles?

  • Implement least privilege.
  • Assume that external systems are insecure.
  • Totally eliminate any level of risk.
  • Minimize the system elements to be trusted.

9) How often should an independent review of the security controls be performed, according to OMB Circular A-130?

  • Every year
  • Every three years
  • Every five years
  • Never

10) Which choice below BEST describes the difference between the System Owner and the Information Owner?

  • There is a one-to-one relationship between system owners and information owners.
  • One system could have multiple information owners.
  • The Information Owner is responsible for defining the system’s operating parameters.
  • The System Owner is responsible for establishing the rules for appropriate use of the information.

11) Which choice below is NOT a generally accepted benefit of security awareness, training, and education?

  • A security awareness program can help operators understand the value of the information.
  • A security education program can help system administrators recognize unauthorized intrusion attempts.
  • A security awareness and training program will help prevent natural disasters from occurring.
  • A security awareness and training program can help an organization reduce the number and severity of errors and omissions.

12) Who has the final responsibility for the preservation of the organization’s information?

  • Technology providers
  • Senior management
  • Users
  • Application owners

13) Which choice below is NOT an example of an issue-specific policy?

  • Email privacy policy
  • Virus-checking disk policy
  • Defined router ACLs
  • Unfriendly employee termination policy

14) Which statement below is NOT true about security awareness, training, and educational programs?

  • Awareness and training help users become more accountable for their actions.
  • Security education assists management in determining who should be promoted.
  • Security improves the users’ awareness of the need to protect information resources.
  • Security education assists management in developing the in-house expertise to manage security programs.

15) Which choice below is an accurate statement about standards?

  • Standards are the high-level statements made by senior management in support of information systems security.
  • Standards are the first element created in an effective security policy program.
  • Standards are used to describe how policies will be implemented within an organization.
  • Standards are senior management’s directives to create a computer security program.

16) Which choice below is a role of the Information Systems Security Officer (ISO)?

  • The ISO establishes the overall goals of the organization’s computer security program.
  • The ISO is responsible for day-to-day security administration.
  • The ISO is responsible for examining systems to see whether they are meeting stated security requirements.
  • The ISO is responsible for following security procedures and reporting security problems.

17) Which statement below is NOT correct about safeguard selection in the risk analysis process?

  • Maintenance costs need to be included in determining the total cost of the safeguard.
  • The best possible safeguard should always be implemented, regardless of cost.
  • The most commonly considered criterion is the cost effectiveness of the safeguard.
  • Many elements need to be considered in determining the total cost of the safeguard.

18) Which choice below is usually the primary criterion used to determine the classification of an information object?

  • Value
  • Useful life
  • Age
  • Personal association

19) What are high-level policies?

  • They are recommendations for procedural controls.
  • They are the instructions on how to perform a Quantitative Risk Analysis.
  • They are statements that indicate a senior management’s intention to support InfoSec.
  • They are step-by-step procedures to implement a safeguard.

20) Which policy type is MOST likely to contain mandatory or compulsory standards?

  • Guidelines
  • Advisory
  • Regulatory
  • Informative

21) What does an Exposure Factor (EF) describe?

  • A dollar figure that is assigned to a single event
  • A number that represents the estimated frequency of the occurrence of an expected threat
  • The percentage of loss that a realized threat event would have on a specific asset
  • The annual expected financial loss to an organization from a threat

22) What is the MOST accurate definition of a safeguard?

  • A guideline for policy recommendations
  • A step-by-step instructional procedure
  • A control designed to counteract a threat
  • A control designed to counteract an asset

23) Which choice MOST accurately describes the differences between standards, guidelines, and procedures?

  • Standards are recommended policies, whereas guidelines are mandatory policies.
  • Procedures are step-by-step recommendations for complying with mandatory guidelines.
  • Procedures are the general recommendations for compliance with mandatory guidelines.
  • Procedures are step-by-step instructions for compliance with mandatory standards.

24) What are the detailed instructions on how to perform or implement a control called?

  • Procedures
  • Policies
  • Guidelines
  • Standards

25) How is an SLE derived?

  • (Cost-benefit) * (% of Asset Value)
  • AV * EF
  • ARO * EF
  • % of AV – implementation cost

26) What is a noncompulsory recommendation on how to achieve compliance with published standards called?

  • Procedures
  • Policies
  • Guidelines
  • Standards

27) Which group represents the MOST likely source of an asset loss through inappropriate computer use?

  • Crackers
  • Hackers
  • Employees
  • Saboteurs

28) Which choice MOST accurately describes the difference between the role of a data owner versus the role of a data custodian?

  • The custodian implements the information classification scheme after the initial assignment by the owner.
  • The data owner implements the information classification scheme after the initial assignment by the custodian.
  • The custodian makes the initial information classification assignments, whereas the operations manager implements the scheme.
  • The custodian implements the information classification scheme after the initial assignment by the operations manager.

29) What is an ARO?

  • A dollar figure assigned to a single event
  • The annual expected financial loss to an organization from a threat
  • A number that represents the estimated frequency of an occurrence of an expected threat
  • The percentage of loss that a realized threat event would have on a specific asset

30) Which formula accurately represents an Annualized Loss Expectancy (ALE) calculation?

  • SLE * ARO
  • Asset Value (AV) * EF
  • ARO * EF – SLE
  • % of ARO * AV

Article information

Author: Greg O'Connell

Last Updated: 12/01/2022
