Certified Information Systems Security Professional (CISSP) Notes.docx
What is the ISC2 Code of Ethics Preamble? - answer - The safety and welfare of society and the common good, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
What is Non-Repudiation? - answer - The inability of a party to deny having participated in a digital transaction, contract, or communication; typically provided by digital signatures (for example, signed e-mail with S/MIME).
What is Least Privilege? - answer - An aspect of AAA and IAM where a subject holds just the level and amount of permissions and rights needed to perform its job role or responsibility, and nothing more.
What are some elements of Defense in Depth (DiD)? - answer - Also referred to as "Layered Defense".
Which term describes a policy in which traffic is not allowed to flow from the ingress interface to the egress interface in the event of a component failure of a firewall? - answer Fail closed
Which security principle is often implemented by using advanced verification in the form of more stringent multi-factors such as biometric authentication?
In an information security policy lifecycle, which of these critical success factors means the policy can accommodate change and be adapted if necessary? - answer Flexible
What is an inventory strategy used to increase efficiency and decrease waste by acquiring goods only as needed in the production process? - answer JIT
Which data state is the least mature and most difficult to protect due to overhead from encryption/decryption? - answer Data in use
You have restricted subjects and objects based on a mandatory access control model. What attribute have you used to establish an asset classification level? - answer Sensitivity label
What asset and data role is the keeper of the object from a technical perspective so that CIA is maintained? - answer Custodian
Which phase of the data lifecycle is concerned with the residual risk from data, metadata, and artifacts that are left over after a software deletion process? - answer Remanence
What is the best and most common destruction technique for microfilm (microfiche), laser discs, and document imaging applications? - answer Pulverizing
What system plays a critical role in several IT management initiatives such as IT Service Management (ITSM) and IT Asset Management (ITAM) by storing metadata and modifications to items? - answer CMDB
You have configured a network access control list to protect traffic coming into your virtual network at a popular cloud provider. Which type of control is this? - answer Technical
What is the standardized language developed by MITRE (in a collaborative way) to represent structured information about cyber threats? - answer STIX
At what defense-in-depth layer would you deploy data loss prevention, HIPS, and patch management? - answer Endpoint security
In which phase of the data lifecycle would you apply the Do and Check activities of the PDCA model? - answer Information
What is a set of services and tools that allows organizations to simplify security operations in threat management, incident response, and security operations automation? - answer SOAR
Your company's facility is built in a 100-year flood zone, so your executive management decides not to get flood insurance. What type of risk treatment is this? - answer Acceptance
Your SOC needs a risk management tool to use for a security audit. What is a unique, open-source threat modeling method focused on enhancing the security auditing process from a cyber risk management perspective? - answer TRIKE
Which security framework offers the Cloud Controls Matrix to ensure handling of requirements stemming from new technologies and controls? - answer CSA
Which formal system evaluation methodology is performed with a full Security Test and Evaluation (ST&E) as part of an official security authorization? - answer SCA
What security management model is needed due to the many risks that exist because vendors' employees can introduce cybersecurity vulnerabilities with hardware, software, and services? - answer SCRM
Which model handles the access decisions of subjects based on organization charts, responsibilities, or geographic location? - answer Role-based
What access control model seeks to imitate real-world decision making while also considering operational needs and vulnerability with every access control decision? - answer Risk-based
What access model uses integrity verification procedures that run periodically to check the consistency of the integrity rules in the system? - answer Clark-Wilson
In which access model is the owner of an object most likely to have some control over permissions and sharing? - answer Discretionary
Which of these MAC models is a confidentiality model? - answer Bell-LaPadula
Which form of access model is often used with infrastructure ACLs on routers and firewall devices? - answer Rule-based
Which of these security measures are used to specifically control physical access? - answer Fire suppression, Signage, Bollards, & Safes
What is another term for a Type 1 hypervisor? - answer Native
What access model would you choose if you wanted to make decisions based on weighing rules against the characteristics of the subject's actions and the request environment? - answer Attribute-based
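The access models in the cards above are easiest to tell apart by watching what each one actually consults when it makes a decision. The following is an added example, not part of the original notes: a small policy engine in Python in which the Bell-LaPadula decision depends only on sensitivity labels, the discretionary decision on an owner-maintained ACL, the rule-based decision on an ordered firewall-style rule list with an implicit deny, and the attribute-based decision on subject, object and environment attributes together. All subjects, resources, rules and request contexts are constructed sample data, and the ABAC policy is an assumed one written for illustration.

```python
"""Added example (not from the notes): a small policy engine contrasting the access models
named above. Subjects, resources, rules and request contexts are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field

# Ordered sensitivity labels used by the mandatory (Bell-LaPadula) model.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str
    department: str = ""


@dataclass
class Resource:
    name: str
    classification: str
    owner: str
    department: str = ""
    # DAC: permissions the owner chose to share, subject name -> set of operations
    acl: dict = field(default_factory=dict)


def blp_allows(subject: Subject, obj: Resource, op: str) -> bool:
    """Bell-LaPadula (confidentiality): simple security property = no read up,
    *-property = no write down. Only the labels drive the decision."""
    s, o = LEVELS[subject.clearance], LEVELS[obj.classification]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def dac_allows(subject: Subject, obj: Resource, op: str) -> bool:
    """Discretionary: the owner has full control and may grant others whatever it likes."""
    if subject.name == obj.owner:
        return True
    return op in obj.acl.get(subject.name, set())


def rule_allows(rules, src_ip: str, port: int) -> bool:
    """Rule-based, in the style of a router/firewall ACL: rules are (network, port, verdict),
    the first matching rule wins, and traffic matching no rule hits the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for network, rule_port, verdict in rules:
        if ip in ipaddress.ip_network(network) and rule_port in (port, "any"):
            return verdict
    return False  # implicit deny at the end of the list (fail closed)


def abac_allows(subject: Subject, obj: Resource, env: dict, op: str) -> bool:
    """Attribute-based: weigh subject, object, action and environment attributes together.
    Assumed policy: staff may read their own department's records during business hours
    from a managed device; no writes are granted through this path."""
    if op != "read":
        return False
    return (subject.department == obj.department
            and 8 <= env.get("hour", -1) < 18
            and bool(env.get("managed_device", False)))


if __name__ == "__main__":
    alice = Subject("alice", "Secret", "finance")
    memo = Resource("memo", "Confidential", "bob", "finance", acl={"alice": {"read"}})
    plan = Resource("plan", "Top Secret", "carol", "ops")
    print("MAC  alice reads memo:", blp_allows(alice, memo, "read"))   # True (read down)
    print("MAC  alice reads plan:", blp_allows(alice, plan, "read"))   # False (no read up)
    print("MAC  alice writes memo:", blp_allows(alice, memo, "write")) # False (no write down)
    print("DAC  alice writes memo:", dac_allows(alice, memo, "write")) # False (owner granted read only)
    acl = [("10.0.0.0/8", 22, True), ("0.0.0.0/0", 22, False), ("0.0.0.0/0", 443, True)]
    print("Rule 203.0.113.7:22 ->", rule_allows(acl, "203.0.113.7", 22))  # False
    print("ABAC alice reads memo at 10:00 ->",
          abac_allows(alice, memo, {"hour": 10, "managed_device": True}, "read"))  # True
```

Note that the same request (alice reading the memo) is allowed by the MAC check, allowed by the DAC check and allowed by ABAC only while the environment attributes hold; a real system layers these, so a request must pass every model that applies to it.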
Which type of organization is structured around traditional roles and departments such as Human Resources, IT, Sales, Marketing, and Finance? - answer Functional
Which IdM process involves collecting attributes or digital documents to support a claim of identification for a specific subject to validate the veracity of the claim? - answer Proofing
When provisioning resources using an identity management system, which component offers an accepted origination point or "system of record" for user identity data attributes? - answer Authorized sources
Which of these are common activities of auditing account access? - answer Confirming the deployment of SSO best practices, Reviewing when a user's job requires new access, Assuring the proper removal of terminated users, & Confirming that roles are modified when a user changes jobs
Which authentication and authorization protocol is used with IEEE 802.1X? - answer RADIUS
Which type of SSO attack would involve secret cooperation between a principal and a service provider system to launch an attack? - answer Collusion attack
Which is a basic and common identity layer on top of the OAuth 2.0 protocol? - answer OpenID Connect (OIDC)
Which of these are valid reasons why a distributed system needs more security measures than a centralized system? - answer Often many users, Distributed control, Multiple sites, & Differentiated data
Which is a distributed computing standard that brings compute services and data storage close to the site, commonly used in content delivery networking (CDN)? - answer Edge computing
Which of these is a serious threat where a process running in the guest VM interacts directly with the host OS? - answer VM escape
Which of these are specific physical security best practices for distribution frames and wiring closets? - answer No window access or use security windows with wire mesh, Use hardened management stations and environmental controls, Lock all doors to server rooms and frame rooms, & Cameras can be used along with other types of sensors and access alarms
Which NIST special publication has guidelines for media sanitization? - answer 800-
What are strategically placed physical controls meant to prohibit vehicles from entering certain areas, as well as in parking lots or along sidewalks to guide pedestrian traffic? - answer Bollards
On the CISSP exam, what category of control is physical security? - answer Operational
What is an intentional or unintentional sag, slump, or drop in electrical voltage? - answer Brownout
What type of lighting, although slow to turn on, is a preferred outdoor security lighting? - answer Mercury vapor
What are the recommended temperature and humidity, respectively, for a data center or server room, with temperature expressed in Fahrenheit? - answer 72 to 76 degrees and 40 to 60%
What are enclosures that block electromagnetic fields emanating from Electromagnetic Interference (EMI), Carrington events, solar flares, and Electromagnetic Pulses (EMP)? - answer Faraday cage
What class of fire extinguisher is for electrical equipment and wires, using inert gas, dry powders, powdered aerosols, foam, or carbon dioxide? - answer Class C
What term describes the physical separation of the control network and the other networks? - answer Airgap
Which service decouples the physical hardware from the network map in order to support virtualization and allow the data center network to be deployed programmatically? - answer VXLAN
Which infrastructure devices have session-level access control for management protocols and Management Frame Protection features? - answer Wireless LAN controllers
Which AWS CDN feature controls who can download content directly from a CloudFront distribution? - answer Private Content Feature