ISC CISSP Practice Questions

AcingExam

homeHome local_fire_departmentPopular Exams library_booksView All Exams mailContact

AcingExam

Precision in Certification. Momentum in Career.

Product

Home
View All Exams

Company

About Us
Privacy Policy
Terms of Service

Connect

public alternate_email share

System Status: Optimal

AcingExam

homeHome local_fire_departmentPopular Exams library_booksView All Exams mailContact

AcingExam

Precision in Certification. Momentum in Career.

Product

Home
View All Exams

Company

About Us
Privacy Policy
Terms of Service

Connect

public alternate_email share

System Status: Optimal

mail[email protected]

Trusted by 1.5M+ IT Professionals

AcingExam

homeHome local_fire_departmentPopular Exams library_booksView All Exams mailContact

Homechevron_rightISCchevron_rightCISSPchevron_rightPractice Questions

The latest changes and updates from the administration for this exam.

verified

Latest Update: Jun 13 2026

All questions are working fine.

All Questions (645)bookmarkBookmarked (0)

All645Show all accessible questions in this exam.Missed645Questions you haven't attempted yet.Incorrect0Questions you answered incorrectly on your last attempt.

Question 151

What is another term we could use for penetration testing?

Fracking.

Ethical hacking.

Gray hat hacking.

Black hat hacking.

check_circle

Correct AnswerB

Penetration Testing (Pen Testing), also called ethical hacking or white hat hacking. Test if the vulnerabilities are exploitable

Question 152

In the software capability maturity model, at which level are some processes "possibly repeatable with consistent results"?

Level 4.

Level 3.

Level 2.

Level 1.

check_circle

Correct AnswerC

Level 2: Repeatable This level of maturity that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

Question 153

You have been tasked with looking at PURELY physical security controls for a new implementation. Which of these would you consider using?

Regulations.

Dogs.

Biometric authentication.

Access lists.

check_circle

Correct AnswerB

Dogs are a physical security control. Access lists and biometrics are technical and regulations are administrative.

Question 154

Which of these is NOT a type of open-source software licensing?

BSD.

GNU.

Apache.

Oracle.

check_circle

Correct AnswerD

Open source software can be protected by a variety of licensing agreement. GNU (General Public License), BSD (Berkeley Software Distribution) and Apache are all examples of this.

Question 155

Which type of access control model would we use if confidentiality was the MOST important factor to us?

Discretionary Access Control (DAC)

Rule-Based Access Control (RUBAC)

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

check_circle

Correct AnswerC

MAC (Mandatory Access Control): Often used when Confidentiality is most important. Access to an object is determined by labels and clearance, this is often used in the military or in organizations where confidentiality is very important.

Question 156

We are using a hot site secondary data center as part of DR (Disaster Recovery) plan. What would we have at the hot site?

Internet, power, racks, but no servers or applications installed.

Internet, power, racks, servers, applications installed and real-time or near real-time copies of the data.

Internet, power, racks, servers and applications, but no backups.

Internet, power, racks, servers, but no applications installed.

check_circle

Correct AnswerB

Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems.

Still often a smaller but a full data center, with redundant UPS', HVACs, ISPs, generators.

We may have to manually fail traffic over, but a full switch can take an hour or less. Near or real-time copies of data.

Question 157

We use different risk analysis approaches and tools in our risk assessments. In which type of risk analysis would you see these terms? Exposure factor (EF), Asset Value (AV), and Annual Rate of Occurrence (ARO)?

Quantitative

Residual.

Quadratic.

Qualitative.

check_circle

Correct AnswerA

Quantitative Risk Analysis is where we put a number on the risk: how much does it cost per time? How often does it happen? Asset Value (AV) – How much is the asset worth? Exposure factor (EF) – Percentage of Asset Value lost? Annual Rate of Occurrence (ARO) – How often will this happen each year?

Question 158

When an attacker can guess a URL they don't know about, from another similar logical URL, what is that called?

Under protected API's

CSRF.

Unvalidated redirects.

Insecure direct object reference.

check_circle

Correct AnswerD

2013 A4 Insecure direct object reference. Users can access resources they shouldn't, by guessing the URL or path, often if it is logical. If you have access to a report names ending in financials_may2017.pdf on your organization's network, you can try guessing other file names you should not have access to financials_August.pdf or financials_2017.pdf Mitigated by proper access control, using non-sequential names or monitoring file usage.

Question 159

We need to get rid of some old hard drives, and we need to ensure proper data disposal and no data remanence. Which of these options has NO known tools that can restore the data once that specific disposal process has been used?

Overwriting.

Formatting the hard drive.

Installing a new OS over the old one.

Deleting files.

check_circle

Correct AnswerA

We can still recover files from deleted, formatted or reinstalled drives.

Overwriting is done by writing 0’s or random characters over the data.

As far as we know there is no tool available that can recover even single pass overwriting (not possible on damaged media).

Question 160

We use many different names for different types of networks. When our engineers are talking about the extranet, what are they referring to?

An organization's privately owned and operated internal network.

Connected private intranets often between business partners or parent/child companies.

The local area network we have in our home.

The global collection of peered WAN networks, often between ISPs or long haul providers.

check_circle

Correct AnswerB

An Extranet is a connection between private Intranets, often connecting business partners' Intranets.

chevron_left 1...15 16 17...33 chevron_right

AcingExam

Precision in Certification. Momentum in Career.

Product

Home
View All Exams

Company

About Us
Privacy Policy
Terms of Service

Connect

public alternate_email share

System Status: Optimal

AcingExam

homeHome local_fire_departmentPopular Exams library_booksView All Exams mailContact

AcingExam

Precision in Certification. Momentum in Career.

Product

Home
View All Exams

Company

About Us
Privacy Policy
Terms of Service

Connect

public alternate_email share

System Status: Optimal

ISC CISSP Practice Questions - AcingExam

mail[email protected]

Trusted by 1.5M+ IT Professionals

AcingExam

homeHome local_fire_departmentPopular Exams library_booksView All Exams mailContact

Homechevron_rightISCchevron_rightCISSPchevron_rightPractice Questions

The latest changes and updates from the administration for this exam.

verified

Latest Update: Jun 13 2026

All questions are working fine.

All Questions (645)bookmarkBookmarked (0)

All645Show all accessible questions in this exam.Missed645Questions you haven't attempted yet.Incorrect0Questions you answered incorrectly on your last attempt.

Question 151

What is another term we could use for penetration testing?

Fracking.

Ethical hacking.

Gray hat hacking.

Black hat hacking.

check_circle

Correct AnswerB

Penetration Testing (Pen Testing), also called ethical hacking or white hat hacking. Test if the vulnerabilities are exploitable

Question 152

In the software capability maturity model, at which level are some processes "possibly repeatable with consistent results"?

Level 4.

Level 3.

Level 2.

Level 1.

check_circle

Correct AnswerC

Question 153

You have been tasked with looking at PURELY physical security controls for a new implementation. Which of these would you consider using?

Regulations.

Dogs.

Biometric authentication.

Access lists.

check_circle

Correct AnswerB

Dogs are a physical security control. Access lists and biometrics are technical and regulations are administrative.

Question 154

Which of these is NOT a type of open-source software licensing?

BSD.

GNU.

Apache.

Oracle.

check_circle

Correct AnswerD

Open source software can be protected by a variety of licensing agreement. GNU (General Public License), BSD (Berkeley Software Distribution) and Apache are all examples of this.

Question 155

Which type of access control model would we use if confidentiality was the MOST important factor to us?

Discretionary Access Control (DAC)

Rule-Based Access Control (RUBAC)

Mandatory Access Control (MAC)

Role-Based Access Control (RBAC)

check_circle

Correct AnswerC

Question 156

We are using a hot site secondary data center as part of DR (Disaster Recovery) plan. What would we have at the hot site?

Internet, power, racks, but no servers or applications installed.

Internet, power, racks, servers, applications installed and real-time or near real-time copies of the data.

Internet, power, racks, servers and applications, but no backups.

Internet, power, racks, servers, but no applications installed.

check_circle

Correct AnswerB

Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems.

Still often a smaller but a full data center, with redundant UPS', HVACs, ISPs, generators.

We may have to manually fail traffic over, but a full switch can take an hour or less. Near or real-time copies of data.

Question 157

Quantitative

Residual.

Quadratic.

Qualitative.

check_circle

Correct AnswerA

Question 158

When an attacker can guess a URL they don't know about, from another similar logical URL, what is that called?

Under protected API's

CSRF.

Unvalidated redirects.

Insecure direct object reference.

check_circle

Correct AnswerD

Question 159

Overwriting.

Formatting the hard drive.

Installing a new OS over the old one.

Deleting files.

check_circle

Correct AnswerA

We can still recover files from deleted, formatted or reinstalled drives.

Overwriting is done by writing 0’s or random characters over the data.

As far as we know there is no tool available that can recover even single pass overwriting (not possible on damaged media).

Question 160

We use many different names for different types of networks. When our engineers are talking about the extranet, what are they referring to?

An organization's privately owned and operated internal network.

Connected private intranets often between business partners or parent/child companies.

The local area network we have in our home.

The global collection of peered WAN networks, often between ISPs or long haul providers.

check_circle

Correct AnswerB

An Extranet is a connection between private Intranets, often connecting business partners' Intranets.

chevron_left 1...15 16 17...33 chevron_right

AcingExam

Precision in Certification. Momentum in Career.

Product

Home
View All Exams

Company

About Us
Privacy Policy
Terms of Service

Connect

public alternate_email share

System Status: Optimal

Update History

Update History