CISSP Exam Questions And Accurate Answers (A+ Graded)
CIA Triangle - Answer root of infosec. Confidentiality, Integrity, Availability
Confidentiality (CIA Triangle) - Answer prevention of unauthorized disclosure of information; prevention of unauthorized read access to data
Integrity (CIA Triangle) - Answer prevention of unauthorized modification of data; prevention of unauthorized write access to data
Availability (CIA Triangle) - Answer assures data is usable when needed by those who need it
Opposing forces to CIA - Answer DAD: disclosure, alteration, destruction
Identification - Answer the process that starts when a subject claims an identity; the first step toward accountability. Ex: typing a username, swiping a smart card, waving a proximity device (badging in), speaking a phrase, etc. Always part of a two-step process with authentication
Authentication - Answer the process of verifying that a person is who they say they are. Ex: password/PIN entry, biometrics, etc. Always the second step of the two-step process with identification
Authorization - Answer what data a person has access or privileges to
Auditing (monitoring) - Answer log of events and activities relating to the system and subjects
Accountability (accounting) - Answer the process of reviewing log files to detect compliance and violations in order to hold subjects accountable
Non-repudiation - Answer the inability for a user to deny taking a particular action
Subject - Answer an entity that independently performs active functions within the system; typically a user, but could also be a script or program designed to perform actions on data
Object - Answer any passive data within the system
ISC2 Code of Ethics Canons (4) - Answer 1. protect society, commonwealth,
infrastructure
2. act honorably, justly, responsibly, legally
3. provide diligent and competent service
4. advance and protect the profession
applied strictly in order; on exam questions where more than one canon could be the answer, pick the highest-priority canon per this order
policy - Answer required high level management directions; elements of policy
1. purpose: describes why the policy is necessary
2. scope: what systems, people, facilities, organizations are covered
3. responsibilities: specific duties of involved parties
4. compliance: effectiveness of policy, violations of policy
procedure - Answer low level step by step guide for accomplishing a task
standard - Answer describes the specific use of technology applied to hardware or software; mandatory
guideline - Answer discretionary recommendations (i.e. not mandatory)
baseline - Answer a uniform way of implementing a standard
3 access/security control categories - Answer 1. administrative: implemented by creating org policy, procedure, regulation; user awareness/training also falls here
2. technical: implemented using hardware, software, firmware that restricts logical access to a system
3. physical: locks, fences, walls, etc
preventive access control (can be administrative, technical, physical) - Answer prevents actions from occurring by applying restrictions on what a user can do. Example: privilege level
detective access control (can be administrative, technical, physical) - Answer controls that signal an alarm during or after a successful attack; alarm systems, or closed circuit TV
corrective access control (can be administrative, technical, physical) - Answer restoring a system that has been damaged; often works in conjunction with detective controls, for example antivirus software
recovery access control (can be administrative, technical, physical) - Answer controls to restore a system after an incident has occurred
deterrent access control (can be administrative, technical, physical) - Answer prevents users from taking actions against a system
compensating access control (can be administrative, technical, physical) - Answer extra control implemented to compensate for deficiencies in other controls when necessary
Formula of Risk - Answer risk = threat x vulnerability x impact
Market approach (to estimate an intangible asset) - Answer assumes the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances
Income approach (for estimating an intangible asset) - Answer the value of an asset is the present value of the future earning capacity that the asset will generate over the rest of its lifecycle
Cost approach (for determining intangible assets) - Answer fair value estimated based on replacement cost
exposure factor (EF) - Answer percentage of asset value lost as a result of the incident
single loss expectancy (SLE) - Answer AV x EF (dollar value of asset times exposure factor)
annualized rate of occurrence (ARO) - Answer number of losses that occur in one year
annualized loss expectancy (ALE) - Answer yearly cost due to risk
SLE x ARO = ALE
legally defensible security - Answer to obtain legal restitution a company must demonstrate that a crime was committed, that the suspect committed that crime, and that the company took reasonable efforts to prevent the crime
files are accurate, policy in place, proper authentication, compliance with laws and regulation