CISSP (ISC2): Practice Questions
A dozen original concept-check questions on core CISSP ideas. Choose an answer to reveal the explanation. Aim to reason like a risk-focused manager.
- Giving a user only the access strictly required to do their job is the principle of:
  Correct answer: B. Least privilege limits access to the minimum necessary, reducing the impact of misuse or compromise.

- Ensuring data has not been altered in an unauthorised way protects which part of the CIA triad?
  Correct answer: B. Integrity is about preventing unauthorised modification so information stays accurate and trustworthy.

- The Bell-LaPadula model is primarily designed to protect:
  Correct answer: C. Bell-LaPadula focuses on confidentiality, with rules such as 'no read up' and 'no write down'.

- Buying insurance to handle the financial impact of a risk is an example of risk:
  Correct answer: C. Transferring risk shifts its impact to a third party, for example through insurance or outsourcing.

- 'Defense in depth' means:
  Correct answer: B. Defense in depth uses multiple, overlapping layers of control so that one failure does not compromise everything.

- Risk is most commonly assessed as a function of:
  Correct answer: B. Risk is typically the likelihood of a threat exploiting a vulnerability multiplied by the impact if it does.

- Multi-factor authentication (MFA) requires:
  Correct answer: B. MFA combines factors of different types — knowledge, possession, inherence — so a single stolen factor is not enough.

- Which statement describes hashing rather than encryption?
  Correct answer: B. Hashing is one-way and verifies integrity (and stores passwords with a salt). Encryption is reversible and protects confidentiality.

- An access control model where the system enforces access using security labels and clearances is:
  Correct answer: C. MAC enforces access centrally using classifications and clearances, rather than leaving it to resource owners as DAC does.

- The Recovery Time Objective (RTO) defines:
  Correct answer: B. RTO is the target time to recover a function. RPO addresses acceptable data loss; MTD is the absolute maximum tolerable downtime.

- The main purpose of separation of duties is to:
  Correct answer: B. Separation of duties splits sensitive tasks so that collusion would be required to commit and hide wrongdoing.

- 'Residual risk' is best described as:
  Correct answer: B. Residual risk is what remains after controls reduce inherent risk; management then decides whether to accept it.