Katy Morgan

Introduction to ISC2 Certified Information Systems Security Professional (CISSP) Exam

The ISC2 CISSP exam is challenging, and thorough preparation is essential for success. This exam study guide is designed to help you prepare for the CISSP certification exam. It contains a detailed list of the topics covered on the exam, as well as a detailed list of preparation resources. This study guide for the ISC2 Certified Information Systems Security Professional will help guide you through the study process for your certification.



CISSP ISC2 Information Systems Security Professional Exam Summary


Exam Name: ISC2 Certified Information Systems Security Professional (CISSP)

Exam Code: CISSP

Exam Price: $599 (USD)

Duration: 360 mins

Number of Questions: 250

Passing Score: 700/1000

Schedule Exam: Pearson VUE

Sample Questions: ISC2 CISSP Sample Questions

Recommended Practice: ISC2 CISSP Certification Practice Exam


Exam Syllabus: CISSP ISC2 Certified Information Systems Security Professional (CISSP)


1. Security and Risk Management (16%)

- Confidentiality, integrity and availability concepts

- Security governance principles

- Compliance

- Legal and regulatory issues

- Professional ethics

- Security policies, standards, procedures and guidelines

2. Asset Security (10%)

- Information and asset classification

- Ownership (e.g., data owners, system owners)

- Protect privacy

- Appropriate retention

- Data security controls

- Handling requirements (e.g., markings, labels, storage)

3. Security Engineering (12%)

- Engineering processes using secure design principles

- Fundamental concepts of security models

- Security evaluation models

- Security capabilities of information systems

- Security architectures, designs and solution elements vulnerabilities

- Web-based systems vulnerabilities

- Mobile systems vulnerabilities

- Embedded devices and cyber-physical systems vulnerabilities

- Cryptography

- Site and facility design secure principles

- Physical security

4. Communication and Network Security (12%)

- Secure network architecture design (e.g., IP & non-IP protocols, segmentation)

- Secure network components

- Secure communication channels

- Network attacks

5. Identity and Access Management (13%)

- Physical and logical assets control

- Identification and authentication of people and devices

- Identity as a service (e.g., cloud identity)

- Third-party identity services (e.g., on-premise)

- Access control attacks

- Identity and access provisioning lifecycle (e.g., provisioning review)

6. Security Assessment and Testing (11%)

- Assessment and test strategies

- Security process data (e.g., management and operational controls)

- Security control testing

- Test outputs (e.g., automated, manual)

- Security architecture vulnerabilities

7. Security Operations (16%)

- Investigations support and requirements

- Logging and monitoring activities

- Provisioning of resources

- Foundational security operations concepts

- Resource protection techniques

- Incident management

- Preventative measures

- Patch and vulnerability management

- Change management processes

- Recovery strategies

- Disaster recovery processes and plans

- Business continuity planning and exercises

- Physical security

- Personnel safety concerns

8. Software Development Security (10%)

- Security in the software development lifecycle

- Development environment security controls

- Software security effectiveness

- Acquired software security impact


ISC2 CISSP Certification Sample Questions and Answers


To make you familiar with the structure of the ISC2 Certified Information Systems Security Professional (CISSP) certification exam, we have prepared this sample question set. We suggest you try our Sample Questions for CISSP Certification to test your understanding of the ISC2 CISSP exam process in an environment similar to the real ISC2 certification exam.


CISSP ISC2 Information Systems Security Professional Sample Questions:-


01. The process for developing an ISCM strategy and implementing an ISCM program is?

a) Define, analyze, implement, establish, respond, review and update

b) Analyze, implement, define, establish, respond, review and update

c) Define, establish, implement, analyze, respond, review and update

d) Implement, define, establish, analyze, respond, review and update


02. What are the seven main categories of access control?

a) Detective, corrective, monitoring, logging, recovery, classification, and directive

b) Directive, deterrent, preventative, detective, corrective, compensating, and recovery

c) Authorization, identification, factor, corrective, privilege, detective, and directive

d) Identification, authentication, authorization, detective, corrective, recovery, and directive


03. Ann installs a new Wireless Access Point (WAP) and users are able to connect to it. However, once connected, users cannot access the Internet. Which of the following is the MOST likely cause of the problem?

a) The signal strength has been degraded and latency is increasing hop count.

b) An incorrect subnet mask has been entered in the WAP configuration.

c) The signal strength has been degraded and packets are being lost.

d) Users have specified the wrong encryption type and packets are being rejected.


04. Qualitative risk assessment is earmarked by which of the following?

a) Ease of implementation and it can be completed by personnel with a limited understanding of the risk assessment process

b) Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics used for calculation of risk

c) Detailed metrics used for calculation of risk and ease of implementation

d) Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk


05. Which of the following security models is primarily concerned with how the subjects and objects are created and how subjects are assigned rights or privileges?

a) Bell–LaPadula

b) Biba-Integrity

c) Chinese Wall

d) Graham–Denning


06. Before applying a software update to production systems, it is MOST important that

a) Full disclosure information about the threat that the patch addresses is available

b) The patching process is documented

c) The production systems are backed up

d) An independent third party attests the validity of the patch


07. While an Enterprise Security Architecture (ESA) can be applied in many different ways, it is focused on a few key goals. Identify the proper listing of the goals for the ESA:

a) It represents a simple, long term view of control, it provides a unified vision for common security controls, it leverages existing technology investments, it provides a fixed approach to current and future threats and also the needs of peripheral functions

b) It represents a simple, long term view of control, it provides a unified vision for common security controls, it leverages new technology investments, it provides a flexible approach to current and future threats and also the needs of core functions

c) It represents a complex, short term view of control, it provides a unified vision for common security controls, it leverages existing technology investments, it provides a flexible approach to current and future threats and also the needs of core functions

d) It represents a simple, long term view of control, it provides a unified vision for common security controls, it leverages existing technology investments, it provides a flexible approach to current and future threats and also the needs of core functions


08. Technical evaluation of assurance to ensure that security requirements have been met is known as?

a) Accreditation

b) Certification

c) Validation

d) Verification


09. A potential vulnerability of the Kerberos authentication server is

a) Single point of failure

b) Asymmetric key compromise

c) Use of dynamic passwords

d) Limited lifetimes for authentication credentials


10. Which of the following can BEST be used to capture detailed security requirements?

a) Threat modeling, covert channels, and data classification

b) Data classification, risk assessments, and covert channels

c) Risk assessments, covert channels, and threat modeling

d) Threat modeling, data classification, and risk assessments


Answers:-


Answer 1 :- C

Answer 2 :- B

Answer 3 :- B

Answer 4 :- A

Answer 5 :- D

Answer 6 :- C

Answer 7 :- D

Answer 8 :- B

Answer 9 :- A

Answer 10:- D
