Practice CISSP Asset Security questions with full explanations on every answer.
1. A government contractor handles classified information up to the Secret level. The company's data classification policy recently changed, requiring that all documents marked as 'Confidential' be reclassified as 'Secret' after review. Who is ultimately accountable for ensuring that reclassification is performed correctly?
2. An organization's data retention policy requires that financial records be kept for seven years. After that period, the records must be destroyed in a manner that prevents reconstruction. Which of the following is the best sanitization method for paper records containing sensitive financial data?
3. A company collects PII from European customers for order processing. Under GDPR, they engage a third-party logistics provider to handle shipping. Which role does the logistics provider typically assume in this scenario?
4. A healthcare organization must decommission an old server containing patient health information (PHI) stored on solid-state drives (SSDs). Standard overwriting techniques are ineffective for SSDs due to wear-leveling and bad block mapping. Which sanitization method is most appropriate for these drives?
5. An organization wants to implement a data classification scheme for internal use. Which of the following is an example of a commercial data classification label?
6. A database administrator (DBA) is responsible for implementing access controls and backup procedures for a customer database containing PII. The DBA reports to the data owner regarding security measures. Which role best describes the DBA's responsibilities?
7. An organization is implementing privacy by design in a new application that collects user location data. Which practice best aligns with the data minimization principle?
8. A financial institution is preparing to dispose of magnetic tape backups containing transaction records. The tapes are no longer needed for retention. Which sanitization method is most effective for rendering the data unrecoverable on magnetic tape?
9. Which phase of the data lifecycle involves the removal of data from active storage and placement into long-term storage for potential future use?
10. A company's software asset management team discovers an unauthorized copy of a licensed application installed on several employee workstations. What is the primary risk associated with this finding?
11. A data warehouse contains anonymized customer transaction data used for analytics. The anonymization process removed direct identifiers and applied k-anonymity with k=10. An attacker obtains the dataset and attempts to re-identify individuals using auxiliary information. Which of the following best describes the residual privacy risk?
12. An organization's data retention policy specifies that customer records must be retained for five years after the end of the business relationship. After that period, what should be done with the data according to best practices?
13. What is the primary purpose of a configuration management database (CMDB) in asset management?
14. A company uses differential privacy to release aggregate statistics from a dataset containing sensitive employee information. Which of the following is true regarding differential privacy?
15. An organization is required to declassify a document that was previously classified as 'Secret' under government guidelines. What process must be followed before the document can be released to the public?
16. A multinational corporation is implementing a data classification policy for commercial data. Which TWO labels are commonly used in commercial classification schemes? (Select TWO.)
17. An organization is developing a new application that collects and processes European customers' personal data. To comply with the privacy by design principles under GDPR, which THREE measures should be implemented? (Select THREE.)
18. A security professional is tasked with sanitizing a set of hard drives that contain sensitive corporate data. The organization wants to ensure that data cannot be recovered, even by advanced forensic methods. According to NIST SP 800-88, which THREE methods are considered appropriate for sanitization? (Select THREE.)
19. A government contractor handles documents classified as 'Secret.' Which of the following represents the correct handling of these documents when they are no longer needed?
20. A company is implementing a data classification scheme. Which category should be assigned to internal memos about employee benefit plans that are not intended for public disclosure?
21. An organization wants to ensure that data is protected throughout its lifecycle. Which step in the data lifecycle is most critical for enforcing data retention policies?
22. Which role is ultimately accountable for the classification of data within an organization?
23. A company must destroy a set of hard drives containing sensitive customer data. The drives are magnetic (HDDs). Which destruction method provides the highest assurance of data irrecoverability?
24. Under the GDPR, which role is responsible for determining the purposes and means of processing personal data?
25. An organization is implementing privacy by design for a new application that processes PII. Which practice BEST aligns with the data minimization principle?
26. Which type of data is considered sensitive PII and requires enhanced protection?
27. A security administrator needs to ensure that data stored on a server is unrecoverable after decommissioning. The server uses SSDs. Which sanitization method is MOST appropriate?
28. A company has a data retention policy requiring customer transaction records to be kept for 7 years. After 7 years, the data should be destroyed. Which phase of the data lifecycle governs this action?
29. Which term describes the process of modifying data so that it cannot be attributed to a specific individual without additional information that is kept separately?
30. An organization uses a configuration management database (CMDB). Which of the following is the PRIMARY purpose of a CMDB?
31. A company is designing a database that will contain personally identifiable information (PII). To reduce privacy risk, they decide to add controlled noise to query results. This technique is known as:
32. A data custodian is responsible for implementing controls to protect data. Which TWO of the following are typical responsibilities of a data custodian? (Select TWO.)
33. An organization is developing a privacy program. Which THREE of the following are core principles of privacy by design? (Select THREE.)
34. A government contractor handles data classified as 'Secret'. According to government data classification levels, which of the following is the correct order from most restrictive to least restrictive?
35. A data owner has classified a dataset as 'Confidential' in a commercial organization. Which of the following best describes the primary responsibility of the data owner for this dataset?
36. A financial institution stores customer PII, including Social Security numbers (SSNs). Under privacy regulations, SSNs are considered sensitive PII. Which of the following techniques would best reduce the risk of re-identification while preserving the utility of the data for statistical analysis?
37. An organization is decommissioning a server containing magnetic hard drives that stored sensitive data. The data has been backed up to tape and the drives are to be reused. Which media sanitization method is most appropriate to ensure data cannot be recovered while preserving the drives for reuse?
38. Under GDPR, a company processes personal data on behalf of a data controller. Which role does the company fulfill?
39. Which phase of the data lifecycle includes the act of securely deleting data that is no longer needed, in accordance with retention policies?
40. During an audit, it is discovered that a database containing personally identifiable information (PII) has been retained for 10 years beyond the regulatory requirement. The data owner has not approved the retention extension. Which data lifecycle principle is primarily being violated?
41. A company wants to ensure that data labeled 'Internal Use Only' is not inadvertently disclosed to unauthorized parties. What is the most effective way to communicate handling requirements to employees?
42. Which of the following is the primary purpose of a configuration management database (CMDB) in asset management?
43. An organization uses full disk encryption on all laptops containing sensitive data. A laptop is to be decommissioned, and the data must be sanitized. The laptop's SSD cannot be overwritten reliably due to wear-leveling. Which method is most appropriate?
44. A data breach has occurred involving a database that contains personally identifiable information (PII). As part of incident response, the organization needs to identify all roles responsible for data protection. Which TWO roles are primarily accountable for data classification and protection requirements according to typical data governance frameworks?
45. A company is implementing a data retention policy for customer records. Which THREE factors should be considered when determining retention periods?
46. An organization is reviewing its media sanitization procedures. Which TWO methods are considered acceptable for sanitizing solid-state drives (SSDs) according to NIST SP 800-88 guidelines?
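Several of the questions above (11, 14, 29, 31 and 36) turn on the difference between anonymization techniques and the residual risk each leaves. The following Python is an added worked example, not part of the Courseiva question bank: it measures k-anonymity and l-diversity over a small constructed health table, shows why a k-anonymous release can still leak a sensitive attribute (the homogeneity attack, where every record in an equivalence class shares the same value), and implements the Laplace mechanism that question 31 describes as adding controlled noise to query results. The records, quasi-identifiers and epsilon values are all constructed for illustration.

```python
"""Added example: k-anonymity, l-diversity and a differentially private count.

The table below is constructed sample data: direct identifiers are already
removed, the quasi-identifiers are a generalized ZIP prefix and an age band,
and the sensitive attribute is the diagnosis.
"""
import random
from collections import defaultdict

RECORDS = [  # constructed sample rows
    {"zip": "021**", "age": "30-39", "diagnosis": "flu"},
    {"zip": "021**", "age": "30-39", "diagnosis": "diabetes"},
    {"zip": "021**", "age": "30-39", "diagnosis": "flu"},
    {"zip": "100**", "age": "40-49", "diagnosis": "cancer"},
    {"zip": "100**", "age": "40-49", "diagnosis": "cancer"},
    {"zip": "100**", "age": "40-49", "diagnosis": "cancer"},
    {"zip": "941**", "age": "20-29", "diagnosis": "flu"},
]
QUASI_IDENTIFIERS = ("zip", "age")  # attributes an attacker may know from auxiliary data
SENSITIVE = "diagnosis"


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_identifiers)].append(rec)
    return dict(classes)


def k_anonymity(records):
    """k is the size of the smallest equivalence class (0 for an empty table).
    Each record is then hidden among at least k-1 others with the same QIs."""
    classes = equivalence_classes(records)
    return min((len(c) for c in classes.values()), default=0)


def l_diversity(records, sensitive=SENSITIVE):
    """l is the fewest distinct sensitive values found in any equivalence class."""
    classes = equivalence_classes(records)
    return min((len({r[sensitive] for r in c}) for c in classes.values()), default=0)


def homogeneous_classes(records, sensitive=SENSITIVE):
    """Quasi-identifier tuples whose class carries a single sensitive value.

    This is the residual risk of k-anonymity alone: an attacker who knows a
    target's ZIP prefix and age band cannot pick out the row, but still learns
    the diagnosis because every row in the class agrees (homogeneity attack).
    """
    return [qi for qi, c in equivalence_classes(records).items()
            if len({r[sensitive] for r in c}) == 1]


def suppress_small_classes(records, k):
    """Drop records in classes smaller than k so the remainder is k-anonymous."""
    classes = equivalence_classes(records)
    return [r for c in classes.values() if len(c) >= k for r in c]


def dp_count(records, predicate, epsilon, rng=None):
    """Laplace mechanism for a count query.

    A count has sensitivity 1 (adding or removing one person changes it by at
    most 1), so Laplace noise with scale 1/epsilon gives epsilon-differential
    privacy. The difference of two exponentials with mean 1/epsilon is
    Laplace(0, 1/epsilon). Smaller epsilon means more noise and stronger privacy.
    """
    rng = rng or random.Random()
    true_count = sum(1 for r in records if predicate(r))
    noise = rng.expovariate(epsilon) - rng.expovariate(epsilon)
    return true_count + noise


if __name__ == "__main__":
    print("k of raw table:", k_anonymity(RECORDS))            # 1: the 941** row is unique
    released = suppress_small_classes(RECORDS, 3)
    print("k after suppression:", k_anonymity(released))       # 3
    print("l-diversity:", l_diversity(released))               # 1: one class is homogeneous
    print("homogeneous classes:", homogeneous_classes(released))
    flu = lambda r: r["diagnosis"] == "flu"
    print("DP flu count (eps=0.5):", round(dp_count(RECORDS, flu, 0.5, random.Random(7)), 2))
```

Note that the suppressed table satisfies k=3 yet still tells an attacker that anyone in the 100**/40-49 class has cancer; l-diversity (or t-closeness) is the check that catches this, which is why question 11's "residual risk" is about attribute disclosure rather than record linkage. The differentially private count answers question 31's scenario: the released figure is noisy, so no single record's presence can be confirmed from the output.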
The Asset Security domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.
The Courseiva CISSP question bank contains 46 questions in the Asset Security domain.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Asset Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.