Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCISSPDomainsSecurity Architecture and Engineering
CISSPFree — No Signup

Security Architecture and Engineering

Practice CISSP Security Architecture and Engineering questions with full explanations on every answer.

60questions

Start practicing

Security Architecture and Engineering — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

CISSP Domains

Security and Risk ManagementAsset SecuritySecurity OperationsSecurity Architecture and EngineeringCommunication and Network SecuritySecurity Assessment and TestingSoftware Development SecurityIdentity and Access Management

Practice Security Architecture and Engineering questions

10Q20Q30Q50Q

All CISSP Security Architecture and Engineering questions (60)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security architect is designing a system for a military intelligence agency where data classification labels (Top Secret, Secret, Confidential, Unclassified) are mandatory. Users are cleared to a specific level and must not read data above their clearance. Which security model enforces this type of access control?

2

A financial application requires strict integrity controls to prevent unauthorized modifications. The security team implements a model where users cannot write data to higher integrity levels (no write up) and cannot read data from lower integrity levels (no read down). Which model is being applied?

3

Which access control model allows data owners to grant or revoke access to resources they own, typically implemented using ACLs?

4

A security architect is selecting a cryptographic algorithm for encrypting data at rest in a backup system. The system requires strong security with a block cipher, and the organization mandates using a NIST-approved algorithm with key sizes of 128, 192, or 256 bits. Which algorithm should be selected?

5

An organization is implementing a PKI for internal use. To ensure that certificate revocation status is checked in real-time without relying on periodic CRL downloads, which mechanism should be used?

6

A security engineer is analyzing a vulnerability where an attacker can cause a buffer overflow on the stack. Which mitigation technique randomizes memory addresses to make it harder for the attacker to predict the location of shellcode or return addresses?

7

Which of the following is a primary function of a Trusted Platform Module (TPM)?

8

A security architect is evaluating hypervisor security for a multi-tenant cloud environment. Which type of hypervisor is considered more secure because it runs directly on the hardware without a host operating system, reducing the attack surface?

9

Which physical security design principle emphasizes that the physical environment should be designed to discourage criminal activity by using natural surveillance, access control, and territorial reinforcement?

10

A security analyst discovers that an application allows a user to read a file they just wrote before the file's integrity is verified, due to a gap between the time of check and time of use. This is an example of which vulnerability?

11

A security architect is designing a system that must prevent conflicts of interest when a consultant works for two competing clients. Which security model ensures that the consultant cannot access data from one client if they have already accessed data from the other?

12

Which component of a trusted computing base (TCB) implements the reference monitor concept by enforcing access control decisions for all subjects and objects in the system?

13

A security architect is evaluating access control models for a healthcare system where users have specific roles (e.g., doctor, nurse, admin) and permissions are assigned based on those roles. However, the architect also wants to incorporate attributes such as time of day, patient consent status, and device type. Which TWO models should be combined to meet these requirements?

14

A security engineer is investigating a covert channel in a system. Which TWO types of covert channels could be used to leak information from a high-security to a low-security process?

15

An organization is implementing a defense-in-depth strategy for a data center. Which THREE of the following are examples of physical security controls that align with layered defense?

16

A government agency requires a security model that prevents users from reading documents at a higher classification level and from writing to documents at a lower classification level. Which model enforces these constraints?

17

An organization implements a security model where users can only read objects at or below their security clearance, and can only write to objects at or above their clearance. This model primarily ensures:

18

A financial institution must ensure that transactions are well-formed and enforce separation of duties to prevent fraud. Which security model best addresses these requirements?

19

Which access control model allows the owner of a resource to grant or deny access to other users?

20

An organization uses a system where access decisions are based on user attributes (e.g., job title, clearance), resource attributes (e.g., classification), and environmental factors (e.g., time of day). This is an example of:

21

A security team is investigating a vulnerability where an attacker can intercept and modify data as it moves between processes within a CPU's secure enclave. Which technology is designed to protect against such attacks by creating a trusted execution environment?

22

Which cryptographic algorithm is a symmetric block cipher widely used for encrypting sensitive data, with key sizes of 128, 192, or 256 bits?

23

A security architect is deploying a public key infrastructure (PKI) and wants to ensure that certificate revocation status is verified efficiently without relying on a centralized CRL distribution point. Which technique should be used?

24

An organization deploys a hypervisor to host multiple virtual machines. To mitigate the risk of VM escape attacks, which of the following is the most effective security measure?

25

A software developer is concerned about buffer overflow vulnerabilities. Which combination of mitigations makes it most difficult for an attacker to exploit a stack-based buffer overflow?

26

Which type of covert channel uses the timing of events or operations to transmit information?

27

A security architect is designing a physical security system for a data center. Which of the following is an example of a layered physical control at the perimeter?

28

A security analyst is evaluating access control models for a healthcare organization that needs to enforce both confidentiality and integrity. Which TWO models should be considered? Select two.

29

A company is designing a secure application that requires hardware-based key storage and remote attestation. Which THREE technologies provide hardware root of trust? Select three.

30

A security engineer is hardening a system against side-channel attacks that exploit variations in execution time or power consumption. Which TWO mitigations are specifically designed to counter such attacks? Select two.

31

A government agency requires a security model that prevents users from reading documents classified above their clearance level and from writing classified information to lower-level systems. Which model enforces these constraints?

32

An organization requires a commercial integrity model where users cannot modify data in higher integrity levels and cannot read data from lower integrity levels. Which model should they implement?

33

Which access control model allows the data owner to determine who can access their resources, typically using Access Control Lists (ACLs)?

34

A security architect is implementing a system that must prevent conflicts of interest for a consulting firm serving competing clients. Which security model is best suited for this requirement?

35

A company is deploying a hypervisor to run multiple virtual servers. To minimize the risk of VM escape attacks, which type of hypervisor should they choose and what hardening measure is most effective?

36

An organization wants to implement a security mechanism that ensures all accesses are mediated and cannot be bypassed, is tamperproof, and is small enough to be verified. This describes which concept?

37

Which cryptographic algorithm is an example of a symmetric stream cipher?

38

A security analyst is investigating a potential data leak via covert channels. Which of the following is an example of a timing covert channel?

39

A software vulnerability allows an attacker to overwrite a return address on the stack to execute arbitrary code. What mitigation technique randomizes the memory layout to prevent the attacker from predicting target addresses?

40

A company wants to ensure that only authorized software can run on its laptops. They decide to use a hardware component that validates the boot process by measuring each component before it loads. Which technology is being used?

41

Which physical security concept uses natural surveillance, territorial reinforcement, and access control to deter crime in built environments?

42

In a PKI hierarchy, a relying party needs to verify a certificate's validity. To reduce latency and improve privacy, which mechanism allows the relying party to obtain the revocation status without contacting the CA directly for each verification?

43

A security architect is designing a system to protect against side-channel attacks that exploit electromagnetic emanations. Which TWO controls are most effective?

44

A security engineer is hardening a web application against race condition vulnerabilities. Which TWO techniques are effective mitigations?

45

A financial institution is implementing a Clark-Wilson integrity model. Which THREE components are essential to this model?

46

A security architect is designing a system for a government agency that requires strict confidentiality controls. Data must be classified at multiple levels (e.g., Top Secret, Secret, Confidential). Users at a lower classification should not be able to read data at a higher classification, and users at a higher classification should not be able to write data to a lower classification. Which security model enforces these rules?

47

A company is implementing an access control system where permissions are granted based on attributes such as user role, department, time of day, and device trust score. This approach allows for fine-grained policies that can adapt to context. Which access control model is being used?

48

A security engineer is evaluating a system that uses a Trusted Platform Module (TPM) for secure boot. The TPM measures the boot components and stores the measurements in Platform Configuration Registers (PCRs). Which of the following is a primary security goal achieved by this process?

49

An organization is implementing a Public Key Infrastructure (PKI) to support secure email and web communications. The PKI includes a root CA, intermediate CAs, and end-entity certificates. Which of the following best describes the role of the root CA in this hierarchy?

50

During a security audit, a vulnerability scanner reports a buffer overflow vulnerability in a legacy application. The application runs on a system with Data Execution Prevention (DEP/NX) enabled and Address Space Layout Randomization (ASLR) active. Which of the following is the most likely impact of these mitigations on a typical stack-based buffer overflow exploit?

51

A security architect is designing a physical security perimeter for a data center. Which of the following is an example of Crime Prevention Through Environmental Design (CPTED) principle?

52

An organization is evaluating a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in a file access routine. The routine checks if a user has permission to open a file, then later opens the file. Which of the following best describes the potential exploitation?

53

A security analyst is investigating a potential covert timing channel in a system. Which of the following characteristics best describes this type of channel?

54

A cloud service provider uses a Type 1 hypervisor to host multiple virtual machines (VMs) for different customers. Which of the following is a primary security concern specific to this architecture?

55

A security architect is designing a system that must ensure integrity of commercial transactions. Which of the following models are specifically focused on integrity? (Choose TWO)

56

A security engineer is hardening a system against buffer overflow attacks. Which of the following are effective mitigations? (Choose THREE)

57

A company is implementing a PKI to support secure web browsing. Which of the following are commonly used to enhance the security of certificate validation? (Choose TWO)

58

Which of the following are characteristics of a Trusted Execution Environment (TEE)? (Choose TWO)

59

A security architect is evaluating physical security controls for a facility handling sensitive data. Which of the following are examples of layered physical security controls? (Choose THREE)

60

In the context of the Clark-Wilson integrity model, which of the following are key elements? (Choose TWO)

Practice all 60 Security Architecture and Engineering questions

Other CISSP exam domains

Security and Risk ManagementAsset SecuritySecurity OperationsCommunication and Network SecuritySecurity Assessment and TestingSoftware Development SecurityIdentity and Access Management

Frequently asked questions

What does the Security Architecture and Engineering domain cover on the CISSP exam?

The Security Architecture and Engineering domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Security Architecture and Engineering questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 60 questions in the Security Architecture and Engineering domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Architecture and Engineering for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Architecture and Engineering questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Security Architecture and Engineering domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your CISSP domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

CCCCSPCAS-004CISM