Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCISSPDomainsSecurity Architecture and Engineering
CISSPFree — No Signup

Security Architecture and Engineering

Practice CISSP Security Architecture and Engineering questions with full explanations on every answer.

64questions

Start practicing

Security Architecture and Engineering — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

CISSP Domains

Software Development SecuritySecurity Assessment and TestingIdentity and Access ManagementSecurity and Risk ManagementSecurity Architecture and EngineeringCommunication and Network SecurityAsset SecuritySecurity Operations

Practice Security Architecture and Engineering questions

10Q20Q30Q50Q

All CISSP Security Architecture and Engineering questions (64)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?

2

A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

3

A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?

4

An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?

5

A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?

6

A small business wants to implement multifactor authentication (MFA) for remote access to its internal network. The solution must be cost-effective and easy to deploy. Which combination is most appropriate?

7

An organization is designing a disaster recovery site. The primary data center is located in a region prone to earthquakes. The recovery site must be far enough away to avoid the same seismic zone but close enough to minimize latency. Which site selection criteria is most important?

8

Which TWO of the following are principles of the Bell-LaPadula security model?

9

Which THREE of the following are valid countermeasures against buffer overflow attacks?

10

Which TWO of the following are examples of physical security controls?

11

A financial services company has a hybrid cloud environment with on-premises servers and a public cloud provider. The security team recently discovered that an attacker exfiltrated sensitive customer data from a cloud storage bucket. The investigation reveals that the bucket was configured with a bucket policy that allowed anonymous read access. The security architect must redesign the architecture to prevent such incidents. The company uses AWS for cloud services. The architect proposes the following: (1) Enable AWS CloudTrail and Amazon GuardDuty for monitoring. (2) Implement AWS Identity and Access Management (IAM) roles for applications instead of long-term access keys. (3) Use AWS Key Management Service (KMS) to encrypt data at rest. (4) Configure a VPC with a NAT gateway and private subnets for all compute resources. (5) Implement S3 bucket policies that deny all access unless explicitly allowed by a specific IAM role. During a review, the chief information security officer (CISO) points out that one of these measures does not directly address the root cause of the incident. Which measure is least effective in preventing unauthorized access to S3 buckets?

12

Drag and drop the steps for setting up a VPN using IPsec in tunnel mode in the correct order.

13

Match each PKI component to its function.

14

A security architect is evaluating security models for a multilevel secure system. Which model enforces the * property (no write down) and is typically used for confidentiality?

15

Which of the following is a primary benefit of using an application programming interface (API) gateway in a microservices architecture from a security perspective?

16

An organization requires that all data stored in a cloud object storage service be encrypted at rest using customer-managed keys. Which encryption option should be implemented?

17

In the context of physical security, which of the following is an example of a preventive control?

18

A company is implementing a secure software development lifecycle (SSDLC). Which of the following is a key activity during the design phase?

19

Which of the following describes the concept of 'least privilege' in the context of access control?

20

A security engineer is designing a cryptographic solution to ensure data integrity and non-repudiation. Which combination should be used?

21

Which of the following is a primary advantage of using a hardware security module (HSM) over software-based key storage?

22

A company is deploying a new application that processes personally identifiable information (PII) in a hybrid cloud environment. The security architect needs to ensure that encryption keys are never exposed to the cloud provider. Which solution should be recommended?

23

A user reports that a VPN client cannot connect to the corporate gateway. The exhibit shows an excerpt from the client log. What does this indicate?

24

A security analyst is troubleshooting a web application that is incorrectly blocking valid login requests. The WAF rule in the exhibit is the only rule configured. What is the probable issue?

25

During a security audit, it is discovered that the database server is also accepting connections from the web server. Which of the following is the most likely misconfiguration?

26

Which TWO of the following are principles of the zero trust security model? (Select TWO.)

27

Which THREE of the following are common security design principles? (Select THREE.)

28

Which THREE of the following are examples of asymmetric cryptographic algorithms? (Select THREE.)

29

Which security model focuses on preventing unauthorized access by enforcing a 'no read up, no write down' rule?

30

In a public key infrastructure (PKI), which component is responsible for issuing and revoking digital certificates?

31

Which of the following is the primary purpose of a hardware security module (HSM)?

32

A security architect is designing a system that must enforce the principle of least privilege at the operating system level. Which mechanism should be implemented to grant processes only the minimal permissions required for their tasks?

33

An organization is implementing a defense-in-depth strategy for its web application. Which of the following is an example of a compensating control?

34

In a zero trust architecture, which component is responsible for continuously verifying the trustworthiness of a device before granting access to resources?

35

A security engineer is reviewing the architecture of a system that uses the Bell-LaPadula model. The system has subjects with security clearances and objects with classifications. To prevent covert timing channels, which additional control should be implemented?

36

An organization is migrating to a microservices architecture and wants to secure inter-service communication. Which approach is most aligned with the principle of securing the pipeline?

37

A system is designed to meet the Common Criteria EAL4 evaluation. Which of the following is a required component for this level?

38

A security architect is considering secure design principles. Which two principles are essential for a defense-in-depth strategy? (Select TWO.)

39

An organization is implementing role-based access control (RBAC). Which two components are fundamental to the RBAC model? (Select TWO.)

40

A cloud security architect is designing a system that must comply with the principle of data sovereignty. Which three controls should be implemented? (Select THREE.)

41

Refer to the exhibit. What is the effect of this ACL when applied inbound to an interface?

42

Refer to the exhibit. A security analyst finds these logs on a Linux server. What is the most likely cause of these events?

43

Refer to the exhibit. Which security model does this policy enforce?

44

A security architect is designing a cryptographic system for a high-security environment where data must be encrypted both at rest and in transit, with granular access control. The system must be efficient for large volumes of data. Which approach is most appropriate?

45

A company is implementing a secure multi-tenant cloud environment. The primary security requirement is that tenants cannot access each other's data even if the hypervisor is compromised. Which architecture best meets this requirement?

46

A security architect is selecting an access control model for a system that must prevent users from reading objects at a higher classification level. Which model enforces this property?

47

A large organization needs to deploy a Public Key Infrastructure (PKI) for thousands of devices and users. A key requirement is the ability to revoke certificates in real time when a device is lost or compromised. Which solution is most appropriate?

48

A company is designing secure boot for IoT devices to ensure only trusted firmware runs. The devices have limited resources. Which mechanism provides the highest assurance of boot integrity?

49

A health records system requires that doctors can write new records but cannot modify existing ones, and integrity is maintained through separation of duties. Which security model best fits this requirement?

50

Which TWO principles are fundamental to a defense-in-depth security architecture?

51

A company needs to protect data at rest in a cloud storage system. Which THREE encryption methods are appropriate for this purpose?

52

Which THREE are core principles of secure system design?

53

A large financial institution is migrating its core banking system to a private cloud. The architecture must protect against data leakage between different business units sharing the same physical infrastructure. The system uses a hypervisor and virtual machines. Each business unit has its own security classification. The security requirement is that no VM belonging to a lower classification should be able to read data from a higher classification VM, even if the hypervisor is compromised. The architect proposes using mandatory access control at the hypervisor level. However, the IT team notes that a hypervisor compromise could bypass MAC. Additionally, they need to ensure that data at rest is encrypted and keys are stored securely. Which of the following would BEST meet the requirement?

54

A government agency requires a new secure document management system that enforces mandatory access control with the properties that users cannot read documents at a higher classification and cannot write documents to a lower classification (to prevent data leaking). The system must also support different categories (compartments) within the same classification level, and a user with access to one compartment should not be able to access another compartment unless explicitly allowed. The architect is considering the Bell-LaPadula model. However, the Bell-LaPadula model's *-property (no write-down) addresses the write issue, but there is also a need to handle compartment isolation. Which additional model or mechanism should be incorporated to ensure compartment isolation?

55

A small business wants to implement a secure wireless network for its office. They have a limited budget and want to ensure that data in transit is encrypted and that only authorized devices can connect. The office has 20 employees and a few guests. The business owner has heard about WPA2 and WPA3. They are concerned about security but also about compatibility with older devices. Which of the following is the BEST recommendation for a security architect?

56

A multinational corporation is developing a new cloud-based collaboration platform that handles sensitive intellectual property. The platform must ensure end-to-end encryption (E2EE) so that even the cloud provider cannot access the data. Users communicate via chat and file sharing. The architect proposes using a hybrid encryption scheme where each user has a public/private key pair, and for each message, a random symmetric key is used to encrypt the message, which is then encrypted with the recipient's public key. However, there is a requirement for the company to be able to lawfully intercept communications in case of a court order. This conflicts with E2EE. Which design can satisfy both confidentiality and lawful interception?

57

A company is implementing a digital signature system to ensure non-repudiation. The security architect must select a hash function that meets the required security properties. Which THREE of the following are necessary properties for the hash function?

58

Refer to the exhibit. A database administrator implements the configuration shown to protect sensitive data. What is the most significant security flaw?

59

A financial services company is migrating its customer relationship management (CRM) system to a public cloud provider. The CRM contains personally identifiable information (PII) and financial transaction records. The security architect must design a solution that ensures data confidentiality and integrity both at rest and in transit, while complying with PCI DSS requirements. The cloud provider offers a key management service (KMS) that can generate and store encryption keys, a hardware security module (HSM) in the cloud, and a certificate authority for TLS certificates. The architect needs to select the appropriate encryption methods and access controls. The company's security policy requires encryption keys to be rotated every 90 days and stored separately from the data. The cloud provider's KMS supports automatic key rotation, but the HSM requires manual intervention. The CRM application uses a database that supports transparent data encryption (TDE) with keys stored in the KMS, and the application also requires TLS for all network connections. Which course of action best meets all requirements?

60

Refer to the exhibit. A security analyst observes the audit log entry while troubleshooting a file access issue. The application is running under the myapp_t domain. Which action should the analyst take to resolve the issue while adhering to the principle of least privilege?

61

Refer to the exhibit. An auditor identifies a non-compliance issue regarding the cryptographic key lifecycle. Which policy requirement has been violated?

62

Refer to the exhibit. A security administrator is reviewing CloudTrail logs for unusual activity. Which aspect of this event is potentially concerning from a key management perspective?

63

Refer to the exhibit. A system administrator reports that SSH public key authentication is failing for a non-root user. The user's public key is correctly placed in ~/.ssh/authorized_keys. Which PAM configuration issue is most likely causing the failure?

64

Refer to the exhibit. A security analyst detects unusual process creation. Which attack technique is most likely being observed?

Practice all 64 Security Architecture and Engineering questions

Other CISSP exam domains

Software Development SecuritySecurity Assessment and TestingIdentity and Access ManagementSecurity and Risk ManagementCommunication and Network SecurityAsset SecuritySecurity Operations

Frequently asked questions

What does the Security Architecture and Engineering domain cover on the CISSP exam?

The Security Architecture and Engineering domain covers the key concepts tested in this area of the CISSP exam blueprint published by ISC2. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISSP domains — no account required.

How many Security Architecture and Engineering questions are in the CISSP question bank?

The Courseiva CISSP question bank contains 64 questions in the Security Architecture and Engineering domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Architecture and Engineering for CISSP?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Architecture and Engineering questions for CISSP?

Yes — the session launcher on this page draws questions exclusively from the Security Architecture and Engineering domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your CISSP domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

CCCCSPCAS-004CISM