
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


ISC2 · Free Practice Questions · Last reviewed May 2026

CISSP Exam Questions and Answers

48 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

125 exam questions · 240 min time limit · Pass: 700/1000 · 8 exam domains
Exam domains covered:

1. Security and Risk Management
2. Security Architecture and Engineering
3. Communication and Network Security
4. Security Assessment and Testing
5. Identity and Access Management
6. Software Development Security
7. Asset Security
8. Security Operations

Domain 1: Security and Risk Management

Q1 (medium)

A multinational corporation is expanding its operations into a new country with strict data protection laws. The company needs to ensure compliance while maintaining operational efficiency. Which of the following is the BEST approach to manage this risk?

A. Accept the risk of non-compliance as a cost of doing business and set aside a contingency fund for fines.
B. Assign legal counsel to review local laws and implement a one-time compliance checklist.
C. Create a uniform global privacy policy that satisfies all jurisdictions with minimal adjustments.
D. Adopt a privacy-by-design framework and conduct a Data Protection Impact Assessment (DPIA) before launching operations.

Correct answer: D. Privacy-by-design and DPIA ensure compliance is built into processes.

Why: Option D is correct because a privacy-by-design framework ensures data protection is embedded into systems and processes from the outset, while a Data Protection Impact Assessment (DPIA) systematically identifies and mitigates privacy risks specific to the new jurisdiction. This proactive, risk-based approach aligns with regulatory requirements like the GDPR and demonstrates due diligence, reducing the likelihood of non-compliance and operational disruption.
Q2 (hard)

A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?

A. Block all access to public cloud storage services from corporate devices.
B. Implement mandatory security awareness training focusing on data handling procedures.
C. Deploy a Data Loss Prevention (DLP) solution that monitors and controls sharing of sensitive data.
D. Encrypt all sensitive data at rest and in transit to render shared data useless.

Correct answer: C. DLP provides automated controls to prevent data leakage.

Why: Option C is correct because a Data Loss Prevention (DLP) solution provides automated, policy-based monitoring and control of sensitive data being shared via public cloud storage links. Unlike awareness training (which relies on human behavior) or blanket blocking (which hinders productivity), DLP can inspect content in real time using pattern matching, fingerprinting, or exact data matching to prevent unauthorized sharing before it occurs, directly addressing the root cause of inadvertent exposure.
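The explanation above names pattern matching and exact data matching as the inspection methods a DLP control applies before a share goes out. The following is an added example, not Courseiva's code and not any vendor's DLP product: a small Python inspector that applies both methods to a document before an external share is allowed. The protected customer e-mail list, the test card number, the document text and the `share_decision` policy function are all constructed assumptions for this example.

```python
"""DLP-style content inspection before an external share (added example).

Two of the detection methods named in the explanation above:
  * pattern matching: candidate payment-card numbers found by regex and
    confirmed with the Luhn check to cut false positives;
  * exact data matching (EDM): SHA-256 fingerprints of known customer
    identifiers, so the protected values never sit in the policy in clear.
All sample data below is constructed for this example.
"""
import hashlib
import re

# Constructed list of protected customer identifiers; a real deployment would
# load fingerprints generated from the customer database, not the raw values.
KNOWN_CUSTOMER_EMAILS = ["alice@example.com", "bob@example.net"]
EDM_FINGERPRINTS = {
    hashlib.sha256(addr.lower().encode()).hexdigest() for addr in KNOWN_CUSTOMER_EMAILS
}

# 14-19 digit runs, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect(text: str) -> dict:
    """Return the sensitive items found in text, grouped by detector."""
    findings = {"card_numbers": [], "customer_emails": []}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):          # drop look-alike numbers (order ids etc.)
            findings["card_numbers"].append(digits)
    for m in EMAIL_RE.finditer(text):
        fp = hashlib.sha256(m.group().lower().encode()).hexdigest()
        if fp in EDM_FINGERPRINTS:      # only known customers count as findings
            findings["customer_emails"].append(m.group())
    return findings


def share_decision(text: str) -> str:
    """Policy (assumed): block an external share if any sensitive item is found."""
    return "BLOCK" if any(inspect(text).values()) else "ALLOW"


# Constructed document an employee is about to share via a public link.
SAMPLE_DOC = (
    "Invoice 1042 for alice@example.com, paid with card 4111 1111 1111 1111. "
    "Reference 1234 5678 9012 3456 is an order id, not a card. "
    "Copy to carol@example.org for review."
)

if __name__ == "__main__":
    print(inspect(SAMPLE_DOC))
    print(share_decision(SAMPLE_DOC))
```

The Luhn step is what keeps the pattern detector from flagging the order reference, and the fingerprint set is what lets the policy recognise a specific customer without storing the customer list in the DLP rule itself.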
Q3 (easy)

A small business wants to implement a security policy that balances protection with usability. Which of the following is the MOST important factor when developing the policy?

A. Adopting a template from a similar organization to save time.
B. Aligning the policy with business objectives and risk appetite.
C. Ensuring the policy is enforceable with technical controls.
D. Basing the policy solely on regulatory compliance requirements.

Correct answer: B. Policy must support business needs and address real risks.

Why: Option B is correct because a security policy must be aligned with the organization's business objectives and risk appetite to ensure it supports operations without imposing unnecessary restrictions. For a small business, this balance is critical—overly strict controls can hinder productivity, while weak controls increase risk. The policy should reflect the specific threats and tolerances of the business, not generic templates or compliance-only checklists.
Q4 (hard)

During a risk assessment, a company identifies that its primary data center is located in a flood-prone area. The estimated annual loss expectancy (ALE) for a flood event is $500,000. Installing flood barriers costs $200,000 and reduces the ALE to $50,000. What is the net benefit of implementing the flood barriers?

A. $300,000
B. $250,000
C. $450,000
D. $200,000

Correct answer: B. Reduction in ALE ($450,000) minus cost ($200,000) = $250,000.

Why: The net benefit is calculated as the reduction in ALE minus the cost of the control. The original ALE is $500,000, and after implementing flood barriers the ALE drops to $50,000, a reduction of $450,000. Subtracting the $200,000 cost of the barriers yields a net benefit of $250,000. This aligns with the CISSP risk management formula: Net Benefit = (ALE_old - ALE_new) - Cost_of_control.
Q5 (medium)

An organization is developing a business continuity plan (BCP) for its critical IT systems. Which of the following is the FIRST step in the BCP process?

A. Identify recovery strategies for critical systems.
B. Conduct a business impact analysis (BIA) to prioritize critical business functions.
C. Develop a testing schedule for the BCP.
D. Perform a risk assessment to identify potential threats.

Correct answer: B. BIA determines criticality and recovery time objectives.

Why: The first step in the BCP process is to conduct a Business Impact Analysis (BIA) to identify and prioritize critical business functions and their dependencies. Without the BIA, you cannot determine which systems require recovery strategies or what recovery time objectives (RTOs) and recovery point objectives (RPOs) are needed. The BIA provides the quantitative and qualitative basis for all subsequent BCP decisions.
Q6 (easy)

A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?

A. To ensure appropriate protection measures are applied to data based on its value and sensitivity.
B. To satisfy regulatory requirements for data retention.
C. To facilitate data sharing across departments without restrictions.
D. To simplify the process of granting access to users.

Correct answer: A. Classification drives the level of protection needed.

Why: Data classification is the foundational process of assigning a sensitivity label (e.g., Public, Internal, Confidential, Restricted) to information assets. The primary reason is to ensure that appropriate security controls—such as encryption, access control lists (ACLs), and data loss prevention (DLP) policies—are applied proportionally to the data's value and sensitivity, aligning with the principle of defense in depth and risk management.


Domain 2: Security Architecture and Engineering

Q1 (medium)

An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?

A. Export the key in plaintext and store it in a safe
B. Replicate the HSM configuration to another HSM in a different location
C. Use the HSM's key-wrapping function to encrypt the key and store the wrapped key in a secure offsite facility
D. Store an encrypted copy on a local server in the same data center

Correct answer: C. Key wrapping maintains the same cryptographic boundary and offsite storage provides redundancy.

Why: Option C is correct because key-wrapping (also known as key encryption) uses a dedicated wrapping key within the HSM to encrypt the target key, ensuring the key never leaves the HSM in plaintext. The wrapped key can be safely stored offsite and later unwrapped only by an authorized HSM, preserving the same cryptographic protection as the primary storage. This method aligns with NIST SP 800-57 guidelines for secure key backup and escrow.
Q2 (hard)

A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

A. Full disk encryption (FDE) with a strong passphrase
B. Trusted Platform Module (TPM)
C. Hypervisor-based isolation
D. Intel Software Guard Extensions (SGX)

Correct answer: D. SGX creates hardware-enforced enclaves that isolate code and data even from the OS.

Why: Intel Software Guard Extensions (SGX) is the correct choice because it provides hardware-enforced isolation of memory regions (enclaves) that remain confidential and integrity-protected even if the operating system or hypervisor is compromised. SGX encrypts enclave memory on-die and decrypts it only within the CPU, preventing any privileged software from reading or tampering with the data.
Q3 (easy)

A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?

A. The certificate uses RSA 1024-bit key
B. The server supports TLS 1.0
C. The server does not support HTTP/2
D. The server enables TLS session tickets

Correct answer: B. TLS 1.0 is deprecated and has known vulnerabilities.

Why: TLS 1.0 is a deprecated protocol with known vulnerabilities, including susceptibility to BEAST and POODLE attacks, which can allow an attacker to decrypt intercepted traffic. While a 1024-bit RSA key is weak, the most immediate and significant risk is the use of an outdated protocol that is actively exploited in the field. Disabling TLS 1.0 and enforcing TLS 1.2 or higher is the critical first step to secure data in transit.
Q4 (medium)

An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?

A. Use mobile device management (MDM) to create a secure container for corporate apps and data
B. Require employees to use company-issued devices only
C. Disable camera and microphone on the device
D. Full device encryption with remote wipe capability

Correct answer: A. Containerization isolates corporate data and allows selective wipe.

Why: A secure container (often implemented via MDM with app wrapping or per-app VPN) creates an encrypted, isolated partition on the device for corporate apps and data. This ensures that if the device is lost or stolen, the corporate data remains encrypted and inaccessible without the container's authentication, while personal apps and data outside the container remain untouched, thus minimizing privacy impact.
Q5 (hard)

A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?

A. Randomize the address space layout (ASLR)
B. Implement stack canaries in all user-space applications
C. Reduce the number of system calls and IPC mechanisms
D. Use cache partitioning or cache coloring to isolate process caches

Correct answer: D. Cache partitioning prevents cross-process cache timing attacks.

Why: D is correct because cache partitioning or cache coloring directly addresses the root cause of side-channel attacks in a microkernel environment: shared CPU caches. By isolating each process's cache footprint, an attacker cannot infer sensitive data (e.g., cryptographic keys) through timing variations or cache occupancy measurements, which is a fundamental architectural mitigation.
Q6 (easy)

A small business wants to implement multifactor authentication (MFA) for remote access to its internal network. The solution must be cost-effective and easy to deploy. Which combination is most appropriate?

A. Fingerprint scanner and password
B. Password and one-time passcode sent via SMS
C. Smart card and PIN
D. Password and security questions

Correct answer: B. SMS OTP is inexpensive and easy to deploy.

Why: Option B is correct because it combines a password (something you know) with a one-time passcode sent via SMS (something you have), satisfying the definition of multifactor authentication. SMS-based OTP is cost-effective and easy to deploy for a small business, as it requires no additional hardware or complex infrastructure, leveraging existing mobile networks.


Domain 3: Communication and Network Security

Q1 (medium)

A security engineer is troubleshooting a network where internal users can access internet websites but cannot reach the company's external VPN server (IP 203.0.113.50, UDP port 500). The firewall rule for VPN traffic is correctly configured. What is the most likely cause?

A. The VPN server is using TCP port 443 instead of UDP 500.
B. The firewall rule is applied to the wrong interface.
C. The firewall is stateful and blocking the return traffic.
D. The VPN server is not listening on UDP port 500.

Correct answer: D. If the server does not have the VPN service running, it won't respond, causing the client to time out.

Why: Option D is correct because the symptom—internal users can reach internet websites but cannot reach the external VPN server—indicates a host-level issue rather than a network or firewall problem. Since the firewall rule for VPN traffic is correctly configured and other traffic flows normally, the most likely cause is that the VPN server itself is not listening on UDP port 500, which is the standard port for IPsec IKE (Internet Key Exchange) traffic. This could be due to a misconfiguration, service failure, or the server being configured to use a different port or protocol.
Q2 (hard)

A network architect is designing a secure connection between two data centers across an untrusted WAN. The requirement is to encrypt all traffic and authenticate both endpoints. Which protocol should be used?

A. SSH
B. IPsec tunnel mode
C. MPLS
D. SSL/TLS

Correct answer: B. IPsec tunnel mode encrypts and authenticates entire packets between gateways.

Why: IPsec tunnel mode is the correct choice because it encrypts the entire IP packet, including the original IP header, and encapsulates it within a new IP header for secure transport across an untrusted WAN. It also provides mutual authentication of both endpoints using IKE (Internet Key Exchange) with pre-shared keys or certificates, satisfying the requirement for encrypting all traffic and authenticating both data centers.
Q3 (easy)

A network administrator notices that users in the accounting department can access the internet but are unable to access the internal payroll server (10.10.10.50). The firewall rule allows traffic from the accounting subnet (10.10.20.0/24) to the payroll server. What is the most likely issue?

A. DNS is not resolving the payroll server's IP address.
B. The payroll server's default gateway does not have a route back to 10.10.20.0/24.
C. The firewall rule is applied to the outbound interface only.
D. The accounting subnet is blocked by an implicit deny rule.

Correct answer: B. Without a return route, packets from the server cannot reach the accounting subnet.

Why: The most likely issue is that the payroll server's default gateway does not have a route back to the accounting subnet (10.10.20.0/24). Even if the firewall permits outbound traffic from the accounting subnet to the payroll server, the return traffic from the server must be routed back through the firewall or a router that knows how to reach 10.10.20.0/24. Without a return route, the server's response packets are dropped, causing a one-way communication failure.
Q4 (medium)

A company uses WPA2-Enterprise with EAP-TLS for wireless access. An employee reports that a new laptop cannot connect to the wireless network, while older laptops work fine. The employee has installed the correct client certificate. What is the most likely cause?

A. The wireless network uses WPA2-PSK instead of WPA2-Enterprise.
B. The RADIUS server's certificate is not trusted by the new laptop.
C. The client certificate is not correctly associated with the user account.
D. The laptop does not support MSCHAPv2.

Correct answer: B. EAP-TLS mutual authentication requires the client to trust the server's certificate.

Why: In WPA2-Enterprise with EAP-TLS, mutual authentication requires the client to validate the RADIUS server's certificate. If the new laptop does not trust the RADIUS server's certificate (e.g., its CA root certificate is missing or expired), the EAP-TLS handshake will fail, preventing connection. Older laptops likely have the necessary root CA installed, while the new laptop does not.
Q5 (hard)

A network engineer is configuring a firewall to allow HTTP traffic from the internet to a web server (10.0.0.10). The firewall has three interfaces: outside (ISP), DMZ (10.0.0.0/24), and inside (192.168.1.0/24). The web server is in the DMZ. Which rule is correct?

A. Rule: Source interface Inside, Source any, Destination 10.0.0.10, Port 80, Action allow
B. Rule: Source interface Outside, Source any, Destination 10.0.0.10, Port 80, Action allow
C. Rule: Source interface Outside, Source 192.168.1.0/24, Destination 10.0.0.10, Port 80, Action allow
D. Rule: Source interface DMZ, Source any, Destination 10.0.0.10, Port 80, Action allow

Correct answer: B. This correctly allows inbound HTTP from internet to DMZ web server.

Why: Option B is correct because HTTP traffic from the internet arrives on the outside interface, and the firewall rule must match the source interface (Outside), allow any source IP, and specify the destination IP (10.0.0.10) and port 80. This permits inbound web traffic to the DMZ web server while maintaining security boundaries.
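To make the rule-matching logic behind this answer concrete, the following is an added example, not Courseiva's code and not any firewall vendor's syntax: a first-match rule evaluator in Python that models the three-interface firewall from the question and tries each of the four candidate rules against an HTTP packet arriving from the internet. The interface names and addresses come from the question; the client source address 198.51.100.7 and the `Rule` / `Packet` types are constructed for this example.

```python
"""First-match firewall rule evaluation (added example, not Courseiva's code).

Models the question above: a three-interface firewall (Outside, DMZ, Inside)
and the four candidate rules, evaluated against an HTTP packet arriving from
the internet. Interface names and the "any" keyword follow the wording of the
question; the source address 198.51.100.7 is a constructed documentation IP.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_iface: str   # interface the packet must arrive on
    src: str         # CIDR / host address, or "any"
    dst: str         # CIDR / host address, or "any"
    port: int        # destination TCP port
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    ingress_iface: str
    src_ip: str
    dst_ip: str
    dst_port: int


def _addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, pkt: Packet) -> str:
    """Walk the rule base top-down; the first matching rule decides.
    Anything left unmatched hits the implicit deny at the end."""
    for r in rules:
        if (r.src_iface == pkt.ingress_iface
                and _addr_match(r.src, pkt.src_ip)
                and _addr_match(r.dst, pkt.dst_ip)
                and r.port == pkt.dst_port):
            return r.action
    return "deny"


# The four answer options expressed as rules.
CANDIDATES = {
    "A": Rule("Inside", "any", "10.0.0.10", 80, "allow"),
    "B": Rule("Outside", "any", "10.0.0.10", 80, "allow"),
    "C": Rule("Outside", "192.168.1.0/24", "10.0.0.10", 80, "allow"),
    "D": Rule("DMZ", "any", "10.0.0.10", 80, "allow"),
}

# Constructed packet: an internet client opening HTTP to the DMZ web server.
INTERNET_HTTP = Packet("Outside", "198.51.100.7", "10.0.0.10", 80)


def options_permitting(pkt: Packet) -> list:
    """Which of the single candidate rules would permit this packet."""
    return [label for label, rule in CANDIDATES.items()
            if evaluate([rule], pkt) == "allow"]


if __name__ == "__main__":
    print("permitted by:", options_permitting(INTERNET_HTTP))
```

Running it shows only B matching: A and D name the wrong ingress interface, and C only fires for a source address from the inside network, which a real internet client never carries. The implicit deny at the end of `evaluate` is also what stops the same rule from leaking other ports or other DMZ hosts.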
Q6 (easy)

An organization wants to ensure that employees can securely access internal applications from home. They deploy a VPN solution. Which VPN type provides the strongest encryption and is most commonly used for remote access?

A. IPsec with IKEv2 and AES-256
B. MPLS Layer 3 VPN
C. L2TP without encryption
D. PPTP

Correct answer: A. This provides strong encryption and is widely used for remote access.

Why: IPsec with IKEv2 and AES-256 provides the strongest encryption for remote access VPNs. IKEv2 offers improved security features like mobility and multi-homing support, while AES-256 is a symmetric cipher with a 256-bit key that is currently considered unbreakable by brute force. This combination is widely deployed for secure client-to-site connections.


Domain 4: Security Assessment and Testing

Q1 (medium)

A security analyst runs a vulnerability scan against a web application and receives a report listing several critical vulnerabilities. However, the development team argues that many of these findings are false positives. Which of the following is the BEST next step for the analyst?

A. Re-scan the application with the same settings to confirm the results.
B. Manually verify a sample of the findings to confirm true vs. false positives.
C. Escalate all critical findings to management immediately.
D. Retune the vulnerability scanner to reduce false positives and re-scan.

Correct answer: B. Manual verification helps identify false positives and prioritize real vulnerabilities.

Why: Option B is correct because manual verification is the definitive method to distinguish true positives from false positives in vulnerability scanning. Automated scanners can produce false positives due to factors like incomplete service fingerprinting or reliance on banner grabbing, which may not reflect actual exploitability. The analyst must validate a representative sample of findings against the actual application behavior and configuration before taking further action.
Q2 (hard)

A company is implementing a continuous monitoring program for its cloud infrastructure. Which of the following metrics would be MOST useful for detecting unauthorized changes to production systems?

A. Network throughput between application tiers.
B. Average CPU load across all systems.
C. Number of failed login attempts per hour.
D. Configuration drift from a known good baseline.

Correct answer: D. Configuration drift detection directly identifies unauthorized changes to system settings.

Why: Configuration drift from a known good baseline is the most effective metric for detecting unauthorized changes because it directly compares the current state of production systems against a secure, approved baseline (e.g., using tools like AWS Config, Azure Policy, or Chef InSpec). Any deviation—such as altered file permissions, unexpected services, or modified registry keys—triggers an alert, enabling rapid detection of unauthorized modifications. This aligns with continuous monitoring principles in cloud security, focusing on integrity rather than performance or access patterns.
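The explanation above describes drift detection as comparing the current state of a system against an approved baseline and alerting on any deviation. The following is an added example, not Courseiva's code and not an AWS Config, Azure Policy or InSpec rule: a minimal Python comparison of a current configuration snapshot with a baseline that reports every setting that changed, disappeared or appeared. Both snapshots and the flat "area.setting" key scheme are constructed assumptions.

```python
"""Configuration drift detection against a known-good baseline (added example).

Not Courseiva's code and not a real AWS Config / Azure Policy / InSpec rule:
a minimal comparison of a current system snapshot with an approved baseline,
reporting every key that changed, disappeared or appeared. Both snapshots are
constructed; the key names use an assumed flat "area.setting" scheme.
"""
import hashlib
import json

# Approved baseline (constructed).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "file:/etc/shadow.mode": "0640",
    "service.telnet": "disabled",
    "pkg.openssl": "3.0.13",
}

# Constructed snapshot taken from production after an unauthorised change.
CURRENT = {
    "sshd.PermitRootLogin": "yes",          # changed
    "sshd.PasswordAuthentication": "no",
    "file:/etc/shadow.mode": "0644",        # changed
    "service.telnet": "enabled",            # changed
    "service.unknown-agent": "enabled",     # not in the baseline at all
    "pkg.openssl": "3.0.13",
}


def snapshot_digest(state: dict) -> str:
    """Stable hash of a snapshot, for a cheap 'did anything change?' check."""
    canonical = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline: dict, current: dict) -> list:
    """Return (kind, key, expected, actual) tuples, sorted by key.
    kind is 'changed', 'missing' (in baseline only) or 'unexpected' (in current only)."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if key not in current:
            findings.append(("missing", key, baseline[key], None))
        elif key not in baseline:
            findings.append(("unexpected", key, None, current[key]))
        elif baseline[key] != current[key]:
            findings.append(("changed", key, baseline[key], current[key]))
    return findings


def drift_status(baseline: dict, current: dict) -> str:
    """Fast path first: identical digests mean no drift; otherwise raise an alert."""
    if snapshot_digest(baseline) == snapshot_digest(current):
        return "OK"
    return "ALERT" if detect_drift(baseline, current) else "OK"


if __name__ == "__main__":
    for kind, key, expected, actual in detect_drift(BASELINE, CURRENT):
        print(f"{kind:10} {key}: expected={expected!r} actual={actual!r}")
    print(drift_status(BASELINE, CURRENT))
```

The digest gives a cheap integrity check to run on every collection cycle; the full key-by-key diff is what turns an alert into something an analyst can act on, because it names the exact setting and the value it was supposed to have.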
Q3 (easy)

A security assessor is conducting a penetration test and needs to identify live hosts on a network without causing disruption. Which of the following techniques should the assessor use FIRST?

A. ARP scan to discover hosts on the local subnet.
B. Ping sweep using ICMP echo requests.
C. Vulnerability scan of all IP addresses in the target range.
D. Full TCP port scan on common ports.

Correct answer: B. Ping sweep is a standard, non-disruptive host discovery technique.

Why: A ping sweep using ICMP echo requests (ICMP Type 8) is the most appropriate first step for identifying live hosts on a network because it is a standard, low-disruption method that quickly determines host availability. ICMP echo requests are typically allowed by default on many networks and do not initiate full protocol handshakes or service interactions, minimizing the risk of triggering alarms or causing instability. This aligns with the penetration testing methodology of starting with passive or low-impact reconnaissance before escalating to more intrusive techniques.
Q4 (medium)

A security team is planning a social engineering test for their organization. Which of the following scenarios would BEST assess the effectiveness of security awareness training?

A. Sending a phishing email that mimics a common internal communication.
B. Calling employees and pretending to be IT support to obtain passwords.
C. Attempting to tailgate into a secure facility.
D. Searching through trash bins for sensitive documents.

Correct answer: A. Phishing emails directly test the awareness training provided to employees.

Why: Sending a phishing email that mimics a common internal communication directly tests whether employees can recognize and report a realistic social engineering attempt, which is the primary goal of security awareness training. This scenario evaluates the human firewall by simulating the most prevalent attack vector—email-based phishing—and measures the effectiveness of training in reducing click-through rates and increasing reporting behavior.
Q5 (hard)

A financial institution is required to perform regular penetration tests on its online banking platform. The testing must be as realistic as possible while minimizing risk to production data. Which of the following approaches BEST meets these requirements?

A. Conduct the test on the production environment using anonymized production data.
B. Use an automated vulnerability scanner on the production environment.
C. Perform the test during off-peak hours on the production system with read-only access.
D. Build a replica of the production environment and test against it with realistic attack scenarios.

Correct answer: D. A replica environment allows full attack simulation without risking production data.

Why: Option D is correct because building a replica (staging) environment allows the penetration test to simulate realistic attack scenarios without any risk to production data or system availability. This approach ensures the test can include destructive or disruptive techniques (e.g., SQL injection, privilege escalation) that would be unsafe on a live system, while still accurately reflecting the production architecture and configurations.
Q6 (easy)

A security auditor is reviewing the results of a recently completed internal vulnerability scan. The scan report shows several hosts with the same vulnerability. Which of the following actions should the auditor take FIRST?

A. Manually verify the vulnerability on a sample of affected hosts.
B. Immediately apply patches to all affected hosts.
C. Remove the hosts from the network until the vulnerability is resolved.
D. Re-run the scan with a different scanner.

Correct answer: A. Manual verification confirms the finding and reduces false positives.

Why: The auditor must first manually verify the vulnerability on a sample of affected hosts because automated vulnerability scans can produce false positives due to factors like incomplete banner grabbing, outdated plugin signatures, or network-level interference. Confirming the finding ensures that subsequent remediation efforts are based on accurate, validated data, preventing wasted resources on non-existent issues.


Domain 5: Identity and Access Management

Q1 (medium)

A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?

A. Biometric data cannot be revoked or changed if compromised
B. High false acceptance rate leading to unauthorized access
C. Low user acceptance due to privacy concerns
D. Increased login time compared to password authentication

Correct answer: A. Biometric traits are permanent; once stolen, they cannot be replaced.

Why: Biometric data, such as fingerprint templates, is immutable and permanently tied to the individual. Once compromised, the user cannot simply 'reset' their fingerprint like a password, rendering the authentication factor permanently insecure for that user across all systems where it is used. This non-repudiation and revocation failure represents the most significant long-term risk to the organization's identity management infrastructure.
Q2 (hard)

A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?

A. The system clocks on the IdP and SP are significantly out of sync
B. The SP is configured to require a specific SAML attribute not present in the assertion
C. The IdP server for the subsidiary is temporarily unreachable
D. The SAML certificate used by the SP has expired

Correct answer: A. SAML assertions include timestamps; clock skew leads to validation failure.

Why: SAML 2.0 relies on timestamps (NotBefore and NotOnOrAfter) within the assertion for validity. If the system clocks on the identity provider (IdP) and service provider (SP) are significantly out of sync, the SP will reject the assertion as expired or not yet valid, even though the IdP logs show successful authentication. This is the most common cause of assertion validation failures in cross-domain SSO deployments.
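The explanation above turns on the NotBefore and NotOnOrAfter timestamps in the assertion's Conditions element. The following is an added example, not Courseiva's code and not a SAML library: a Python check of just that validity window, run against an SP clock that is behind or ahead of the IdP, with and without a skew tolerance. The five-minute validity window, the timestamps and the skew values are constructed assumptions; the simulated IdP records a successful authentication in every case, which is exactly the log pattern in the question.

```python
"""SAML assertion time-window validation with clock skew (added example).

Not Courseiva's code and not a SAML library: it checks only the Conditions
element's NotBefore / NotOnOrAfter window, which is the part that clock skew
breaks. Timestamps and the skew settings are constructed; the IdP is assumed
to issue a five-minute window starting at its own clock.
"""
from datetime import datetime, timedelta, timezone


def parse_saml_time(value: str) -> datetime:
    """SAML uses xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_conditions(not_before: str, not_on_or_after: str,
                     sp_now: datetime, skew: timedelta = timedelta(0)) -> str:
    """Return 'accepted', 'not-yet-valid' or 'expired' as judged by the SP's clock.
    `skew` is the tolerance the SP grants in either direction."""
    nb = parse_saml_time(not_before)
    noa = parse_saml_time(not_on_or_after)
    if sp_now + skew < nb:
        return "not-yet-valid"       # SP clock is behind the IdP
    if sp_now - skew >= noa:         # NotOnOrAfter is exclusive
        return "expired"             # SP clock is ahead of the IdP, or the assertion is stale
    return "accepted"


def issue_assertion(idp_now: datetime, validity: timedelta = timedelta(minutes=5)) -> dict:
    """The Conditions the IdP would emit; its own log records success at this point."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {"NotBefore": idp_now.strftime(fmt),
            "NotOnOrAfter": (idp_now + validity).strftime(fmt)}


def sso_outcome(idp_now: datetime, sp_offset: timedelta,
                skew: timedelta = timedelta(0)) -> str:
    """One login: the IdP issues at idp_now, the SP validates at idp_now + sp_offset."""
    a = issue_assertion(idp_now)
    return check_conditions(a["NotBefore"], a["NotOnOrAfter"], idp_now + sp_offset, skew)


IDP_NOW = datetime(2026, 5, 1, 10, 0, 0, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    print(sso_outcome(IDP_NOW, timedelta(minutes=2)))
    print(sso_outcome(IDP_NOW, timedelta(minutes=-12)))
    print(sso_outcome(IDP_NOW, timedelta(minutes=12)))
    print(sso_outcome(IDP_NOW, timedelta(minutes=-2), skew=timedelta(minutes=3)))
```

Run as a script, the four lines print accepted, not-yet-valid, expired and accepted: the first is a healthy SP, the next two are an SP twelve minutes behind and ahead of the IdP, and the last shows a two-minute lag absorbed by a three-minute tolerance. The skew tolerance is the operational knob, but the fix the answer points at is synchronising both clocks to the same time source so the tolerance never has to do real work.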
Q3 (easy)

An organization wants to implement a password policy that balances security and usability. Which of the following is the BEST practice according to current NIST guidelines?

A. Compare new passwords against a list of known compromised passwords
B. Set maximum password length to 8 characters
C. Require password changes every 30 days
D. Enforce a minimum of one uppercase, one lowercase, one digit, and one special character

Correct answer: A. This prevents use of common passwords from breach data.

Why: NIST SP 800-63B explicitly recommends checking passwords against a list of known compromised passwords (e.g., from previous breaches) rather than enforcing arbitrary complexity rules. This approach directly mitigates credential stuffing and dictionary attacks by rejecting passwords that have already been exposed, while avoiding user frustration from frequent changes or complex composition requirements.
Q4 (medium)

A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?

A. Share the Purchasing Manager's account credentials with the user
B. Temporarily assign the 'Purchasing Approver' role to the user with an expiration date
C. Modify the 'Accounts Payable' role to include purchase order approval permissions
D. Create a new role with the exact permissions needed and assign it to the user

Correct answer: B. This grants needed access for a limited time, maintaining least privilege.

Why: Option B is correct because it follows the principle of least privilege by temporarily assigning the 'Purchasing Approver' role to the user with an expiration date, ensuring that the elevated permissions are automatically revoked after the leave period. This approach maintains RBAC integrity without permanently altering role definitions or sharing credentials.
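The explanation above rests on the assignment carrying an expiration date so that the elevated permission revokes itself. The following is an added example, not Courseiva's code and not any ERP product's authorisation model: a Python RBAC check in which role definitions stay untouched and access is granted through time-bounded assignments. The role and user names, the leave dates and the per-assignment amount cap used to express the "up to $10,000" condition are all constructed assumptions.

```python
"""Time-bounded RBAC role assignment (added example, not Courseiva's code).

Models the question above: the 'Accounts Payable' user gets the
'Purchasing Approver' role with an expiry, so the extra permission revokes
itself when the manager returns. Role and user names, the expiry date and the
per-assignment amount cap (used for the "up to $10,000" condition) are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Role definitions stay untouched; access is granted by assignment, not by
# editing a role (which would be option C in the question).
ROLE_PERMISSIONS = {
    "accounts_payable": {"view_po", "pay_invoice"},
    "purchasing_approver": {"view_po", "approve_po"},
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    expires_at: Optional[datetime] = None   # None: permanent assignment
    max_amount: Optional[int] = None        # cap on approve_po (assumed constraint)


ASSIGNMENTS = [
    Assignment("pat", "accounts_payable"),
    # Temporary delegation while the manager is on leave (constructed dates).
    Assignment("pat", "purchasing_approver",
               expires_at=datetime(2026, 6, 15, tzinfo=timezone.utc),
               max_amount=10_000),
    Assignment("morgan", "purchasing_approver"),
]


def active_assignments(user: str, now: datetime) -> list:
    """Assignments still in force at `now`; expired ones simply drop out."""
    return [a for a in ASSIGNMENTS
            if a.user == user and (a.expires_at is None or now < a.expires_at)]


def has_permission(user: str, permission: str, now: datetime) -> bool:
    return any(permission in ROLE_PERMISSIONS[a.role]
               for a in active_assignments(user, now))


def approve_po(user: str, amount: int, now: datetime) -> str:
    """Approve only through an active assignment whose cap covers the amount."""
    for a in active_assignments(user, now):
        if ("approve_po" in ROLE_PERMISSIONS[a.role]
                and (a.max_amount is None or amount <= a.max_amount)):
            return "approved"
    return "denied"


DURING_LEAVE = datetime(2026, 6, 1, tzinfo=timezone.utc)   # constructed
AFTER_LEAVE = datetime(2026, 6, 20, tzinfo=timezone.utc)   # constructed

if __name__ == "__main__":
    print(approve_po("pat", 9_500, DURING_LEAVE))    # within cap, before expiry
    print(approve_po("pat", 12_000, DURING_LEAVE))   # over the cap
    print(approve_po("pat", 9_500, AFTER_LEAVE))     # assignment has expired
```

Because expiry is evaluated at access time rather than by a clean-up job, nobody has to remember to revoke the delegation, and the permanent 'Accounts Payable' permissions are unaffected in either direction.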
Q5 (hard)

A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?

A. Convert the account to a group Managed Service Account (gMSA)
B. Set a very long, complex password and store it in a password manager
C. Decommission the legacy application and migrate to a modern alternative that supports secure authentication
D. Disable the account and create a new service account with limited privileges

Correct answer: C. Eliminates the risk entirely by removing the service account.

Why: Option C is correct because the most secure outcome is to decommission the legacy application and the service account it depends on, migrating to an alternative that supports modern authentication. Option A is wrong because group Managed Service Accounts (gMSAs) require Windows Server 2012 or later and application support, which the legacy application lacks. Option B is wrong because a long, complex password still carries a risk of theft and is not automatically rotated. Option D is wrong because disabling the account would break the application.
Q6 (easy)

A company wants to implement multi-factor authentication (MFA) for remote access. Which combination of factors represents something you have and something you are?

A

Password and PIN

B

Hardware token and mobile phone

C

Smart card and fingerprint

Smart card (possession) + fingerprint (inherence) = two factors.

D

Password and SMS code

Why: Option C is correct because a smart card is a physical device that you possess (something you have), and a fingerprint is a biometric characteristic unique to you (something you are). This combination satisfies the multi-factor authentication requirement by using two distinct factors from different categories, which is more secure than using two factors from the same category.


Domain 6: Software Development Security

Q1 (easy)

A development team is adopting a secure SDLC. Which phase should include threat modeling to identify potential security vulnerabilities early?

A

Implementation

B

Design

Threat modeling is a design-time activity that helps identify and address security threats before implementation.

C

Testing

D

Requirements gathering

Why: Threat modeling is a structured activity that identifies potential threats, vulnerabilities, and attack vectors against a system. It is most effective during the Design phase because architectural decisions, data flow diagrams, trust boundaries, and component interactions are being defined, allowing security controls to be built in rather than bolted on later. Performing threat modeling here aligns with the 'shift left' principle of secure SDLC, reducing cost and effort compared to retrofitting security after implementation.
Q2 (medium)

A software company uses a third-party library that has a known critical vulnerability. The library is used extensively and rewriting the code would take months. What is the BEST immediate action to reduce risk?

A

Remove the library from the codebase immediately

B

Disable the vulnerable feature in the library

C

Increase logging and monitoring to detect exploitation attempts

D

Implement a Web Application Firewall (WAF) rule to block exploitation

A WAF can provide virtual patching to mitigate the vulnerability in transit.

Why: Option D is correct because implementing a Web Application Firewall (WAF) rule to block exploitation provides an immediate, compensating control that mitigates the known vulnerability without requiring code changes. This is the best immediate action because it buys time for a permanent fix while reducing risk, aligning with the principle of defense in depth. The WAF can inspect HTTP/HTTPS traffic for attack patterns (e.g., SQL injection, path traversal) specific to the vulnerable library and block malicious requests at the application layer.
Q3 (hard)

During a code review, a developer encounters the following code snippet in a Java web application used to authenticate users:

String query = "SELECT * FROM users WHERE username = '" + request.getParameter("user") + "' AND password = '" + request.getParameter("pass") + "'";

Which of the following is the MOST effective remediation?

A

Use regular expressions to validate the username and password inputs

B

Encode the input using HTML entity encoding before inclusion in the query

C

Escape single quotes in the input parameters

D

Replace the concatenated query with a prepared statement and bind parameters

Prepared statements ensure user input is treated as data, not executable SQL.

Why: Option D is correct because prepared statements with parameterized queries separate SQL logic from user input, preventing SQL injection entirely. In Java, using PreparedStatement with bind variables (e.g., `ps.setString(1, user)`) ensures the database treats input as data, not executable code, which is the only reliable defense against SQL injection attacks.
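Added example (not code from the original question): the reviewed defect beside the option D fix, written in Python with sqlite3 so it runs stand-alone; the `?` placeholders are the sqlite3 equivalent of Java's PreparedStatement with `ps.setString(...)`. The users table and its single row are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the application's database.
    Plaintext passwords mirror the reviewed snippet; real code compares salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret-pass')")
    conn.commit()
    return conn


def login_concatenated(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """The defect from the code review: input is spliced into the SQL text, so a quote
    in the input ends the string literal and the remainder is parsed as SQL."""
    query = ("SELECT * FROM users WHERE username = '" + user
             + "' AND password = '" + pw + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """Option D: the SQL text is fixed and the driver binds the ? placeholders as values,
    so whatever the input contains, it can only ever be compared as data."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (user, pw)).fetchone() is not None


def compare(conn: sqlite3.Connection, user: str, pw: str) -> dict:
    """Run the same credentials through both versions so the difference is visible."""
    return {"concatenated": login_concatenated(conn, user, pw),
            "parameterized": login_parameterized(conn, user, pw)}


if __name__ == "__main__":
    db = make_db()
    print(compare(db, "alice", "S3cret-pass"))   # both True: valid credentials
    print(compare(db, "alice", "' OR '1'='1"))   # concatenated True, parameterized False
```

The second call shows the point of the question: the concatenated version accepts a value that is not the password at all, while the parameterized version simply reports a failed match.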
Q4 (easy)

An organization is migrating from a waterfall to an Agile development methodology. Which of the following is a key security advantage of Agile?

A

Security testing is performed only at the end of the project

B

Security issues can be addressed incrementally throughout development

Agile's short cycles allow for prompt remediation of security findings.

C

Security requirements are finalized upfront

D

Security documentation is minimized to reduce overhead

Why: In Agile development, security testing and remediation are integrated into each iteration (sprint), allowing teams to identify and fix vulnerabilities incrementally rather than waiting until the end. This continuous feedback loop reduces the risk of late-stage security surprises and aligns with the principle of 'shifting left' on security.
Q5 (medium)

A company is deploying a containerized application using Kubernetes. Which practice BEST ensures the security of the container images?

A

Scan images for vulnerabilities and use minimal base images

Vulnerability scanning and minimal images reduce risk.

B

Restrict containers from running as root

C

Use the latest version of the base image without scanning

D

Enable container escape protection

Why: Scanning container images for known vulnerabilities (e.g., using Trivy, Clair, or Snyk) and using minimal base images (e.g., Alpine or distroless) directly reduces the attack surface and eliminates unnecessary packages that may contain exploitable flaws. This practice is foundational to secure software supply chain management and aligns with the principle of least functionality in containerized environments.
Q6 (hard)

A development team is implementing a microservices architecture. Which of the following is the BEST approach to secure inter-service communication?

A

Use JSON Web Tokens (JWT) for each request

B

Use API keys transmitted in HTTP headers

C

Place all services behind a single API gateway

D

Implement mutual TLS (mTLS) between services

mTLS provides strong authentication and encryption for inter-service communication.

Why: Mutual TLS (mTLS) is the best approach because it provides both encryption and bidirectional authentication between services, ensuring that only authorized services can communicate. Unlike token-based methods, mTLS verifies the identity of both the client and server using X.509 certificates, which is critical in a zero-trust microservices environment where network boundaries are porous.


Domain 7: Asset Security

Q1 (medium)

A financial institution is implementing a data retention policy to comply with regulatory requirements. The policy must ensure that transaction records are retained for 7 years and then securely destroyed. Which of the following is the BEST approach to implement this policy?

A

Encrypt all records and destroy the encryption keys after 7 years

B

Automatically purge records using a data management tool that overwrites data after the retention period

Automated purging ensures consistent and timely destruction, reducing human error and ensuring compliance.

C

Move records to a separate archive and delete the directory pointers

D

Manually review and delete records after 7 years

Why: Option B is correct because automated purging using a data management tool that overwrites data ensures that the records are securely destroyed at the end of the retention period, meeting both regulatory compliance and data sanitization requirements. Overwriting (e.g., using DoD 5220.22-M or NIST SP 800-88 standards) prevents data recovery by replacing the storage media's bits with patterns, making it a reliable method for secure destruction in a financial institution's automated environment.
Q2 (hard)

During a security audit, it is discovered that a company's data classification labels are inconsistently applied across different departments. Which of the following is the BEST long-term solution to ensure consistent data classification?

A

Conduct annual retraining on data classification policies

B

Implement automated data classification tools that apply labels based on content and context

Automation reduces human error and ensures consistent application of classification labels.

C

Adopt a single classification level for all data to eliminate confusion

D

Assign a data owner in each department to manually review and classify data

Why: Automated data classification tools use content inspection (e.g., regex patterns, keyword matching) and contextual analysis (e.g., file location, creator, metadata) to consistently apply labels across the enterprise. This eliminates human error and variability between departments, ensuring uniform enforcement of the classification policy without relying on manual interpretation or periodic training.
Q3 (easy)

An organization wants to protect sensitive data stored on laptops. Which of the following is the MOST effective control to prevent data loss if a laptop is stolen?

A

BIOS password

B

Asset tracking software

C

Full-disk encryption (FDE)

FDE encrypts the entire drive, making data inaccessible without the key.

D

Remote wipe capability

Why: Full-disk encryption (FDE) renders the data on the laptop unreadable without the decryption key, even if the storage drive is removed and analyzed. This is the most effective preventive control against data loss from theft because it protects data at rest regardless of physical access to the device.
Q4 (medium)

A healthcare organization is moving patient records to a cloud storage service. Which of the following is the MOST important requirement to ensure data security and compliance with HIPAA?

A

Multi-factor authentication for all cloud access

B

Encryption of data in transit using TLS 1.2

C

A signed Business Associate Agreement (BAA) with the cloud provider

A BAA is required under HIPAA to ensure the cloud provider handles PHI appropriately.

D

Encryption of data at rest using AES-256

Why: Under HIPAA, a covered entity must have a signed Business Associate Agreement (BAA) with any cloud service provider that creates, receives, maintains, or transmits protected health information (PHI). Without a BAA, the provider is not contractually bound to safeguard PHI, making the organization non-compliant regardless of technical controls. While encryption and MFA are important security measures, they cannot substitute for the legal and regulatory requirement of a BAA.
Q5 (hard)

A company is decommissioning a data center and needs to dispose of hard drives that contained highly confidential financial data. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?

A

Overwriting the drives with multiple passes of random data

B

Shredding the drives into small pieces

Physical destruction makes data recovery physically impossible.

C

Degaussing the drives

D

Overwriting the drives with a single pass of zeros

Why: Shredding the drives into small pieces physically destroys the platters, making data recovery impossible regardless of the storage technology (e.g., HDD vs. SSD). This method provides the highest assurance because it eliminates any possibility of reading residual magnetic or solid-state data, even with advanced forensic tools like electron microscopy.
Q6 (medium)

Which TWO of the following are essential components of a data classification policy? (Select two.)

A

Data retention periods for each classification level

B

Roles and responsibilities for data classification

Defining who is responsible for classifying data is essential.

C

Definition of classification levels (e.g., public, confidential, secret)

Classification levels are a core component of the policy.

D

Methods for secure data destruction

E

Encryption standards for each classification level

Why: Roles and responsibilities are essential because a data classification policy must clearly define who is accountable for classifying data, who can assign classification levels, and who is responsible for maintaining the labels. Without this, classification efforts become inconsistent and unenforceable, leading to security gaps. The CISSP emphasizes that governance requires clear assignment of ownership and decision-making authority for data assets.


Domain 8: Security Operations

Q1 (medium)

A security analyst notices repeated failed login attempts from an internal IP address on the domain controller. After enabling account lockout, the lockouts continue but the source IP changes. What is the best next step?

A

Analyze the log events to identify the attack pattern and implement additional controls such as MFA

Understanding the attack pattern allows for targeted controls like requiring MFA for the targeted account or blocking the attack vector.

B

Increase the account lockout threshold

C

Ignore the event as it is likely a false positive

D

Disable the user account being targeted

Why: Option A is correct because the changing source IP indicates a distributed attack, likely a password spraying or brute-force attempt from multiple compromised hosts. Analyzing log events helps identify the attack pattern (e.g., timing, targeted accounts, source IP ranges) so you can implement additional controls like MFA, which mitigates credential-based attacks regardless of source IP changes. Account lockout alone is insufficient when attackers rotate IPs, as lockout policies are per-account and per-source, not adaptive to distributed sources.
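Added example (not part of the original question): the log analysis that option A calls for, in Python, over constructed failed-logon records with 4625-style fields (time, target account, source address). It aggregates attempts, distinct sources, source networks and the active time span per account, and flags the rotating-source pattern from the scenario; every account name and address is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed failed-logon records: (timestamp, target account, source address). Not real logs.
FAILED_LOGONS = [
    ("2024-05-01T08:00:01", "svc-backup", "10.0.5.21"),
    ("2024-05-01T08:00:03", "svc-backup", "10.0.5.21"),
    ("2024-05-01T08:00:05", "svc-backup", "10.0.5.21"),
    ("2024-05-01T08:31:10", "svc-backup", "10.0.5.22"),
    ("2024-05-01T08:31:12", "svc-backup", "10.0.5.22"),
    ("2024-05-01T08:31:14", "svc-backup", "10.0.5.22"),
    ("2024-05-01T09:02:20", "svc-backup", "10.0.7.40"),
    ("2024-05-01T09:02:22", "svc-backup", "10.0.7.40"),
    ("2024-05-01T09:33:30", "svc-backup", "10.0.7.41"),
    ("2024-05-01T09:33:33", "svc-backup", "10.0.7.41"),
    ("2024-05-01T08:15:00", "mlee", "10.0.9.10"),   # a user mistyping a password twice
    ("2024-05-01T08:15:09", "mlee", "10.0.9.10"),
]


def per_account(events):
    """Aggregate attempts, distinct sources and the active time span per target account."""
    stats = defaultdict(lambda: {"attempts": 0, "sources": set(), "first": None, "last": None})
    for ts, account, src in events:
        t = datetime.fromisoformat(ts)
        s = stats[account]
        s["attempts"] += 1
        s["sources"].add(src)
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = t if s["last"] is None else max(s["last"], t)
    return dict(stats)


def flag_distributed(stats, min_attempts=5, min_sources=3):
    """Accounts hit from several sources, a few tries each: the rotating-IP pattern in the
    scenario, where per-account lockout alone does not end the attempt. These are the
    accounts to enforce MFA on, and the source hosts are the ones to investigate."""
    return sorted(a for a, s in stats.items()
                  if s["attempts"] >= min_attempts and len(s["sources"]) >= min_sources)


def source_subnets(stats, account):
    """Collapse sources to /24 prefixes to see whether they share a network segment."""
    return sorted({".".join(ip.split(".")[:3]) + ".0/24" for ip in stats[account]["sources"]})


if __name__ == "__main__":
    stats = per_account(FAILED_LOGONS)
    for account in flag_distributed(stats):
        s = stats[account]
        print(account, s["attempts"], "attempts from", len(s["sources"]), "sources in",
              source_subnets(stats, account), "between", s["first"], "and", s["last"])
```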
Q2 (hard)

A SOC analyst receives an alert for a suspicious outbound connection from a server in the DMZ to an external IP on port 443. The server is a web application server that should only communicate internally. The analyst checks the process and finds it is 'svchost.exe' running from a non-standard path. What is the most appropriate immediate action?

A

Isolate the server from the network

Isolation stops the malicious outbound connection and prevents further damage, allowing for later forensic analysis.

B

Initiate a full incident response investigation

C

Disregard the alert because svchost.exe is a legitimate Windows process

D

Terminate the suspicious process

Why: Option A is correct because isolating the server immediately contains the threat, preventing potential data exfiltration or lateral movement from a compromised host. The suspicious outbound connection from a DMZ server to an external IP on port 443 (HTTPS) combined with 'svchost.exe' running from a non-standard path strongly indicates malware masquerading as a legitimate Windows process. In security operations, containment is the priority before investigation to minimize damage.
Q3 (easy)

During a security audit, an organization discovers that several employees are sharing a single generic account to access a critical database. Which principle of security operations is being violated?

A

Accountability

Account sharing removes the ability to trace actions to an individual, violating accountability.

B

Separation of duties

C

Defense in depth

D

Least privilege

Why: Accountability requires that each individual user be uniquely identified and their actions traceable. Sharing a generic account breaks this chain because the audit logs cannot attribute specific database operations (e.g., SELECT, UPDATE, DELETE) to a particular employee, making it impossible to hold anyone responsible for misuse or errors.
Q4 (hard)

A security engineer is designing a new SIEM correlation rule to detect potential data exfiltration. The rule should trigger when a single internal host sends more than 10 MB of data to an external IP address within a 5-minute window, but only if the external IP is not on a whitelist of known business partners. Which approach best minimizes false positives while ensuring effective detection?

A

Apply the rule to all internal hosts with the same threshold

B

Trigger only when the destination IP is in a threat intelligence feed of known malicious IPs

C

Use a baseline of normal traffic per host and trigger only when the volume exceeds the baseline by a significant margin

Baselines allow the rule to adapt to each host's typical behavior, reducing false positives while detecting anomalies.

D

Set a static threshold of 10 MB for all hosts, but exclude traffic to common cloud storage providers

Why: Option C is correct because a per-host baseline of normal traffic adapts to each user's and server's behaviour, reducing false positives from legitimate large transfers while still flagging volume that is anomalous for that host. Option A is wrong because applying one fixed rule to all internal hosts would generate many false positives from servers that routinely transfer large files. Option B is wrong because a feed of known malicious IPs only catches destinations already identified as bad, so exfiltration to any unlisted address is missed. Option D is wrong because a static threshold does not account for varying normal usage, even with an exclusion list for common cloud storage providers.
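Added example (not part of the original question): the option C rule in Python, with a per-host threshold learned from constructed history and the static 10 MB rule of options A/D beside it for comparison. Hosts, addresses, volumes and the partner allowlist are all constructed; the 10 MB figure from the rule is kept as a floor under the baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1024 * 1024

# Constructed allowlist of business-partner addresses (RFC 5737 documentation range).
PARTNER_ALLOWLIST = {"203.0.113.10"}

# Constructed history: outbound bytes per past 5-minute window for each host. A file
# server normally moves tens of MB per window; a workstation moves well under 1 MB.
HISTORY = {
    "fileserver01": [40 * MB, 55 * MB, 48 * MB, 60 * MB, 52 * MB, 45 * MB],
    "ws-1042": [0.2 * MB, 0.5 * MB, 0.3 * MB, 0.4 * MB, 0.6 * MB, 0.3 * MB],
}

# Constructed flows in the current 5-minute window: (source host, destination IP, bytes).
WINDOW_FLOWS = [
    ("fileserver01", "198.51.100.7", 58 * MB),  # routine volume for this host
    ("ws-1042", "198.51.100.44", 12 * MB),      # far above this workstation's norm
    ("ws-1042", "203.0.113.10", 30 * MB),       # large, but to an allowlisted partner
]


def host_threshold(history, host, static_floor=10 * MB, k=3.0):
    """Option C: per-host baseline (mean + k standard deviations of past windows).
    The floor keeps quiet hosts from paging on deviations of a few hundred kilobytes."""
    samples = history.get(host)
    if not samples:
        return static_floor
    return max(static_floor, mean(samples) + k * pstdev(samples))


def external_totals(flows, allowlist):
    """Sum bytes per host to non-allowlisted destinations, keeping the destinations seen."""
    totals = defaultdict(lambda: {"bytes": 0, "destinations": set()})
    for host, dst, nbytes in flows:
        if dst in allowlist:
            continue
        totals[host]["bytes"] += nbytes
        totals[host]["destinations"].add(dst)
    return dict(totals)


def static_rule(flows, allowlist, threshold=10 * MB):
    """Options A/D: one fixed threshold for every host; the file server is a false positive."""
    return sorted(h for h, t in external_totals(flows, allowlist).items() if t["bytes"] > threshold)


def baseline_rule(flows, history, allowlist):
    """Option C: fire only when a host exceeds its own threshold."""
    alerts = []
    for host, t in external_totals(flows, allowlist).items():
        thr = host_threshold(history, host)
        if t["bytes"] > thr:
            alerts.append({"host": host, "bytes": t["bytes"], "threshold": thr,
                           "destinations": sorted(t["destinations"])})
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    print("static rule fires for:", static_rule(WINDOW_FLOWS, PARTNER_ALLOWLIST))
    print("baseline rule fires for:", baseline_rule(WINDOW_FLOWS, HISTORY, PARTNER_ALLOWLIST))
```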
Q5 (easy)

A company's security policy requires that all removable media be encrypted. An employee plugs in a USB drive and is prompted to format it before use. After formatting, the drive is not encrypted. What is the most likely reason?

A

The employee did not enable encryption (e.g., BitLocker To Go) after formatting

Encryption is a separate step that must be explicitly enabled, e.g., via BitLocker To Go.

B

The USB drive hardware does not support encryption

C

The operating system does not support encryption of removable media

D

The employee used the wrong file system (FAT32 vs NTFS)

Why: Option A is correct because BitLocker To Go, the native encryption feature for removable drives in Windows, is not automatically enabled when a USB drive is formatted. The employee must explicitly enable encryption (e.g., via BitLocker To Go in Control Panel or by right-clicking the drive and selecting 'Turn on BitLocker') after formatting. Without this step, the drive remains unencrypted, violating the security policy.
Q6 (medium)

An organization is implementing a new backup strategy for its critical servers. The backup must support rapid restoration of individual files and allow for a recovery point objective (RPO) of no more than 15 minutes. Which backup method should be used for daily operations?

A

Full backup every 24 hours

B

Continuous data protection (CDP)

CDP captures every write, enabling restoration to any point within seconds, meeting the RPO.

C

Differential backup every 6 hours

D

Incremental backup every 4 hours

Why: Continuous data protection (CDP) is the only backup method that can guarantee a recovery point objective (RPO) of 15 minutes or less because it captures every write to disk in real time or near-real time, enabling restoration to any point within the protection window. Full, differential, and incremental backups all rely on periodic snapshots, which inherently introduce gaps that exceed a 15-minute RPO unless the interval is shorter than 15 minutes, which is impractical for daily operations.


Frequently asked questions

How many questions are on the CISSP exam?

The CISSP exam has 125 questions and must be completed in 240 minutes. The passing score is 700/1000.

What types of questions appear on the CISSP exam?

Scenario-based management and technical questions across security governance, risk, architecture, identity, network, application, and operations domains.

How are CISSP questions organised by domain?

The exam covers 8 domains: Security and Risk Management, Security Architecture and Engineering, Communication and Network Security, Security Assessment and Testing, Identity and Access Management, Software Development Security, Asset Security, Security Operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CISSP exam questions?

No. These are original exam-style practice questions written against the official ISC2 CISSP exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
