Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Security Architecture and Engineering practice sets

CISSP Security Architecture and Engineering • Complete Question Bank

CISSP Security Architecture and Engineering — All Questions With Answers

Complete CISSP Security Architecture and Engineering question bank — all 0 questions with answers and detailed explanations.

60
Questions
Free
No signup
Certifications/CISSP/Practice Test/Security Architecture and Engineering/All Questions
Question 1mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A security architect is designing a system for a military intelligence agency where data classification labels (Top Secret, Secret, Confidential, Unclassified) are mandatory. Users are cleared to a specific level and must not read data above their clearance. Which security model enforces this type of access control?

Question 2mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A financial application requires strict integrity controls to prevent unauthorized modifications. The security team implements a model where users cannot write data to higher integrity levels (no write up) and cannot read data from lower integrity levels (no read down). Which model is being applied?

Question 3easymultiple choice
Study the full ACL explanation →

Which access control model allows data owners to grant or revoke access to resources they own, typically implemented using ACLs?

Question 4mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A security architect is selecting a cryptographic algorithm for encrypting data at rest in a backup system. The system requires strong security with a block cipher, and the organization mandates using a NIST-approved algorithm with key sizes of 128, 192, or 256 bits. Which algorithm should be selected?

Question 5hardmultiple choice
Read the full Security Architecture and Engineering explanation →

An organization is implementing a PKI for internal use. To ensure that certificate revocation status is checked in real-time without relying on periodic CRL downloads, which mechanism should be used?

Question 6hardmultiple choice
Read the full Security Architecture and Engineering explanation →

A security engineer is analyzing a vulnerability where an attacker can cause a buffer overflow on the stack. Which mitigation technique randomizes memory addresses to make it harder for the attacker to predict the location of shellcode or return addresses?

Question 7easymultiple choice
Read the full Security Architecture and Engineering explanation →

Which of the following is a primary function of a Trusted Platform Module (TPM)?

Question 8mediummultiple choice
Study the full virtualization explanation →

A security architect is evaluating hypervisor security for a multi-tenant cloud environment. Which type of hypervisor is considered more secure because it runs directly on the hardware without a host operating system, reducing the attack surface?

Question 9mediummultiple choice
Read the full Security Architecture and Engineering explanation →

Which physical security design principle emphasizes that the physical environment should be designed to discourage criminal activity by using natural surveillance, access control, and territorial reinforcement?

Question 10hardmultiple choice
Read the full Security Architecture and Engineering explanation →

A security analyst discovers that an application allows a user to read a file they just wrote before the file's integrity is verified, due to a gap between the time of check and time of use. This is an example of which vulnerability?

Question 11mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A security architect is designing a system that must prevent conflicts of interest when a consultant works for two competing clients. Which security model ensures that the consultant cannot access data from one client if they have already accessed data from the other?

Question 12easymultiple choice
Read the full Security Architecture and Engineering explanation →

Which component of a trusted computing base (TCB) implements the reference monitor concept by enforcing access control decisions for all subjects and objects in the system?

Question 13mediummulti select
Read the full Security Architecture and Engineering explanation →

A security architect is evaluating access control models for a healthcare system where users have specific roles (e.g., doctor, nurse, admin) and permissions are assigned based on those roles. However, the architect also wants to incorporate attributes such as time of day, patient consent status, and device type. Which TWO models should be combined to meet these requirements?

Question 14hardmulti select
Read the full Security Architecture and Engineering explanation →

A security engineer is investigating a covert channel in a system. Which TWO types of covert channels could be used to leak information from a high-security to a low-security process?

Question 15mediummulti select
Read the full Security Architecture and Engineering explanation →

An organization is implementing a defense-in-depth strategy for a data center. Which THREE of the following are examples of physical security controls that align with layered defense?

Question 16mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A government agency requires a security model that prevents users from reading documents at a higher classification level and from writing to documents at a lower classification level. Which model enforces these constraints?

Question 17mediummultiple choice
Read the full Security Architecture and Engineering explanation →

An organization implements a security model where users can only read objects at or below their security clearance, and can only write to objects at or above their clearance. This model primarily ensures:

Question 18hardmultiple choice
Read the full Security Architecture and Engineering explanation →

A financial institution must ensure that transactions are well-formed and enforce separation of duties to prevent fraud. Which security model best addresses these requirements?

Question 19easymultiple choice
Read the full Security Architecture and Engineering explanation →

Which access control model allows the owner of a resource to grant or deny access to other users?

Question 20mediummultiple choice
Read the full Security Architecture and Engineering explanation →

An organization uses a system where access decisions are based on user attributes (e.g., job title, clearance), resource attributes (e.g., classification), and environmental factors (e.g., time of day). This is an example of:

Question 21hardmultiple choice
Read the full Security Architecture and Engineering explanation →

A security team is investigating a vulnerability where an attacker can intercept and modify data as it moves between processes within a CPU's secure enclave. Which technology is designed to protect against such attacks by creating a trusted execution environment?

Question 22easymultiple choice
Read the full Security Architecture and Engineering explanation →

Which cryptographic algorithm is a symmetric block cipher widely used for encrypting sensitive data, with key sizes of 128, 192, or 256 bits?

Question 23mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A security architect is deploying a public key infrastructure (PKI) and wants to ensure that certificate revocation status is verified efficiently without relying on a centralized CRL distribution point. Which technique should be used?

Question 24hardmultiple choice
Study the full virtualization explanation →

An organization deploys a hypervisor to host multiple virtual machines. To mitigate the risk of VM escape attacks, which of the following is the most effective security measure?

Question 25mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A software developer is concerned about buffer overflow vulnerabilities. Which combination of mitigations makes it most difficult for an attacker to exploit a stack-based buffer overflow?

Question 26easymultiple choice
Read the full Security Architecture and Engineering explanation →

Which type of covert channel uses the timing of events or operations to transmit information?

Question 27easymultiple choice
Read the full Security Architecture and Engineering explanation →

A security architect is designing a physical security system for a data center. Which of the following is an example of a layered physical control at the perimeter?

Question 28mediummulti select
Read the full Security Architecture and Engineering explanation →

A security analyst is evaluating access control models for a healthcare organization that needs to enforce both confidentiality and integrity. Which TWO models should be considered? Select two.

Question 29mediummulti select
Read the full Security Architecture and Engineering explanation →

A company is designing a secure application that requires hardware-based key storage and remote attestation. Which THREE technologies provide hardware root of trust? Select three.

Question 30mediummulti select
Read the full Security Architecture and Engineering explanation →

A security engineer is hardening a system against side-channel attacks that exploit variations in execution time or power consumption. Which TWO mitigations are specifically designed to counter such attacks? Select two.

Question 31mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A government agency requires a security model that prevents users from reading documents classified above their clearance level and from writing classified information to lower-level systems. Which model enforces these constraints?

Question 32mediummultiple choice
Read the full Security Architecture and Engineering explanation →

An organization requires a commercial integrity model where users cannot modify data in higher integrity levels and cannot read data from lower integrity levels. Which model should they implement?

Question 33easymultiple choice
Study the full ACL explanation →

Which access control model allows the data owner to determine who can access their resources, typically using Access Control Lists (ACLs)?

Question 34mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A security architect is implementing a system that must prevent conflicts of interest for a consulting firm serving competing clients. Which security model is best suited for this requirement?

Question 35hardmultiple choice
Study the full virtualization explanation →

A company is deploying a hypervisor to run multiple virtual servers. To minimize the risk of VM escape attacks, which type of hypervisor should they choose and what hardening measure is most effective?

Question 36mediummultiple choice
Read the full Security Architecture and Engineering explanation →

An organization wants to implement a security mechanism that ensures all accesses are mediated and cannot be bypassed, is tamperproof, and is small enough to be verified. This describes which concept?

Question 37easymultiple choice
Read the full Security Architecture and Engineering explanation →

Which cryptographic algorithm is an example of a symmetric stream cipher?

Question 38mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A security analyst is investigating a potential data leak via covert channels. Which of the following is an example of a timing covert channel?

Question 39hardmultiple choice
Read the full Security Architecture and Engineering explanation →

A software vulnerability allows an attacker to overwrite a return address on the stack to execute arbitrary code. What mitigation technique randomizes the memory layout to prevent the attacker from predicting target addresses?

Question 40mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A company wants to ensure that only authorized software can run on its laptops. They decide to use a hardware component that validates the boot process by measuring each component before it loads. Which technology is being used?

Question 41easymultiple choice
Read the full Security Architecture and Engineering explanation →

Which physical security concept uses natural surveillance, territorial reinforcement, and access control to deter crime in built environments?

Question 42hardmultiple choice
Read the full Security Architecture and Engineering explanation →

In a PKI hierarchy, a relying party needs to verify a certificate's validity. To reduce latency and improve privacy, which mechanism allows the relying party to obtain the revocation status without contacting the CA directly for each verification?

Question 43mediummulti select
Read the full Security Architecture and Engineering explanation →

A security architect is designing a system to protect against side-channel attacks that exploit electromagnetic emanations. Which TWO controls are most effective?

Question 44mediummulti select
Read the full Security Architecture and Engineering explanation →

A security engineer is hardening a web application against race condition vulnerabilities. Which TWO techniques are effective mitigations?

Question 45hardmulti select
Read the full Security Architecture and Engineering explanation →

A financial institution is implementing a Clark-Wilson integrity model. Which THREE components are essential to this model?

Question 46mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A security architect is designing a system for a government agency that requires strict confidentiality controls. Data must be classified at multiple levels (e.g., Top Secret, Secret, Confidential). Users at a lower classification should not be able to read data at a higher classification, and users at a higher classification should not be able to write data to a lower classification. Which security model enforces these rules?

Question 47easymultiple choice
Read the full Security Architecture and Engineering explanation →

A company is implementing an access control system where permissions are granted based on attributes such as user role, department, time of day, and device trust score. This approach allows for fine-grained policies that can adapt to context. Which access control model is being used?

Question 48hardmultiple choice
Read the full Security Architecture and Engineering explanation →

A security engineer is evaluating a system that uses a Trusted Platform Module (TPM) for secure boot. The TPM measures the boot components and stores the measurements in Platform Configuration Registers (PCRs). Which of the following is a primary security goal achieved by this process?

Question 49mediummultiple choice
Read the full Security Architecture and Engineering explanation →

An organization is implementing a Public Key Infrastructure (PKI) to support secure email and web communications. The PKI includes a root CA, intermediate CAs, and end-entity certificates. Which of the following best describes the role of the root CA in this hierarchy?

Question 50hardmultiple choice
Read the full Security Architecture and Engineering explanation →

During a security audit, a vulnerability scanner reports a buffer overflow vulnerability in a legacy application. The application runs on a system with Data Execution Prevention (DEP/NX) enabled and Address Space Layout Randomization (ASLR) active. Which of the following is the most likely impact of these mitigations on a typical stack-based buffer overflow exploit?

Question 51easymultiple choice
Read the full Security Architecture and Engineering explanation →

A security architect is designing a physical security perimeter for a data center. Which of the following is an example of Crime Prevention Through Environmental Design (CPTED) principle?

Question 52mediummultiple choice
Read the full Security Architecture and Engineering explanation →

An organization is evaluating a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in a file access routine. The routine checks if a user has permission to open a file, then later opens the file. Which of the following best describes the potential exploitation?

Question 53mediummultiple choice
Read the full Security Architecture and Engineering explanation →

A security analyst is investigating a potential covert timing channel in a system. Which of the following characteristics best describes this type of channel?

Question 54hardmultiple choice
Study the full virtualization explanation →

A cloud service provider uses a Type 1 hypervisor to host multiple virtual machines (VMs) for different customers. Which of the following is a primary security concern specific to this architecture?

Question 55mediummulti select
Read the full Security Architecture and Engineering explanation →

A security architect is designing a system that must ensure integrity of commercial transactions. Which of the following models are specifically focused on integrity? (Choose TWO)

Question 56hardmulti select
Read the full Security Architecture and Engineering explanation →

A security engineer is hardening a system against buffer overflow attacks. Which of the following are effective mitigations? (Choose THREE)

Question 57mediummulti select
Read the full Security Architecture and Engineering explanation →

A company is implementing a PKI to support secure web browsing. Which of the following are commonly used to enhance the security of certificate validation? (Choose TWO)

Question 58easymulti select
Read the full Security Architecture and Engineering explanation →

Which of the following are characteristics of a Trusted Execution Environment (TEE)? (Choose TWO)

Question 59mediummulti select
Read the full Security Architecture and Engineering explanation →

A security architect is evaluating physical security controls for a facility handling sensitive data. Which of the following are examples of layered physical security controls? (Choose THREE)

Question 60hardmulti select
Read the full Security Architecture and Engineering explanation →

In the context of the Clark-Wilson integrity model, which of the following are key elements? (Choose TWO)

Practice tests

Scored 10-question sessions with instant feedback and explanations.

CISSP Practice Test 1 — 25 Questions→CISSP Practice Test 2 — 25 Questions→CISSP Practice Test 3 — 25 Questions→CISSP Practice Test 4 — 25 Questions→CISSP Practice Test 5 — 25 Questions→CISSP Practice Exam 1 — 20 Questions→CISSP Practice Exam 2 — 20 Questions→CISSP Practice Exam 3 — 20 Questions→CISSP Practice Exam 4 — 20 Questions→Free CISSP Practice Test 1 — 30 Questions→Free CISSP Practice Test 2 — 30 Questions→Free CISSP Practice Test 3 — 30 Questions→CISSP Practice Questions 1 — 50 Questions→CISSP Practice Questions 2 — 50 Questions→CISSP Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Security and Risk ManagementAsset SecuritySecurity OperationsSecurity Architecture and EngineeringCommunication and Network SecuritySecurity Assessment and TestingSoftware Development SecurityIdentity and Access Management

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Security Architecture and Engineering setsAll Security Architecture and Engineering questionsCISSP Practice Hub