© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


CISSP Security Architecture and Engineering • Complete Question Bank

CISSP Security Architecture and Engineering — All Questions With Answers

Complete CISSP Security Architecture and Engineering question bank — all 0 questions with answers and detailed explanations.

64 Questions • Free • No signup
Question 1 • medium • multiple choice

An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?

Question 2 • hard • multiple choice

A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

Question 3 • easy • multiple choice

A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?

Question 4 • medium • multiple choice

An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?

Question 5 • hard • multiple choice

A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?

Question 6 • easy • multiple choice

A small business wants to implement multifactor authentication (MFA) for remote access to its internal network. The solution must be cost-effective and easy to deploy. Which combination is most appropriate?

Question 7 • medium • multiple choice

An organization is designing a disaster recovery site. The primary data center is located in a region prone to earthquakes. The recovery site must be far enough away to avoid the same seismic zone but close enough to minimize latency. Which site selection criterion is most important?

Question 8 • medium • multi select

Which TWO of the following are principles of the Bell-LaPadula security model?

Question 9 • hard • multi select

Which THREE of the following are valid countermeasures against buffer overflow attacks?

Question 10 • easy • multi select

Which TWO of the following are examples of physical security controls?

Question 11 • hard • multiple choice

A financial services company has a hybrid cloud environment with on-premises servers and a public cloud provider. The security team recently discovered that an attacker exfiltrated sensitive customer data from a cloud storage bucket. The investigation reveals that the bucket was configured with a bucket policy that allowed anonymous read access. The security architect must redesign the architecture to prevent such incidents. The company uses AWS for cloud services. The architect proposes the following: (1) Enable AWS CloudTrail and Amazon GuardDuty for monitoring. (2) Implement AWS Identity and Access Management (IAM) roles for applications instead of long-term access keys. (3) Use AWS Key Management Service (KMS) to encrypt data at rest. (4) Configure a VPC with a NAT gateway and private subnets for all compute resources. (5) Implement S3 bucket policies that deny all access unless explicitly allowed by a specific IAM role. During a review, the chief information security officer (CISO) points out that one of these measures does not directly address the root cause of the incident. Which measure is least effective in preventing unauthorized access to S3 buckets?

Question 12 • medium • drag order

Drag and drop the steps for setting up a VPN using IPsec in tunnel mode in the correct order.

Question 13 • medium • matching

Match each PKI component to its function.

Matches

Issues and revokes certificates

Verifies identity before certificate issuance

List of revoked certificates

Binds a public key to an identity

Question 14 • easy • multiple choice

A security architect is evaluating security models for a multilevel secure system. Which model enforces the * property (no write down) and is typically used for confidentiality?

Question 15 • easy • multiple choice

Which of the following is a primary benefit of using an application programming interface (API) gateway in a microservices architecture from a security perspective?

Question 16 • easy • multiple choice

An organization requires that all data stored in a cloud object storage service be encrypted at rest using customer-managed keys. Which encryption option should be implemented?

Question 17 • easy • multiple choice

In the context of physical security, which of the following is an example of a preventive control?

Question 18 • medium • multiple choice

A company is implementing a secure software development lifecycle (SSDLC). Which of the following is a key activity during the design phase?

Question 19 • medium • multiple choice

Which of the following describes the concept of 'least privilege' in the context of access control?

Question 20 • medium • multiple choice

A security engineer is designing a cryptographic solution to ensure data integrity and non-repudiation. Which combination should be used?

Question 21 • medium • multiple choice

Which of the following is a primary advantage of using a hardware security module (HSM) over software-based key storage?

Question 22 • hard • multiple choice

A company is deploying a new application that processes personally identifiable information (PII) in a hybrid cloud environment. The security architect needs to ensure that encryption keys are never exposed to the cloud provider. Which solution should be recommended?

Question 23 • hard • multiple choice

A user reports that a VPN client cannot connect to the corporate gateway. The exhibit shows an excerpt from the client log. What does this indicate?

Exhibit

ERROR: Certificate verification failed: unable to get local issuer certificate

Question 24 • hard • multiple choice

A security analyst is troubleshooting a web application that is incorrectly blocking valid login requests. The WAF rule in the exhibit is the only rule configured. What is the probable issue?

Exhibit

SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_URI "/login" "phase:2,deny,msg:'Login attempt detected'"

Question 25 • hard • multiple choice

During a security audit, it is discovered that the database server is also accepting connections from the web server. Which of the following is the most likely misconfiguration?

Exhibit

Architecture Diagram Description: The system is composed of three tiers: web server in DMZ, application server in internal network, database server in secured network. All traffic between tiers must be encrypted using TLS. The database server only accepts connections from the application server on port 3306.

Question 26 • easy • multi select

Which TWO of the following are principles of the zero trust security model? (Select TWO.)

Question 27 • medium • multi select

Which THREE of the following are common security design principles? (Select THREE.)

Question 28 • hard • multi select

Which THREE of the following are examples of asymmetric cryptographic algorithms? (Select THREE.)

Question 29 • easy • multiple choice

Which security model focuses on preventing unauthorized access by enforcing a 'no read up, no write down' rule?

Question 30 • easy • multiple choice

In a public key infrastructure (PKI), which component is responsible for issuing and revoking digital certificates?

Question 31 • easy • multiple choice

Which of the following is the primary purpose of a hardware security module (HSM)?

Question 32 • medium • multiple choice

A security architect is designing a system that must enforce the principle of least privilege at the operating system level. Which mechanism should be implemented to grant processes only the minimal permissions required for their tasks?

Question 33 • medium • multiple choice

An organization is implementing a defense-in-depth strategy for its web application. Which of the following is an example of a compensating control?

Question 34 • medium • multiple choice

In a zero trust architecture, which component is responsible for continuously verifying the trustworthiness of a device before granting access to resources?

Question 35 • hard • multiple choice

A security engineer is reviewing the architecture of a system that uses the Bell-LaPadula model. The system has subjects with security clearances and objects with classifications. To prevent covert timing channels, which additional control should be implemented?

Question 36 • hard • multiple choice

An organization is migrating to a microservices architecture and wants to secure inter-service communication. Which approach is most aligned with the principle of securing the pipeline?

Question 37 • hard • multiple choice

A system is designed to meet the Common Criteria EAL4 evaluation. Which of the following is a required component for this level?

Question 38 • easy • multi select

A security architect is considering secure design principles. Which two principles are essential for a defense-in-depth strategy? (Select TWO.)

Question 39 • medium • multi select

An organization is implementing role-based access control (RBAC). Which two components are fundamental to the RBAC model? (Select TWO.)

Question 40 • hard • multi select

A cloud security architect is designing a system that must comply with the principle of data sovereignty. Which three controls should be implemented? (Select THREE.)

Question 41 • easy • multiple choice

Refer to the exhibit. What is the effect of this ACL when applied inbound to an interface?

Exhibit

access-list 100 deny tcp host 10.1.1.2 any eq 80
access-list 100 permit tcp any any eq 80
access-list 100 deny ip any any

Question 42 • medium • multiple choice

Refer to the exhibit. A security analyst finds these logs on a Linux server. What is the most likely cause of these events?

Exhibit

Feb 10 10:23:45 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 10 10:23:48 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Feb 10 10:23:50 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2

Question 43 • hard • multiple choice

Refer to the exhibit. Which security model does this policy enforce?

Exhibit

The TSF shall enforce the Access Control SFP on all subjects and objects covered by the following rules:
(a) Subjects with a security level less than the object's security level are denied read access.
(b) Subjects with a security level greater than the object's security level are denied write access.

Question 44 • medium • multiple choice

A security architect is designing a cryptographic system for a high-security environment where data must be encrypted both at rest and in transit, with granular access control. The system must be efficient for large volumes of data. Which approach is most appropriate?

Question 45 • hard • multiple choice

A company is implementing a secure multi-tenant cloud environment. The primary security requirement is that tenants cannot access each other's data even if the hypervisor is compromised. Which architecture best meets this requirement?

Question 46 • easy • multiple choice

A security architect is selecting an access control model for a system that must prevent users from reading objects at a higher classification level. Which model enforces this property?

Question 47 • medium • multiple choice

A large organization needs to deploy a Public Key Infrastructure (PKI) for thousands of devices and users. A key requirement is the ability to revoke certificates in real time when a device is lost or compromised. Which solution is most appropriate?

Question 48 • hard • multiple choice

A company is designing secure boot for IoT devices to ensure only trusted firmware runs. The devices have limited resources. Which mechanism provides the highest assurance of boot integrity?

Question 49 • easy • multiple choice

A health records system requires that doctors can write new records but cannot modify existing ones, and integrity is maintained through separation of duties. Which security model best fits this requirement?

Question 50 • medium • multi select

Which TWO principles are fundamental to a defense-in-depth security architecture?

Question 51 • hard • multi select

A company needs to protect data at rest in a cloud storage system. Which THREE encryption methods are appropriate for this purpose?

Question 52 • easy • multi select

Which THREE are core principles of secure system design?

Question 53 • hard • multiple choice

A large financial institution is migrating its core banking system to a private cloud. The architecture must protect against data leakage between different business units sharing the same physical infrastructure. The system uses a hypervisor and virtual machines. Each business unit has its own security classification. The security requirement is that no VM belonging to a lower classification should be able to read data from a higher classification VM, even if the hypervisor is compromised. The architect proposes using mandatory access control at the hypervisor level. However, the IT team notes that a hypervisor compromise could bypass MAC. Additionally, they need to ensure that data at rest is encrypted and keys are stored securely. Which of the following would BEST meet the requirement?

Question 54 • medium • multiple choice

A government agency requires a new secure document management system that enforces mandatory access control with the properties that users cannot read documents at a higher classification and cannot write documents to a lower classification (to prevent data leaking). The system must also support different categories (compartments) within the same classification level, and a user with access to one compartment should not be able to access another compartment unless explicitly allowed. The architect is considering the Bell-LaPadula model. However, the Bell-LaPadula model's *-property (no write-down) addresses the write issue, but there is also a need to handle compartment isolation. Which additional model or mechanism should be incorporated to ensure compartment isolation?

Question 55 • easy • multiple choice

A small business wants to implement a secure wireless network for its office. They have a limited budget and want to ensure that data in transit is encrypted and that only authorized devices can connect. The office has 20 employees and a few guests. The business owner has heard about WPA2 and WPA3. They are concerned about security but also about compatibility with older devices. Which of the following is the BEST recommendation for a security architect?

Question 56 • hard • multiple choice

A multinational corporation is developing a new cloud-based collaboration platform that handles sensitive intellectual property. The platform must ensure end-to-end encryption (E2EE) so that even the cloud provider cannot access the data. Users communicate via chat and file sharing. The architect proposes using a hybrid encryption scheme where each user has a public/private key pair, and for each message, a random symmetric key is used to encrypt the message, which is then encrypted with the recipient's public key. However, there is a requirement for the company to be able to lawfully intercept communications in case of a court order. This conflicts with E2EE. Which design can satisfy both confidentiality and lawful interception?

Question 57 • medium • multi select

A company is implementing a digital signature system to ensure non-repudiation. The security architect must select a hash function that meets the required security properties. Which THREE of the following are necessary properties for the hash function?

Question 58 • hard • multiple choice

Refer to the exhibit. A database administrator implements the configuration shown to protect sensitive data. What is the most significant security flaw?

Exhibit

USE master;
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256 ENCRYPTION BY PASSWORD = 'P@ssw0rd!';
ALTER DATABASE SalesDB SET ENCRYPTION ON;

Question 59 • easy • multiple choice

A financial services company is migrating its customer relationship management (CRM) system to a public cloud provider. The CRM contains personally identifiable information (PII) and financial transaction records. The security architect must design a solution that ensures data confidentiality and integrity both at rest and in transit, while complying with PCI DSS requirements. The cloud provider offers a key management service (KMS) that can generate and store encryption keys, a hardware security module (HSM) in the cloud, and a certificate authority for TLS certificates. The architect needs to select the appropriate encryption methods and access controls. The company's security policy requires encryption keys to be rotated every 90 days and stored separately from the data. The cloud provider's KMS supports automatic key rotation, but the HSM requires manual intervention. The CRM application uses a database that supports transparent data encryption (TDE) with keys stored in the KMS, and the application also requires TLS for all network connections. Which course of action best meets all requirements?

Question 60 • hard • multiple choice

Refer to the exhibit. A security analyst observes the audit log entry while troubleshooting a file access issue. The application is running under the myapp_t domain. Which action should the analyst take to resolve the issue while adhering to the principle of least privilege?

Exhibit

// Security-constrained model in SELinux policy
policy_module(myapp, 1.0.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

allow myapp_t self:capability { dac_override };
allow myapp_t self:process { fork };
allow myapp_t myapp_data_t:file { read write create open };

// Audit log snippet
AUDIT: type=AVC msg=audit(1633028000.123:456): avc:  denied  { read } for  pid=1234 comm="myapp" name="shadow" dev="dm-0" ino=789 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file

Question 61 • medium • multiple choice

Refer to the exhibit. An auditor identifies a non-compliance issue regarding the cryptographic key lifecycle. Which policy requirement has been violated?

Exhibit

Cryptographic Key Usage Policy (excerpt):
Key Type: Asymmetric (RSA 2048)
Purpose: Digital Signatures
Storage: HSM
Backup: Encrypted backup to secure offsite
Rotation: Every 2 years
Destruction: Upon compromise or retirement, key must be destroyed using NIST SP 800-57 approved methods.

Recent Audit Finding:
- Key #12345 was discovered to have been exported from HSM to a plaintext file on a backup server.
- The key was later restored to the HSM for continued use.
- The backup server was not encrypted at rest.

Question 62 • hard • multiple choice

Refer to the exhibit. A security administrator is reviewing CloudTrail logs for unusual activity. Which aspect of this event is potentially concerning from a key management perspective?

Exhibit

// AWS CloudTrail log event (truncated)
{
    "eventVersion": "1.08",
    "userIdentity": {
        "arn": "arn:aws:iam::123456789012:role/AdminRole",
        "principalId": "AROAEXAMPLEID:admin"
    },
    "eventTime": "2023-08-15T14:30:00Z",
    "eventSource": "kms.amazonaws.com",
    "sourceIPAddress": "192.0.2.10",
    "userAgent": "signer.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256",
        "messageType": "DIGEST",
        "message": "base64-encoded-digest"
    },
    "responseElements": null,
    "eventName": "Sign",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "123456789012"
    }],
    "recipientAccountId": "123456789012"
}

Question 63 • medium • multiple choice

Refer to the exhibit. A system administrator reports that SSH public key authentication is failing for a non-root user. The user's public key is correctly placed in ~/.ssh/authorized_keys. Which PAM configuration issue is most likely causing the failure?

Exhibit

// /etc/pam.d/sshd configuration
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_nologin.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_loginuid.so
session    include      system-auth

// /etc/ssh/sshd_config excerpt
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

Question 64 • hard • multiple choice

Refer to the exhibit. A security analyst detects unusual process creation. Which attack technique is most likely being observed?

Exhibit

// Windows Security Event Log excerpt
Log Name: Security
Event ID: 4672 (Special Logon)
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeTcbPrivilege

Event ID: 4688 (Process Creation)
Process Name: C:\Windows\System32\cmd.exe
Command Line: cmd.exe /c whoami
Parent Process: C:\Windows\System32\lsass.exe

Event ID: 4672 (Special Logon)
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeDebugPrivilege, SeTcbPrivilege
