Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CISSP Security and Risk Management • Complete Question Bank

CISSP Security and Risk Management — All Questions With Answers

Complete CISSP Security and Risk Management question bank — all 0 questions with answers and detailed explanations.

75 questions · Free · No signup
Question 1 (medium, multiple choice)

A multinational corporation is expanding its operations into a new country with strict data protection laws. The company needs to ensure compliance while maintaining operational efficiency. Which of the following is the BEST approach to manage this risk?

Question 2 (hard, multiple choice)

A company's security team discovers that an employee inadvertently shared sensitive customer data via a public cloud storage link. The incident response team contains the breach and notifies affected customers. Which of the following risk management strategies would BEST prevent recurrence?

Question 3 (easy, multiple choice)

A small business wants to implement a security policy that balances protection with usability. Which of the following is the MOST important factor when developing the policy?

Question 4 (hard, multiple choice)

During a risk assessment, a company identifies that its primary data center is located in a flood-prone area. The estimated annual loss expectancy (ALE) for a flood event is $500,000. Installing flood barriers costs $200,000 and reduces the ALE to $50,000. What is the net benefit of implementing the flood barriers?

Question 5 (medium, multiple choice)

An organization is developing a business continuity plan (BCP) for its critical IT systems. Which of the following is the FIRST step in the BCP process?

Question 6 (easy, multiple choice)

A security manager is tasked with classifying data based on its sensitivity. Which of the following is the PRIMARY reason for data classification?

Question 7 (hard, multiple choice)

A company is considering outsourcing its customer support operations to a third-party vendor. Which of the following should be the PRIMARY risk management activity before finalizing the contract?

Question 8 (medium, multiple choice)

An organization needs to ensure that its employees understand their responsibilities regarding information security. Which of the following is the MOST effective way to achieve this?

Question 9 (medium, multi select)

Which TWO of the following are key components of an Information Security Governance framework? (Select exactly 2)

Question 10 (hard, multi select)

Which THREE of the following are valid risk treatment options according to ISO 31000? (Select exactly 3)

Question 11 (easy, multi select)

Which TWO of the following are examples of administrative controls? (Select exactly 2)

Question 12 (hard, multiple choice)

A data classification policy is shown. A database contains a field labeled 'SSN' that matches the pattern for 'employee_id'. What action should be applied to the SSN field?

Exhibit

Refer to the exhibit.
```
Policy: data_classification
{
  "rules": [
    {
      "pattern": "credit_card_number",
      "classification": "restricted",
      "action": "encrypt"
    },
    {
      "pattern": "employee_id",
      "classification": "internal",
      "action": "mask"
    },
    {
      "pattern": "public_info",
      "classification": "public",
      "action": "none"
    }
  ]
}
```
Question 13 (medium, multiple choice)

Based on the exhibit, what security control is being demonstrated?

Exhibit

Refer to the exhibit.
```
Error log:
2025-03-15 14:23:45 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:47 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:49 ERROR Authentication failed for user 'admin' from IP 192.168.1.100. Reason: Invalid credentials.
2025-03-15 14:23:51 ERROR Account locked for user 'admin' due to multiple failed attempts.
```
Question 14 (hard, multiple choice)

You are the CISO of a medium-sized healthcare organization that recently migrated patient records to a cloud-based EHR system. The system stores Protected Health Information (PHI) and is subject to HIPAA regulations. Three months after migration, the compliance team reports that the EHR vendor experienced a data breach exposing 5,000 patient records due to a misconfigured database. Your organization's contract with the vendor includes a clause that holds the vendor liable for breaches caused by their negligence. However, the vendor is refusing to pay the full cost of breach notification and credit monitoring, citing a limitation of liability clause that caps damages at $100,000. The actual costs are estimated at $500,000. Your organization's cyber insurance policy has a $250,000 deductible and covers losses up to $1 million, but excludes losses due to vendor negligence. You need to manage this risk effectively. Which of the following is the BEST course of action?

Question 15 (medium, multiple choice)

You are the security manager for a financial services firm that processes credit card transactions. The company is required to comply with PCI DSS. During a recent internal audit, you discover that the network segmentation between the cardholder data environment (CDE) and the corporate network is not properly implemented. Specifically, a firewall rule allows unrestricted traffic from the corporate network to the CDE. This exposes sensitive cardholder data to potential unauthorized access. The IT manager argues that this rule is necessary for business operations because several applications need to access the CDE for reporting purposes. You need to address this risk while minimizing business disruption. Which of the following is the BEST course of action?

Question 16 (medium, drag order)

Drag and drop the steps for conducting a risk assessment in the correct order.

Question 17 (medium, matching)

Match each security control to its category (preventive, detective, corrective).


Question 18 (medium, multiple choice)

A company is conducting a risk assessment and needs to prioritize risks based on both likelihood and impact. The risk management team decides to use a quantitative approach. Which of the following is a key advantage of using quantitative risk analysis over qualitative risk analysis?

Question 19 (easy, multiple choice)

An organization is developing a business continuity plan (BCP). The IT department has identified a critical application that must be restored within 4 hours of a disruption. Which metric defines the maximum acceptable time that the application can be unavailable?

Question 20 (hard, multiple choice)

A multinational corporation is establishing a security governance framework. The board of directors wants to ensure that information security strategy aligns with business objectives. Which role is primarily responsible for integrating security into the organization's strategic decision-making?

Question 21 (medium, multiple choice)

Based on the firewall log entry, what is the most likely cause of the denied traffic?

Exhibit

Refer to the exhibit.

```
Firewall Log Entry (May 5, 2025 14:23:45):
  Action: Deny
  Protocol: TCP
  Src IP: 10.0.0.25
  Src Port: 44321
  Dst IP: 203.0.113.50
  Dst Port: 443
  Rule ID: 105
  Reason: No matching rule
```
Question 22 (easy, multiple choice)

Based on the exhibit, which security objective is this policy primarily designed to protect?

Exhibit

Refer to the exhibit.

Security Policy (JSON format):
```json
{
  "PolicyName": "DataEncryptionPolicy",
  "Scope": "All data at rest on production servers",
  "Control": "AES-256 encryption must be applied",
  "Compliance Standard": "PCI DSS 3.2.1",
  "Enforcement": "Automated via system configuration"
}
```
Question 23 (hard, multiple choice)

Based on the SIEM correlation rule, what behavior is this rule designed to detect?

Exhibit

Refer to the exhibit.

SIEM Correlation Rule:
```
rule BruteForceDetection
{
  meta:
    description = "Detect multiple failed logins from same source"
  strings:
    $loginFailed = "Authentication failed" nocase
  condition:
    #loginFailed > 5 within 120 seconds
}
```
Question 24 (medium, multiple choice)

During a business impact analysis (BIA), a department manager states that a critical process cannot be interrupted for more than 2 hours. However, the current backup system requires 8 hours to restore. What is the most appropriate risk management action?

Question 25 (easy, multiple choice)

An information security manager is implementing an asset classification policy. Which of the following is the primary purpose of classifying information assets?

Question 26 (hard, multiple choice)

A company's risk assessment identifies a high likelihood of a data breach due to outdated encryption standards. The cost to upgrade encryption is $50,000, and the estimated loss from a breach is $2,000,000. The risk manager decides to implement the upgrade. Which risk treatment option is being applied?

Question 27 (easy, multi select)

Which TWO of the following are key indicators that a security awareness training program is effective? (Choose two.)

Question 28 (medium, multi select)

Which THREE of the following are control families defined in NIST SP 800-53? (Choose three.)

Question 29 (hard, multi select)

Which TWO of the following are essential components of a quantitative risk analysis formula? (Choose two.)

Question 30 (medium, multiple choice)

An organization is implementing a security program and wants to ensure it meets legal and regulatory requirements. The security manager is reviewing the concept of due care. Which best describes due care in the context of information security?

Question 31 (hard, multiple choice)

A company is outsourcing its customer support operations to a third-party vendor. The vendor will have access to sensitive customer data. Which of the following should be the primary security requirement in the contract with the vendor?

Question 32 (easy, multiple choice)

During a risk communication session, the security team needs to present risk analysis results to executive management. Which approach is most effective for this audience?

Question 33 (medium, multiple choice)

A security manager is conducting a risk assessment for a new cloud application. The manager needs to estimate the potential financial loss from a data breach. Which approach should be used?

Question 34 (hard, multiple choice)

A multinational company must comply with the EU General Data Protection Regulation (GDPR) for processing personal data of EU citizens. The company's data protection officer (DPO) has been appointed but reports to the Chief Marketing Officer (CMO). Which compliance issue is most critical?

Question 35 (easy, multiple choice)

During a business impact analysis (BIA), the team identifies that the customer service application must be restored within 4 hours of a disruption. What is the term for this metric?

Question 36 (medium, multiple choice)

An organization is developing a security governance framework to align with business objectives. Which group should have ultimate authority and responsibility for the cybersecurity program?

Question 37 (hard, multiple choice)

A security analyst discovers that an employee shared confidential customer data with an unauthorized third party. The analyst reports this to the CISO, who decides to terminate the employee. Which ethical principle from the (ISC)² Code of Ethics is most directly violated by the employee?

Question 38 (easy, multiple choice)

A company has implemented data classification labels such as 'Public', 'Internal', 'Confidential', and 'Restricted'. Which control is most appropriate for protecting 'Confidential' data?

Question 39 (medium, multiple choice)

A business is evaluating risk treatment options for a high-likelihood, low-impact risk. The cost of mitigation exceeds the potential loss. Which risk treatment strategy is most appropriate?

Question 40 (hard, multiple choice)

A financial institution is required to retain customer transaction records for seven years under regulatory mandates. The institution is facing a lawsuit and must preserve all relevant data. What legal concept applies?

Question 41 (easy, multiple choice)

A business continuity coordinator is planning a test of the disaster recovery plan. Which type of test involves a walk-through of the plan with key stakeholders without actually invoking the technical recovery?

Question 42 (medium, multi select)

Which TWO are examples of administrative controls in an information security program?

Question 43 (easy, multi select)

Which TWO are essential components of a security policy framework?

Question 44 (hard, multi select)

Which THREE are key components of a business continuity plan (BCP)?

Question 45 (medium, multiple choice)

Refer to the exhibit. The network administrator applies this access control list to the inbound interface of a router connecting to the internet. Which type of access control model is being implemented?

Exhibit

Refer to the exhibit.

```
access-list 101 permit tcp any host 192.168.1.10 eq 443
access-list 101 permit tcp any host 192.168.1.10 eq 80
access-list 101 deny ip any any log
```
Question 46 (hard, multiple choice)

Refer to the exhibit. A cloud security architect is designing access control for an S3 bucket. This policy is attached to an IAM role. Which access control model does this policy primarily implement?

Exhibit

Refer to the exhibit.

```json
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::corporate-bucket/*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalTag/department": "finance"
    }
  }
}
```
Question 47 (easy, multiple choice)

Refer to the exhibit. A security analyst reviews this syslog entry from a firewall. The firewall's ACL is configured to deny all traffic by default except what is explicitly permitted. This is an example of which security principle?

Exhibit

Refer to the exhibit.

Syslog entry:
```
Mar 15 14:23:01 firewall: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.5(1234) -> 192.168.1.1(53) 5 packets
```
Question 48 (easy, multiple choice)

A small business wants to implement a risk management framework. Which approach is best for identifying risks?

Question 49 (medium, multiple choice)

A multinational corporation must comply with GDPR and CCPA. Which data protection strategy should they prioritize?

Question 50 (hard, multiple choice)

During a risk assessment, a critical asset has a vulnerability with a CVSS score of 9.0. Which risk treatment strategy is most appropriate if the cost to mitigate exceeds the asset's value?

Question 51 (easy, multiple choice)

An organization is developing an information security policy. Which of the following should be included?

Question 52 (easy, multiple choice)

A company experiences a data breach. Which step should be taken first according to best practices?

Question 53 (hard, multiple choice)

A security manager is evaluating risk treatment options for a high-impact, low-probability risk. Which approach is most appropriate?

Question 54 (easy, multiple choice)

Which security control is most effective for preventing unauthorized access to a data center?

Question 55 (medium, multiple choice)

An organization is implementing a security awareness program. Which topic should be emphasized most?

Question 56 (hard, multiple choice)

A company is merging with another and must integrate security policies. What is the first step?

Question 57 (medium, multi select)

A security manager is selecting controls to protect sensitive data. Which TWO are examples of administrative controls?

Question 58 (hard, multi select)

A risk assessment identifies several threats. Which THREE are considered external threats?

Question 59 (easy, multi select)

Which TWO documents are considered foundational for an information security program?

Question 60 (medium, multiple choice)

Refer to the exhibit. Which security risk does this policy primarily introduce?

Exhibit

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
```
Question 61 (medium, multiple choice)

Refer to the exhibit. A security analyst finds the above in a configuration file stored in a public GitHub repository. What is the most immediate risk?

Exhibit

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
```
Question 62 (hard, multiple choice)

You are the chief information security officer (CISO) of a large healthcare organization that handles protected health information (PHI). The organization has recently been acquired by a larger conglomerate, and the new parent company mandates that all subsidiaries adopt a single, unified risk management framework based on NIST SP 800-39. Your current framework is ISO 27005-based and has been effective for years. During the transition, you discover that the parent company's framework requires quantitative risk analysis for all critical assets, while your team has been primarily using qualitative analysis due to lack of accurate financial data. Moreover, the parent company expects all risk assessments to be completed within 30 days, a timeframe your team considers unrealistic given the number of assets. Several key stakeholders are concerned about the additional resource burden and potential disruption to operations. You need to propose a course of action that balances compliance with the parent company's mandate while maintaining operational effectiveness and minimizing risk to patient data.

Question 63 (easy, multiple choice)

A small business wants to ensure compliance with GDPR for its customer data. What is the initial action required to comply with GDPR?

Question 64 (medium, multiple choice)

A multinational corporation is evaluating risk treatment options for an identified high-impact, low-probability risk. The risk is below the organization's risk appetite threshold. Which is the most appropriate action?

Question 65 (hard, multiple choice)

During a merger, the security teams of two companies are integrating their networks. The acquiring company has a high-security classification system (e.g., Top Secret, Secret, Confidential), while the acquired company uses a lower classification (e.g., Internal, Public). Which approach best ensures secure data handling during integration?

Question 66 (medium, multi select)

Which TWO of the following are considered mandatory elements of an organization's security policy framework?

Question 67 (hard, multi select)

Which THREE of the following are primary objectives of a risk management program?

Question 68 (easy, multiple choice)

An organization has implemented a password policy requiring a minimum of 8 characters, including uppercase, lowercase, numbers, and special characters. Despite annual security awareness training, a recent audit revealed that 60% of employees are using passwords that can be cracked within hours. The organization is also experiencing a high number of account compromises due to credential stuffing attacks. The security team is considering various controls to reduce the risk. Which of the following would be the MOST effective in addressing the identified issues?

Question 69 (medium, multiple choice)

A financial institution is migrating its customer data to a cloud environment. The cloud provider offers encryption at rest and in transit using AES-256 and TLS 1.2+. The compliance team requires that the organization maintain full control of encryption keys to meet regulatory obligations such as PCI DSS and local banking laws. The data is highly sensitive and includes personally identifiable information (PII). Which solution should the security architect recommend?

Question 70 (hard, multiple choice)

A large healthcare organization is subject to both HIPAA and GDPR. They are creating a data retention policy for electronic protected health information (ePHI) concerning European patients. HIPAA requires retention for 6 years from creation or last effective date, while GDPR requires that personal data not be kept longer than necessary for the purpose, with a general guideline of retaining for the duration of the relationship plus a reasonable period. The organization wants to minimize storage costs while ensuring compliance. Which approach should they take?

Question 71 (medium, multiple choice)

An organization's risk assessment identified a vulnerability in a legacy system that cannot be patched because the vendor no longer supports it. The system processes sensitive customer data and is critical for daily operations. The risk is rated as high likelihood and high impact. The organization has a moderate risk appetite. Which risk treatment is most appropriate?

Question 72 (easy, multiple choice)

A company wants to ensure that its security policy is effectively enforced across all departments. Currently, the policy is published on the intranet and included in the employee handbook. However, the security team notices that many employees are not following the policy, leading to security incidents. Which of the following would be the most effective way to improve policy enforcement?

Question 73 (medium, multi select)

An organization is conducting a Business Impact Analysis (BIA) as part of its business continuity planning. Which THREE of the following are essential components of a BIA? (Choose three.)

Question 74 (hard, multiple choice)

Refer to the exhibit. The risk manager is reviewing this risk register entry. According to the organization's risk appetite, which states that residual risks must be low or below, what is the most appropriate recommendation?

Exhibit

Risk Register Entry:
```
- Asset: Financial Database Server
- Threat: SQL Injection
- Vulnerability: Unpatched web application
- Likelihood: High (3)
- Impact: Critical (5)
- Risk Score: 15 (High)
- Existing Controls: WAF, Input validation
- Control Effectiveness: Partial
- Residual Risk: Medium (10)
```
Question 75 (easy, multiple choice)

A large financial institution is finalizing its annual risk treatment plan based on a recent enterprise risk assessment. The risk appetite statement approved by the board specifies that the organization will accept only low residual risks for financial loss, but is willing to accept moderate risks for reputational damage if cost-benefit justifies. The risk register includes the following findings: 1) A critical SQL injection vulnerability in the online banking portal with high likelihood and critical impact; current controls include a web application firewall (WAF) that is not fully tuned. 2) Use of outdated TLS 1.0 encryption on internal communications between data centers; likelihood is medium, impact is low. 3) Lack of background checks for third-party vendors with access to sensitive data; likelihood is low, impact is moderate. 4) A single point of failure in the primary data center's power supply; likelihood is low, impact is critical. 5) An incident response plan that has not been tested in two years; likelihood is medium, impact is moderate. The CISO must prioritize actions for the upcoming quarter. What is the most appropriate first step?
