20+ practice questions focused on Security Architecture and Engineering, one of the most tested topics on the Certified Information Systems Security Professional (CISSP) exam. Each question includes a detailed explanation so you learn why the right answer is correct.
An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?
Explanation: Option C is correct because key-wrapping (also known as key encryption) uses a dedicated wrapping key within the HSM to encrypt the target key, ensuring the key never leaves the HSM in plaintext. The wrapped key can be safely stored offsite and later unwrapped only by an authorized HSM, preserving the same cryptographic protection as the primary storage. This method aligns with NIST SP 800-57 guidelines for secure key backup and escrow.
A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?
Explanation: Intel Software Guard Extensions (SGX) is the correct choice because it provides hardware-enforced isolation of memory regions (enclaves) that remain confidential and integrity-protected even if the operating system or hypervisor is compromised. SGX encrypts enclave memory on-die and decrypts it only within the CPU, preventing any privileged software from reading or tampering with the data.
A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?
Explanation: TLS 1.0 is a deprecated protocol with known vulnerabilities, including susceptibility to BEAST and POODLE attacks, which can allow an attacker to decrypt intercepted traffic. While a 1024-bit RSA key is weak, the most immediate and significant risk is the use of an outdated protocol that is actively exploited in the field. Disabling TLS 1.0 and enforcing TLS 1.2 or higher is the critical first step to secure data in transit.
An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?
Explanation: A secure container (often implemented via MDM with app wrapping or per-app VPN) creates an encrypted, isolated partition on the device for corporate apps and data. This ensures that if the device is lost or stolen, the corporate data remains encrypted and inaccessible without the container's authentication, while personal apps and data outside the container remain untouched, thus minimizing privacy impact.
A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?
Explanation: D is correct because cache partitioning or cache coloring directly addresses the root cause of side-channel attacks in a microkernel environment: shared CPU caches. By isolating each process's cache footprint, an attacker cannot infer sensitive data (e.g., cryptographic keys) through timing variations or cache occupancy measurements, which is a fundamental architectural mitigation.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Security Architecture and Engineering. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Security Architecture and Engineering questions on the CISSP frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Security Architecture and Engineering is tested as part of the Certified Information Systems Security Professional (CISSP) blueprint. Practicing with targeted Security Architecture and Engineering questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CISSP practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Security Architecture and Engineering is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.