Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

ISC2 · CISSP

CISSP Security Architecture and Engineering Practice Questions

20+ practice questions focused on Security Architecture and Engineering — one of the most tested topics on the Certified Information Systems Security Professional CISSP exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Security Architecture and Engineering Questions

1. An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?

A. Export the key in plaintext and store it in a safe
B. Replicate the HSM configuration to another HSM in a different location
C. Use the HSM's key-wrapping function to encrypt the key and store the wrapped key in a secure offsite facility
D. Store an encrypted copy on a local server in the same data center

Explanation: Option C is correct because key-wrapping (also known as key encryption) uses a dedicated wrapping key within the HSM to encrypt the target key, ensuring the key never leaves the HSM in plaintext. The wrapped key can be safely stored offsite and later unwrapped only by an authorized HSM, preserving the same cryptographic protection as the primary storage. This method aligns with NIST SP 800-57 guidelines for secure key backup and escrow.

2. A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

A. Full disk encryption (FDE) with a strong passphrase
B. Trusted Platform Module (TPM)
C. Hypervisor-based isolation
D. Intel Software Guard Extensions (SGX)

Explanation: Intel Software Guard Extensions (SGX) is the correct choice because it provides hardware-enforced isolation of memory regions (enclaves) that remain confidential and integrity-protected even if the operating system or hypervisor is compromised. SGX encrypts enclave memory on-die and decrypts it only within the CPU, preventing any privileged software from reading or tampering with the data.

3. A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?

A. The certificate uses a 1024-bit RSA key
B. The server supports TLS 1.0
C. The server does not support HTTP/2
D. The server enables TLS session tickets

Explanation: TLS 1.0 is a deprecated protocol with known vulnerabilities, including susceptibility to BEAST and POODLE attacks, which can allow an attacker to decrypt intercepted traffic. While a 1024-bit RSA key is weak, the most immediate and significant risk is the use of an outdated protocol that is actively exploited in the field. Disabling TLS 1.0 and enforcing TLS 1.2 or higher is the critical first step to secure data in transit.

4. An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?

A. Use mobile device management (MDM) to create a secure container for corporate apps and data
B. Require employees to use company-issued devices only
C. Disable the camera and microphone on the device
D. Full device encryption with remote wipe capability

Explanation: A secure container (often implemented via MDM with app wrapping or per-app VPN) creates an encrypted, isolated partition on the device for corporate apps and data. This ensures that if the device is lost or stolen, the corporate data remains encrypted and inaccessible without the container's authentication, while personal apps and data outside the container remain untouched, thus minimizing privacy impact.

5. A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?

A. Randomize the address space layout (ASLR)
B. Implement stack canaries in all user-space applications
C. Reduce the number of system calls and IPC mechanisms
D. Use cache partitioning or cache coloring to isolate process caches

Explanation: D is correct because cache partitioning or cache coloring directly addresses the root cause of side-channel attacks in a microkernel environment: shared CPU caches. By isolating each process's cache footprint, an attacker cannot infer sensitive data (e.g., cryptographic keys) through timing variations or cache occupancy measurements, which is a fundamental architectural mitigation.


How to master Security Architecture and Engineering for CISSP

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Security Architecture and Engineering. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Security Architecture and Engineering questions on the CISSP frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CISSP Security Architecture and Engineering questions are on the real exam?

The exact number varies per candidate. Security Architecture and Engineering is tested as part of the Certified Information Systems Security Professional CISSP blueprint. Practicing with targeted Security Architecture and Engineering questions ensures you can handle any format or difficulty that appears.

Are these CISSP Security Architecture and Engineering practice questions free?

Yes. Courseiva provides free CISSP practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Security Architecture and Engineering one of the harder CISSP topics?

Difficulty is subjective, but Security Architecture and Engineering is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Security Architecture and Engineering
Exam: CISSP
Questions available: 20+