Certified Information Systems Security Professional (CISSP) — Questions 601–675

990 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
MCQ · medium

A security analyst is conducting a vulnerability scan of a web application. The scan identifies several vulnerabilities, but the analyst wants to minimize false positives. Which type of vulnerability scan would be most appropriate?

A. External scan
B. Passive scan
C. Authenticated scan
D. Unauthenticated scan

Answer: C

Authenticated scans use credentials to access the application, providing a more accurate assessment and fewer false positives.

Why this answer

An authenticated scan uses valid credentials to log into the target system, allowing the scanner to access deeper configuration details and patch levels. This reduces false positives by distinguishing between vulnerabilities that are actually present and those that only appear because of incomplete visibility, such as patches that are actually applied but cannot be seen by an unauthenticated scanner.

Exam trap

The trap here is that candidates often assume an unauthenticated scan is more thorough because it tests from an attacker's perspective, but they miss that authenticated scans provide the internal visibility needed to eliminate false positives by verifying actual patch levels and configurations.

How to eliminate wrong answers

Option A is wrong because an external scan is performed from outside the network boundary and typically lacks internal context, leading to a higher rate of false positives due to incomplete visibility of internal services and configurations. Option B is wrong because a passive scan only monitors network traffic without actively probing systems, so it cannot verify the presence of vulnerabilities and often generates false positives from observed but unconfirmed behaviors. Option D is wrong because an unauthenticated scan does not use credentials, so it cannot access restricted areas of the application or system, resulting in many false positives from assumptions about missing patches or misconfigurations that may not actually exist.

602
MCQ · hard

During a SOC 2 audit, the auditor evaluates controls over a period of time to assess their operating effectiveness. Which type of SOC report is being performed?

A. SOC 2 Type II
B. SOC 1 Type I
C. SOC 3
D. SOC 2 Type I

Answer: A

SOC 2 Type II evaluates controls over a period of time for operating effectiveness.

Why this answer

SOC 2 Type II reports assess the operating effectiveness of controls over a period of time, while Type I reports are at a point in time.

603
MCQ · hard

To enforce separation of duties in a CI/CD pipeline, what architectural principle should be implemented?

A. Allow all developers to deploy their own code to production
B. Use a single approval gate without role distinction
C. Grant a single DevOps team full access to both source code and deployment
D. Require different permissions for committing code vs. deploying to production

Answer: D

Separates responsibilities between development and operations.

Why this answer

Option D is correct because separation of duties in a CI/CD pipeline requires distinct permissions for code commits and production deployments. This ensures that no single individual can introduce and deploy malicious code without oversight, aligning with the principle of least privilege and auditability. By enforcing role-based access control (RBAC) with separate pipelines for build and release, organizations mitigate the risk of unauthorized changes reaching production.

Exam trap

The trap here is that candidates often confuse 'DevOps' with 'no separation of duties,' assuming a single team should have full access to both code and deployment, when in fact the CISSP requires distinct roles even in agile pipelines to maintain accountability and audit trails.

How to eliminate wrong answers

Option A is wrong because allowing all developers to deploy their own code to production violates separation of duties, removing any independent review or approval gate and increasing the risk of unauthorized or flawed code reaching production. Option B is wrong because a single approval gate without role distinction fails to enforce different responsibilities between developers and operators, allowing the same person who commits code to approve its deployment, which undermines the control. Option C is wrong because granting a single DevOps team full access to both source code and deployment eliminates the separation between development and operations roles, creating a conflict of interest and bypassing the principle of least privilege.

604
MCQ · medium

A company wants to ensure that data labeled 'Internal Use Only' is not inadvertently disclosed to unauthorized parties. What is the most effective way to communicate handling requirements to employees?

A. Using data loss prevention (DLP) software
B. Implementing a data classification policy and training employees on labeling and handling procedures
C. Encrypting all data at rest
D. Restricting access to the data through role-based access control

Answer: B

Policy and training are key to communicating requirements.

Why this answer

Clear labeling and documented handling procedures ensure employees know how to treat data appropriately.

605
Multi-Select · easy

Which TWO of the following are examples of risk response strategies?

Select 2 answers
A. Risk acceptance
B. Risk analysis
C. Risk identification
D. Risk avoidance
E. Risk communication

Answers: A, D

Accepting the risk after evaluation.

Why this answer

Risk avoidance involves eliminating the risk by not performing the activity. Risk transfer shifts the risk to another party, such as through insurance.

606
MCQ · hard

A security architect is reviewing a software design that uses a third-party library for XML parsing. The library is known to be vulnerable to XML External Entity (XXE) attacks. The architect recommends replacing the library. What is the primary risk of XXE attacks that the architect wants to avoid?

A. Disclosure of sensitive files from the server
B. Remote code execution by injecting malicious XML
C. Denial of service (DoS) from entity expansion
D. Cross-site scripting (XSS) delivered via XML response

Answer: A

XXE can read internal files like /etc/passwd or perform server-side request forgery.

Why this answer

XXE attacks exploit XML parsers that process external entities, allowing an attacker to read sensitive files from the server (e.g., /etc/passwd) by referencing them in the entity definition. The primary risk is unauthorized data disclosure, as the parser may include the file content in the response or error message. This directly violates confidentiality, a core security objective.

Exam trap

Cisco often tests the distinction between the primary risk (data disclosure) and secondary risks (DoS, SSRF, or RCE), so candidates mistakenly choose denial of service (Option C) because they recall the 'billion laughs' attack, but the question explicitly asks for the primary risk of XXE.

How to eliminate wrong answers

Option B is wrong because remote code execution via XML is not a direct consequence of XXE; while XXE can sometimes lead to SSRF or file inclusion, it does not inherently execute arbitrary code. Option C is wrong because denial of service from entity expansion (e.g., billion laughs attack) is a separate threat known as XML Bomb or Billion Laughs Attack, not the primary risk of XXE. Option D is wrong because cross-site scripting (XSS) is a client-side injection attack delivered via HTML/JavaScript, not a direct result of server-side XXE processing.

607
MCQ · easy

A company's help desk receives many requests from users who have forgotten their passwords. Which solution is MOST effective in reducing these requests while maintaining security?

A. Implement a self-service password reset (SSPR) with identity verification.
B. Increase the password expiration period to 180 days.
C. Use single sign-on for all applications.
D. Reduce the password complexity requirements.

Answer: A

Allows users to reset passwords securely without help desk intervention.

Why this answer

Self-service password reset (SSPR) with identity verification directly addresses the root cause of help desk calls—forgotten passwords—by allowing users to reset their own passwords after proving their identity via pre-registered methods (e.g., SMS, security questions, or biometrics). This reduces operational overhead while maintaining security through multi-factor verification and policy enforcement, unlike options that weaken security or fail to address the frequency of resets.

Exam trap

The trap here is that candidates often choose SSO (Option C) thinking it eliminates all password-related issues, but they overlook that SSO still requires a primary password and does not address forgotten-password requests for that single credential.

How to eliminate wrong answers

Option B is wrong because increasing the password expiration period to 180 days reduces the frequency of forced changes but does nothing to help users who forget their current password; it may even increase the risk of forgotten passwords due to longer intervals between use. Option C is wrong because single sign-on (SSO) reduces the number of passwords a user must remember but does not eliminate the need for the primary password; if that password is forgotten, the help desk still receives requests, and SSO introduces a single point of failure. Option D is wrong because reducing password complexity requirements weakens security by making passwords easier to guess or brute-force, violating the principle of defense in depth and increasing the risk of unauthorized access.

608
MCQ · medium

During a forensic investigation, the investigator must ensure that evidence is properly handled and documented. What is the primary purpose of maintaining a chain of custody?

A. To speed up the investigation process
B. To document who accessed the evidence and when
C. To encrypt the evidence at rest
D. To store evidence in a fireproof safe

Answer: B

This ensures accountability and prevents tampering.

Why this answer

Chain of custody ensures evidence integrity and admissibility in legal proceedings.

609
Multi-Select · medium

A security architect is reviewing a web application's design and identifies several potential vulnerabilities. Which TWO of the following are effective mitigations for cross-site scripting (XSS) attacks?

Select 2 answers
A. Enabling Content Security Policy (CSP)
B. Using CSRF tokens
C. Disabling client-side scripts entirely
D. Implementing parameterized queries
E. Using output encoding

Answers: A, E

CSP restricts script execution sources.

Why this answer

Output encoding ensures user input is treated as data rather than markup, and Content Security Policy (CSP) restricts the sources from which scripts may execute. Input validation (particularly allow-list validation) helps but is not sufficient on its own; output encoding and CSP are the primary defenses.

610
Multi-Select · hard

Which THREE of the following are common methods used in security assessment and testing? (Select exactly 3.)

Select 3 answers
A. Risk analysis
B. Penetration testing
C. Security auditing
D. Forensic analysis
E. Vulnerability scanning

Answers: B, C, E

Penetration testing is a common assessment method.

Why this answer

Penetration testing is a common method in security assessment and testing that simulates real-world attacks to identify exploitable vulnerabilities. Unlike vulnerability scanning, which only identifies potential weaknesses, penetration testing actively exploits them to validate security controls and measure the impact of a breach.

Exam trap

The trap here is that candidates confuse risk analysis (a management activity) with security testing, or mistake forensic analysis (a reactive process) for a proactive assessment method, leading them to select options outside the three correct ones (penetration testing, security auditing, vulnerability scanning).

611
MCQ · easy

A company's security policy requires that all removable media be encrypted. An employee plugs in a USB drive and is prompted to format it before use. After formatting, the drive is not encrypted. What is the most likely reason?

A. The employee did not enable encryption (e.g., BitLocker To Go) after formatting
B. The USB drive hardware does not support encryption
C. The operating system does not support encryption of removable media
D. The employee used the wrong file system (FAT32 vs NTFS)

Answer: A

Encryption is a separate step that must be explicitly enabled, e.g., via BitLocker To Go.

Why this answer

Option A is correct because BitLocker To Go, the native encryption feature for removable drives in Windows, is not automatically enabled when a USB drive is formatted. The employee must explicitly enable encryption (e.g., via BitLocker To Go in Control Panel or by right-clicking the drive and selecting 'Turn on BitLocker') after formatting. Without this step, the drive remains unencrypted, violating the security policy.

Exam trap

The trap here is that candidates assume formatting a drive automatically applies encryption (e.g., thinking BitLocker is enabled by default), when in fact encryption must be explicitly activated after formatting.

How to eliminate wrong answers

Option B is wrong because modern USB drives, even basic ones, support encryption at the software level (e.g., BitLocker To Go) regardless of hardware encryption capabilities; the policy requires encryption, which can be achieved via software. Option C is wrong because Windows (the most common OS for such scenarios) fully supports encryption of removable media via BitLocker To Go, which is available in Pro, Enterprise, and Education editions. Option D is wrong because the file system (FAT32 vs NTFS) does not determine encryption; BitLocker To Go works with both, though NTFS is recommended for full feature support, and the lack of encryption is due to the employee not enabling it, not the file system choice.

612
Multi-Select · easy

Which TWO of the following are security principles that should be applied during software development? (Select TWO)

Select 2 answers
A. Least privilege
B. Security through obscurity
C. Defense in depth
D. Single point of failure
E. Fail open

Answers: A, C

Least privilege ensures users and processes have only the minimum necessary permissions.

Why this answer

Options A and C are correct. Least privilege (A) and defense in depth (C) are fundamental security principles. Option B is wrong because security through obscurity is not a reliable principle. Option D is wrong because a single point of failure is a risk, not a principle. Option E is wrong because fail open is insecure; fail closed is preferred.

613
Multi-Select · medium

Which THREE of the following are valid methods to reduce the risk of data exfiltration via removable media in a high-security environment?

Select 3 answers
A. Disable USB ports via group policy and physically lock cases
B. Require annual security awareness training on data handling
C. Use full disk encryption on all endpoints
D. Deploy endpoint DLP agents that block copy operations to removable media based on content
E. Implement data classification and labeling policies to raise awareness

Answers: A, D, E

Effective and enforceable control that physically prevents use of removable media.

Why this answer

Disabling USB ports via Group Policy (using administrative templates to set 'Removable Storage: Deny write access' to 'Enabled') combined with physically locking cases (e.g., using case locks or cable locks to prevent unauthorized access to internal USB headers) provides a dual-layer preventive control. This directly eliminates the attack vector by removing both logical and physical access to removable media, which is the most effective method in a high-security environment.

Exam trap

The trap here is that candidates often confuse full disk encryption (a data-at-rest protection) with a data exfiltration prevention control, failing to recognize that encryption does not block the copy operation itself.

614
MCQ · easy

Which digital forensics tool is specifically designed for memory forensics?

A. Volatility
B. Wireshark
C. EnCase
D. FTK

Answer: A

Volatility specializes in memory forensics.

Why this answer

Volatility is an open-source framework for extracting artifacts from RAM dumps.

615
Multi-Select · medium

Which TWO of the following are effective methods for detecting unauthorized access to a network? (Choose two.)

Select 2 answers
A. Vulnerability scanner
B. Antivirus software
C. Security information and event management (SIEM)
D. Firewall rule review
E. Intrusion detection system (IDS)

Answers: C, E

Correlates logs from multiple sources to detect incidents.

Why this answer

A SIEM aggregates and correlates logs from multiple sources (e.g., firewalls, servers, IDS) in real time, enabling detection of anomalous patterns indicative of unauthorized access. It provides centralized visibility and alerting that can identify a breach even when individual logs appear benign.

Exam trap

The trap here is that candidates confuse vulnerability scanning (proactive) with intrusion detection (reactive), or assume antivirus covers network-level threats, when in fact neither provides real-time monitoring of network access attempts.

616
MCQ · easy

A security analyst reviews the syslog configuration exhibit. What is the primary security concern with this configuration?

A. The remote syslog server is not configured to receive logs
B. Logs are sent in clear text to the remote syslog server
C. The logging level for authentication is set to 'none'
D. Local7 and mail logs are being sent to different destinations

Answer: B

UDP syslog is unencrypted.

Why this answer

The configuration shows syslog messages being sent to a remote server using UDP port 514 without any encryption or authentication mechanism. By default, syslog over UDP transmits all log data in clear text, meaning any attacker with network access can intercept and read sensitive information such as failed login attempts, user names, or system events. This violates the confidentiality principle and is the primary security concern because it exposes potentially sensitive audit data in transit.

Exam trap

The trap here is that candidates often focus on the logging levels or destinations (options C and D) as misconfigurations, but the real vulnerability is the clear-text transmission of logs over an unencrypted channel, which is a classic confidentiality risk in syslog implementations.

How to eliminate wrong answers

Option A is wrong because the configuration explicitly specifies a remote syslog server IP address and port, and the syslog protocol does not require the server to pre-acknowledge receipt; the client will send logs regardless of server readiness. Option C is wrong because the exhibit shows 'auth.*' being logged to the remote server, and the 'none' level is not a valid syslog severity level; the configuration uses standard severity levels like 'info' and 'debug', and authentication logging is clearly enabled. Option D is wrong because sending different facility logs to different destinations is a common and valid practice for log segregation, and it does not introduce a security vulnerability; the concern is the lack of encryption, not the distribution of logs.

617
Drag & Drop · medium

Drag and drop the steps for conducting a risk assessment in the correct order.


Why this order

Risk assessment begins with asset identification, then threat/vulnerability identification, likelihood/impact determination, risk calculation, and treatment recommendations.

618
Multi-Select · easy

Which THREE of the following are recognized roles in asset security?

Select 3 answers
A. Data custodian
B. Data owner
C. Data processor
D. Data subject
E. Data auditor

Answers: A, B, C

The data custodian implements controls on behalf of the data owner.

Why this answer

The data custodian (A) is responsible for implementing and maintaining security controls according to the data owner's directives, such as applying encryption, managing backups, and enforcing access controls. This role is recognized in asset security because it bridges policy and operational execution, ensuring the CIA triad is maintained on the stored or processed data.

Exam trap

The trap here is that candidates confuse the data subject (a GDPR-defined individual) with a security role, or mistakenly think the data auditor is a primary asset security role, when the CISSP framework explicitly lists only data owner, data custodian, and data processor as the recognized roles in asset security.

619
MCQ · medium

A financial institution is preparing to dispose of magnetic tape backups containing transaction records. The tapes are no longer needed for retention. Which sanitization method is most effective for rendering the data unrecoverable on magnetic tape?

A. Cryptographic erasure
B. Degaussing
C. Overwriting with zeros
D. Physical destruction by incineration

Answer: B

Correct. Degaussing neutralizes the magnetic field and erases data on magnetic tape.

Why this answer

Degaussing uses a strong magnetic field to erase data on magnetic media, including tapes, and is highly effective for sanitization.

620
Multi-Select · hard

A security engineer is hardening a system against buffer overflow attacks. Which of the following are effective mitigations? (Choose THREE)

Select 3 answers
A. Address Space Layout Randomization (ASLR)
B. Data Execution Prevention (DEP/NX)
C. Using unpatched software
D. Stack canaries
E. Disabling ASLR

Answers: A, B, D

Correct. ASLR randomizes memory addresses.

Why this answer

ASLR randomizes memory addresses, DEP prevents code execution on the stack/heap, and stack canaries detect buffer overflows before control data is corrupted.

621
MCQ · medium

In Kerberos authentication, what is the purpose of the Ticket Granting Ticket (TGT)?

A. To prove the user's identity to the Ticket Granting Service (TGS)
B. To store the user's password hash
C. To encrypt all communication between client and server
D. To authenticate the user to the resource server directly

Answer: A

The TGT is presented to the TGS to obtain service tickets.

Why this answer

The TGT is obtained from the AS and used to request service tickets from the TGS without re-entering credentials.

622
MCQ · medium

An organization is required to retain security logs for a minimum of one year to meet compliance regulations. Which practice is most directly related to this requirement?

A. Log review frequency
B. Log format standardization
C. Centralized log management
D. Log retention requirements

Answer: D

Retention requirements dictate how long logs are stored.

Why this answer

The requirement to retain security logs for a minimum of one year is directly about the duration logs must be stored. Option D, 'Log retention requirements,' is the practice that defines this storage duration, ensuring compliance with regulations such as PCI DSS or SOX. This is a policy-driven specification of how long logs are kept, not how they are reviewed, formatted, or collected.

Exam trap

The trap here is that candidates often confuse 'log retention requirements' with 'centralized log management,' thinking that centralization inherently includes retention, but retention is a separate policy that must be explicitly defined and configured regardless of where logs are stored.

How to eliminate wrong answers

Option A is wrong because log review frequency concerns how often logs are analyzed (e.g., daily or weekly), not how long they are stored; it addresses operational monitoring, not retention duration. Option B is wrong because log format standardization (e.g., syslog RFC 5424 or W3C Extended Log Format) ensures consistency for parsing and analysis, but does not dictate the retention period. Option C is wrong because centralized log management (e.g., using a SIEM like Splunk or ELK stack) aggregates logs from multiple sources for correlation and storage, but the retention period is a separate policy that defines how long logs are kept in that central repository.

623
Multi-Select · hard

Which THREE of the following are valid techniques to ensure software integrity during the build and deployment process? (Select THREE.)

Select 3 answers
A. Implementing role-based access control on the build server
B. Using cryptographic hashes (e.g., SHA-256) to verify files
C. Continuous integration automated builds
D. Performing checksum verification after deployment
E. Code signing with a trusted certificate

Answers: B, D, E

Hashes detect unauthorized changes.

Why this answer

Cryptographic hashes like SHA-256 produce a unique fixed-size digest of a file's contents. By comparing the hash of a built artifact against a known-good hash, you can detect any unauthorized modification, corruption, or tampering that occurred during the build or deployment process. This directly ensures software integrity by verifying that the file has not been altered.

Exam trap

The trap here is confusing process controls (like RBAC or CI automation) with integrity verification mechanisms; candidates often think that restricting access or automating builds inherently ensures the software hasn't been tampered with, but only cryptographic techniques like hashing and signing provide direct integrity assurance.

624
MCQ · medium

A software development company uses a continuous integration/continuous deployment (CI/CD) pipeline that automatically builds and deploys code to production after passing automated tests. The code repository contains proprietary algorithms and customer data. A recent incident was traced to an attacker who injected malicious code into a library that was pulled from a public package repository during the build process. The company wants to prevent similar supply chain attacks without significantly slowing development. Which of the following is the BEST course of action?

A. Require all developers to perform manual code review of every third-party library before inclusion
B. Perform static application security testing (SAST) on the entire codebase including libraries
C. Increase the frequency of vulnerability scanning on the production environment and delay deployment of any library that has a deprecation notice
D. Implement a private repository that mirrors approved open-source libraries and enforces signature verification and hash checks before allowing use

Answer: D

A private mirror with integrity checks ensures only verified packages are used, blocking malicious ones from the public repo.

Why this answer

Option D is correct because implementing a private repository that mirrors only approved, vetted open-source libraries with enforced signature verification and hash checks directly addresses supply chain attacks by ensuring that only trusted, integrity-verified code enters the build pipeline. This approach prevents malicious code from public repositories from being pulled automatically, without requiring manual review of every library (which would slow development) or relying on post-build scanning that cannot prevent the initial injection. It aligns with the principle of secure software supply chain management by establishing a trusted source of components.

Exam trap

ISC2 often tests the distinction between reactive security controls (like SAST or vulnerability scanning) and proactive supply chain controls (like private repositories with integrity verification), and the trap here is that candidates may choose SAST (option B) because it sounds technical and comprehensive, but it fails to prevent the initial injection of malicious code during the build process.

How to eliminate wrong answers

Option A is wrong because requiring manual code review of every third-party library is impractical and would significantly slow development, defeating the goal of not slowing the pipeline; it also does not scale for large numbers of dependencies and is error-prone. Option B is wrong because performing SAST on the entire codebase including libraries would detect vulnerabilities in the code but cannot prevent the initial injection of malicious code during the build process, as SAST analyzes source code after it is already in the repository, not during the pull from a public package repository. Option C is wrong because increasing vulnerability scanning frequency on the production environment and delaying deployment of libraries with deprecation notices does not prevent the initial injection of malicious code into the build; it only identifies issues after deployment and introduces delays that conflict with the goal of not slowing development.

625
Multi-Select · easy

During a security assessment, an organization wants to ensure that its web application is resistant to common attacks. Which THREE testing types should be included?

Select 3 answers
A. Input validation testing
B. Network segmentation testing
C. Load testing
D. Authentication testing
E. Session management testing

Answers: A, D, E

Identifies injection and XSS vulnerabilities.

Why this answer

Input validation testing (A) is correct because it directly addresses common web application attacks such as SQL injection, cross-site scripting (XSS), and command injection by ensuring that all user-supplied data is properly sanitized, validated, and encoded before processing. Without rigorous input validation, an attacker can manipulate input fields to execute arbitrary code or access unauthorized data, making this a foundational security control in the OWASP Top 10.

Exam trap

ISC2 often tests the distinction between security testing types and operational or performance testing, so candidates mistakenly choose load testing because they confuse 'resistance to attacks' with 'resistance to high traffic' (e.g., DDoS), but load testing does not assess application-layer vulnerabilities.

626
MCQ · hard

A cloud service provider uses a Type 1 hypervisor to host multiple virtual machines (VMs) for different customers. Which of the following is a primary security concern specific to this architecture?

A. Virtual machine escape from one guest to the hypervisor or other guests
B. Inability to patch the hypervisor without downtime
C. Performance degradation due to resource sharing
D. Lack of support for legacy operating systems

Answer: A

Correct. VM escape is a top security risk for hypervisors.

Why this answer

A VM escape attack occurs when an attacker breaks out of a VM to access the hypervisor or other VMs. This is a critical risk in multi-tenant environments.

627
MCQ · medium

Based on the firewall log entry, what is the most likely cause of the denied traffic?

A. No firewall rule explicitly permits traffic from 10.0.0.25 to 203.0.113.50 on port 443.
B. The source IP is attempting a port scan on the destination.
C. The destination port should be 80 instead of 443.
D. The destination server's SSL certificate has expired.

Answer: A

The reason 'No matching rule' indicates no permit rule exists for this flow.

Why this answer

The firewall log entry shows a packet from source IP 10.0.0.25 to destination IP 203.0.113.50 on destination port 443 (HTTPS) being denied. The most likely cause is that no firewall rule explicitly permits this traffic. Firewalls operate on a default-deny or explicit-permit model; if no rule matches the source, destination, and port, the packet is dropped.

This is a fundamental principle of access control lists (ACLs) and stateful inspection.

Exam trap

The trap here is that candidates may confuse network-layer denial with application-layer issues (like SSL certificates) or misinterpret a single denied packet as evidence of a port scan, when the core concept is that firewalls enforce explicit permit rules and deny all other traffic by default.

How to eliminate wrong answers

Option B is wrong because a single denied packet on port 443 does not indicate a port scan; port scans typically involve multiple packets to different ports in rapid succession, and the log entry shows only one denied packet. Option C is wrong because the destination port being 80 (HTTP) instead of 443 (HTTPS) is irrelevant to the cause of denial; the firewall denies traffic based on its rules, not on whether the port is 'correct' for the service. Option D is wrong because SSL certificate expiration is an application-layer issue that occurs after a TCP connection is established; the firewall denies the packet at the network or transport layer before any TLS handshake can occur.

628
MCQhard

Refer to the exhibit. Which security model does this policy enforce?

A.Biba
B.Brewer-Nash
C.Bell-LaPadula
D.Clark-Wilson
AnswerC

Correct. BLP enforces no read up and no write down.

Why this answer

The Bell-LaPadula model enforces a mandatory access control policy based on the 'no read up, no write down' principle, which directly corresponds to the exhibit's rule that a subject at a given security level cannot read objects at a higher level (Simple Security Property) and cannot write to objects at a lower level (Star Property). This is the only model among the options that specifically addresses confidentiality through hierarchical classification levels and the prevention of information flow from higher to lower security levels.

Exam trap

ISC2 often tests the confusion between Bell-LaPadula (confidentiality, no read up/no write down) and Biba (integrity, no read down/no write up), so candidates mistakenly pick Biba when they see a policy about preventing information flow from high to low, not realizing the direction of the rules is reversed.

How to eliminate wrong answers

Option A is wrong because the Biba model enforces integrity, not confidentiality, using 'no read down, no write up' rules, which is the opposite of the exhibit's policy. Option B is wrong because the Brewer-Nash (Chinese Wall) model prevents conflicts of interest by dynamically controlling access based on previously accessed datasets, not by static hierarchical classification levels. Option D is wrong because the Clark-Wilson model focuses on integrity through well-formed transactions and separation of duties, not on confidentiality-based read/write restrictions across security levels.
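The two rule sets above are easy to confuse because they use the same two properties with the direction reversed. The following is an added example, not from the exam page or any ISC2 material: both models implemented as checks over one linear lattice so the reversal is visible in a decision table. The level names, the Entity class and the sample subjects and objects are constructed for illustration.

```python
# Added example: Bell-LaPadula (confidentiality) and Biba (integrity) checks
# over a linear lattice. Level names and sample entities are constructed.
from dataclasses import dataclass

LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Entity:
    name: str
    level: str   # clearance for a subject, classification for an object


def dominates(a: str, b: str) -> bool:
    """True when level a is at or above level b in the lattice."""
    return RANK[a] >= RANK[b]


def blp_can_read(subject: Entity, obj: Entity) -> bool:
    # Simple Security Property: no read up.
    return dominates(subject.level, obj.level)


def blp_can_write(subject: Entity, obj: Entity) -> bool:
    # *-Property: no write down (writes may go sideways or up).
    return dominates(obj.level, subject.level)


def biba_can_read(subject: Entity, obj: Entity) -> bool:
    # Simple Integrity Property: no read down.
    return dominates(obj.level, subject.level)


def biba_can_write(subject: Entity, obj: Entity) -> bool:
    # *-Integrity Property: no write up.
    return dominates(subject.level, obj.level)


def decision_table(subject: Entity, obj: Entity) -> dict:
    """Both models for one subject/object pair; BLP and Biba are mirror images."""
    return {
        "blp_read": blp_can_read(subject, obj),
        "blp_write": blp_can_write(subject, obj),
        "biba_read": biba_can_read(subject, obj),
        "biba_write": biba_can_write(subject, obj),
    }


if __name__ == "__main__":
    analyst = Entity("analyst", "SECRET")
    for doc in (Entity("budget", "CONFIDENTIAL"), Entity("ops_plan", "TOP_SECRET")):
        print(doc.name, decision_table(analyst, doc))
```

A SECRET subject reading a CONFIDENTIAL object is allowed by BLP and refused by Biba; writing to a TOP_SECRET object is the reverse. That is the whole of the exam trap in four booleans.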

629
MCQeasy

An information security manager is implementing an asset classification policy. Which of the following is the primary purpose of classifying information assets?

A.To track the physical location of all assets
B.To apply appropriate security controls based on asset sensitivity
C.To determine the monetary value of each asset
D.To identify the legal owner of each asset
AnswerB

Classification drives the level of protection needed for each asset.

Why this answer

The primary purpose of classifying information assets is to assign a level of sensitivity (e.g., confidential, internal, public) so that appropriate security controls—such as encryption, access control lists, and data loss prevention rules—can be applied proportionally. This ensures that resources are focused on protecting the most critical data, aligning with the principle of cost-effective risk management.

Exam trap

The trap here is that candidates confuse the purpose of classification with asset inventory or valuation, but the CISSP emphasizes that classification is fundamentally about applying the right security controls based on sensitivity, not about tracking, pricing, or ownership.

How to eliminate wrong answers

Option A is wrong because tracking physical location is a function of asset inventory and management, not classification; classification focuses on the data's sensitivity, not its physical whereabouts. Option C is wrong because while classification may inform valuation, its primary purpose is not to determine monetary value—that is a separate financial or risk assessment activity. Option D is wrong because identifying the legal owner is a matter of asset ownership and accountability, which is related but secondary; classification is about the data's sensitivity level, not who owns it.

630
Multi-Selectmedium

A company is implementing a PKI to support secure web browsing. Which of the following are commonly used to enhance the security of certificate validation? (Choose TWO)

Select 2 answers
A.OCSP stapling
B.Certificate revocation lists (CRLs)
C.Certificate pinning
D.Self-signed root certificates
E.Wildcard certificates
AnswersA, C

Correct. OCSP stapling improves timeliness and reduces CA load.

Why this answer

OCSP stapling lets the TLS server obtain a CA-signed, time-bounded OCSP response for its own certificate and attach it to the handshake, so the client receives fresh revocation status without contacting the CA's responder itself; this removes the responder as a point of failure and delay, reduces load on the CA, and keeps the CA from learning which sites each client visits. Certificate pinning binds a host name to a specific certificate or, more commonly, to the hash of its public key (SPKI), so a certificate for that host issued by any other CA, including a trusted CA that has been compromised or misused, is rejected. Options B, D and E do not enhance validation: CRLs are the baseline mechanism that OCSP and stapling improve on, a self-signed root bypasses third-party validation altogether, and a wildcard certificate widens the blast radius of a single private-key compromise.

631
MCQmedium

A healthcare organization is moving patient records to a cloud storage service. Which of the following is the MOST important requirement to ensure data security and compliance with HIPAA?

A.Multi-factor authentication for all cloud access
B.Encryption of data in transit using TLS 1.2
C.A signed Business Associate Agreement (BAA) with the cloud provider
D.Encryption of data at rest using AES-256
AnswerC

A BAA is required under HIPAA to ensure the cloud provider handles PHI appropriately.

Why this answer

Under HIPAA, a covered entity must have a signed Business Associate Agreement (BAA) with any cloud service provider that creates, receives, maintains, or transmits protected health information (PHI). Without a BAA, the provider is not contractually bound to safeguard PHI, making the organization non-compliant regardless of technical controls. While encryption and MFA are important security measures, they cannot substitute for the legal and regulatory requirement of a BAA.

Exam trap

The trap here is that candidates often focus on technical security controls like encryption or MFA, overlooking the foundational legal and regulatory requirement of a signed Business Associate Agreement, which is the non-negotiable first step for HIPAA compliance with a cloud provider.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is a strong access control but does not address the contractual and legal obligations required by HIPAA for business associates; it is a security best practice, not a compliance requirement. Option B is wrong because encryption of data in transit using TLS 1.2 protects data during transmission but does not ensure the cloud provider is legally bound to protect PHI as a business associate; HIPAA mandates a BAA regardless of transport encryption. Option D is wrong because encryption of data at rest using AES-256 protects stored data but, like the other technical controls, does not satisfy the HIPAA requirement for a signed BAA with the cloud provider.

632
MCQmedium

A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?

A.Share the Purchasing Manager's account credentials with the user
B.Temporarily assign the 'Purchasing Approver' role to the user with an expiration date
C.Modify the 'Accounts Payable' role to include purchase order approval permissions
D.Create a new role with the exact permissions needed and assign it to the user
AnswerB

This grants needed access for a limited time, maintaining least privilege.

Why this answer

Option B is correct because it follows the principle of least privilege by temporarily assigning the 'Purchasing Approver' role to the user with an expiration date, ensuring that the elevated permissions are automatically revoked after the leave period. This approach maintains RBAC integrity without permanently altering role definitions or sharing credentials.

Exam trap

The trap here is that candidates often choose Option D (creating a new role) because it looks like least privilege, but RBAC practice is to reuse an existing, already-reviewed role with a time-bound assignment rather than to mint a one-off role; every extra role is something that must be reviewed, recertified and eventually retired, and role proliferation of this kind is exactly what a well-run RBAC model tries to avoid.

How to eliminate wrong answers

Option A is wrong because sharing the Purchasing Manager's account credentials destroys accountability and non-repudiation, since actions can no longer be attributed to the person who performed them, and it bypasses RBAC entirely. Option C is wrong because modifying the 'Accounts Payable' role to include purchase order approval would permanently grant that right to every user in the role, violating least privilege and creating a segregation of duties conflict between paying invoices and approving purchases. Option D is wrong because creating a new role adds an unreviewed role to the model and extra administrative overhead; it is better to reuse the existing Purchasing Approver role with an assignment that expires.
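What 'temporarily assign the role with an expiration date' looks like when enforced in code, as an added example that is not part of the exam page or any ERP product: assignments carry an expiry and an optional approval limit, and every permission check re-evaluates them against the current time, so the elevated right disappears on its own. The role names follow the question; user names, dates, the permission map and the $10,000 limit are constructed.

```python
# Added example: time-bound RBAC assignments with an approval limit.
# Role names follow the question; users, dates and permissions are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ROLE_PERMISSIONS = {
    "Accounts Payable": {"invoice:read", "invoice:pay"},
    "Purchasing Approver": {"po:read", "po:approve"},
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    granted_by: str
    expires_at: Optional[datetime] = None   # None: standing assignment
    po_limit: Optional[float] = None        # constraint carried by this assignment

    def active(self, now: datetime) -> bool:
        return self.expires_at is None or now < self.expires_at


def active_assignments(user, assignments, now):
    return [a for a in assignments if a.user == user and a.active(now)]


def effective_permissions(user, assignments, now):
    perms = set()
    for a in active_assignments(user, assignments, now):
        perms |= ROLE_PERMISSIONS.get(a.role, set())
    return perms


def grant_temporary(assignments, user, role, granted_by, expires_at, now, po_limit=None):
    """Append a time-bound assignment of an existing role; refuse open-ended grants."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if expires_at <= now:
        raise ValueError("expiry must be in the future")
    assignments.append(Assignment(user, role, granted_by, expires_at, po_limit))
    return assignments


def can_approve_po(user, amount, assignments, now):
    """True only while an active assignment grants po:approve with a sufficient limit."""
    for a in active_assignments(user, assignments, now):
        if "po:approve" in ROLE_PERMISSIONS.get(a.role, set()):
            if a.po_limit is None or amount <= a.po_limit:
                return True
    return False


def demo():
    """Constructed scenario: Alice (Accounts Payable) covers PO approvals until 30 June."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    during = datetime(2024, 6, 15, tzinfo=timezone.utc)
    after = datetime(2024, 7, 1, tzinfo=timezone.utc)
    assignments = [Assignment("alice", "Accounts Payable", "hr")]
    grant_temporary(assignments, "alice", "Purchasing Approver", "cfo",
                    datetime(2024, 6, 30, tzinfo=timezone.utc), now, po_limit=10_000)
    return {
        "during_9500": can_approve_po("alice", 9_500, assignments, during),
        "during_12000": can_approve_po("alice", 12_000, assignments, during),
        "after_9500": can_approve_po("alice", 9_500, assignments, after),
        "after_perms": effective_permissions("alice", assignments, after),
    }


if __name__ == "__main__":
    print(demo())
```

The assignment, not the role, carries the expiry and the limit, so the Purchasing Approver role itself is never edited and nothing has to be remembered and revoked by hand when the manager returns.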

633
MCQhard

A network engineer is configuring a firewall to allow HTTP traffic from the internet to a web server (10.0.0.10). The firewall has three interfaces: outside (ISP), DMZ (10.0.0.0/24), and inside (192.168.1.0/24). The web server is in the DMZ. Which rule is correct?

A.Rule: Source interface Inside, Source any, Destination 10.0.0.10, Port 80, Action allow
B.Rule: Source interface Outside, Source any, Destination 10.0.0.10, Port 80, Action allow
C.Rule: Source interface Outside, Source 192.168.1.0/24, Destination 10.0.0.10, Port 80, Action allow
D.Rule: Source interface DMZ, Source any, Destination 10.0.0.10, Port 80, Action allow
AnswerB

This correctly allows inbound HTTP from internet to DMZ web server.

Why this answer

Option B is correct because HTTP traffic from the internet arrives on the outside interface, and the firewall rule must match the source interface (Outside), allow any source IP, and specify the destination IP (10.0.0.10) and port 80. This permits inbound web traffic to the DMZ web server while maintaining security boundaries.

Exam trap

ISC2 often tests the concept that firewall rules must specify the correct source interface (ingress zone) rather than just the source IP, leading candidates to mistakenly choose rules that match the destination but not the traffic's entry point.

How to eliminate wrong answers

Option A is wrong because the source interface is Inside (192.168.1.0/24), which would allow traffic from the internal network, not from the internet. Option C is wrong because the source is restricted to 192.168.1.0/24, which is the internal subnet, not the internet; this would block legitimate external HTTP requests. Option D is wrong because the source interface is DMZ, which would only allow traffic originating from within the DMZ itself, not from the internet.
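Questions 627 and 633 both turn on the same mechanism: first-match rule evaluation over ingress interface, source, destination and port, with an implicit deny for anything no rule matches. The following is an added example, not the page's own and not any vendor's firewall, that models that evaluation and runs it over constructed packets, reproducing the 'No matching rule' entry from question 627 and the option B rule from question 633. The interface names, rule base and packets are constructed.

```python
# Added example: first-match packet filter with implicit deny.
# Interface names, rules and sample packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str     # ingress interface / zone the packet arrived on
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    in_iface: Optional[str]   # None matches any ingress interface
    src: Optional[str]        # CIDR; None matches any source
    dst: Optional[str]        # CIDR; None matches any destination
    dport: Optional[int]      # None matches any port
    action: str               # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != p.in_iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First-match evaluation; anything no rule matches is dropped (implicit deny)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "No matching rule"


def log_line(rules, p):
    action, reason = evaluate(rules, p)
    return f"{action.upper()} {p.proto} {p.src} -> {p.dst}:{p.dport} in={p.in_iface} reason='{reason}'"


# Constructed rule base for the three-interface firewall in question 633.
RULES = [
    # Private source addresses must never arrive on the outside interface (spoofing).
    Rule("anti-spoof", "outside", "192.168.1.0/24", None, None, "deny"),
    Rule("anti-spoof-dmz", "outside", "10.0.0.0/24", None, None, "deny"),
    # Question 633, option B: internet -> DMZ web server on port 80.
    Rule("web-in", "outside", None, "10.0.0.10/32", 80, "allow"),
    # Inside admins may reach the web server on 22; nothing else is listed.
    Rule("mgmt", "inside", "192.168.1.0/24", "10.0.0.10/32", 22, "allow"),
]

SAMPLE = [
    Packet("outside", "198.51.100.7", "10.0.0.10", 80),    # legitimate web client
    Packet("outside", "192.168.1.20", "10.0.0.10", 80),    # spoofed internal source
    Packet("dmz", "10.0.0.25", "203.0.113.50", 443),       # question 627's denied flow
    Packet("inside", "192.168.1.20", "10.0.0.10", 80),     # needs option A's rule, not B's
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(log_line(RULES, p))
```

The last sample packet shows why the ingress interface matters: option B's rule does not match traffic arriving on the inside interface, so an internal user browsing the DMZ server needs a separate rule, and an 'any-to-any' shortcut that ignores the interface would also let the spoofed second packet through.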

634
Multi-Selecthard

Which TWO of the following are best practices for securing containerized applications? (Select exactly 2.)

Select 2 answers
A.Mounting the host filesystem to persist logs
B.Running the container process as a non-root user
C.Cleaning the certificate store to prevent MITM
D.Exposing port 22 for SSH debugging in production
E.Using minimal base images such as Alpine or scratch
AnswersB, E

Non-root user reduces privilege escalation risk.

Why this answer

Running the container process as a non-root user is a fundamental security best practice because containers share the host kernel; if an attacker compromises a container running as root, they may escape to the host with root privileges. By using a non-root user (e.g., via the USER directive in a Dockerfile), you enforce the principle of least privilege and reduce the attack surface significantly.

Exam trap

The trap here is that candidates often confuse 'persisting logs' (Option A) as a security measure, but in container security, mounting the host filesystem is a major isolation violation, not a best practice.
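The two correct practices, and the three distractors, map directly onto lines of a Dockerfile. The following is an added example, not from the exam page and not any project's real build file, for a hypothetical Go service called orders-api; the weak pattern it replaces is shown in the leading comments.

```dockerfile
# Added example: hardened build for a hypothetical Go service "orders-api".
# The weak pattern this replaces:
#   FROM ubuntu:22.04                       (full OS, shell, package manager)
#   RUN apt-get install -y openssh-server   (and EXPOSE 22 for "debugging")
#   no USER directive, so the process runs as uid 0
#   docker run -v /var/log:/var/log ...     (host filesystem mounted for logs)

# Build stage: compile a static binary so the runtime image needs no libc or shell.
FROM golang:1.22-alpine AS build
RUN apk add --no-cache ca-certificates
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/orders-api ./cmd/orders-api

# Runtime stage: scratch contains nothing except what is copied in below.
FROM scratch
# CA bundle so outbound TLS still validates; scratch ships none.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/orders-api /orders-api
# Numeric uid:gid because scratch has no /etc/passwd to resolve a user name.
USER 65532:65532
# Only the service port. No SSH, and logs go to stdout for the runtime to collect,
# so no host directory needs to be mounted into the container.
EXPOSE 8443
ENTRYPOINT ["/orders-api"]
```

Verify the result rather than trusting the file: `docker inspect --format '{{.Config.User}}' orders-api` should print `65532:65532`, and running it with `--read-only --cap-drop ALL` should still work because a static binary writing to stdout needs neither a writable root nor capabilities.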

635
Multi-Selecthard

A company is implementing PCI DSS compliance. Which THREE requirements are part of the PCI DSS? (Select THREE)

Select 3 answers
A.Use only approved encryption algorithms for stored data
B.Implement multi-factor authentication for all employees
C.Encrypt transmission of cardholder data across open, public networks
D.Restrict physical access to cardholder data
E.Install and maintain a firewall configuration to protect cardholder data
AnswersC, D, E

C, D and E correspond to PCI DSS Requirements 4, 9 and 1 respectively.

Why this answer

PCI DSS is organised into 12 requirements. Requirement 1 covers installing and maintaining network security controls (historically worded as firewalls) around the cardholder data environment, Requirement 4 covers protecting cardholder data with strong cryptography when it is transmitted over open, public networks, and Requirement 9 restricts physical access to cardholder data. Option A is a distractor: the standard demands strong cryptography for stored account data but does not publish an approved-algorithm list. Option B overstates Requirement 8: PCI DSS requires multi-factor authentication for access into the cardholder data environment, for non-console administrative access, and for remote access from outside the network, not for every employee regardless of what they can reach.

636
MCQmedium

A security engineer reviews the S3 bucket policy in the exhibit. What is the most significant security issue with this configuration?

A.The resource ARN does not specify a version ID
B.The policy does not enforce encryption in transit
C.The bucket allows public read access to all objects
D.The policy lacks an explicit deny statement
AnswerC

The policy grants read access to anyone, exposing sensitive data.

Why this answer

The S3 bucket policy in the exhibit grants "Effect": "Allow" with "Principal": "*" and "Action": "s3:GetObject" on the bucket's objects. Because "*" matches every AWS principal and anonymous requests alike, and no Condition narrows it, every object in the bucket can be fetched by anyone on the internet, which is a severe data exposure. Option C correctly identifies this as the most significant issue: it is the broadest possible violation of least privilege and leads directly to unauthorized access to whatever the bucket holds.

Exam trap

The trap here is that candidates may focus on missing technical details like version IDs or encryption conditions, but the most critical security flaw is the explicit public read access granted to all objects, which directly leads to data exposure.

How to eliminate wrong answers

Option A is wrong because object ARNs in bucket policies match every version of an object unless the statement is deliberately scoped with s3:GetObjectVersion or a condition key; omitting a version ID is not a vulnerability. Option B is wrong because a bucket policy enforces TLS only when it carries a Deny statement conditioned on "aws:SecureTransport": "false"; its absence is a real gap, but a secondary one next to unconditional public read. (S3 Block Public Access is a separate account- or bucket-level guard that would have prevented this policy from granting public access in the first place; it does not enforce encryption in transit.) Option D is wrong because an explicit deny is not required for security; any action not explicitly allowed is already denied by default, so the problem is the over-broad allow statement, not a missing deny.
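Reviewing a policy for this pattern is mechanical enough to script. The following is an added example, not the page's own and not an AWS tool: a small check that flags unconditional public-read statements like the one in the question and reports whether the policy also forces TLS, run over a weak policy and a corrected one. The bucket name, account ID and role name in the sample policies are constructed placeholders.

```python
# Added example: lint an S3 bucket policy for unconditional public read and
# for a TLS-enforcing deny. Sample policies are constructed (placeholder
# bucket, account ID and role).
import json

READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_anyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means any AWS account and anonymous requests."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy: dict) -> list:
    """Sids of Allow statements granting object reads to everyone with no Condition."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not (actions & READ_ACTIONS):
            continue
        if st.get("Condition"):
            continue  # narrowed by a condition (e.g. source VPC); still worth a manual look
        findings.append(st.get("Sid", "<no Sid>"))
    return findings


def enforces_tls(policy: dict) -> bool:
    """True when a Deny statement rejects requests made without TLS."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        value = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if value is not None and str(value).lower() == "false":
            return True
    return False


def review(policy: dict) -> dict:
    return {"public_read": public_read_statements(policy), "tls_enforced": enforces_tls(policy)}


# Constructed policies. The account ID and role are placeholders.
WEAK = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    { "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
      "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*" } ] }
""")

FIXED = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AppRoleRead", "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/records-app" },
      "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*" },
    { "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
      "Action": "s3:*",
      "Resource": [ "arn:aws:s3:::example-records", "arn:aws:s3:::example-records/*" ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } } } ] }
""")

if __name__ == "__main__":
    print("weak ", review(WEAK))
    print("fixed", review(FIXED))
```

The corrected policy keeps "Principal": "*" only in the Deny statement, where matching everyone is the intent. A check like this belongs in the pipeline that deploys bucket policies; S3 Block Public Access should still be on as the backstop.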

637
MCQhard

A company collects PII from European customers for order processing. Under GDPR, they engage a third-party logistics provider to handle shipping. Which role does the logistics provider typically assume in this scenario?

A.Data controller
B.Data custodian
C.Data processor
D.Data subject
AnswerC

Correct. The logistics provider is a data processor processing data on behalf of the controller.

Why this answer

A data processor processes personal data on behalf of the data controller (the company). The logistics provider handles data for shipping but does not determine purposes or means.

638
Multi-Selectmedium

A security team is reviewing network segmentation strategies. Which TWO of the following are benefits of using VLANs? (Select TWO.)

Select 2 answers
A.They provide encryption of network traffic
B.They allow logical grouping of devices regardless of physical location
C.They can reduce broadcast traffic
D.They eliminate the need for firewalls
E.They provide inherent protection against ARP spoofing
AnswersB, C

VLANs group devices based on configuration, not physical location.

Why this answer

VLANs operate at Layer 2 (Data Link Layer) and allow network administrators to segment devices into distinct broadcast domains based on logical criteria such as department or function, regardless of their physical location on the network. This logical grouping reduces the scope of broadcast traffic because broadcasts are confined to the VLAN, not the entire physical network. By containing broadcasts, VLANs improve network performance and security by limiting unnecessary traffic and isolating potential threats.

Exam trap

The trap here is that candidates often confuse VLANs with security mechanisms like encryption or firewalls, mistakenly believing VLANs provide confidentiality or replace perimeter defenses, when in fact VLANs only offer logical segmentation at Layer 2.

639
MCQmedium

An organization has implemented a new SIEM system. What is the most critical factor for its effectiveness?

A.The cost of the solution
B.The speed of data ingestion
C.The ability to correlate events
D.The number of log sources integrated
AnswerC

Correlation enables identification of patterns and incidents across multiple sources.

Why this answer

The most critical factor for a SIEM's effectiveness is its ability to correlate events across diverse log sources to detect complex attack patterns, such as a lateral movement chain or a multi-stage exploit. Without correlation, a SIEM is merely a log aggregator, unable to distinguish a true security incident from isolated benign events. Correlation engines apply rule-based or statistical analysis (e.g., using Sigma rules or machine learning) to identify relationships between seemingly unrelated log entries, which is the core value proposition of a SIEM.

Exam trap

The trap here is that candidates often mistake 'speed of data ingestion' or 'number of log sources' as the primary success factor, confusing operational metrics with the analytical core of a SIEM, which is correlation.

How to eliminate wrong answers

Option A is wrong because the cost of the solution does not directly impact the SIEM's analytical capability; a high-cost SIEM can still be ineffective if its correlation logic is weak or misconfigured. Option B is wrong because while data ingestion speed is important for real-time monitoring, it is not the most critical factor; a SIEM that ingests data quickly but lacks correlation logic will still fail to detect sophisticated attacks. Option D is wrong because the number of log sources integrated is secondary to the quality of correlation; integrating many sources without proper normalization and correlation rules leads to noise and alert fatigue, not improved detection.
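To make 'correlation across sources' concrete, the following is an added example, not the page's own and not taken from any SIEM product: two rules run over normalized events from a VPN gateway and Windows hosts, then combined so that a user who trips both in sequence is escalated. Separately, five failed VPN logins or four file-server logons are noise; together they describe a credential attack followed by lateral movement. Host names, users, addresses and the log lines are constructed.

```python
# Added example: minimal SIEM-style correlation over two log sources.
# Hosts, users, addresses and events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Normalized events: timestamp source user src_ip host outcome
RAW = """
2024-03-04T09:00:01Z vpn jdoe   203.0.113.9 vpn-gw failure
2024-03-04T09:00:07Z vpn jdoe   203.0.113.9 vpn-gw failure
2024-03-04T09:00:13Z vpn jdoe   203.0.113.9 vpn-gw failure
2024-03-04T09:00:20Z vpn jdoe   203.0.113.9 vpn-gw failure
2024-03-04T09:00:26Z vpn jdoe   203.0.113.9 vpn-gw failure
2024-03-04T09:00:31Z vpn jdoe   203.0.113.9 vpn-gw success
2024-03-04T09:02:10Z win jdoe   10.20.0.55  fs01   success
2024-03-04T09:02:41Z win jdoe   10.20.0.55  fs02   success
2024-03-04T09:03:05Z win jdoe   10.20.0.55  hr-db  success
2024-03-04T09:03:30Z win jdoe   10.20.0.55  dc01   success
2024-03-04T09:15:00Z win asmith 10.20.0.70  fs01   success
"""


def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, source, user, src_ip, host, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "source": source, "user": user, "src_ip": src_ip,
                       "host": host, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """N failures from one (user, src_ip) followed by a success inside the window."""
    alerts, by_key = [], defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src_ip"])].append(e)
    for (user, ip), evs in by_key.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            failures = [f for f in evs[:i]
                        if f["outcome"] == "failure" and e["ts"] - f["ts"] <= window]
            if len(failures) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": user,
                               "src_ip": ip, "at": e["ts"]})
                break  # one alert per key
    return alerts


def logon_fan_out(events, min_hosts=3, window=timedelta(minutes=5)):
    """One (user, src_ip) succeeding on many distinct hosts inside a short window."""
    alerts, by_key = [], defaultdict(list)
    for e in events:
        if e["source"] == "win" and e["outcome"] == "success":
            by_key[(e["user"], e["src_ip"])].append(e)
    for (user, ip), evs in by_key.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "logon_fan_out", "user": user, "src_ip": ip,
                               "hosts": sorted(hosts), "at": start["ts"]})
                break
    return alerts


def correlate(events):
    """Run both rules, then escalate a user who trips both: the chain, not the parts."""
    alerts = brute_force_then_success(events) + logon_fan_out(events)
    by_user = defaultdict(list)
    for a in alerts:
        a["severity"] = "medium"
        by_user[a["user"]].append(a)
    for user_alerts in by_user.values():
        if {"brute_force_then_success", "logon_fan_out"} <= {a["rule"] for a in user_alerts}:
            for a in user_alerts:
                a["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(RAW)):
        print(a)
```

Note what correlation needs that aggregation does not: a common schema (the user and src_ip fields must mean the same thing in both sources) and synchronized clocks, which is why normalization and time synchronization come before rule writing in a SIEM rollout.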

640
MCQhard

A Change Advisory Board (CAB) is evaluating a request to implement a critical security patch. Which RACI element is typically assigned to the CAB for the 'Approve' activity?

A.Responsible
B.Informed
C.Consulted
D.Accountable
AnswerD

The CAB is accountable for the approval decision.

Why this answer

In RACI, 'Accountable' means the person ultimately answerable for the decision. The CAB is accountable for approving changes.

641
MCQeasy

A data owner has classified a dataset as 'Confidential' in a commercial organization. Which of the following best describes the primary responsibility of the data owner for this dataset?

A.Determining the data's classification and ensuring it is labeled appropriately
B.Ensuring the data is accurate and complete
C.Implementing technical controls to protect the data
D.Performing daily backups of the data
AnswerA

The data owner classifies data and determines handling requirements.

Why this answer

The data owner is accountable for data classification and assigning protection requirements, while the custodian implements controls.

642
MCQhard

A security analyst notes that a recent penetration test successfully exploited a vulnerability in a legacy application that cannot be patched. The analyst recommends implementing network segmentation to limit the application's exposure. This recommendation is an example of:

A.Risk mitigation
B.Risk acceptance
C.Risk avoidance
D.Risk transfer
AnswerA

Network segmentation reduces the impact, mitigating the risk.

Why this answer

Implementing network segmentation to limit exposure of an unpatched legacy application is a classic example of risk mitigation. By isolating the application on a separate network segment (e.g., using VLANs or firewall rules), the analyst reduces the likelihood or impact of a successful exploit, even though the underlying vulnerability remains unpatched. This directly aligns with the CISSP definition of risk mitigation: applying controls to reduce risk to an acceptable level.

Exam trap

The trap here is confusing risk mitigation with risk avoidance — candidates often think that any action taken to address a vulnerability is avoidance, but avoidance requires eliminating the risk entirely (e.g., removing the application), whereas mitigation reduces but does not eliminate the risk.

How to eliminate wrong answers

Option B (Risk acceptance) is wrong because risk acceptance involves formally acknowledging the risk and deciding not to take any action, whereas the analyst is actively implementing a control (segmentation). Option C (Risk avoidance) is wrong because risk avoidance would mean discontinuing the application or removing it entirely to eliminate the risk, not isolating it. Option D (Risk transfer) is wrong because risk transfer shifts the financial burden of a loss to a third party (e.g., via insurance or outsourcing), not implementing a technical control like segmentation.

643
MCQhard

A network administrator has configured private VLANs on a switch. The host on this port belongs to primary VLAN 100, and the port's associated secondary VLAN is 200. What is the expected behavior for traffic from this host to other hosts in the same primary VLAN 100?

A.It cannot communicate with any other host
B.It can communicate only with other hosts in the same secondary VLAN 200
C.It can communicate with the promiscuous port only
D.It can communicate with all hosts in primary VLAN 100
AnswerC

A private VLAN host port can always reach the promiscuous port; whether it can reach any other host port depends on the type of its secondary VLAN.

Why this answer

In a private VLAN, the primary VLAN (100) carries the promiscuous port, typically the uplink to a router or firewall, and one or more secondary VLANs carry the host ports. A host port in an isolated secondary VLAN can exchange frames only with promiscuous ports, not even with other hosts in the same isolated VLAN; a host port in a community secondary VLAN can additionally reach the other members of that same community. No host port can reach a host in a different secondary VLAN, and the switch never lets a host port reach every host in the primary VLAN. The stem gives one host-to-secondary association (100/200) and says nothing about a community, so the only reachability that holds in every case is to the promiscuous port, which is option C.

Exam trap

ISC2 tests the misconception that a host in a private VLAN can reach every other host in its primary VLAN. Host-to-host traffic is confined to the same community secondary VLAN (community ports) or blocked outright (isolated ports); in both cases the promiscuous port remains reachable. When a question gives only 'associated secondary PVLAN is 200' with no mention of a community, treat the port as isolated.

How to eliminate wrong answers

Option A is wrong because even an isolated port can reach the promiscuous port, so the host is not cut off from everything. Option B is wrong because the stem does not say secondary VLAN 200 is a community VLAN, and only community members may talk to each other; in an isolated VLAN, hosts that share the same secondary VLAN are still blocked from one another. Option D is wrong because private VLANs exist precisely to stop host ports from reaching every host in the primary VLAN; only the promiscuous port has that reach.
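The reachability rules above fit in one decision function. The following is an added example, not from the exam page or a switch vendor: the private VLAN forwarding rules as code, run over a constructed port table with a promiscuous uplink, two isolated hosts, two communities and a port in a different primary VLAN. Port names and VLAN numbers are constructed.

```python
# Added example: private VLAN forwarding rules as a decision function.
# Port names and VLAN numbers are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    primary: int
    kind: str                  # "promiscuous" | "isolated" | "community"
    secondary: Optional[int]   # secondary VLAN for host ports; None for promiscuous


def can_forward(src: Port, dst: Port) -> bool:
    """Layer 2 reachability between two PVLAN ports on the same switch."""
    if src.primary != dst.primary:
        return False                          # different primary VLANs never talk
    if src.kind == "promiscuous" or dst.kind == "promiscuous":
        return True                           # promiscuous ports reach every host port
    if src.kind == "community" and dst.kind == "community":
        return src.secondary == dst.secondary # same community only
    return False                              # isolated, or across secondary VLANs


PORTS = {
    "gw": Port("gw", 100, "promiscuous", None),   # router/firewall uplink
    "h1": Port("h1", 100, "isolated", 200),
    "h2": Port("h2", 100, "isolated", 200),
    "c1": Port("c1", 100, "community", 300),
    "c2": Port("c2", 100, "community", 300),
    "c3": Port("c3", 100, "community", 301),
    "x1": Port("x1", 110, "isolated", 210),       # different primary VLAN
}


def reachable_from(name: str, ports=PORTS):
    src = ports[name]
    return sorted(p.name for p in ports.values() if p is not src and can_forward(src, p))


if __name__ == "__main__":
    for name in PORTS:
        print(f"{name:>3} -> {reachable_from(name)}")
```

h1 and h2 share secondary VLAN 200 yet cannot reach each other, which is the point of option B being wrong; c1 and c2 can, because 300 is a community. Note the rules say nothing about Layer 3: the promiscuous port's router will happily forward h1's traffic to h2 unless an ACL there stops it, so PVLANs isolate at Layer 2 only.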

644
Multi-Selectmedium

Which TWO of the following are key components of an Information Security Governance framework? (Select exactly 2)

Select 2 answers
A.Incident response team structure
B.Risk management processes
C.Strategic alignment of security with business objectives
D.Penetration testing schedule
E.Vendor contract negotiation
AnswersB, C

Correct - Risk management is a governance responsibility.

Why this answer

Risk management processes are a core component of an Information Security Governance framework because they provide the structured methodology for identifying, assessing, and mitigating risks to the organization's information assets. This aligns with the ISO/IEC 27001 standard, which mandates a risk-based approach to establishing, implementing, and maintaining an information security management system (ISMS). Without formal risk management, governance lacks the data-driven foundation to prioritize security investments and controls.

Exam trap

The trap here is that candidates confuse operational security activities (like incident response teams or penetration testing) with governance-level components, which are strategic, policy-driven, and focused on oversight and alignment rather than execution.

645
MCQmedium

An LDAP distinguished name (DN) includes the attribute 'CN=John Doe,OU=Sales,DC=company,DC=com'. What does 'CN' stand for?

A.Country Name
B.Common Name
C.Certificate Name
D.Container Name
AnswerB

CN is Common Name.

Why this answer

CN stands for Common Name, which typically represents the user's name or the hostname of a device.

646
MCQmedium

Which type of scanning provides the most comprehensive view of an organization's vulnerabilities by allowing the scanner to log into systems and access detailed configuration information?

A.External scan
B.Passive scan
C.Authenticated scan
D.Unauthenticated scan
AnswerC

Authenticated scans have privileged access for complete visibility.

Why this answer

Authenticated scans use credentials to access system internals, providing deeper insight than unauthenticated scans.

647
MCQmedium

A company must destroy a set of hard drives containing sensitive customer data. The drives are magnetic (HDDs). Which destruction method provides the highest assurance of data irrecoverability?

A.Overwriting with a single pass of zeros
B.Physical destruction by drilling
C.Degaussing
D.Cryptographic erasure
AnswerC

Degaussing destroys the recorded data and the servo tracks, leaving the platters unreadable and the drive itself unusable.

Why this answer

Degaussing with a degausser rated for the drive's coercivity disrupts every magnetic domain on the platters, including areas that a software wipe cannot reach such as remapped sectors and host protected areas. Of the options it gives the highest assurance for magnetic media: a single-pass overwrite depends on the drive firmware actually writing every sector, cryptographic erasure only helps if the data was encrypted under a well-managed key from the start, and drilling a hole leaves most of the platter surface intact. Two caveats a practitioner should carry into the exam: degaussing does nothing to SSDs or other flash media, and NIST SP 800-88 still treats physical destruction (shredding, disintegration, incineration) as the destroy-level method for media leaving the organization's control.

648
Multi-Selecthard

Under the GDPR, which THREE of the following are rights of data subjects? (Select THREE.)

Select 3 answers
A.Right to erasure (right to be forgotten)
B.Right to ignore processing
C.Right to sell data
D.Right to data portability
E.Right to access
AnswersA, D, E

Data subjects can request deletion of their data under certain conditions.

Why this answer

GDPR grants data subjects rights including the right to access, right to erasure ('right to be forgotten'), and right to data portability. The right to sell data is not a GDPR right, and the right to ignore processing is not a formal right.

649
MCQhard

Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?

A.The user is a member of the Remote Desktop Users group
B.The user is not a member of the local Users group or Administrators group
C.The user is a member of a group that is denied local logon
D.The user is denied logon through Remote Desktop Services
AnswerB

Console logon requires the 'Allow log on locally' user right, which the policy grants only to Administrators and Users; jdoe resolves to neither.

Why this answer

Interactive logon at the console and logon over RDP are governed by two different user rights: 'Allow log on locally' and 'Allow log on through Remote Desktop Services'. When a server joins a domain, Domain Users is normally added to the local Users group, so a standard domain user would ordinarily inherit the local logon right. The reported symptom is only consistent with the GPO results showing 'Allow log on locally' held by Administrators and Users while jdoe belongs to neither (for example because Domain Users was removed from the local Users group, or a GPO replaced that group's membership), and with the RDP right having been granted to some group that does include jdoe.

The most direct reason is therefore that the user is not a member of either the local Users group or the local Administrators group, the only groups the policy grants local logon to.

Exam trap

The trap is assuming Domain Users always have local logon on every domain-joined server. A GPO can change who holds 'Allow log on locally' or who is in the local Users group, and once Domain Users drops out of that set every standard user loses console logon while any separately granted RDP right keeps working.

How to eliminate wrong answers

Option A is wrong because the stem states that jdoe is not in Remote Desktop Users; RDP works because the 'Allow log on through Remote Desktop Services' right must have been granted to another group jdoe belongs to, and membership in Remote Desktop Users would not block local logon in any case. Option C is wrong because nothing in the GPO results places jdoe in a group listed under 'Deny log on locally'; a deny right overrides an allow and would be visible in the exhibit if it applied. Option D is wrong because the user can log on over RDP, so no 'Deny log on through Remote Desktop Services' applies; the problem is confined to local logon.

650
Multi-Selectmedium

During a forensic investigation, which TWO of the following are essential steps to maintain chain of custody?

Select 2 answers
A.Storing evidence on a shared network drive
B.Encrypting the evidence file to prevent viewing
C.Labeling evidence with date, time, and collector's name
D.Performing a hash of the evidence immediately
E.Documenting each person who handled the evidence
AnswersC, E

Labeling and an unbroken record of custodians are what make a chain of custody defensible.

Why this answer

Chain of custody is the documented, continuous record of an item's collection and every subsequent handling: what was collected, by whom and when, and each transfer from one custodian to the next, signed by both parties. Labeling (C) ties the physical item to that record; documenting every handler (E) shows there was no gap in which the item could have been altered. Hashing the evidence (D) is an integrity control that is normally recorded alongside the custody log and re-checked at each handoff, but it is not itself the chain of custody; encrypting the file (B) does not track handling; and a shared network drive (A) destroys both access control and provenance.
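How the custody record, the label and the integrity hash fit together, as an added example that is not the page's own and not from any forensic toolkit: a record that carries the label, logs every handoff with the current custodian, flags a transfer from anyone other than the current custodian as a gap in the chain, and re-verifies the acquisition hash at each transfer. The case number, names, timestamps and the stand-in evidence bytes are constructed.

```python
# Added example: chain-of-custody record with per-handoff hash verification.
# Case number, people, timestamps and evidence bytes are constructed.
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Label plus an append-only handoff log for one evidence item."""

    def __init__(self, case_id, item_id, description, collector, collected_at, data):
        self.label = {"case": case_id, "item": item_id, "description": description,
                      "collected_by": collector, "collected_at": collected_at}
        # Computed at seizure, before any handoff; every later check compares to this.
        self.acquisition_hash = sha256_hex(data)
        self.entries = [{"event": "collected", "from": None, "to": collector,
                         "when": collected_at, "hash": self.acquisition_hash,
                         "verified": True, "gap": False, "note": "acquisition hash recorded"}]

    @property
    def custodian(self):
        return self.entries[-1]["to"]

    def transfer(self, from_person, to_person, when, data, note=""):
        """Log a handoff; returns True only if the chain is unbroken and the hash matches."""
        gap = from_person != self.custodian          # someone other than the holder handed it over
        h = sha256_hex(data)
        verified = h == self.acquisition_hash
        self.entries.append({"event": "transfer", "from": from_person, "to": to_person,
                             "when": when, "hash": h, "verified": verified, "gap": gap,
                             "note": note or ("CHAIN GAP" if gap else "")})
        return verified and not gap

    def intact(self) -> bool:
        return all(e["verified"] and not e["gap"] for e in self.entries)

    def custodians(self):
        return [e["to"] for e in self.entries]


# Constructed evidence: a stand-in for a disk image, and a copy altered by one byte.
IMAGE = b"constructed disk image bytes, case 2024-0117, item 3\n" * 64
TAMPERED = IMAGE[:-1] + b"X"

if __name__ == "__main__":
    rec = CustodyRecord("2024-0117", "item-3", "laptop SSD image", "a.lee",
                        "2024-03-04T10:12:00Z", IMAGE)
    rec.transfer("a.lee", "b.ortiz", "2024-03-04T14:00:00Z", IMAGE, "sealed bag #44")
    rec.transfer("b.ortiz", "lab", "2024-03-05T09:00:00Z", TAMPERED)
    for e in rec.entries:
        print(e)
    print("intact:", rec.intact())
```

In practice the log is signed or kept in a write-once system, and the hash is taken at acquisition with a write blocker in place; a mismatch or a gap at any step is what opposing counsel will use to challenge the evidence.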

651
Multi-Selecthard

A company is designing a disaster recovery strategy for its e-commerce platform. The platform requires an RTO of 2 hours and an RPO of 15 minutes. Which TWO strategies would BEST meet these requirements?

Select 2 answers
A.Tape backup restoration
B.Cloud DR with continuous data replication
C.Cold site
D.Hot site with real-time replication
E.Warm site
AnswersB, D

Continuous replication satisfies the 15-minute RPO, and a site that is already built satisfies the 2-hour RTO.

Why this answer

A 15-minute RPO means at most 15 minutes of transactions may be lost, which requires continuous or near-continuous replication, and a 2-hour RTO means the replacement environment must already be built and ready to take load. A hot site with real-time replication (D) and a cloud DR environment with continuous replication that can be scaled up on demand (B) both meet that bar. Tape restoration (A) typically loses hours to a day of data and takes longer than two hours to restore; a cold site (C) has no equipment or data staged and takes days to bring up; a warm site (E) has hardware in place but relies on periodic data shipments, so it usually misses the RPO and often the RTO as well.

652
MCQeasy

A data classification scheme includes Public, Internal, Confidential, and Restricted. Which classification requires the highest level of protection?

A.Restricted
B.Internal
C.Public
D.Confidential
AnswerA

Restricted is the highest classification, requiring maximum protection.

Why this answer

Restricted is the highest classification level in this scheme, indicating data that would cause severe damage to the organization if disclosed. It requires the strongest access controls, encryption (e.g., AES-256 for data at rest, TLS 1.3 for data in transit), and strict need-to-know policies. This aligns with the principle of protecting data based on its sensitivity and the potential impact of unauthorized disclosure.

Exam trap

The trap here is that candidates often confuse 'Confidential' with the highest level because it sounds more restrictive than 'Restricted', but in this scheme 'Restricted' is explicitly the top tier, requiring the most stringent controls.

How to eliminate wrong answers

Option B (Internal) is wrong because Internal data is intended for internal use only but does not require the highest level of protection; its compromise would cause moderate damage, not severe. Option C (Public) is wrong because Public data is intended for unrestricted disclosure and requires the lowest level of protection, often with no access controls. Option D (Confidential) is wrong because Confidential data requires a high level of protection but is still below Restricted; its compromise would cause serious damage, but not the most severe impact.

653
MCQmedium

A security analyst observes a network attack where an attacker sends forged ARP messages to associate the attacker's MAC address with the IP address of the default gateway. This attack occurs at which layer of the OSI model?

A.Layer 3 – Network
B.Layer 1 – Physical
C.Layer 4 – Transport
D.Layer 2 – Data Link
Answer: D

ARP operates at Layer 2, and ARP spoofing manipulates MAC-to-IP mappings.

Why this answer

ARP operates at Layer 2 (Data Link) because it maps IP addresses (Layer 3) to MAC addresses (Layer 2) and is encapsulated directly within an Ethernet frame, not an IP packet. The attack described—ARP spoofing—forges ARP replies to poison the target's ARP cache, which is a Layer 2 function. Therefore, the attack occurs at Layer 2 of the OSI model.

Exam trap

The trap here is that candidates see 'IP address' in the question and incorrectly associate it with Layer 3 (Network), forgetting that ARP is a Layer 2 protocol that resolves Layer 3 addresses to Layer 2 addresses.

How to eliminate wrong answers

Option A is wrong because Layer 3 (Network) handles IP routing and packet forwarding, not MAC address resolution; ARP is not an IP protocol and does not use IP headers. Option B is wrong because Layer 1 (Physical) deals with raw bit transmission over media (e.g., voltage, cables), not with logical addressing or frame-level manipulation. Option C is wrong because Layer 4 (Transport) manages end-to-end communication (e.g., TCP/UDP ports, segmentation), and ARP has no concept of ports or transport-layer headers.
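The point of the explanation above is that ARP rides directly inside an Ethernet frame (EtherType 0x0806) with no IP header, which is why an ARP-cache-poisoning attack is a Layer 2 event. The following is an added example, not code from the question bank: it parses constructed Ethernet/ARP frames and flags an ARP reply that claims the default gateway's IP with an unexpected MAC, the kind of check a host-based or network monitor would run. The gateway address, MACs and frames are constructed sample values.

```python
import socket
import struct

# Added example (not from the page). Frames are constructed sample data, not captured traffic.
ETHERTYPE_ARP = 0x0806   # EtherType that identifies an ARP payload in an Ethernet II header
ARP_REPLY = 2            # ARP opcode for a reply


def mac_str(mac_bytes):
    """Render 6 raw bytes as a colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in mac_bytes)


def build_arp_frame(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II frame carrying an ARP packet (used only to construct sample input).
    MACs are 6-byte values; IPs are dotted-quad strings."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,       # HTYPE: Ethernet
                      0x0800,  # PTYPE: IPv4 (the Layer 3 address being resolved)
                      6, 4,    # HLEN, PLEN
                      op,
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if the frame is not ARP.
    The ARP packet starts at byte 14, immediately after the Ethernet header:
    there is no IP header in between, which is what makes ARP a Layer 2 protocol."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    _htype, _ptype, _hlen, _plen, op, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_src": mac_str(src),
        "op": op,
        "sender_mac": mac_str(smac),
        "sender_ip": socket.inet_ntoa(sip),
        "target_mac": mac_str(tmac),
        "target_ip": socket.inet_ntoa(tip),
    }


def check_gateway_binding(frames, gateway_ip, gateway_mac):
    """Flag ARP replies that map the gateway IP to a MAC other than the known one."""
    alerts = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        if arp["sender_ip"] == gateway_ip and arp["sender_mac"] != gateway_mac:
            alerts.append(f"ARP reply maps gateway {gateway_ip} to {arp['sender_mac']} "
                          f"(expected {gateway_mac}); frame source {arp['eth_src']}")
    return alerts


# Constructed sample values (documentation range 192.0.2.0/24, locally administered MACs).
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = bytes.fromhex("02aa00000001")
HOST_MAC = bytes.fromhex("02aa00000010")
OTHER_MAC = bytes.fromhex("02aa0000dead")

SAMPLE_FRAMES = [
    # Legitimate reply: the real gateway answers with its own MAC.
    build_arp_frame(HOST_MAC, GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, "192.0.2.10"),
    # Forged reply: another station claims the gateway IP with a different MAC.
    build_arp_frame(HOST_MAC, OTHER_MAC, ARP_REPLY, OTHER_MAC, GATEWAY_IP, HOST_MAC, "192.0.2.10"),
]

if __name__ == "__main__":
    for alert in check_gateway_binding(SAMPLE_FRAMES, GATEWAY_IP, mac_str(GATEWAY_MAC)):
        print("ALERT:", alert)
```

Only the second frame produces an alert; the known gateway binding is the reference a monitor compares against, which is the same idea behind static ARP entries and switch features such as Dynamic ARP Inspection.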

654
MCQ · medium

Refer to the exhibit. An auditor identifies a non-compliance issue regarding the cryptographic key lifecycle. Which policy requirement has been violated?

A.Encrypted backup requirement
B.HSM storage requirement
C.Key destruction upon compromise
D.Key rotation interval
Answer: A

The policy requires encrypted backup, but the key was stored in plaintext.

Why this answer

The policy states that backup must be encrypted. The key was exported to a plaintext file on an unencrypted backup server, violating the confidentiality requirement. The key was also restored and continued in use, which may be acceptable if it was not compromised, but the backup method is non-compliant.

655
Multi-Select · easy

Which TWO of the following are key elements of a disaster recovery plan (DRP)?

Select 2 answers
A.Communication and notification procedures
B.Standard operating procedures for daily tasks
C.Patch management schedules
D.Recovery priorities and order of restoration
E.Business impact analysis (BIA) results
Answers: A, D

Essential for coordinating recovery.

Why this answer

A and D are correct. A is correct because a DRP must include communication procedures to notify stakeholders. D is correct because the DRP should outline the order in which systems are restored (recovery priorities).

B is incorrect because the DRP is not focused on daily operations but on recovery. C is incorrect because patch management is part of ongoing maintenance. E is incorrect because the BIA itself is separate, though its outputs inform the DRP.

656
MCQ · easy

An analyst reviews the exhibit showing Windows security event logs. What activity should be investigated as a potential data exfiltration attempt?

A.The user reading the PII file at 09:23:45
B.The sequence of events on the same file by the same user
C.The user deleting the PII file at 09:25:00 using cmd.exe
D.The user writing to the PII file at 09:24:10
Answer: C

Deleting a PII file using command prompt is unusual and could indicate an attempt to cover tracks.

Why this answer

Option C is correct because deleting a PII file via cmd.exe (command-line interface) shortly after reading and writing to it is a classic indicator of data exfiltration. The attacker likely read the sensitive data, wrote a copy or staged it, then used cmd.exe to delete the original file to cover tracks and avoid detection by file access audits. This sequence—read, write, delete via command line—is anomalous for normal user behavior and strongly suggests intentional removal of evidence after data theft.

Exam trap

The trap here is that candidates focus on the individual actions (read, write, delete) rather than the sequence and the tool used (cmd.exe), missing that the combination of read, write, and command-line deletion is the hallmark of a data exfiltration attempt.

How to eliminate wrong answers

Option A is wrong because reading a PII file at 09:23:45 is a normal business activity and does not alone indicate exfiltration; many users legitimately access sensitive files. Option B is wrong because a sequence of events on the same file by the same user is not inherently suspicious—it could be routine editing or review; the specific combination of read, write, and delete via cmd.exe is what raises concern. Option D is wrong because writing to a PII file at 09:24:10 could be legitimate modification or saving work; without the subsequent anomalous deletion via command line, it is not a clear exfiltration attempt.

657
MCQ · hard

A development team is fixing a stored cross-site scripting (XSS) vulnerability in a web application that displays user comments. The application stores comments in a database and renders them in HTML. Which of the following is the most secure approach to prevent XSS?

A.Use Content Security Policy (CSP) headers to restrict script execution
B.Sanitize input by removing all HTML tags before storing
C.Apply output encoding based on the context (e.g., HTML entity encoding)
D.Store comments in a separate domain to isolate them
Answer: C

Context-aware encoding prevents script execution.

Why this answer

Output encoding (C) is the most secure approach because it neutralizes malicious scripts at the point of rendering, ensuring that user-controlled data is treated as text rather than executable code. For HTML contexts, HTML entity encoding (e.g., rendering `<script>` as `&lt;script&gt;`) prevents the browser from interpreting injected tags, regardless of how the data was stored. This aligns with the defense-in-depth principle and is the primary mitigation for stored XSS as recommended by OWASP.

Exam trap

The exam often tests the misconception that input sanitization (removing tags) is the best approach, but the CISSP emphasizes that output encoding is the definitive control because it works regardless of how data enters the system and preserves data integrity for legitimate use.

How to eliminate wrong answers

Option A is wrong because CSP is a defense-in-depth layer that can restrict script execution, but it does not fix the root cause—malicious data remains in the database and could still be exploited if CSP is misconfigured or bypassed (e.g., via JSONP or older browser versions). Option B is wrong because removing all HTML tags before storing destroys legitimate formatting (e.g., bold, lists) and is overly restrictive; a more nuanced sanitization (e.g., whitelist-based) is possible, but output encoding is still needed as a final safeguard. Option D is wrong because storing comments on a separate domain does not prevent XSS—the comments are still rendered in the original application's HTML context, and the same-origin policy does not block script execution from injected content.
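"Context-aware" is the operative word in the answer above: the encoding that is safe in an HTML text node is not the one needed inside an attribute, a script block or a URL parameter. The block below is an added example written for this page, not code from the question bank or from any framework; it shows the raw-interpolation pattern that stored XSS exploits beside the encoded renderers for the comment body and, going beyond the question, for three other output contexts. The function names and the `comment` CSS class are assumptions made for the example.

```python
import html
import json
import urllib.parse

# Added example (not from the page): output encoding chosen per rendering context.


def render_comment_unsafe(comment):
    """'Before' pattern: raw interpolation into HTML. Stored data such as
    '<script>...</script>' is parsed as markup, which is the stored XSS the question describes."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment):
    """HTML body context: entity-encode &, <, >, " and ' so the browser treats
    the comment as text. This is the 'after' for the question's scenario."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute(author):
    """HTML attribute context: the attribute must be quoted AND quotes must be
    encoded, otherwise a value containing '"' could break out and add new attributes."""
    return f'<a data-author="{html.escape(author, quote=True)}">profile</a>'


def render_js_data(obj):
    """JavaScript data context (e.g. a JSON blob embedded in a <script> tag):
    JSON-encode, then escape '<' so a value containing '</script>' cannot close the tag."""
    return json.dumps(obj).replace("<", "\\u003c")


def render_url_param(query):
    """URL query context: percent-encode everything, including '&' and '='."""
    return "/search?q=" + urllib.parse.quote(query, safe="")


if __name__ == "__main__":
    # Constructed sample input: a classic stored-XSS style comment.
    sample = "<script>alert(1)</script> nice post"
    print("unsafe :", render_comment_unsafe(sample))
    print("encoded:", render_comment(sample))
    print("attr   :", render_attribute('" onmouseover="x'))
    print("js     :", render_js_data({"comment": "</script><script>1</script>"}))
    print("url    :", render_url_param("a b&c=d"))
```

The encoded output still carries the full original text, which is why output encoding preserves data integrity where tag-stripping at input time does not; the same stored string can later be emitted safely into any of the four contexts by choosing the matching encoder.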

658
Multi-Select · medium

Which TWO are examples of administrative controls in an information security program?

Select 2 answers
A.Background checks
B.Encryption algorithms
C.Security awareness training
D.Firewall rules
E.Access control lists (ACLs)
Answers: A, C

Background checks are administrative, part of personnel security.

Why this answer

Background checks are an administrative control because they are part of the personnel security policy and procedures that manage human risk. They are implemented through HR processes and documented policies, not through technical systems, and they help verify the trustworthiness of individuals before granting access to sensitive information.

Exam trap

The trap here is that candidates often confuse administrative controls with technical controls, mistakenly thinking that any security measure that 'controls' access (like ACLs or firewall rules) is administrative, when in fact they are technical controls implemented in systems.

659
Multi-Select · easy

Which TWO of the following are principles of the data minimization concept under privacy regulations such as GDPR?

Select 2 answers
A.Ensure personal data is accurate and kept up to date
B.Collect only the personal data that is directly relevant and necessary for the specified purpose
C.Store personal data for as long as possible for future analysis
D.Limit the processing of personal data to only what is necessary for the intended purpose
E.Provide individuals with access to their data upon request
Answers: B, D

This is the core of data minimization.

Why this answer

Option B is correct because data minimization under GDPR (Article 5(1)(c)) requires that personal data collected be 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.' This principle directly mandates collecting only the data that is directly relevant and necessary for the specified purpose, preventing over-collection and reducing privacy risk.

Exam trap

ISC2 often tests the distinction between the seven GDPR principles (lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability) and the data subject rights (access, rectification, erasure, etc.), so candidates mistakenly select a right like access as a minimization principle.

660
Multi-Select · hard

Which TWO of the following are differences between OAuth 2.0 and OpenID Connect (OIDC)?

Select 2 answers
A.OAuth 2.0 supports device code grant, OIDC does not
B.OAuth 2.0 is for authorization, while OIDC is for authentication
C.OIDC is XML-based, while OAuth 2.0 is JSON-based
D.OIDC uses JSON Web Tokens (JWT) for ID tokens, while OAuth 2.0 does not define a token format
E.OAuth 2.0 requires a client secret, OIDC does not
Answers: B, D

OAuth 2.0 grants access, OIDC authenticates users.

Why this answer

Option B is correct because OAuth 2.0 is fundamentally an authorization framework (RFC 6749) that grants delegated access to resources, while OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0 (specified in OpenID Connect Core 1.0) that verifies the end-user's identity. OIDC extends OAuth 2.0 by adding an ID token (a JWT) that contains claims about the authenticated user, whereas OAuth 2.0 alone does not provide identity information.

Exam trap

The exam often tests the misconception that OAuth 2.0 is for authentication and OIDC is for authorization, or that they are interchangeable, when in fact OAuth 2.0 is strictly authorization and OIDC is authentication built on top of it.

661
MCQ · hard

An organization is migrating to a new application that uses serialized objects to transfer data between services. The security team is concerned about insecure deserialization attacks. Which of the following controls is most effective in preventing deserialization vulnerabilities?

A.Applying cryptographic integrity checks (e.g., HMAC) to serialized objects
B.Implementing input validation on deserialized data
C.Using an allowlist of classes allowed to be deserialized
D.Running deserialization in a sandboxed environment
Answer: A

Integrity checks verify that the data hasn't been altered.

Why this answer

Integrity checks (e.g., digital signatures) ensure that serialized data has not been tampered with, preventing malicious objects from being deserialized.
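What makes an integrity check effective here is the ordering: the tag is verified over the raw serialized bytes before anything is handed to a deserializer, so an attacker-modified object is rejected without ever being parsed. The following is an added example written for this page, not code from the question bank or any library: it seals an object with an HMAC-SHA256 tag, verifies it in constant time, and only then deserializes. JSON is used as the serialization format, and `DEMO_KEY` is a constructed sample key rather than a real secret.

```python
import hashlib
import hmac
import json

# Added example (not from the page). The HMAC tag is computed over the serialized bytes
# by the producer and verified by the consumer BEFORE deserialization, so tampered or
# attacker-crafted payloads never reach the parser. DEMO_KEY is a constructed sample key.
TAG_LEN = 32  # SHA-256 digest length in bytes
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


class IntegrityError(Exception):
    """Raised when the MAC over a serialized object does not verify."""


def seal(obj, key):
    """Serialize obj deterministically and prepend an HMAC-SHA256 tag: tag || payload."""
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def is_authentic(blob, key):
    """Constant-time check that the leading tag matches the payload under key."""
    if len(blob) < TAG_LEN:
        return False
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking where the first differing byte is through timing.
    return hmac.compare_digest(tag, expected)


def unseal(blob, key):
    """Verify first, deserialize second; never the other way round."""
    if not is_authentic(blob, key):
        raise IntegrityError("MAC mismatch: payload rejected before deserialization")
    return json.loads(blob[TAG_LEN:].decode("utf-8"))


if __name__ == "__main__":
    blob = seal({"user": "alice", "role": "viewer"}, DEMO_KEY)
    print("verified object:", unseal(blob, DEMO_KEY))
    # Simulate in-transit modification of the serialized bytes (the tag no longer matches).
    tampered = blob[:TAG_LEN] + blob[TAG_LEN:].replace(b"viewer", b"admin")
    print("tampered payload authentic?", is_authentic(tampered, DEMO_KEY))
```

The key must be shared only between the services that legitimately exchange objects; a producer-held signing key with a public verification key (a digital signature, as the explanation mentions) gives the same before-parse rejection when the consumer should not be able to mint payloads itself.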

662
MCQ · medium

A network administrator is deploying a wireless network for a small business and wants to ensure strong security. Which of the following is the best choice for authentication in a WPA3 Personal network?

A.EAP-TLS
B.TKIP
C.Simultaneous Authentication of Equals (SAE)
D.Pre-shared key (PSK)
Answer: C

SAE provides forward secrecy and protects against offline dictionary attacks.

Why this answer

Simultaneous Authentication of Equals (SAE) is the correct choice because WPA3 Personal replaces the vulnerable Pre-Shared Key (PSK) handshake with SAE, which provides a secure key exchange resistant to offline dictionary attacks. SAE uses a Dragonfly handshake based on a zero-knowledge proof, ensuring that even if an attacker captures the handshake, they cannot brute-force the password without being present for each guess.

Exam trap

The trap here is that candidates often confuse WPA2 Personal (PSK) with WPA3 Personal, assuming PSK is still acceptable, but the exam expects you to know that WPA3 Personal mandates SAE as the authentication method, not PSK.

How to eliminate wrong answers

Option A is wrong because EAP-TLS is an enterprise authentication method requiring a RADIUS server and client certificates, which is overkill and not designed for WPA3 Personal (home/small business) mode. Option B is wrong because TKIP is a legacy encryption protocol deprecated by Wi-Fi Alliance since 2012; it is not used in WPA3 and is vulnerable to attacks like MIC key recovery. Option D is wrong because Pre-shared key (PSK) is the WPA2 Personal method that uses a 4-way handshake vulnerable to offline dictionary attacks, whereas WPA3 Personal mandates SAE to eliminate that vulnerability.

663
MCQ · medium

Refer to the exhibit. An application running on this server uses HTTPS (port 443). What is the most likely impact of the current firewall rules on the application?

A.Clients will only be able to connect from IP addresses in the 10.0.0.0/8 range.
B.The application will function normally as HTTP is allowed.
C.Clients will be unable to connect to the application because HTTPS is not explicitly allowed.
D.All HTTPS traffic will be logged and then dropped.
Answer: C

Only port 80 is allowed; port 443 is blocked by the default DROP policy.

Why this answer

Option C is correct because the firewall rules only explicitly permit HTTP (port 80) and deny all other traffic by default. HTTPS uses port 443, which is not listed in the permitted rules, so the firewall will block the connection. Without an explicit allow rule for port 443, the application cannot function over HTTPS.

Exam trap

The trap here is that candidates assume HTTPS is a subset of HTTP or that allowing HTTP implicitly allows HTTPS, but they are separate TCP ports and require distinct firewall rules.

How to eliminate wrong answers

Option A is wrong because the exhibit does not show any source IP restriction; the rules allow HTTP from any source, not just 10.0.0.0/8. Option B is wrong because the application uses HTTPS (port 443), not HTTP (port 80); allowing HTTP does not enable HTTPS traffic. Option D is wrong because the firewall rules do not specify logging for HTTPS traffic; the default implicit deny will silently drop packets without logging unless a log action is explicitly configured.

664
Multi-Select · hard

Which THREE are essential elements of a Transport Layer Security (TLS) handshake? (Choose three.)

Select 3 answers
A.Key generation
B.Cipher suite negotiation
C.Certificate exchange
D.User authentication
E.Session ticket exchange
Answers: A, B, C

The handshake derives symmetric encryption keys.

Why this answer

Key generation is essential because during a TLS handshake, the client and server derive session keys from the pre-master secret established via asymmetric cryptography (e.g., RSA key transport or Diffie-Hellman key agreement). These keys are then used for symmetric encryption of the session, ensuring confidentiality and integrity. Without key generation, no secure communication channel can be established.

Exam trap

The trap here is that candidates often confuse optional features like session resumption (session tickets) or client authentication as mandatory handshake elements, when in fact the three essential components are cipher suite negotiation, certificate exchange, and key generation.

665
MCQ · medium

Refer to the exhibit. The file data.txt contains PII. What is the most likely security issue indicated by the logs?

A.The HTTP 200 status indicates the file is corrupted
B.The file permissions restrict access to root only
C.The file is being overwritten by unauthorized users
D.The file is being accessed by multiple IPs, potentially indicating data exfiltration
Answer: D

Multiple GET requests from different IPs to a PII file is suspicious.

Why this answer

The log shows the same file data.txt being accessed from multiple distinct IP addresses (10.0.0.1, 10.0.0.2, 10.0.0.3) with HTTP 200 success responses. This pattern of repeated successful reads from different sources is a classic indicator of data exfiltration, where an attacker or malicious insider is copying sensitive PII to multiple external hosts. The HTTP 200 status confirms the file was successfully retrieved each time, ruling out corruption or access failures.

Exam trap

The trap here is that candidates focus on the HTTP 200 status or file permissions as the issue, rather than recognizing that repeated successful reads from multiple IPs is the hallmark of data exfiltration.

How to eliminate wrong answers

Option A is wrong because an HTTP 200 status code means the request succeeded and the file was delivered intact, not corrupted; corruption would typically result in a 500-series error or checksum mismatch. Option B is wrong because the logs show successful reads (HTTP 200) from multiple IPs, which would be impossible if file permissions restricted access to root only; the file is clearly readable by the web server process. Option C is wrong because the logs show GET requests (reads), not PUT/POST/DELETE operations, so the file is being read, not overwritten; overwriting would require write operations and different HTTP methods.

666
Multi-Select · medium

According to the ISC2 Code of Ethics, which TWO canons are listed in the correct order of priority (highest to lowest)?

Select 2 answers
A.Protect society
B.Act honorably
C.Provide diligent service
D.Act honestly
E.Advance the profession
Answers: A, B

First canon.

Why this answer

The order is: Protect society; Act honorably; Provide diligent service; Advance the profession.

667
MCQ · easy

A small business wants to implement multifactor authentication (MFA) for remote access to its internal network. The solution must be cost-effective and easy to deploy. Which combination is most appropriate?

A.Fingerprint scanner and password
B.Password and one-time passcode sent via SMS
C.Smart card and PIN
D.Password and security questions
Answer: B

SMS OTP is inexpensive and easy to deploy.

Why this answer

Option B is correct because it combines a password (something you know) with a one-time passcode sent via SMS (something you have), satisfying the definition of multifactor authentication. SMS-based OTP is cost-effective and easy to deploy for a small business, as it requires no additional hardware or complex infrastructure, leveraging existing mobile networks.

Exam trap

The trap here is that candidates may incorrectly assume that any two different authentication methods automatically constitute MFA, forgetting that MFA requires factors from at least two distinct categories (knowledge, possession, inherence), and that cost-effectiveness and ease of deployment are key constraints in this scenario.

How to eliminate wrong answers

Option A is wrong because a fingerprint scanner (something you are) and a password (something you know) are two different factors, but fingerprint scanners are typically more expensive and complex to deploy, making them less cost-effective for a small business. Option C is wrong because a smart card (something you have) and a PIN (something you know) are two factors, but smart cards require card readers and provisioning infrastructure, increasing cost and deployment complexity. Option D is wrong because a password and security questions are both 'something you know' factors, which does not constitute multifactor authentication; security questions are a single factor and are often weak due to publicly discoverable answers.

668
MCQ · easy

A user calls the help desk because they cannot log in. The help desk technician confirms the user's identity by asking for their employee ID and mother's maiden name. Which of the following is the MOST significant security issue with this practice?

A.The user's mother's maiden name is not stored in the HR system.
B.The technician is using shared secrets that are not effective for strong authentication.
C.The help desk should be using multi-factor authentication.
D.The user's identity is being verified using information that is not unique to the user.
Answer: B

Mother's maiden name is a shared secret that can be easily obtained through social engineering.

Why this answer

Option B is correct because relying on shared secrets like mother's maiden name is weak authentication. Option D is incorrect because the information may be unique but is not secret. Option C is incorrect; while MFA is better, the most significant issue is the use of weak shared secrets.

Option A is incorrect; the information may still be stored.

669
MCQ · easy

A network administrator is configuring a firewall that examines the source and destination IP addresses, port numbers, and protocol (TCP/UDP) of each packet without considering the state of the connection. Which type of firewall is being deployed?

A.Packet filter firewall
B.Next-generation firewall
C.Stateful inspection firewall
D.Application proxy firewall
Answer: A

Packet filter firewalls are stateless and filter based on L3/L4 headers only.

Why this answer

A packet filter firewall operates at Layer 3 (Network) and Layer 4 (Transport) of the OSI model, making decisions based solely on static header fields such as source/destination IP addresses, port numbers, and protocol type (TCP/UDP). It does not track connection state or session context, which matches the description of examining each packet independently. This is the defining characteristic of a stateless packet filter, as opposed to stateful or application-layer firewalls.

Exam trap

The trap here is that candidates often confuse 'stateless packet filtering' with 'stateful inspection' because both examine IP/port/protocol, but the key differentiator is the lack of connection state tracking, which the question explicitly states by saying 'without considering the state of the connection.'

How to eliminate wrong answers

Option B is wrong because a next-generation firewall (NGFW) integrates deep packet inspection (DPI), intrusion prevention (IPS), and application-level awareness beyond simple header fields, which is not described in the scenario. Option C is wrong because a stateful inspection firewall maintains a connection state table and tracks the state of active sessions (e.g., TCP handshake sequence numbers), which the question explicitly says is not being considered. Option D is wrong because an application proxy firewall (or application-level gateway) terminates and re-creates connections at Layer 7, inspecting application payloads (e.g., HTTP, FTP commands), far exceeding the simple header-only examination described.

670
MCQ · easy

Which of the following is a primary benefit of using an application programming interface (API) gateway in a microservices architecture from a security perspective?

A.It eliminates the need for encryption
B.It replaces the need for a web application firewall
C.It allows direct database access to services
D.It provides a centralized point for authentication and rate limiting
Answer: D

API gateways enforce security policies centrally.

Why this answer

An API gateway acts as a single entry point for all client requests in a microservices architecture. It centralizes cross-cutting security concerns such as authentication (e.g., validating OAuth 2.0 tokens or JWT) and rate limiting (e.g., enforcing requests per second per client), offloading these tasks from individual microservices. This reduces attack surface and ensures consistent enforcement of security policies across the entire system.

Exam trap

The trap here is that candidates may assume an API gateway provides comprehensive security (like a WAF) or replaces encryption, when in fact it is a centralized policy enforcement point for authentication and traffic management, not a substitute for dedicated security controls like encryption or a WAF.

How to eliminate wrong answers

Option A is wrong because an API gateway does not eliminate the need for encryption; in fact, it typically terminates TLS (e.g., HTTPS) and may require encryption between the gateway and backend services (e.g., mTLS). Option B is wrong because an API gateway does not replace a web application firewall (WAF); a WAF provides deep packet inspection for application-layer attacks (e.g., SQL injection, XSS) at Layer 7, which an API gateway is not designed to perform. Option C is wrong because an API gateway does not allow direct database access to services; it routes requests to microservices, which themselves should access databases through controlled interfaces, not directly expose databases to clients.

671
Multi-Select · easy

Which TWO of the following are valid reasons to implement network segmentation?

Select 2 answers
A.To isolate sensitive data and systems from the rest of the network.
B.To eliminate single points of failure.
C.To contain broadcast traffic and improve performance.
D.To reduce network latency.
E.To simplify routing tables.
Answers: A, C

Limits exposure of critical assets.

Why this answer

Network segmentation isolates sensitive data and systems by creating separate broadcast domains or VLANs, restricting unauthorized access and lateral movement. This is a core security principle for protecting critical assets, as it limits the attack surface and enforces access controls between segments.

Exam trap

The trap here is that candidates confuse network segmentation with performance optimization techniques like load balancing or redundancy, leading them to incorrectly select options that address latency or fault tolerance rather than the primary security and broadcast containment benefits.

672
Multi-Select · hard

A company is preparing for a PCI DSS assessment. Which TWO of the following are likely to be required as part of the assessment?

Select 2 answers
A.Monthly internal vulnerability scans
B.SOC 2 Type II report
C.Annual penetration test of all systems
D.Annual on-site assessment by a QSA
E.Quarterly external vulnerability scans by an ASV
Answers: D, E

PCI DSS requires an annual on-site assessment by a Qualified Security Assessor.

Why this answer

PCI DSS requires external ASV vulnerability scans quarterly and an annual on-site assessment by a QSA.

673
Multi-Select · medium

Which TWO of the following are examples of non-repudiation controls? (Select two)

Select 2 answers
A.Firewall rules
B.Encryption of data at rest
C.Audit logs with timestamps
D.Digital signatures
E.Biometric authentication
Answers: C, D

Audit logs create a record of events that can be used to prove actions.

Why this answer

Non-repudiation ensures that a party cannot deny an action. Digital signatures and audit logs with timestamps provide evidence of actions.

674
MCQ · easy

What is the primary purpose of a Web Application Firewall (WAF) in a deployment environment?

A.Encrypting all web traffic
B.Filtering malicious HTTP traffic
C.Managing user authentication
D.Performing vulnerability scanning
Answer: B

WAF inspects and blocks malicious requests.

Why this answer

A WAF filters, monitors, and blocks HTTP traffic to and from a web application. It helps protect against common web attacks like SQL injection, XSS, and CSRF by analyzing traffic at the application layer.

675
MCQ · medium

During an incident, a forensic analyst needs to preserve volatile data from a live Windows server. Which command should be used first to collect memory and network connection information?

A.Run ipconfig /all
B.Run tasklist /v
C.Use a forensic tool to capture the contents of RAM
D.Perform a clean shutdown
Answer: C

Memory is the most volatile data.

Why this answer

Option C is correct because volatile data, such as the contents of RAM, is lost when the system is powered off. Capturing RAM first preserves critical evidence like running processes, network connections, and encryption keys. Network connection information can be extracted from the memory dump, so a dedicated forensic tool (e.g., FTK Imager, WinPmem) is the priority before any command-line queries that alter system state.

Exam trap

The trap here is that candidates often choose ipconfig or tasklist because they are familiar Windows commands, but they fail to recognize that these commands do not capture the most volatile data (RAM) and can alter the system state, violating the order of volatility.

How to eliminate wrong answers

Option A is wrong because ipconfig /all only displays static network configuration (IP addresses, DNS servers) and does not capture volatile memory or active network connections; it alters the system state only minimally, but it is not the first priority. Option B is wrong because tasklist /v lists running processes but does not capture memory contents or network connections, and it can alter the state of the system by interacting with the process list. Option D is wrong because performing a clean shutdown destroys all volatile data in RAM, including network connections and process information, which is the opposite of preservation.
