CISSP · topic practice

Security Architecture and Engineering practice questions

Practise Certified Information Systems Security Professional (CISSP) Security Architecture and Engineering questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Architecture and Engineering

What the exam tests

What to know about Security Architecture and Engineering

Security Architecture and Engineering questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Architecture and Engineering exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Architecture and Engineering questions

A security architect is designing a system for a military intelligence agency where data classification labels (Top Secret, Secret, Confidential, Unclassified) are mandatory. Users are cleared to a specific level and must not read data above their clearance. Which security model enforces this type of access control?

A financial application requires strict integrity controls to prevent unauthorized modifications. The security team implements a model where users cannot write data to higher integrity levels (no write up) and cannot read data from lower integrity levels (no read down). Which model is being applied?

Question 3 · easy · multiple choice

Which access control model allows data owners to grant or revoke access to resources they own, typically implemented using ACLs?

A security architect is selecting a cryptographic algorithm for encrypting data at rest in a backup system. The system requires strong security with a block cipher, and the organization mandates using a NIST-approved algorithm with key sizes of 128, 192, or 256 bits. Which algorithm should be selected?

An organization is implementing a PKI for internal use. To ensure that certificate revocation status is checked in real-time without relying on periodic CRL downloads, which mechanism should be used?

A security engineer is analyzing a vulnerability where an attacker can cause a buffer overflow on the stack. Which mitigation technique randomizes memory addresses to make it harder for the attacker to predict the location of shellcode or return addresses?

Which of the following is a primary function of a Trusted Platform Module (TPM)?

Question 8 · medium · multiple choice

A security architect is evaluating hypervisor security for a multi-tenant cloud environment. Which type of hypervisor is considered more secure because it runs directly on the hardware without a host operating system, reducing the attack surface?

Which physical security design principle emphasizes that the physical environment should be designed to discourage criminal activity by using natural surveillance, access control, and territorial reinforcement?

A security analyst discovers that an application allows a user to read a file they just wrote before the file's integrity is verified, due to a gap between the time of check and time of use. This is an example of which vulnerability?

A security architect is designing a system that must prevent conflicts of interest when a consultant works for two competing clients. Which security model ensures that the consultant cannot access data from one client if they have already accessed data from the other?

Which component of a trusted computing base (TCB) implements the reference monitor concept by enforcing access control decisions for all subjects and objects in the system?

A security architect is evaluating access control models for a healthcare system where users have specific roles (e.g., doctor, nurse, admin) and permissions are assigned based on those roles. However, the architect also wants to incorporate attributes such as time of day, patient consent status, and device type. Which TWO models should be combined to meet these requirements?

A security engineer is investigating a covert channel in a system. Which TWO types of covert channels could be used to leak information from a high-security to a low-security process?

An organization is implementing a defense-in-depth strategy for a data center. Which THREE of the following are examples of physical security controls that align with layered defense?

A government agency requires a security model that prevents users from reading documents at a higher classification level and from writing to documents at a lower classification level. Which model enforces these constraints?

An organization implements a security model where users can only read objects at or below their security clearance, and can only write to objects at or above their clearance. This model primarily ensures:

A financial institution must ensure that transactions are well-formed and enforce separation of duties to prevent fraud. Which security model best addresses these requirements?

Which access control model allows the owner of a resource to grant or deny access to other users?

An organization uses a system where access decisions are based on user attributes (e.g., job title, clearance), resource attributes (e.g., classification), and environmental factors (e.g., time of day). This is an example of:

Frequently asked questions

What does the CISSP exam test about Security Architecture and Engineering?
Security Architecture and Engineering questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Security Architecture and Engineering questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Architecture and Engineering domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.