CISSP · topic practice

Security Architecture and Engineering practice questions

Practise Certified Information Systems Security Professional (CISSP) Security Architecture and Engineering questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Architecture and Engineering

What the exam tests

What to know about Security Architecture and Engineering

Security Architecture and Engineering questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Architecture and Engineering exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Architecture and Engineering questions

20 questions · select your answer, then reveal the explanation

An organization is implementing a hardware security module (HSM) to manage cryptographic keys. The security architect requires that keys be backed up securely and that the backup process ensures the same level of protection as the primary key storage. Which backup method best meets this requirement?

A security architect is designing a secure enclave for processing highly sensitive data. The architecture must ensure that even if the operating system is compromised, the enclave's memory contents remain confidential and integrity-protected. Which technology should be used?

A company deploys a web application that uses TLS to protect data in transit. The security team discovers that the server supports TLS 1.0 and uses a 1024-bit RSA certificate. What is the most significant security concern?

An organization is implementing a bring-your-own-device (BYOD) policy. The security architect must ensure that corporate data on the device is protected from unauthorized access if the device is lost or stolen, while minimizing impact on user privacy. Which solution is most appropriate?

A security architect is reviewing a system that uses a microkernel operating system. The architect is concerned about potential side-channel attacks between processes. Which mitigation is most effective at the architecture level?

Question 6 · easy · multiple choice

A small business wants to implement multifactor authentication (MFA) for remote access to its internal network. The solution must be cost-effective and easy to deploy. Which combination is most appropriate?

An organization is designing a disaster recovery site. The primary data center is located in a region prone to earthquakes. The recovery site must be far enough away to avoid the same seismic zone but close enough to minimize latency. Which site selection criterion is most important?

Which TWO of the following are principles of the Bell-LaPadula security model?

Which THREE of the following are valid countermeasures against buffer overflow attacks?

Which TWO of the following are examples of physical security controls?

Question 11 · hard · multiple choice

A financial services company has a hybrid cloud environment with on-premises servers and a public cloud provider. The security team recently discovered that an attacker exfiltrated sensitive customer data from a cloud storage bucket. The investigation reveals that the bucket was configured with a bucket policy that allowed anonymous read access. The security architect must redesign the architecture to prevent such incidents. The company uses AWS for cloud services. The architect proposes the following: (1) Enable AWS CloudTrail and Amazon GuardDuty for monitoring. (2) Implement AWS Identity and Access Management (IAM) roles for applications instead of long-term access keys. (3) Use AWS Key Management Service (KMS) to encrypt data at rest. (4) Configure a VPC with a NAT gateway and private subnets for all compute resources. (5) Implement S3 bucket policies that deny all access unless explicitly allowed by a specific IAM role. During a review, the chief information security officer (CISO) points out that one of these measures does not directly address the root cause of the incident. Which measure is least effective in preventing unauthorized access to S3 buckets?

Question 12 · medium · drag order

Drag and drop the steps for setting up a VPN using IPsec in tunnel mode in the correct order.

Match each PKI component to its function.

Issues and revokes certificates

Verifies identity before certificate issuance

List of revoked certificates

Binds a public key to an identity

A security architect is evaluating security models for a multilevel secure system. Which model enforces the * property (no write down) and is typically used for confidentiality?

Which of the following is a primary benefit of using an application programming interface (API) gateway in a microservices architecture from a security perspective?

An organization requires that all data stored in a cloud object storage service be encrypted at rest using customer-managed keys. Which encryption option should be implemented?

In the context of physical security, which of the following is an example of a preventive control?

A company is implementing a secure software development lifecycle (SSDLC). Which of the following is a key activity during the design phase?

Which of the following describes the concept of 'least privilege' in the context of access control?

Question 20 · medium · multiple choice

A security engineer is designing a cryptographic solution to ensure data integrity and non-repudiation. Which combination should be used?

Frequently asked questions

What does the CISSP exam test about Security Architecture and Engineering?
Security Architecture and Engineering questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Architecture and Engineering questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Architecture and Engineering domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CISSP topics?
Use the topic links above to move to related areas, or go back to the CISSP question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CISSP exam covers. They are not copied from any real exam or dump site.