CISSP Official (ISC)2 Practice Tests
Full-length practice tests covering all CISSP domains for the ultimate in exam prep
The CISSP Official (ISC)2 Practice Tests is a major resource for CISSP candidates, providing 1300 unique practice questions. The first part of the book provides 100 questions per domain so you can practice on any domains you know you need to brush up on. After that, you get two unique 250-question practice exams to help you master the material and practice simulated exam taking well in advance of the exam. The two practice exams cover all exam domains, and are included in identical proportion to the exam itself to help you gauge the relative importance of each topic covered. As the only official practice tests endorsed by the (ISC)2, this book gives you the advantage of full and complete preparation: coverage includes Security and Risk Management; Asset Security; Security Engineering; Communication and Network Security; Identity and Access Management; Security Assessment and Testing; Security Operations; and Software Development Security. These practice tests align with the 2015 version of the exam to ensure up-to-date preparation, and are designed to simulate what you'll see on exam day.
The CISSP credential signifies a body of knowledge and a set of guaranteed skills that put you in demand in the marketplace. This book is your ticket to achieving this prestigious certification, by helping you test what you know against what you need to know.
- Align your preparation with the 2015 CISSP Body of Knowledge
- Test your knowledge of all exam domains
- Identify areas in need of further study
- Gauge your progress throughout your exam preparation
The Certified Information Systems Security Professional exam is refreshed every few years to ensure that candidates are up-to-date on the latest security topics and trends. Currently aligned preparation resources are critical, and periodic practice tests are one of the best ways to truly measure your level of understanding. The CISSP Official (ISC)2 Practice Tests is your secret weapon for success, and the ideal preparation tool for the savvy CISSP candidate.
Chapter 1 Security and Risk Management (Domain 1) 1
Chapter 2 Asset Security (Domain 2) 25
Chapter 3 Security Engineering (Domain 3) 47
Chapter 4 Communication and Network Security (Domain 4) 71
Chapter 5 Identity and Access Management (Domain 5) 93
Chapter 6 Security Assessment and Testing (Domain 6) 115
Chapter 7 Security Options (Domain 7) 137
Chapter 8 Software Development Security (Domain 8) 159
Chapter 9 Practice Test 1 183
Chapter 10 Practice Test 2 237
Appendix Answers to Review Questions 289
ABOUT THE AUTHORS
Mike Chapple, Ph.D., CISSP, is Senior Director for IT Service Delivery at the University of Notre Dame. In the past he was CIO of Brand Institute and an information security researcher with the NSA and USAF. His primary areas of expertise include network intrusion and access controls. Mike is the author of more than 25 books, including CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, 7th Edition.
David Seidl, CISSP, GPEN, GCIH, is the Senior Director for Campus Technology Services at the University of Notre Dame. During his IT career, he has served in a variety of technical and information security roles, including leading Notre Dame's information security team as Notre Dame's Director of Information Security. He currently teaches a popular course on networking and security for Notre Dame's Mendoza College of Business, and has written books on information security and cyberwarfare.
Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
Chapter 8, Page 63: Errata in Text
Add "to protect the application"? at the end of the question
Chapter 3, Page 67: Errata in Text
In answer choice D for question 86, the text currently reads:
Chapter 3, Page 68: Errata in Text
In Chap3/Q92, the text currently reads:
for more than a few minutes
It should read:
for an extended period of time
Chapter 3, Page 68: Errata in Text
In the body of question 92, the text currently reads:
"for more than a few minutes"
It should read:
"for an extended period of time"
Page 85: Errata in Text
The text currently reads in Chap4/Q65:
Chris needs to design a firewall architecture that can support separately a DMZ, a database, and a private internal network. What type of design should he use, and how many firewalls does he need?
It should read:
Chris needs to design a firewall architecture that can support a DMZ, a database, and a private internal network in a secure manner that separates each function. What type of design should he use, and how many firewalls does he need?
Chapter 5, Page 94: Errata in Text
In Chap5/Q2, the text currently reads:
Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim’s company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?
It should read:
Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim’s company does not have in-house identity management staff, and does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?
Rephrase question for greater clarity on this.
Chapter 5, Page 98: Errata in Text
In Chap5/Q19, the question and answer should read:
19. What tasks must the client perform before it can use the TGT?
A. It must generate a hash of the TGT and decrypt the symmetric key.
B. It must accept the TGT and decrypt the symmetric key.
C. It must decrypt the TGT and the symmetric key.
D. It must send a valid response using the symmetric key to the KDC and must install the TGT.
Chapter 6, Page 122: Errata in Text
In Chap6/Q32, the text should read:
32. Earlier this year, the information security team at Jim’s employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to incorrectly flag the system as vulnerable due to the version number it is finding even though Jim is sure the patch is installed. Which of the following options is Jim’s best choice to deal with the issue?
A. Uninstall and reinstall the patch.
B. Ask the information security team to flag the system as patched and not vulnerable.
C. Update the version information in the web server’s configuration.
D. Review the vulnerability report and use alternate remediation options.
Chapter 6, Page 126: Errata in Text
In Question 51, the text currently reads:
It should be:
Chapter 7, Page 152: Errata in Text
In Chap7/Q68, the question text currently reads:
At this point in the incident response process, what term best describes what has occurred in Ann’s organization:
It should read:
Now that Ann understands that an attack has taken place that violates her organization’s security policy, what term best describes what has occurred in Ann’s organization
Chapter 7, Page 156: Errata in Text
In Chap7/Q86, the text should read:
Change the 9 in choice B to 19. Make the same correction in the solution description.
Pages 169, 367: Errata in Text
In Chap8/Q48, the text currently reads:
Let’s make two changes.
First, make the word NOT in the question all caps.
Second, change the solution description to
This question is asking you to identify the blocking rule that should NOT be set on the firewall. Packets with public IP addresses will routinely be allowed to enter the network, so you should not create a rule to block them, making this the correct answer. Packets with internal source addresses should never originate from outside the network so they should be blocked from entering the network. Packets with external source addresses should never be found on the internal network, so they should be blocked from leaving the network. Finally, private IP addresses should never be used on the Internet, so packets containing private IP addresses should be blocked from leaving the network.
Chapter 9, Page 186: Errata in Text
Change choice C to XTACACS. In the solution, change “TACACS” to “XTACACS”.
Page 199: Errata in Text
Please change choice A from MTO to MTD.
Page 205: Errata in Text
In PracTest1/Q102, the text currently reads:
The primary symptom is that packets are occasionally taking too long to travel from their source to their destination.
It should read:
The primary symptom is that packets are occasionally taking too long to travel from their source to their destination. The length of this delay changes for individual packets.
Page 216: Errata in Text
In PracTest1/Q151, the text currently reads:
Page 227: Errata in Text
This is an error in the preface to questions 210-213. Please change it to read that “Questions 210-212 refer to the following scenario” instead of questions 210-213.
Page 230: Errata in Text
Please change the question to “In what type of trusted recovery process is the system able to recover without administrator intervention but the system may suffer some loss of data?”
Page 231: Errata in Text
We need to change this question a bit.
Please change the question to:
Alex would like to ask all of his staff to sign an agreement that they will not share his organization’s intellectual property with unauthorized individuals. What type of agreement should Alex ask employees to sign?
And the solution to:
B. Nondisclosure agreements (NDAs) prohibit employees from sharing sensitive information without authorization, even after their employment ends. They may also apply to business partners, contractors, customers and others. Service level agreements (SLAs) and operating level agreements (OLAs) specify the parameters of service that a vendor provides to a customer. Data loss prevention (DLP) technology prevents data loss but is a technical, rather than a policy control.
Page 233: Errata in Text
Add the following sentence between “region” and “What” in the question:
“Individual employees are cleared to know about the movement of an individual aircraft but they are not cleared to know about the overall mission.”
Page 251: Errata in Text
Please change question to read:
69. Chris is conducting a risk assessment for his organization and determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?
Page 251: Errata in Text
73. Michelle is in charge of her organization’s mobile device management efforts, and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?
A. Mandatory passcodes and application management
B. Full device encryption and mandatory passcodes
C. Remote wipe and GPS tracking
D. Enabling GPS tracking and full device encryption
Answer should read:
B. While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices, but won’t keep the data secure if the device is lost. Remote wipe and GPS location are useful if the thief allows the device to connect to a cellular or Wi-Fi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale.
Page 283: Errata in Text
In PracTest2/Q231, the text currently reads:
Ben has built an access control list that lists the objects that his users are allowed to access. When users attempt to access an object that they don’t have rights to, they are denied access, even though there isn’t a specific rule that allows it. What access control principle is key to this behavior?
It should read:
Ben has built an access control list that lists the objects that his users are allowed to access. When users attempt to access an object that they don’t have rights to, they are denied access, even though there isn’t a specific rule that prevents it. What access control principle is key to this behavior?
Appendix, Page 302: Errata in Text
In Appendix A: Chap2/Q38:
Change answer text to read:
C. We know that the data classification will not be the top level classification, “Confidential” because the loss of the data would not cause severe damage. This means we have to choose between private (PHI) and sensitive (confidential). Calling this private due to the patient’s personal health information fits the classification scheme, giving us the correct answer.
Appendix A, Page 304: Errata in Text
In Appendix A/Chap2/Q56:
Correct answer should be D.
Change answer A option to read “A. FAA”
New answer text:
The U.S. Department of Commerce oversees Safe Harbor. Only U.S. organizations subject to the jurisdiction of the Federal Trade Commission (FTC) or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DOT) are permitted to participate in Safe Harbor.
Appendix, Page 305: Errata in Text
In Appendix A/Chap2/Q65:
This is correct. Answer should be B.
Appendix, Page 314: Errata in Text
The text currently reads in Appendix A/Chap3/Q55:
“electrical fires” in the answer text
Page 325: Errata in Text
In Chap4/Q78, the text currently reads:
The correct speed for ISDN is 64 or 128 Kbps, not 64 or 128 “Mbps.” Feedback matches source docs and print PDF in BPA.
This should read Kbps; ISDN is 64 or 128 Kbps.
Page 326: Errata in Text
In Appendix A/Chap4/Q83:
Answer should be C, Stateful inspection firewalls
B. Stateful packet inspection firewalls are known as second-generation firewalls. UTM, or Unified Threat Management, is a concept used in next-generation firewalls; packet filters are called first-generation firewalls, and application-level gateway firewalls are known as third-generation firewalls.
Chapter 6, Page 349: Errata in Text
In Chap6/Q83, the text should read:
B. Finding severe bugs is not a fault—in fact, fuzzing often finds important issues that would otherwise have been exploitable. Fuzzers can reproduce errors (and thus, “fuzzers can’t reproduce errors” is not an issue), but typically don’t fully cover the code—code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often limited to simple errors because they won’t handle business logic or attacks that require knowledge from the application user.
Page 364: Errata in Text
In Appendix A/Chap8/Q20:
In the solution, change “Repeatable” to “Managed”.
Chapter 10, Page 409: Errata in Text
Answers appendix, page 409, answer to Chapter 10 practice test 2, question 103
Page 417: Errata in Text
Change answer text to:
B. To restore the system to as current a state as possible, Tara must first apply Sunday’s full backup. She may then apply the most recent differential backup, from Wednesday at noon. Differential backups include all files that have changed since the most recent full backup, so the contents of Wednesday’s backup contain all of the data that would be contained in Monday and Tuesday’s backups, making the Monday and Tuesday backups irrelevant for this scenario.
Appendix, Page 419: Errata in Text
The Answer and Explanation for this question 210 should be the following:
C. When a client connects to a service server (SS), it sends the following two messages:
- the client-to-server ticket, encrypted using the service's secret key
- a new authenticator, including the client ID and timestamp, encrypted using the client/server session key
Chapter 7: Errata in Text
The title of chapter 7 is wrong.
The correct title should be "Security Operations".
It is wrong in the TOC, chapter opener and running heads.
Chapter 2, Page 33: Errata in Text
Question 37: Please change the question to "What encryption technology would be appropriate for HIPAA documents in transit?". Please change answer choice A to BitLocker.
Appendix, Page 37: Errata in Text
Answer remains C. Change answer description to "TLS is a modern encryption method used to encrypt and protect data in transit. BitLocker is a full disk encryption technology used for data at rest. DES and SSL are both outdated encryption methods and should not be used for data that requires high levels of security."
Chapter 10, Page 250: Errata in Text
Practice Test 2, Question 65: add ", assuming it is renewed as many times as possible?" to the end of the question.
Chapter 10, Page 250: Errata in Text
Practice Test 2, Question 65: choice D should be "The client creates a service ticket and sends it to the server".