CISSP Official (ISC)2 Practice Tests

Mike Chapple, David Seidl

ISBN: 978-1-119-25229-0

Jul 2016

456 pages

$26.99

Description

Full-length practice tests covering all CISSP domains for the ultimate in exam prep

The CISSP Official (ISC)2 Practice Tests is a major resource for CISSP candidates, providing 1300 unique practice questions. The first part of the book provides 100 questions per domain so you can practice on any domains you know you need to brush up on. After that, you get two unique 250-question practice exams to help you master the material and practice simulated exam taking well in advance of the exam. The two practice exams cover all exam domains, and are included in identical proportion to the exam itself to help you gauge the relative importance of each topic covered. As the only official practice tests endorsed by the (ISC)2, this book gives you the advantage of full and complete preparation: coverage includes Security and Risk Management; Asset Security; Security Engineering; Communication and Network Security; Identity and Access Management; Security Assessment and Testing; Security Operations; and Software Development Security. These practice tests align with the 2015 version of the exam to ensure up-to-date preparation, and are designed to simulate what you'll see on exam day.

The CISSP credential signifies a body of knowledge and a set of guaranteed skills that put you in demand in the marketplace. This book is your ticket to achieving this prestigious certification, by helping you test what you know against what you need to know.

  • Align your preparation with the 2015 CISSP Body of Knowledge
  • Test your knowledge of all exam domains
  • Identify areas in need of further study
  • Gauge your progress throughout your exam preparation

The Certified Information Systems Security Professional exam is refreshed every few years to ensure that candidates are up-to-date on the latest security topics and trends. Currently-aligned preparation resources are critical, and periodic practice tests are one of the best ways to truly measure your level of understanding. The CISSP Official (ISC)2 Practice Tests is your secret weapon for success, and the ideal preparation tool for the savvy CISSP candidate.

Table of Contents

Introduction xi

Chapter 1 Security and Risk Management (Domain 1) 1

Chapter 2 Asset Security (Domain 2) 25

Chapter 3 Security Engineering (Domain 3) 47

Chapter 4 Communication and Network Security (Domain 4) 71

Chapter 5 Identity and Access Management (Domain 5) 93

Chapter 6 Security Assessment and Testing (Domain 6) 115

Chapter 7 Security Options (Domain 7) 137

Chapter 8 Software Development Security (Domain 8) 159

Chapter 9 Practice Test 1 183

Chapter 10 Practice Test 2 237

Appendix Answers to Review Questions 289

Index 425

Errata (Chapter/Page | Details | Date)

863 | Errata in Text | 11-Jan-17
In Chap3/Q69: add "to protect the application?" at the end of the question.

367 | Errata in Text | 18-Jan-17
In answer choice D for question 86, the text currently reads:
external
Should read:
integrity

368 | Errata in Text | 11-Jan-17
In Chap3/Q92, the text currently reads:
for more than a few minutes
Should read:
for an extended period of time

368 | Errata in Text | 18-Jan-17
In the body of question 92, the text currently reads:
for more than a few minutes
Should read:
for an extended period of time

85 | Errata in Text | 11-Jan-17
In Chap4/Q65, the text currently reads:
Chris needs to design a firewall architecture that can support separately a DMZ, a database, and a private internal network. What type of design should he use, and how many firewalls does he need?
Should read:
Chris needs to design a firewall architecture that can support a DMZ, a database, and a private internal network in a secure manner that separates each function. What type of design should he use, and how many firewalls does he need?

594 | Errata in Text | 11-Jan-17
In Chap5/Q2, the text currently reads:
Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim’s company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?
Should read:
Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim’s company does not have in-house identity management staff, and does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?
Note: the question is rephrased for greater clarity.

598 | Errata in Text | 11-Jan-17
In Chap5/Q19, the question and answer choices should read:
19. What tasks must the client perform before it can use the TGT?
A. It must generate a hash of the TGT and decrypt the symmetric key.
B. It must accept the TGT and decrypt the symmetric key.
C. It must decrypt the TGT and the symmetric key.
D. It must send a valid response using the symmetric key to the KDC and must install the TGT.

6122 | Errata in Text | 11-Jan-17
In Chap6/Q32, the text should read:
32. Earlier this year, the information security team at Jim’s employer identified a vulnerability in the web server that Jim is responsible for maintaining. He immediately applied the patch and is sure that it installed properly, but the vulnerability scanner has continued to incorrectly flag the system as vulnerable due to the version number it is finding even though Jim is sure the patch is installed. Which of the following options is Jim’s best choice to deal with the issue?
A. Uninstall and reinstall the patch.
B. Ask the information security team to flag the system as patched and not vulnerable.
C. Update the version information in the web server’s configuration.
D. Review the vulnerability report and use alternate remediation options.

6126 | Errata in Text | 2-Sep-16
In question 51, the text currently reads:
assistance
Should read:
assistant

7152 | Errata in Text | 11-Jan-17
In Chap7/Q68, the question text currently reads:
At this point in the incident response process, what term best describes what has occurred in Ann’s organization:
Should read:
Now that Ann understands that an attack has taken place that violates her organization’s security policy, what term best describes what has occurred in Ann’s organization

7156 | Errata in Text | 11-Jan-17
In Chap7/Q86: change the 9 in choice B to 19. Make the same correction in the solution description.

169, 367 | Errata in Text | 11-Jan-17
In Chap8/Q48, make two changes.
First, make the word NOT in the question all caps.
Second, change the solution description to:
This question is asking you to identify the blocking rule that should NOT be set on the firewall. Packets with public IP addresses will routinely be allowed to enter the network, so you should not create a rule to block them, making this the correct answer. Packets with internal source addresses should never originate from outside the network so they should be blocked from entering the network. Packets with external source addresses should never be found on the internal network, so they should be blocked from leaving the network. Finally, private IP addresses should never be used on the Internet, so packets containing private IP addresses should be blocked from leaving the network.

9186 | Errata in Text | 11-Jan-17
In PracTest1/Q14: change choice C to XTACACS. In the solution, change “TACACS” to “XTACACS”.

199 | Errata in Text | 11-Jan-17
In PracTest1/Q75: change choice A from MTO to MTD.

205 | Errata in Text | 11-Jan-17
In PracTest1/Q102, the text currently reads:
The primary symptom is that packets are occasionally taking too long to travel from their source to their destination.
Should read:
The primary symptom is that packets are occasionally taking too long to travel from their source to their destination. The length of this delay changes for individual packets.

216 | Errata in Text | 11-Jan-17
In PracTest1/Q151, the text currently reads:
tornado
Should read:
fire

227 | Errata in Text | 11-Jan-17
In PracTest1/Q213: this is an error in the preface to questions 210-213. Change it to read “Questions 210-212 refer to the following scenario” instead of questions 210-213.

230 | Errata in Text | 11-Jan-17
In PracTest1/Q223: change the question to “In what type of trusted recovery process is the system able to recover without administrator intervention but the system may suffer some loss of data?”

231 | Errata in Text | 11-Jan-17
In PracTest1/Q229, the question needs to change slightly. Change the question to:
Alex would like to ask all of his staff to sign an agreement that they will not share his organization’s intellectual property with unauthorized individuals. What type of agreement should Alex ask employees to sign?
A. SLA
B. NDA
C. OLA
D. DLP
And the solution to:
B. Nondisclosure agreements (NDAs) prohibit employees from sharing sensitive information without authorization, even after their employment ends. They may also apply to business partners, contractors, customers and others. Service level agreements (SLAs) and operating level agreements (OLAs) specify the parameters of service that a vendor provides to a customer. Data loss prevention (DLP) technology prevents data loss but is a technical, rather than a policy, control.

233 | Errata in Text | 11-Jan-17
In PracTest1/Q238: add the following sentence between “region” and “What” in the question:
“Individual employees are cleared to know about the movement of an individual aircraft but they are not cleared to know about the overall mission.”

251 | Errata in Text | 11-Jan-17
In PracTest2/Q69, change the question to read:
69. Chris is conducting a risk assessment for his organization and determined the amount of damage that a single flood could be expected to cause to his facilities. What metric has Chris identified?

251 | Errata in Text | 11-Jan-17
In PracTest2/Q73, the replacement question is:
73. Michelle is in charge of her organization’s mobile device management efforts, and handles lost and stolen devices. Which of the following recommendations will provide the most assurance to her organization that data will not be lost if a device is stolen?
A. Mandatory passcodes and application management
B. Full device encryption and mandatory passcodes
C. Remote wipe and GPS tracking
D. Enabling GPS tracking and full device encryption
The answer should read:
B. While full device encryption doesn’t guarantee that data cannot be accessed, it provides Michelle’s best option for preventing data from being lost with a stolen device when paired with a passcode. Mandatory passcodes and application management can help prevent application-based attacks and unwanted access to devices, but won’t keep the data secure if the device is lost. Remote wipe and GPS location are useful if the thief allows the device to connect to a cellular or Wi-Fi network. Unfortunately, many modern thieves immediately take steps to ensure that the device will not be trackable or allowed to connect to a network before they capture data or wipe the device for resale.

283 | Errata in Text | 11-Jan-17
In PracTest2/Q231, the text currently reads:
Ben has built an access control list that lists the objects that his users are allowed to access. When users attempt to access an object that they don’t have rights to, they are denied access, even though there isn’t a specific rule that allows it. What access control principle is key to this behavior?
Should read:
Ben has built an access control list that lists the objects that his users are allowed to access. When users attempt to access an object that they don’t have rights to, they are denied access, even though there isn’t a specific rule that prevents it. What access control principle is key to this behavior?

Appendix 302 | Errata in Text | 10-Jan-17
In Appendix A, Chap2/Q38, change the answer text to read:
C. We know that the data classification will not be the top-level classification, “Confidential”, because the loss of the data would not cause severe damage. This means we have to choose between private (PHI) and sensitive (confidential). Calling this private due to the patient’s personal health information fits the classification scheme, giving us the correct answer.

Appendix A 304 | Errata in Text | 11-Jan-17
In Appendix A, Chap2/Q56:
The correct answer should be D.
Change answer option A to read “A. FAA”.
New answer text:
The U.S. Department of Commerce oversees Safe Harbor. Only U.S. organizations subject to the jurisdiction of the Federal Trade Commission (FTC) or U.S. air carriers and ticket agents subject to the jurisdiction of the Department of Transportation (DOT) are permitted to participate in Safe Harbor.

Appendix 305 | Errata in Text | 11-Jan-17
In Appendix A, Chap2/Q65: this is correct. The answer should be B.

Appendix 314 | Errata in Text | 11-Jan-17
In Appendix A, Chap3/Q55, the answer text currently reads:
flammable gasses
Should read:
electrical fires

325 | Errata in Text | 11-Jan-17
In Chap4/Q78, the text currently gives the ISDN speed as 64 or 128 “Mbps.” It should read Kbps: ISDN is 64 or 128 Kbps. (Feedback matches source docs and print PDF in BPA.)

326 | Errata in Text | 11-Jan-17
In Appendix A, Chap4/Q83:
The answer should be C, Stateful inspection firewalls.
B. Stateful packet inspection firewalls are known as second-generation firewalls. UTM, or Unified Threat Management, is a concept used in next-generation firewalls; packet filters are called first-generation firewalls, and application-level gateway firewalls are known as third-generation firewalls.

6349 | Errata in Text | 11-Jan-17
In Chap6/Q83, the text should read:
B. Finding severe bugs is not a fault—in fact, fuzzing often finds important issues that would otherwise have been exploitable. Fuzzers can reproduce errors (and thus, “fuzzers can’t reproduce errors” is not an issue), but typically don’t fully cover the code—code coverage tools are usually paired with fuzzers to validate how much coverage was possible. Fuzzers are often limited to simple errors because they won’t handle business logic or attacks that require knowledge from the application user.

364 | Errata in Text | 11-Jan-17
In Appendix A, Chap8/Q20: in the solution, change “Repeatable” to “Managed”.

10409 | Errata in Text | 21-Mar-17
In the answers appendix, page 409, answer to Chapter 10, Practice Test 2, question 103, the text currently reads:
Authorization
Should read:
Authentication

417 | Errata in Text | 11-Jan-17
In Appendix A, PracTest2/Q182, change the answer text to:
B. To restore the system to as current a state as possible, Tara must first apply Sunday’s full backup. She may then apply the most recent differential backup, from Wednesday at noon. Differential backups include all files that have changed since the most recent full backup, so the contents of Wednesday’s backup contain all of the data that would be contained in Monday and Tuesday’s backups, making the Monday and Tuesday backups irrelevant for this scenario.

Appendix 419 | Errata in Text | 18-Jan-17
The answer and explanation for question 210 should be the following:
C. When a client connects to a service server (SS), it sends the following two messages:
  • the client-to-server ticket, encrypted using the service’s secret key
  • a new authenticator, including the client ID and timestamp, encrypted using the client/server session key

7 | Errata in Text | 3-Oct-16
The title of chapter 7 is wrong. The correct title should be Security Operations. It is wrong in the TOC, chapter opener and running heads.

233 | Errata in Text | 27-Feb-2018
Question 37: change the question to “What encryption technology would be appropriate for HIPAA documents in transit?” Change answer choice A to “BitLocker”.

Appendix 37 | Errata in Text | 27-Feb-2018
The answer remains C. Change the answer description to: “TLS is a modern encryption method used to encrypt and protect data in transit. BitLocker is a full disk encryption technology used for data at rest. DES and SSL are both outdated encryption methods and should not be used for data that requires high levels of security.”

10250 | Errata in Text | 27-Feb-2018
Practice Test 2, question 65: add “, assuming it is renewed as many times as possible?” to the end of the question.

10250 | Errata in Text | 27-Feb-2018
Practice Test 2, question 65: choice D should be “The client creates a service ticket and sends it to the server”.