Security and Risk Management for CISSP

This page covers the Security and Risk Management domain of the CISSP certification. Master Cybersecurity offers 75 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Physical assets defined in an organization's business impact analysis (BIA) could include which of the following?
    A. Personal belongings of organizational staff members
    B. Disaster recovery (DR) line-item revenues
    C. Cloud-based applications
    D. Supplies kept off-site at a remote facility
    Explanation

    The correct answer is: D. Supplies kept off-site at a remote facility.

    A BIA classifies the resources critical processes depend on, and physical assets are tangible items the organization can touch, move, or store, which includes supplies kept off-site at a remote facility because they are real-world items required to sustain or resume operations. Personal belongings of staff are owned by individuals, not the organization, and fall outside the asset inventory the BIA covers. Disaster-recovery line-item revenues are financial values forecast for accounting purposes, not physical assets at all; they are projections, not tangibles. Cloud-based applications are intangible information assets delivered as a service; they belong in the BIA's information- or service-asset categories but not as physical assets. Off-site supplies satisfy the tangibility test and the operational relevance test that define physical assets in a BIA.

  2. Question 2

    What is the PRIMARY reason for criminal law being difficult to enforce when dealing with cybercrime?
    A. Jurisdiction is hard to define.
    B. Law enforcement agencies are understaffed.
    C. Extradition treaties are rarely enforced.
    D. Numerous language barriers exist.
    Explanation

    The correct answer is: A. Jurisdiction is hard to define.

    Cybercrime routinely traverses national borders in seconds, so the threshold question of which sovereign body has the authority to investigate, charge, and adjudicate becomes the dominant enforcement obstacle; jurisdictional ambiguity over the location of the offender, the infrastructure used, the victim, and the harm produced is what stalls or defeats most prosecutions. Treaties such as the Budapest Convention exist precisely to address this primary problem. Staffing constraints at law-enforcement agencies are real but secondary; even well-resourced agencies cannot prosecute crimes outside their jurisdiction. Extradition treaties do exist and are used; the problem is that they presume an enforceable jurisdictional claim has already been established. Language barriers complicate international cooperation but are operational friction, not the threshold legal barrier. The root cause is the difficulty of defining jurisdiction in the first place.

  3. Question 3

    What process facilitates the balance of operational and economic costs of protective measures with gains in mission capability?
    A. Performance testing
    B. Risk assessment
    C. Security audit
    D. Risk management
    Explanation

    The correct answer is: D. Risk management.

    Risk management is the discipline that explicitly balances the operational and economic costs of protective measures against the mission capability gained, by identifying risks, quantifying their likelihood and impact, selecting cost-effective treatments, and tracking residual risk over time. NIST SP 800-39 and ISO 31000 both anchor this balancing function as the core of the discipline. Performance testing measures whether systems meet performance criteria and has no balancing role between cost of protection and mission gain. Risk assessment is one phase within risk management that identifies and evaluates risks; it produces the inputs but does not by itself execute the cost-versus-mission balancing decisions. A security audit verifies compliance with controls and policies after the fact and provides assurance evidence rather than the strategic balancing function the question describes. Risk management is the encompassing process that performs the balance.

  4. Question 4

    In the "Do" phase of the Plan-Do-Check-Act model, which of the following is performed?
    A. Maintain and improve the Business Continuity Management (BCM) system by taking corrective action, based on the results of management review.
    B. Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
    C. Ensure the business continuity policy, controls, processes, and procedures have been implemented.
    D. Ensure that business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity have been established.
    Explanation

    The correct answer is: C. Ensure the business continuity policy, controls, processes, and procedures have been implemented.

    The Plan-Do-Check-Act cycle that ISO 22301 and ISO 27001 adopt assigns specific verbs to each phase, and Do is the implementation phase: policy, controls, processes, and procedures defined during Plan are operationalized and put into productive use. Establishing those policies, objectives, controls, and procedures in the first place is the Plan phase, not Do. Monitoring performance against objectives, reporting to management, and authorizing remediation is the Check phase, which provides the evidence base for management review. Taking corrective action on the basis of management review and continually improving the BCMS belongs to Act, which closes the loop by feeding lessons back into the next cycle. Mapping the verbs cleanly to the phases is the key discriminator on PDCA questions.

  5. Question 5

    A criminal organization is planning an attack on a government network. Which of the following scenarios presents the HIGHEST risk to the organization?
    A. Organization loses control of their network devices.
    B. Network is flooded with communication traffic by the attacker.
    C. Network management communications are disrupted.
    D. Attacker accesses sensitive information regarding the network topology.
    Explanation

    The correct answer is: A. Organization loses control of their network devices.

    From the criminal organization's perspective, the highest risk is the scenario that most directly defeats the mission, and losing control of their own network devices does exactly that: without command and control over their infrastructure, the planned attack cannot be coordinated, the attackers expose themselves to detection and takedown, and the operation collapses. Flooding the attacker's network with traffic from outside parties would also degrade operations but is less likely to cause loss of operational control of the devices themselves. Disruption of network management communications is impactful but typically a temporary, recoverable condition; control can be re-established once communications are restored. An attacker accessing sensitive information about the criminal organization's network topology is an exposure risk but does not by itself prevent execution of the planned attack. Loss of device control is the most severe mission-defeating outcome.
