Security Assessment and Testing for CISSP

This page covers the Security Assessment and Testing domain of the CISSP certification. Master Cybersecurity offers 54 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    When assessing the audit capability of an application, which of the following activities is MOST important?
    A. Identify procedures to investigate suspicious activity.
    B. Determine if audit records contain sufficient information.
    C. Verify if sufficient storage is allocated for audit records.
    D. Review security plan for actions to be taken in the event of audit failure.
    Explanation

    The correct answer is: B. Determine if audit records contain sufficient information.

    The audit capability of an application is judged first by whether the records it produces contain enough information to support after-the-fact investigation, attribution, and reconstruction of events. NIST SP 800-53 control AU-3 explicitly requires audit records to contain identifiers for the event type, when it occurred, where it occurred, the source, the outcome, and the identity of any subject involved, and without that content the rest of the audit chain has nothing useful to operate on. Procedures to investigate suspicious activity depend on the records existing first, so they are downstream. Sufficient storage matters but is irrelevant if the records themselves are inadequate. Reviewing the security plan for actions on audit failure addresses resilience of the logging mechanism but does not bear on the analytical value of the records. Confirming sufficient information in the audit records is the highest-leverage activity.
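    As an added example (not part of the original question set), the following Python check applies the AU-3 content elements named above to JSON audit records and reports which records could not support an investigation; the JSON field names and the sample records are assumptions constructed for this illustration.

```python
import json

# The content NIST SP 800-53 AU-3 requires of every audit record, as listed in
# the explanation above. The JSON field names are an assumption for this example.
AU3_REQUIRED_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp": "when the event occurred",
    "location": "where the event occurred",
    "source": "source of the event",
    "outcome": "outcome of the event",
    "subject": "identity of any subject associated with the event",
}


def missing_au3_fields(record):
    """Return the AU-3 elements that are absent or empty in one audit record."""
    return [name for name in AU3_REQUIRED_FIELDS
            if record.get(name) in (None, "")]


def assess_audit_records(lines):
    """Parse one JSON record per line; return (line number, gaps) for each
    record that is unparseable or lacks required AU-3 content."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, ["unparseable record"]))
            continue
        gaps = missing_au3_fields(record)
        if gaps:
            findings.append((lineno, gaps))
    return findings


# Constructed sample records (not real logs): the first is complete, the second
# lacks source and subject, the third has an empty outcome, the fourth is not JSON.
SAMPLE_AUDIT_LINES = [
    '{"event_type":"login","timestamp":"2024-05-01T10:00:00Z","location":"app01","source":"10.0.0.5","outcome":"success","subject":"alice"}',
    '{"event_type":"file_read","timestamp":"2024-05-01T10:01:00Z","location":"app01","outcome":"success"}',
    '{"event_type":"config_change","timestamp":"2024-05-01T10:02:00Z","location":"app01","source":"10.0.0.9","subject":"bob","outcome":""}',
    'ERROR: disk full',
]

if __name__ == "__main__":
    for lineno, gaps in assess_audit_records(SAMPLE_AUDIT_LINES):
        print(f"record {lineno}: insufficient for audit: {', '.join(gaps)}")
```

    Running the check over a sample of an application's real audit output is a direct way to answer the assessment question the explanation raises.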

  2. Question 2

    When reviewing vendor certifications for handling and processing of company data, which of the following is the BEST Service Organization Controls (SOC) certification for the vendor to possess?
    A. SOC 1 Type 1
    B. SOC 2 Type 1
    C. SOC 2 Type 2
    D. SOC 3
    Explanation

    The correct answer is: C. SOC 2 Type 2.

    For evaluating a vendor that handles and processes company data, SOC 2 Type 2 is the strongest standard third-party attestation because it covers the AICPA Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy and provides an independent opinion on whether those controls were operating effectively over an audit period of typically six to twelve months. This combination of relevant subject matter and operating-effectiveness testing is what risk teams require for ongoing data-handling assurance. SOC 1 Type 1 covers financial reporting controls at a point in time, which is the wrong subject and the weaker testing depth. SOC 2 Type 1 covers the right subject matter but only as a point-in-time design opinion, so it cannot demonstrate that controls actually worked over time. SOC 3 summarizes a SOC 2 for public distribution and lacks the detail to support a vendor risk decision. SOC 2 Type 2 is the right certification to require.

  3. Question 3

    What industry-recognized document could be used as a baseline reference that is related to data security and business operations, or for conducting a security assessment?
    A. Service Organization Control (SOC) 1 Type 2
    B. Service Organization Control (SOC) 1 Type 1
    C. Service Organization Control (SOC) 2 Type 2
    D. Service Organization Control (SOC) 2 Type 1
    Explanation

    The correct answer is: C. Service Organization Control (SOC) 2 Type 2.

    A SOC 2 Type 2 report is the AICPA attestation that addresses the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy, and a Type 2 report opines on the operating effectiveness of those controls over an audit period, typically six to twelve months. This makes it the recognized baseline reference for evaluating how a service organization protects data and supports business operations, and it is the artifact commonly required during third-party security assessments. SOC 1 Type 2 evaluates controls over financial reporting rather than data security, so it does not provide a baseline for an information-security assessment. SOC 1 Type 1 provides only a point-in-time design opinion on financial controls and is even less applicable. SOC 2 Type 1 covers the right subject matter but only at a moment in time and does not establish operating effectiveness, which weakens its value as a baseline. SOC 2 Type 2 is the correct reference.

  4. Question 4

    Which reporting type requires a service organization to describe its system and define its control objectives and controls that are relevant to users' internal control over financial reporting?
    A. Statement on Auditing Standards (SAS) 70
    B. Service Organization Control 1 (SOC1)
    C. Service Organization Control 2 (SOC2)
    D. Service Organization Control 3 (SOC3)
    Explanation

    The correct answer is: B. Service Organization Control 1 (SOC1).

    Service Organization Control 1 reports, governed by SSAE-18 in the United States, exist specifically to provide user entities and their financial auditors with assurance over controls at a service organization that are relevant to the user entity's Internal Control over Financial Reporting. The service organization must describe its system, document its control objectives, and identify the controls that meet those objectives in support of ICFR. SAS 70 was the predecessor standard that has been superseded since 2011 by SSAE-16 and then SSAE-18, so it is no longer the current reporting type for new engagements. SOC 2 reports are issued under the AICPA Trust Services Criteria and address security, availability, processing integrity, confidentiality, and privacy, not financial reporting. SOC 3 is a general-use summary of a SOC 2 and similarly does not target ICFR. SOC 1 is the only correct match.

  5. Question 5

    When auditing the Software Development Life Cycle (SDLC), which of the following is one of the high-level audit phases?
    A. Planning
    B. Risk assessment
    C. Due diligence
    D. Requirements
    Explanation

    The correct answer is: A. Planning.

    An SDLC audit typically begins with a planning phase, which is universally one of the high-level audit phases listed by ISACA and similar bodies. During planning the audit team defines scope, objectives, criteria, methodology, key stakeholders, and the work plan, including which SDLC stages and artifacts will be examined. Without this foundation the rest of the engagement cannot proceed in a defensible way. Risk assessment is one possible activity inside the planning phase or a separate phase later in the engagement, but it is not the top-level audit phase name. Due diligence is a term used in mergers and acquisitions or vendor onboarding rather than as a phase of an SDLC audit. Requirements is a phase of the SDLC under audit, not a phase of the audit itself, so it is the wrong level of abstraction. Planning is the correct high-level audit phase.
