Security Operations for CISSP
This page covers the Security Operations domain of the CISSP certification. Master Cybersecurity offers 68 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes?
- A. File Integrity Checker
- B. Security information and event management (SIEM) system
- C. Audit Logs
- D. Intrusion detection system (IDS)
Explanation
The correct answer is: A. File Integrity Checker.
File integrity monitoring tools, such as Tripwire or OSSEC, are the dedicated control for detecting unauthorized content modification because they maintain cryptographic hashes of a known-good baseline and alert when any tracked file deviates, satisfying NIST SP 800-53 SI-7 software and information integrity requirements. A SIEM aggregates and correlates events from many sources and can ingest FIM alerts, but the underlying detection of the change comes from the FIM agent, not the SIEM itself. Audit logs record actions performed against objects but do not by themselves prove that file contents differ from an authorized baseline. An IDS inspects network or host activity for attack patterns rather than performing baseline-versus-current content comparison on files.
Question 2
Which of the following is included in change management?
- A. Technical review by business owner
- B. User Acceptance Testing (UAT) before implementation
- C. Cost-benefit analysis (CBA) after implementation
- D. Business continuity testing
Explanation
The correct answer is: B. User Acceptance Testing (UAT) before implementation.
User acceptance testing performed before implementation is an explicit step of formal change management because it confirms that a change satisfies business requirements and is fit for purpose in the hands of end users prior to promotion to production, feeding directly into the change advisory board (CAB) approval decision. Technical review by the business owner alone is not the structured testing activity; business owners typically authorize rather than execute technical validation. A cost-benefit analysis performed after implementation is a financial review that does not validate that the change works as intended. Business continuity testing is a separate program activity exercising recovery capabilities and is not embedded in the routine change-management lifecycle for individual changes.
Question 3
Which application type is considered high risk and provides a common way for malware and viruses to enter a network?
- A. Instant messaging or chat applications
- B. Peer-to-Peer (P2P) file sharing applications
- C. E-mail applications
- D. End-to-end applications
Explanation
The correct answer is: B. Peer-to-Peer (P2P) file sharing applications.
Peer-to-peer file sharing is the highest-risk class among the listed application types because it routinely pulls executables and media from untrusted peers, bypasses egress filtering with dynamic ports and encryption, and exposes shared local directories to outside access, making it a perennial vector for malware and data leakage. Instant messaging applications carry risk but are typically centrally brokered and easier to monitor and filter. Email is a major delivery vector but is generally protected by anti-malware gateways, sandboxing, and modern email authentication, so it is no longer the least defended channel. "End-to-end applications" is a descriptive label about communication topology rather than an application class with a defined risk profile of its own.
Question 4
Which of the following is the PRIMARY purpose of installing a mantrap within a facility?
- A. Control traffic
- B. Control air flow
- C. Prevent piggybacking
- D. Prevent rapid movement
Explanation
The correct answer is: C. Prevent piggybacking.
A mantrap, also called an access vestibule, is designed to defeat piggybacking and tailgating by enclosing one person in a small interlocked chamber where the inner door will not open until the outer door has closed and identity has been verified, often through a second authentication factor such as a PIN, biometric, or weight sensor. Controlling traffic generically is too broad a description for the specific concept the mantrap enforces, and most access points control traffic without addressing the tailgating problem. Controlling airflow is a function of HVAC and pressurization design rather than an access-control objective, although pressurized vestibules exist for clean-room reasons unrelated to security. Preventing rapid movement is incidental to the mantrap's geometry but is not its design purpose; the goal is one-person-at-a-time identity verification, which CPTED treats as the canonical countermeasure to piggybacking.
Question 5
In a disaster recovery (DR) test, which of the following would be a trait of crisis management?
- A. Process
- B. Anticipate
- C. Strategic
- D. Wide focus
Explanation
The correct answer is: A. Process.
Crisis management is fundamentally process-driven, executing predefined activation, communication, escalation, and decision-making procedures so that responders act consistently under stress with defined roles and authorities. Anticipation describes preparation work that precedes the crisis, more characteristic of risk management and BCP development than of crisis management itself. Strategic framing describes business continuity planning at the enterprise level, which sets direction rather than executing during an event. Wide focus characterizes business continuity, which spans people, processes, technology, and external relationships, whereas crisis management narrows to immediate response actions structured by process.
Other CISSP domains
- Asset Security (46 questions)
- Communication and Network Security (58 questions)
- Identity and Access Management (IAM) (55 questions)
- Security and Risk Management (75 questions)
- Security Architecture and Engineering (71 questions)
- Security Assessment and Testing (54 questions)
- Software Development Security (57 questions)