TEST CODE: 001000024042010

CISSP EXAMINATION
QUESTIONS & ANSWERS

STATEMENT OF CONFIDENTIALITY: This booklet and any of the information contained in it are not to be DISCLOSED without explicit consent from the examiners.

CISSP

Physical Security: 1 - 20
Security Management: 21 - 40
Operations Security: 41 - 60
61 - 80
81 - 100
101 - 120
121 - 140
141 - 160
161 - 180
181 - 190
191 - 220
221 - 250

Confidential

2 / 58

CISSP

1. Which of the following represents a prolonged high voltage?
A. A power spike
B. A power surge
C. A power fault
D. A power sag
B. A power surge is a prolonged high voltage. A power spike is a momentary high voltage. A power fault is a momentary
power out and a power sag is a momentary low voltage. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide,
McGraw-Hill/Osborne, 2002, chapter 6: Physical Security (page 299).

2. The main risks that physical security components combat are all of the following EXCEPT:
A. SYN flood
B. physical damage
C. theft
D. availability
A. SYN flood is not a physical security issue. The main risks that physical security components combat are theft,
interruptions to services, physical damage, compromised system integrity, and unauthorized disclosure of information.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, page 291.

3. Which of the following floors would be most appropriate to locate information processing facilities in a six-story
building?
A. Basement
B. Ground floor
C. Third floor
D. Sixth floor
C. Information processing facilities should not be located on the top floors of buildings in case of a fire or in the basements
in case of floods. They should be located at the core of a building to provide protection from natural disasters or bombs
and provide easier access to emergency crewmembers if necessary. Source: HARRIS, Shon, All-In-One CISSP Certification
Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical security (page 288)

4. Which of the following is currently the most recommended water system for a computer room?
A. preaction
B. wet pipe
C. dry pipe
D. deluge
A. Preaction combines both the dry and wet pipe systems and allows manual intervention before a full discharge of water
on the equipment occurs. Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains
of Computer Security, page 334.

5. A prolonged power supply that is below normal voltage is a:
A. brownout
B. blackout
C. surge
D. fault
A. A prolonged power supply that is below normal voltage is a brownout. From: HARRIS, Shon, All-In-One CISSP Certification
Exam Guide, McGraw-Hill/Osborne, 2002, page

6. Which of the following questions is less likely to help in assessing physical and environmental protection?
A. Are entry codes changed periodically?
B. Are appropriate fire suppression and prevention devices installed and working?
C. Are there processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic
information?
D. Is physical access to data transmission lines controlled?
C. Physical security and environmental security are part of operational controls, and are measures taken to protect
systems, buildings, and related supporting infrastructures against threats associated with their physical environment. All
the questions above are useful in assessing physical and environmental protection except for the one regarding processes
ensuring that unauthorized individuals cannot access information, which is more a production control. Source:
SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (Pages A-21 to A-24).
7. A prolonged high voltage is a:
A. spike
B. blackout
C. surge
D. fault
C. A prolonged high voltage is a surge. From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, page 299.

8. According to ISC2, what should be the fire rating for the walls of an information processing facility?
A. All walls must have a one-hour minimum fire rating
B. All walls must have a one-hour minimum fire rating, except for walls to adjacent rooms where records such as paper and
media are stored, which should have a two-hour minimum fire rating
C. All walls must have a two-hour minimum fire rating
D. All walls must have a two-hour minimum fire rating, except for walls to adjacent rooms where records such as paper and
media are stored, which should have a three-hour minimum fire rating
B. The walls must be a floor-to-ceiling slab with a one-hour minimum fire rating. Any walls adjacent to rooms where records
such as paper, media, etc. are stored must have a two-hour minimum fire rating. Source: Chris Hare's CISSP Study Notes on
Physical Security, based on the ISC2 CBK document.

9. Devices that supply power when the commercial utility power system fails are called which of the following?
A. power conditioners
B. uninterruptible power supplies
C. power filters
D. power dividers
B. uninterruptible power supplies

10. A momentary high voltage is a:
A. spike
B. blackout
C. surge
D. fault
A. A momentary high voltage is a spike. From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, page 299.
11. Which issue when selecting a facility site deals with the surrounding terrain, building markings and signs, and high or low
population in the area?
A. surrounding area and external entities
B. natural disasters
C. accessibility
D. visibility
D. Items critical to selecting a facility site for visibility are: surrounding terrain, building markings and signs, types of
neighbors, and high or low population in the area.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, page 284.
12. Which of the following is the preferred way to suppress an electrical fire?
A. CO2 or Halon
B. CO2, soda acid, or Halon
C. water or soda acid
D. CO2 or soda acid
A. Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 335.
It must be noted that Halon is now banned in most countries and cities.
13. The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical
areas should be illuminated up to?
A. Nine feet high and three feet out
B. Eight feet high and three feet out
C. Eight feet high and two feet out
D. Nine feet high and two feet out
C. The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical
areas should be illuminated eight feet high and two feet out (referred to as two foot-candles that reach eight feet in
height). It can also be referred to as illuminating to a height of eight feet, with a BRIGHTNESS of two foot-candles.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 325.
14. Which fire class can water be most appropriate for?
A. Class A fires
B. Class B fires
C. Class C fires
D. Class D fires
A. Water is appropriate for class A (common combustibles) fires. Class B fires (liquids) are best handled by CO2, soda acid or
Halon. Class C fires (electrical) are best handled by CO2 and Halon. Class D fires involve combustible metals like
magnesium.
Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 3)
15. Which of the following statements pertaining to fire suppression systems is true?
A. Halon is commonly used because it is highly effective, in that it interferes with the chemical combustion of the
elements within a fire
B. Gas masks provide an effective protection against use of CO2 systems.
C. CO2 systems are effective because they suppress the oxygen supply required to sustain the fire.
D. Soda acid is an effective fire suppression method for class C (electrical) fires
C. CO2 systems are effective because they suppress the oxygen supply required to sustain the fire. Since oxygen is
removed, it can be potentially lethal and gas masks do not provide protection against CO2. These systems are more
appropriate for unattended facilities. Under the Montreal Protocol of 1987, Halon was designated an ozone-depleting
substance and production was stopped January 1st, 1994. Companies that still have Halon systems have been asked to
replace them with nontoxic extinguishers. Soda acid is an effective fire suppression method for common combustibles and
liquids, but not for electrical fires.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical Security
(page 313).
16. In a dry pipe system, there is no water standing in the pipe - it is being held back by what type of valve?
A. Relief valve
B. Emergency valve
C. Release valve
D. Clapper valve
D. Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 336.
And: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: GOLD EDITION, John Wiley & Sons, 2002, page 471.
17. Which of the following statements pertaining to air conditioning for an information processing facility is correct?
A. The AC units must be controllable from outside the area.
B. The AC units must keep negative pressure in the room so that smoke and other gases are forced out of the room.
C. The AC units must be on the same power source as the equipment in the room to allow for easier shutdown.
D. The AC units must be dedicated to the information processing facility.
D. The AC units used in an information processing facility (computer room) must be dedicated and controllable from within
the area. They must be on an independent power source from the rest of the room and have a dedicated Emergency Power
Off switch. It is positive, not negative, pressure that forces smoke and other gases out of the room.
Source: Chris Hare's CISSP Study Notes on Physical Security, based on ISC2 CBK document.
18. Which of the following statements pertaining to secure information processing facilities is incorrect?
A. Walls should have an acceptable fire rating
B. Windows should be protected with bars
C. Doors must resist forcible entry
D. Location and type of fire suppression systems should be known
B. Windows are normally not acceptable in the data center. If they do exist, however, they must be translucent and
shatterproof.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical security (page 329).
19. What can be defined as a momentary low voltage?
A. Spike
B. Sag
C. Fault
D. Brownout
B. A sag is a momentary low voltage. A spike is a momentary high voltage. A fault is a momentary power out and a
brownout is a prolonged power supply that is below normal voltage.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical security
(page 299).
20. Which of the following questions is less likely to help in assessing physical and environmental protection?
A. Are sensitive data files encrypted on all portable systems?
B. Are deposits and withdrawals of tapes and other storage media from the library authorized and logged?
C. Are computer monitors located to eliminate viewing by unauthorized persons?
D. Are procedures in place to determine compliance with password policies?
D. Physical security and environmental security are part of operational controls, and are measures taken to protect
systems, buildings, and related supporting infrastructures against threats associated with their physical environment. All
the questions above are useful in assessing physical and environmental protection except for procedures regarding
password policies, which are operational controls related to data integrity.
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (Pages A-21 to A-24).
21. If risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause
loss or damage to the assets" then risk has all of the following elements EXCEPT?
A. An impact on assets based on threats and vulnerabilities
B. Controls addressing the threats
C. Threats to and vulnerabilities of processes and/or assets
D. Probabilities of the threats
B. Threats, impact and probabilities are all elements of risk. Controls are developed to address the risk and hence are not,
of themselves, an element of risk.
Source: Information Systems Audit and Control Association Certified Information Systems Auditor 2002 review manual,
Chapter 1: The IS Audit Process (page 26).
22. What are the three fundamental principles of security?
A. Accountability, confidentiality and integrity
B. Confidentiality, integrity and availability
C. Integrity, availability and accountability
D. Availability, accountability and confidentiality
B. There are several objectives of a security program, but the main three principles in all programs are confidentiality,
integrity and availability.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 62).
23. What can best be defined as high-level statements, beliefs, goals and objectives?
A. Standards
B. Policies
C. Guidelines
D. Procedures
B. Policies are high-level statements, beliefs, goals and objectives and the general means for their attainment for a specific
subject area. Standards are mandatory activities, actions, rules or regulations designed to provide policies with the support
structure and specific direction they require to be effective. Guidelines are more general statements of how to achieve the
policies' objectives by providing a framework within which to implement procedures. Procedures spell out the specific steps
of how the policy, supporting standards and guidelines will be implemented.
Source: HARE, Chris, Security Management Practices CISSP Open Study Guide, version 1.0, April 1999
24. What is the difference between Advisory and Regulatory security policies?
A. There is no difference between them
B. Regulatory policies are high-level policies, while advisory policies are very detailed
C. Advisory policies provide recommendations
D. Advisory policies are mandated while regulatory policies are not
C. Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
John Wiley & Sons, 2001, Chapter 1: Security Management Practices.
25. What is the main responsibility of the information owner?
A. Making the determination to decide what level of classification the information requires
B. Running regular backups
C. Auditing users when they access the information
D. Periodically checking the validity and accuracy of all data in the information system
A. Making the determination to decide what level of classification the information requires is the main responsibility of the
information owner. Running regular backups is the responsibility of the custodian.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices.
26. Which must bear the primary responsibility for determining the level of protection needed for information systems
resources?
A. IS security specialists
B. Senior Management
C. Senior security analysts
D. systems auditors
B. Executive or senior-level management is assigned the overall responsibility for the security of information. Senior
management may delegate the function of security, but they are viewed as the end of the food chain where liability is
concerned.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 14).
27. Which of the following represents an ALE calculation?
A. Gross loss expectancy X loss frequency.
B. Asset value X loss expectancy.
C. Total cost of loss + actual replacement value.
D. Single loss expectancy X annualized rate of occurrence.
D. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
28. The preliminary steps to security planning include all of the following EXCEPT which of the following?
A. Establish objectives.
B. List planning assumptions.
C. Establish a security audit function.
D. Determine alternate courses of action
C. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
29. According to private sector data classification levels, how would salary levels and medical information be classified?
A. Public
B. Sensitive
C. Private
D. Confidential
C. Private is used for information that is considered of a personal nature and is intended for company use only. Its
disclosure could adversely affect the company or its employees. Salary levels and medical records would be classified as
private.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 7).
30. Which of the following would be defined as an absence or weakness of a safeguard that could be exploited?
A. A threat
B. A vulnerability
C. A risk
D. An exposure
B. A vulnerability characterizes the absence or weakness of a safeguard that could be exploited. A threat is any potential
danger. A risk is the probability that a threat will exploit a vulnerability and an exposure is an instance of being exposed to
losses from a threat agent.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 66).
31. Which of the following embodies all the detailed actions that personnel are required to follow?
A. Standards
B. Guidelines
C. Procedures
D. Baselines
C. Procedures embody the detailed steps that are followed to perform a specific task. Standards specify how a technology
should be used in a uniform way. Guidelines refer to methodologies, but they are recommended, not mandatory. Baselines
provide the minimum level of security necessary throughout the organization.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 13).
32. Which of the following is not a part of a risk analysis?
A. Identify risks
B. Quantify the impact of potential threats
C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure
D. Choose the best countermeasure
D. A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic
balance between the impact of the risk and the cost of the associated countermeasure. Choosing the best countermeasure
is not part of the risk analysis.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 73).
33. Computer security should be first and foremost which of the following:
A. Cover all identified risks.
B. Be cost-effective.
C. Be examined in both monetary and non-monetary terms.
D. Be proportionate to the value of IT systems.
B. Computer security should be first and foremost cost-effective. The costs and benefits of security should be carefully
examined in both monetary and non-monetary terms to ensure that the cost of controls does not exceed expected
benefits. Security should be appropriate and proportionate to the value of and degree of reliance on the IT systems and to
the severity, probability, and extent of potential harm. Requirements for security vary, depending upon the particular IT
system. Therefore it does not make sense for computer security to cover all identified risks when the cost of the measures
exceeds the value of the systems they are protecting.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special
Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September
1996 (page 6).
34. Which of the following is the weakest link in a security system?
A. People
B. Software
C. Communications
D. Hardware
A. Choices B, C, and D can be strengthened and counted on (for the most part) to remain consistent if properly protected.
People are fallible. Most security intrusions are caused by employees. People get tired, careless, and greedy. They are not
reliable. Security professionals must install adequate prevention and detection controls and properly train all systems users
(if possible).
35. Which one of the following individuals has PRIMARY responsibility for determining the classification level of
information?
A. Security manager
B. User
C. Owner
D. Auditor
C. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
36. Why do many organizations require every employee to take a mandatory vacation of a week or more?
A. To reduce the opportunity for an employee to commit an improper or illegal act
B. To lead to greater productivity through a better quality of life for the employee
C. To provide proper cross training for another employee.
D. To allow more employees to have a better understanding of the overall system
A. Mandatory vacations in which someone other than the regular employee performs the job function reduces the
opportunity to commit improper or illegal acts, and it allows discovering any fraudulent activity that could have been taking
place. Other choices could be organizational benefits from a mandatory vacation policy, but not the reason why it is
established.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 65).
37. Which of the following department managers would be best suited to oversee the development of an information
security policy?
A. Information systems
B. Human resources
C. Business operations
D. Security administration
C. Since it relates to people and information technology, human resources, security and IS managers would provide input to
the policy, as well as information, but given the responsibility business users have for their data, the development should
be overseen by a business area manager.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 63).
38. Making sure that the data has not been changed unintentionally, due to an accident or malice, is:
A. Integrity
B. Confidentiality
C. Availability
D. Auditability
A. Integrity is defined as making sure that the data has not been changed unintentionally, due to an accident or malice.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 59.
39. Who is responsible for providing reports to the senior management on the effectiveness of the security controls?
A. Information systems security professionals
B. Data owners
C. Data custodians
D. Information systems auditors
D. Information systems auditors are responsible for providing reports to the senior management on the effectiveness of
the security controls by conducting regular, independent audits. They also examine whether the security policies comply
with stated security objectives.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 14).
40. Who is responsible for initiating corrective actions when there are security violations?
A. Information systems auditor
B. Security administrator
C. Management
D. Data owners
C. Management is responsible for protecting all assets that are directly or indirectly under their control. They must ensure
that employees understand their obligations to protect the company's assets, and implement security in accordance with
the company policy. Finally, management is responsible for initiating corrective actions when there are security violations.
Source: HARE, Chris, Security Management Practices CISSP Open Study Guide, version 1.0, April 1999.
41. Which of the following security controls might force an operator into collusion with personnel assigned organizationally
within a different function in order to gain access to unauthorized data?
A. Limiting the local access of operations personnel
B. Job rotation of operations personnel
C. Management monitoring of audit logs
D. Enforcing regular password changes
A. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
42. Which of the following are functions that are compatible in a properly segregated environment?
A. Security administration and quality assurance
B. Security administration and data entry
C. Security administration and application programming
D. Application programming and data entry
A. The objective of separation of duties is to ensure that no one person has complete control over a transaction, which would
allow unauthorized operations to go through undetected. Quality assurance can be an additional responsibility of the security
administrator. Security administration is incompatible with data entry and application programming since the security
administrator would be in a position to openly introduce fraudulent or malicious data or code, thus causing damage to the
organization. Application programming and data entry are incompatible functions because a programmer could fraudulently
introduce data and have the application process it without it being noticed.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 73).
43. Which of the following refers to the data left on the media after the media has been erased?
A. remanence
B. recovery
C. sticky bits
D. semi-hidden
A. Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 226.
44. When it comes to magnetic media sanitization, what difference can be made between clearing and purging information?
A. Clearing completely erases the media whereas purging only removes file headers, allowing the recovery of files
B. Clearing renders information unrecoverable by a keyboard attack and purging renders information unrecoverable against
laboratory attack
C. They both involve rewriting the media
D. Clearing renders information unrecoverable against a laboratory attack and purging renders information unrecoverable
to a keyboard attack
B. The removal of information from a storage medium is called sanitization. Different kinds of sanitization provide different
levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by a keyboard
attack) and purging (rendering it unrecoverable against laboratory attack). There are three general methods of purging
media: overwriting, degaussing, and destruction.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special
Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September
1996 (page 26).
45. Ensuring that printed reports reach proper users and that receipts are signed before releasing sensitive documents are
examples of:
A. Deterrent controls
B. Output controls
C. Information flow controls
D. Asset controls
B. Output controls are used for two things: for verifying the integrity and protecting the confidentiality of an output. These
are examples of proper output controls.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 218).
46. Which of the following is not a component of an Operations Security "triple"?
A. Asset
B. Threat
C. Vulnerability
D. Risk
D. The Operations Security domain is concerned with triples - threats, vulnerabilities and assets.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 216.
47. Which of the following should be performed by an operator?
A. Changing profiles
B. Approving changes
C. Adding and removal of users
D. Installing system software
D. Of the listed tasks, installing system software is the only task that should normally be performed by an operator in a
properly segregated environment.
Source: MOSHER, Richard & ROTHKE, Ben, CISSP CBK Review presentation on domain 7
48. Which of the following exposures associated with the spooling of sensitive reports for offline printing could be
considered the MOST serious?
A. Sensitive data may be read by operators
B. Data can be altered without authorization
C. Output would be lost in case of system failure
D. Other unauthorized copies of reports could be printed
D. Spooling for offline printing may enable additional copies to be printed unless controlled.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 3: Technical Infrastructure and Operational Practices (page 139).
49. Which of the following is not a proper component of Media Viability Controls?
A. Storage
B. Writing
C. Handling
D. Marking
B. Media Viability Controls include marking, handling and storage.
Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 231.
50. Which of the following questions is less likely to help in assessing identification and authentication controls?
A. Is a current list maintained and approved of authorized users and their access?
B. Are passwords changed at least every ninety days or earlier if needed?
C. Are inactive user identifications disabled after a specified period of time?
D. Is there a process for reporting incidents?
D. Identification and authentication is a technical measure that prevents unauthorized people (or unauthorized processes)
from entering an IT system. Access control usually requires that the system be able to identify and differentiate among
users. Reporting incidents is more related to incident response capability (operational control) than to identification and
authentication (technical control).
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (Pages A-30 to A-32).
51. Operations Security seeks to primarily protect against which of the following?
A. object reuse
B. facility disaster
C. compromising emanations
D. asset threats
D. A threat is any circumstance or event with the potential to cause harm. The most important reason for identifying your
threats is to know what the assets need protection from and what the likelihood is that a threat will occur. Threats
cannot be eliminated, but they can be anticipated, and safeguards put in place to minimize their impact.
Operations Security provides audit and monitoring for mechanisms, tools and facilities which permit the identification of
security events and documentation of subsequent corrective actions.
Source: State of Nebraska - Information Security Systems (ISS) Security Officer Instruction Guide.
And Jim and Sandy Lockwood, Notes on IT and Telecommunications - Computer Operations Security.
52. Fault tolerance countermeasures are designed to combat threats to which of the following?
A. an uninterruptible power supply
B. backup and retention capability
C. design reliability
D. data integrity
C. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation
53. Which of the following questions is less likely to help in assessing controls over audit trails?
A. Does the audit trail provide a trace of user actions?
B. Are incidents monitored and tracked until resolved?
C. Is access to online logs strictly controlled?
D. Is there separation of duties between security personnel who administer the access control function and those who
administer the audit trail?
B. Audit trails maintain a record of system activity by system or application processes and by user activity. In conjunction
with appropriate tools and procedures, audit trails can provide individual accountability, a means to reconstruct events,
detect intrusions, and identify problems. Audit trail controls are considered technical controls. Monitoring and tracking of
incidents is more an operational control related to incident response capability.
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (Pages A-50 to A-51).
54. Which of the following is not a valid reason to use external penetration service firms rather than corporate resources?
A. They are more cost-effective
B. They offer a lack of corporate bias
C. They use highly talented ex-hackers
D. They ensure more complete reporting
C. Two points are important to consider when it comes to ethical hacking: integrity and independence. By not using an
ethical hacking firm that hires or subcontracts to ex-hackers or others who have criminal records, an entire subset of risks
can be avoided by an organization. Also, it is not cost-effective for a single firm to fund the effort of the ongoing research
and development, systems development, and maintenance that is needed to operate state-of-the-art proprietary and open
source testing tools and techniques. External penetration firms are more effective than internal penetration testers
because they are not influenced by any previous system security decisions, knowledge of the current system environment,
or future system security plans. Moreover, an employee performing penetration testing might be reluctant to fully report
security gaps.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Appendix F: The Case for Ethical Hacking (page 517).
55. When two operators review and approve the work of each other, this is known as?
A. Dual Control
B. Two-man Control
C. Two-fold Control
D. Twin Control
B. In the concept of Two-man Control, two operators review and approve the work of each other. The concept of Dual
Control means that both operators are needed to complete a sensitive task.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 221.
56. Which of the following ensures that a TCB is designed, developed, and maintained with formally controlled standards
that enforces protection at each stage in the system's life cycle?
A. life cycle assurance
B. operational assurance
C. covert timing assurance
D. covert storage assurance
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 219.
Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002 (pages 252, 812).
57. A periodic review of user account management should not determine:
A. Conformity with the concept of least privilege
B. Whether active accounts are still being used
C. Strength of user-chosen passwords
D. Whether management authorizations are up-to-date
C. User account management ensures that all active accounts are still being used, and that they only allow access to
needed resources in order to perform tasks corresponding to up-to-date management authorizations. The strength of user
passwords is beyond the scope of a simple user account management review, since it requires specific tools to try and
crack the password file/database through either a dictionary or brute-force attack in order to check the strength of
passwords.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special
Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September
1996 (page 28).
58. Which of the following is not concerned with configuration management?
A. Hardware
B. Software
C. Documentation
D. They all are concerned with configuration management
D. According to the CISSP seminar definition, Configuration Management is defined as "Controlling modifications to
Hardware, Firmware, Software and Documentation." It aims at protecting against improper modification.
Source: Clément Dupuis' CISSP Study Notes on Operations Security, based on ISC2 CBK document.
59. Which one of the following functions provides the least effective organizational reporting structure for the Information
Systems Security function?
A. IS quality assurance
B. IS resource management
C. IS operations
D. Corporate security
C. In order to offer more independence and get more attention from management, an IT/IS security function should be
independent from IT/IS and ideally report directly to the CEO. If it were to report to IT/IS, operations is probably the last
function the IS Security function should be reporting to.
60. Which of the following is NOT an element of software control?
A. secure software development
B. software testing
C. safe software storage
D. anti-virus management
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 229.
61. The Physical Security domain addresses three areas that can be utilized to physically protect an enterprise's resources
and sensitive information. Which of the following is not one of these areas?
A. Threats
B. Countermeasures
C. Vulnerabilities
D. Risks
D. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 326
62. What physical characteristic does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The pattern of light receptors at the back of the eye
D. The pattern of blood vessels at the back of the eye
D. The retina, a thin nerve (1/50th of an inch) on the back of the eye, is the part of the eye which senses light and transmits
impulses through the optic nerve to the brain - the equivalent of film in a camera. The blood vessels used for biometric
identification are located along the neural retina, the outermost of the retina's four cell layers.
Reference: Retina Scan Technology.
63. Which of the following risks will most likely affect confidentiality, integrity and availability?
A. Physical damage
B. Unauthorized disclosure of information
C. Loss of control over system
D. Physical theft
D. Physical theft will most likely affect confidentiality, integrity and availability. Physical damage will affect availability,
unauthorized disclosure will certainly affect confidentiality and loss of control will most likely affect integrity.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical security (page 326).
64. At which temperature does damage start occurring to magnetic media?
A. 100 degrees
B. 125 degrees
C. 150 degrees
D. 175 degrees
A. Magnetic media are affected from 100 degrees. Disks are damaged at 150 degrees, computer equipment at 175 degrees.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 10.
65. Which of the following is the most costly countermeasure to reducing physical security risks?
A. procedural controls
B. hardware devices
C. electronic systems
D. personnel
D. One drawback of guards is that the cost of maintaining a guard function either internally or through an external service is
expensive.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical security (page 340).
66. Which of the following is not a physical control for physical security?
A. lighting
B. fences
C. training
D. facility construction materials
C. Some physical controls include fences, lights, locks, and facility construction materials. Some administrative controls
include facility selection and construction, facility management, personnel controls, training, and emergency response and
procedures.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, pages 282-283.
Also: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical Security (pages 339-340).
67. A momentary power outage is a:
A. spike
B. blackout
C. surge
D. fault
D. A momentary power outage is a fault.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, page 299.
68. Which of the following is a class C fire?
A. electrical
B. liquid
C. common combustibles
D. soda acid
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 335.
69. Which of the following fire extinguishing systems is currently the most recommended water system for a computer
room?
A. Wet pipe
B. Dry pipe
C. Deluge
D. Preaction
D. The preaction system combines both the dry and wet pipe systems, by first releasing the water into the pipes when heat
is detected (dry pipe), then releasing the water flow when the link in the nozzle melts (wet pipe). This allows manual
intervention before a full discharge of water on the equipment occurs. This is currently the most recommended water
system for a computer room.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical security (page 336).
70. Critical areas should be lighted:
A. Eight feet high and two feet out
B. Eight feet high and four feet out
C. Ten feet high and four feet out
D. Ten feet high and six feet out
A. Lighting should be used to discourage intruders and provide safety for personnel, entrances, parking areas and critical
sections. Critical areas should be illuminated 8 feet high and 2 feet out.
Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 4)
71. What fencing height is likely to stop a determined intruder?
A. 3' to 4' high
B. 6' to 7' high
C. 8' high and above with strands of barbed wire
D. No fence can stop a determined intruder
D. Although an 8' high fence with strands of barbed wire is likely to deter most intruders, a fence in itself cannot stop a
determined intruder.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical security (page 340).
72. Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection
of cables, and the backing up of files are some of the examples of:
A. Administrative controls
B. Logical controls
C. Technical controls
D. Physical controls
D. Physical controls incorporate guards and building security in general, such as the locking of doors, securing of server
rooms or laptops, the protection of cables, and the backing up of files.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 33
73. Which of the following is a proximity identification device that does not require action by the user and works by
responding with an access code to signals transmitted by a reader?
A. A passive system sensing device
B. A transponder
C. A card swipe
D. A smart card
B. A transponder is a proximity identification device that does not require action by the user. The reader transmits signals
to the device and the device responds with an access code. These transponder devices contain a radio receiver and
transmitter, a storage place for the access code, control logic, and a battery. A passive device only uses the power from the
reader to detect the presence of the card. Card swipes and smart cards are not proximity identification devices.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical Security
(page 323).
74. Under what conditions would the use of a Class C fire extinguisher be preferable to a Class A extinguisher?
A. When the fire involves paper products
B. When the fire is caused by flammable products
C. When the fire involves electrical equipment
D. When the fire is in an enclosed area
C. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
John Wiley & Sons, 2001, Chapter 10: Physical security (page 335).
75. Which of the following questions is less likely to help in assessing physical access controls?
A. Does management regularly review the list of persons with physical access to sensitive facilities?
B. Is the operating system configured to prevent circumvention of the security software and application controls?
C. Are keys or other access devices needed to enter the computer room and media library?
D. Are visitors to sensitive areas signed in and escorted?
B. Physical security and environmental security are part of operational controls, and are measures taken to protect
systems, buildings, and related supporting infrastructures against threats associated with their physical environment. All
the questions above are useful in assessing physical access controls except for the one regarding operating system
configuration, which is a logical access control.
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (Pages A-21 to A-24).
76. The ideal operating humidity range is defined as 40 percent to 60 percent. Low humidity (less than 40 percent) can
produce what type of problem on computer parts?
A. Static electricity
B. Electro-plating
C. Energy-plating
D. Element-plating
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 333.
77. The most prevalent cause of computer center fires is which of the following?
A. AC equipment
B. electrical distribution systems
C. heating systems
D. natural causes
B. electrical distribution systems
78. What category of water sprinkler system is currently the most recommended water system for a computer room?
A. Dry Pipe sprinkler system
B. Wet Pipe sprinkler system
C. Preaction sprinkler system
D. Deluge sprinkler system
C. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 336.
79. Electrical systems are the lifeblood of computer operations. The continued supply of clean, steady power is required to
maintain the proper personnel environment as well as to sustain data operations. Which of the following is not an
element that can threaten power systems?
A. Noise
B. Humidity
C. Brownouts
D. UPS
D. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 332.
80. Which of the following is NOT a system-sensing wireless proximity card?
A. magnetically striped card
B. passive device
C. field-powered device
D. transponder
A. Magnetically striped cards are digitally encoded cards.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page
342.
81. What can be best defined as the examination of threat sources against system vulnerabilities to determine the threats
for a particular system in a particular operational environment?
A. Risk management
B. Risk analysis
C. Threat analysis
D. Due diligence
C. Threat analysis is the examination of threat sources against system vulnerabilities to determine the threats for a
particular system in a particular operational environment. Risk analysis is the process of identifying the risks to system
security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate
this impact. Risk analysis is synonymous with risk assessment and part of risk management, which is the ongoing process of
assessing the risk to mission/business as part of a risk-based approach used to determine adequate security for a system by
analyzing the threats and vulnerabilities and selecting appropriate, cost-effective controls to achieve and maintain an
acceptable level of risk.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27,
Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2001 (page B-3).
82. What is called the probability that a threat to an information system will materialize?
A. Threat
B. Risk
C. Vulnerability
D. Hole
B. Risk: The potential for harm or loss to an information system or network; the probability that a threat will materialize.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Pages 16, 32.
83. Three key things that must be considered for the planning and implementation of access control mechanisms do not
include:
A. threats to the system
B. the system's vulnerability to threats to the system
C. the system's vulnerability to viruses
D. the risk that the threat may materialize
C. Three things that must be considered for the planning and implementation of access control mechanisms are the threats
to the system, the system's vulnerability to these threats, and the risk that the threat may materialize
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 32.
84. Which of the following is a physical control?
A. Monitoring of system activity
B. Environmental controls
C. Identification and authentication methods
D. Logical access control mechanisms
B. Environmental controls are considered physical controls. Monitoring of system activity is an administrative control.
Identification and authentication methods and Logical access control mechanisms are technical controls.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 60).
See also: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
John Wiley & Sons, 2001, Chapter 10: Physical Security (page 331).
85. Which of the following statements pertaining to quantitative risk analysis is false?
A. It can be automated
B. It involves complex calculations
C. It requires a high volume of information
D. It involves a lot of guesswork
D. A quantitative risk analysis involves little guesswork, as opposed to a qualitative risk analysis.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 22).
86. Which of the following questions should any user not be able to answer regarding their organization's information
security policy?
A. Who is involved in establishing the security policy?
B. Where is the organization's security policy defined?
C. What are the actions that need to be performed in case of a disaster?
D. Who is responsible for monitoring compliance to the organization's security policy?
C. Actions to be performed in case of a disaster are not normally part of an information security policy but of a Disaster
Recovery Plan (DRP). Only personnel implicated in the plan should have a copy of the Disaster Recovery Plan whereas
everyone should be aware of the contents of the organization's information security policy.
Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Appendix B,
Practice-Level Policy Considerations (page 398).
87. Which data classification should apply to commercial trade secrets?
A. Sensitive
B. Confidential
C. Private
D. Secret
B. The disclosure of trade secrets could seriously affect a company; therefore the information would be classified as
confidential, for use within the company only. Sensitive refers to information that requires higher than normal assurance of
accuracy and completeness. Private is for personal information and secret is used in military organizations.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 101).
88. Which of the following describes the elements that create reliability and stability in networks and systems and assures
that connectivity is accessible when needed?
A. Availability
B. Acceptability
C. confidentiality
D. Integrity
A. This concept refers to the elements that create reliability and stability in networks and systems, which assures that
connectivity is accessible when needed, allowing authorized users to access the network or systems.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 60.
89. All except which of the following are not used to ensure integrity?
A. firewall services
B. communications security management
C. intrusion detection services
D. compliance monitoring services
D. Some of the elements used to ensure integrity are
* Firewall services
* Communications Security Management
* Intrusion detection services
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 60.
90. Which of the following should be given technical security training?
A. Operators
B. Security practitioners and information systems auditors
C. IT support personnel and system administrators
D. Senior managers, functional managers and business unit managers
C. There should be technical security training for IT support personnel and system administrators, security-related job
training for operators, awareness training for specific departments or personnel groups with security sensitive positions,
security training for senior managers, functional managers and business unit managers, and advanced InfoSec training for
security practitioners and information system auditors.
Source: WALLHOFF, John, CBK#3 Security management practices (CISSP Study Guide), April 2002 (page 4).
91. Who should measure the effectiveness of security related controls in an organization?
A. the local security specialist
B. the business manager
C. the systems auditor
D. the central security manager
C. Information systems auditors are responsible for providing reports to the senior management on the effectiveness of the
security controls.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 14).
92. Why would an information security policy require that communications test equipment be controlled?
A. The equipment is susceptible to damage
B. The equipment can be used to browse information passing on a network
C. The equipment must always be available for replacement if necessary
D. The equipment can be used to reconfigure the network multiplexers
B. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation
93. Which of the following best allows risk management results to be used knowledgeably?
A. A vulnerability analysis
B. A likelihood assessment
C. An uncertainty analysis
D. A threat identification
C. Risk management consists of two primary and one underlying activity; risk assessment and risk mitigation are the
primary activities and uncertainty analysis is the underlying one. After having performed risk assessment and mitigation, an
uncertainty analysis should be performed. Risk management must often rely on speculation, best guesses, incomplete data,
and many unproven assumptions. A documented uncertainty analysis allows the risk management results to be used
knowledgeably. A vulnerability analysis, likelihood assessment and threat identification are all parts of the collection and
analysis of data part of the risk assessment, one of the primary activities of risk management.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special
Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September
1996 (pages 19-21).
94. Who designed the InfoSec Assessment Methodology (IAM)?
A. The Internet Activities Board (IAB)
B. The NSA's Information Systems Security Organization (ISSO)
C. The International Standardization Organization (ISO)
D. The National Institute of Standards and Technology (NIST)
B. As a result of Presidential Decision Directive #63, forming the National Infrastructure Protection Center (NIPC), the
National Security Agency's Information Systems Security Organization (ISSO) instituted a program intended to improve the
overall level of security protection of America's computing infrastructure. To help achieve this goal, the ISSO designed the
InfoSec Assessment Methodology (IAM). The IAM process is a high-level (level I) security assessment. It is a non-intrusive,
standardized baseline analysis of the InfoSec posture of an automated process. The heart of the IAM is the creation of the
Organizational Criticality Matrix. In this chart, all relevant automated systems are assigned impact attributes (high, medium
or low) based on their estimated effect on the CIA triad to the Organization.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Appendix E: The NSA InfoSec Assessment methodology (page 507).
95. Which of the following is not a responsibility of a database administrator?
A. Maintaining databases
B. Implementing access rules to databases
C. Reorganizing databases
D. Providing access authorization to databases
D. The data owner, not the database administrator, is responsible for accurate use of the information and should normally
provide authorization for users to gain access to computerized information. The database administrator (DBA) handles
technical matters, not access authorization to data.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 71).
96. Which of the following should NOT be a role of the Security Administrator?
A. Authorizing access rights
B. Implementing security rules
C. Ensuring that local policies have been authorized by management
D. Allocating access rights
A. For proper segregation of duties, the security administrator should not be responsible for authorizing access rights. This
is usually the responsibility of user management/data owner.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 77).
97. IT security measures should:
A. Be complex
B. Be tailored to meet organizational security goals.
C. Make sure that every asset of the organization is well protected.
D. Not be developed in a layered fashion.
B. In general, IT security measures are tailored according to an organization's unique needs. While numerous factors, such
as the overriding mission requirements, and guidance, are to be considered, the fundamental issue is the protection of the
mission or business from IT security-related, negative impacts. Because IT security needs are not uniform, system designers
and security practitioners should consider the level of trust when connecting to other external networks and internal
subdomains. Recognizing the uniqueness of each system allows a layered security strategy to be used - implementing lower
assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical
areas.
The more complex the mechanism, the more likely it may possess exploitable flaws. Simple mechanisms tend to have fewer
exploitable flaws and require less maintenance. Further, because configuration management issues are simplified, updating
or replacing a simple mechanism becomes a less intensive process.
Security designs should consider a layered approach to address or protect against a specific threat or to reduce a
vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion
detection system combine to increase the work-factor an attacker must expend to successfully attack the system. Adding
good password controls and adequate user training improves the system's security posture even more.
The need for layered protections is especially important when commercial-off-the-shelf (COTS) products are used. Practical
experience has shown that the current state-of-the-art for security quality in COTS products does not provide a high degree
of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in series,
requiring additional work by attackers to accomplish their goals.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology (NIST), NIST Special Publication 800-27,
Engineering Principles for Information Technology Security (A Baseline for Achieving Security) , June 2001 (pages 9-10).
98. What is the goal of the Maintenance phase in a common development process of a security policy?
A. to review of the document on the specified review date
B. publication within the organization
C. to write proposal to management that states the objectives of the policy
D. to present document to approving body
A. "Publication within the organization" is the goal of the Publication Phase. "Write proposal to management that states the
objectives of the policy" is part of the Initial and Evaluation Phase. "Present document to approving body" is part of the
Approval Phase.
Reference: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 3, 2002,
Auerbach Publications.
Also: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 286).
99. What is the main purpose of a security policy?
A. to transfer the responsibility for the information security to all users of the organization
B. to provide the management direction and support for information security
C. to provide detailed steps for performing specific actions
D. to provide a common framework for all development activities
B. "To provide detailed steps for performing specific actions" is the purpose of a procedure, not of a policy. Source: BS 7799:1999 Part 2:
Specification for information security management systems.
100. Which of the following would violate the Due Care concept?
A. Security policy being outdated
B. Data owners not laying out the foundation of data protection
C. Network administrator not taking mandatory two-week vacation as planned
D. Latest security patches for servers only being installed once a week
B. Due care means the necessary steps to protect the company and its resources from possible risks have been taken. If the
information owner does not lay out the foundation of data protection and ensure that the directives are being enforced, the
due care concept is violated. Due diligence is practiced through activities that make sure the protection mechanisms are
continually maintained and operational. An outdated security policy would be an example of violating due diligence. Many
reasons could force a network administrator to delay a planned vacation; never taking any vacation would probably violate the
company's security policy, which is again a due diligence matter. Security patches being installed only periodically would be a
due diligence violation only if the security policy specified that patches must be installed as soon as they are available.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (pages 60, 99).
101. Configuration Management is a requirement for the following level(s) of the Orange Book?
A. B3 and A1
B. B1, B2 and B3
C. A1
D. B2, B3, and A1
D. Configuration Management is a requirement only for B2, B3, and A1.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 223.
102. According to the Orange Book, which security level is the first to require trusted recovery?
A. A1
B. B2
C. B3
D. B1
C. Trusted recovery ensures that security is not breached when a system crash or other system failure occurs. When the
system crashes, it must be able to restart without compromising its required protection scheme and to recover and
rollback without being compromised after the failure. Trusted recovery is only required for B3 and A1 level systems.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 222).
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD.
December 1985.
103. When backing up an applications system's data, which of the following is a key question to be answered first?
A. When to make backups
B. Where to keep backups
C. What records to backup
D. How to store backups
C. For a proper backup procedure, first consider
- WHAT to backup, then
- HOW to store the backups, then
- WHERE to store the backups, and finally
- WHEN to make backups.
104. Intrusion Detection (ID) and Response is not a:
A. preventive control
B. detective control
C. monitoring control
D. reactive control
A. Intrusion Detection (ID) and Response is the task of monitoring systems for evidence of an intrusion or an inappropriate
usage. It is more a detective than a preventive control.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 62.
105. Which of the following ensures that security is not breached when a system crash or other system failure occurs?
A. trusted recovery
B. hot swappable
C. redundancy
D. secure boot
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 222.
106. Which of the following is not a technique used for monitoring?
A. Penetration testing
B. Intrusion detection
C. Violation processing (using clipping levels)
D. Countermeasures testing
D. Monitoring techniques include Intrusion detection, Penetration testing and Violation processing using clipping levels.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 233.
107. Which of the following is a communication path that is not protected by the system's normal security mechanisms?

A. A trusted path
B. A protection domain
C. A covert channel
D. A maintenance hook
C. A covert channel is an unintended communication path within a system, so it is not protected by the system's normal
security mechanisms; it provides a hidden way to convey information, for example by modulating a shared storage attribute or
the timing of a shared resource. Covert channel analysis is required from TCSEC class B2 upward. A trusted path is the
protected channel that lets a user communicate with the Trusted Computing Base (TCB) without being compromised by other
processes or users. A protection domain consists of the execution and memory space assigned to each process. A maintenance
hook is a hardware or software mechanism installed to permit system maintenance by bypassing the system's security protections.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 219).
108. Which of the following should not be performed by an operator?
A. Mounting disk or tape
B. Backup and recovery
C. Data entry
D. Handling hardware
C. Under the principle of separation of duties, an operator should not be performing data entry. This should be left to data
entry personnel.
Source: MOSHER, Richard & ROTHKE, Ben, CISSP CBK Review presentation on domain 7.
109. According to the Orange Book, trusted facility management is not required for which of the following security levels?
A. B1
B. B2
C. B3
D. A1
A. Trusted facility management is defined as the assignment of a specific individual to administer the security-related
functions of a system. Trusted facility management is an assurance requirement only for highly secure systems (B2, B3 and
A1), but many systems evaluated at lower security levels are structured to try to meet this requirement. Trusted facility
management is closely related to the concept of least privilege, and also related to the administrative concepts of
separation of duties and need-to-know.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 220).
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD.
December 1985
110. Which of the following is not appropriate in addressing object reuse?
A. Degaussing magnetic tapes when they're no longer needed
B. Deleting files on disk before reusing the space
C. Clearing memory blocks before they are allocated to a program or data
D. Clearing buffered pages, documents, or screens from the local memory of a terminal or printer
B. Object reuse requirements, which apply to systems rated TCSEC C2 and above, protect files, memory, and other objects in a
trusted system from being accidentally accessed by users who are not authorized to see their previous contents. Deleting a
file merely removes its entry from the directory structure; the data remains on the disk surface and the file is still
recoverable. All other options actually clear the used space, which prevents unauthorized access to residual data.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (page 119).
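Object reuse for disk space, as an added example that is not part of the original booklet: deleting a file only drops the directory entry, so the code below overwrites the file's blocks and flushes them to stable storage before unlinking, and contrasts that with a plain remove. It assumes a conventional in-place-update filesystem; on SSDs (wear levelling), copy-on-write or journaling filesystems and snapshots the old blocks may survive overwriting, and full-disk encryption with key destruction or the drive's own secure-erase command is the appropriate control (NIST SP 800-88 covers media sanitization in detail). The scratch file contents are constructed.

```python
"""Clearing a file's contents before its disk space is released.

Added example, not from the CISSP booklet. os.remove() alone drops the
directory entry and leaves the data blocks intact (the point made in the
answer above); overwrite_in_place() clears them first. Assumption: an
in-place-update filesystem on conventional media. Overwriting does not
reliably reach every copy on SSDs (wear levelling), copy-on-write or
journaling filesystems, or snapshots.
"""
import os
import tempfile

CHUNK = 64 * 1024


def overwrite_in_place(path, passes=(None, b"\x00")):
    """Overwrite every byte of the file, one pass per entry in `passes`
    (None = random bytes, otherwise the given fill byte), fsyncing each
    pass so the writes reach the device. Returns the number of bytes
    cleared. Opening with r+b keeps the same inode, so the writes land on
    the file's existing blocks. Slack space past EOF in the last block is
    not touched.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for fill in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(os.urandom(n) if fill is None else fill * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def remove_without_clearing(path):
    """The 'deleting files' option from the question: directory entry
    gone, data blocks untouched and recoverable with forensic tools."""
    os.remove(path)


def remove_with_clearing(path):
    """Clear the blocks, then unlink. Returns bytes cleared."""
    cleared = overwrite_in_place(path)
    os.remove(path)
    return cleared


def demo():
    """Write a scratch file with known (constructed) contents, clear it,
    and report what a plain read sees afterwards. Returns a dict."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ledger.txt")
        secret = b"ACCOUNT 4421 BALANCE 90210\n" * 1000   # constructed data
        with open(path, "wb") as f:
            f.write(secret)
        cleared = overwrite_in_place(path)
        with open(path, "rb") as f:
            after = f.read()
        os.remove(path)
        return {
            "cleared_bytes": cleared,
            "size_unchanged": len(after) == len(secret),
            "all_zero": after == b"\x00" * len(after),
            "secret_visible": b"BALANCE" in after,
            "exists_after_remove": os.path.exists(path),
        }


if __name__ == "__main__":
    print(demo())
```

The random pass defeats simple pattern-based recovery and the final zero pass leaves nothing distinguishable; the fsync after each pass matters because without it the overwrite may still be sitting in the page cache when the file is unlinked.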
111. It is a violation of the "separation of duties" principle when which of the following individuals access the security
systems software?

A. security administrator
B. security analyst
C. systems auditor
D. systems programmer
D. Systems programmer. Someone who writes or modifies code should not also be able to access the security systems software
that constrains that code; otherwise they could alter or disable the controls on their own work without detection. Security
administrators, security analysts and systems auditors access that software as part of their roles.
112. Which of the following rules is less likely to support the concept of least privilege?
A. The number of administrative accounts should be kept to a minimum
B. Administrators should use regular accounts when performing routine operations like reading mail
C. Permissions on tools that are likely to be used by hackers should be as restrictive as possible
D. Only data to and from critical systems and applications should be allowed through the firewall
D. Least privilege is a basic tenet of computer security that means users should be given only those rights required to do
their jobs. The last option is a distracter. Critical systems or applications do not necessarily need to have traffic go through a
firewall. Even if they did, only the minimum required services should be allowed. Systems that are not deemed critical may
also need to have traffic go through the firewall.
Source: National Security Agency, Systems and Network Attack Center (SNAC), The 60 Minute Network Security Guide,
February 2002, page 9
113. Which trusted facility management concept implies that two operators must review and approve the work of each
other?
A. Two-man control
B. Dual control
C. Double control
D. Segregation control
A. In the concept of two-man control, two operators review and approve the work of each other. The concept of dual
control means that both operators are needed to complete a sensitive task. Both are concepts related to segregation (or
separation) of duties.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 221).
114. In what way can violation clipping levels assist in violation tracking and analysis?
A. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be recorded for analysis
of why the violations occurred
B. Clipping levels enable a security administrator to customize the audit trail to record only those violations which are
deemed to be security relevant
C. Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access
to user codes with a privileged status
D. Clipping levels enable a security administrator to view all reductions in security levels which have been made to user
codes which have incurred violations
A. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
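Clipping levels as described in the answer above, as an added example that is not part of the original booklet: the detection logic below runs over constructed sshd-style log lines (not real data) and records a violation only when a user's failed logins within a sliding window exceed an assumed threshold of three in ten minutes; failures at or below that baseline are treated as normal user error and produce no record.

```python
"""Clipping-level violation tracking over failed-login records.

Added example, not from the CISSP booklet. The log lines are constructed in
sshd/syslog style, and the policy values (3 failures per user within a
600-second window) are assumptions, not figures from the source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input, in chronological order (not real data).
SAMPLE_LOG = """\
Mar 10 08:00:01 gw sshd[2201]: Failed password for alice from 10.0.0.5 port 50010 ssh2
Mar 10 08:00:09 gw sshd[2201]: Accepted password for alice from 10.0.0.5 port 50010 ssh2
Mar 10 08:01:00 gw sshd[2210]: Failed password for bob from 10.0.0.7 port 50020 ssh2
Mar 10 08:01:04 gw sshd[2210]: Failed password for bob from 10.0.0.7 port 50020 ssh2
Mar 10 08:01:09 gw sshd[2210]: Failed password for bob from 10.0.0.7 port 50020 ssh2
Mar 10 08:01:15 gw sshd[2210]: Failed password for bob from 10.0.0.7 port 50020 ssh2
Mar 10 08:01:20 gw sshd[2210]: Failed password for bob from 10.0.0.7 port 50020 ssh2
Mar 10 08:30:00 gw sshd[2300]: Failed password for carol from 10.0.0.9 port 50030 ssh2
Mar 10 08:45:00 gw sshd[2301]: Failed password for carol from 10.0.0.9 port 50031 ssh2
Mar 10 09:00:00 gw sshd[2302]: Failed password for carol from 10.0.0.9 port 50032 ssh2
Mar 10 09:15:00 gw sshd[2303]: Failed password for carol from 10.0.0.9 port 50033 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source) for each failed-login line.

    Successful logins and unrelated lines are skipped: they are not
    violations. Syslog omits the year, so one is supplied (assumed).
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def find_violations(text, clipping_level=3, window_seconds=600):
    """Return {user: peak_count} for users whose failures within any
    sliding window exceeded the clipping level.

    Counts at or below the level are the expected baseline of user error
    and produce no record; only the excess is surfaced for analysis.
    Input is assumed to be in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> failure timestamps inside the window
    violations = {}
    for ts, user, _src in parse_failures(text):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that have aged out
            q.popleft()
        if len(q) > clipping_level:
            violations[user] = max(violations.get(user, 0), len(q))
    return violations


if __name__ == "__main__":
    for user, peak in find_violations(SAMPLE_LOG).items():
        print(f"clipping level exceeded: {user} ({peak} failures in window)")
```

On the sample, bob's burst of five failures is recorded while alice's single mistake and carol's four failures spread over 45 minutes are not; widening the window to two hours makes carol's slow-and-low pattern visible, which is the trade-off the administrator tunes when setting the threshold and window.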
115. Which of the following are functions that are compatible in a properly segregated environment?
A. Computer operations and system development
B. System development and change management
C. Change/problem and quality assurance
D. Security administration and change management
C. Change/problem management and quality assurance are two compatible functions that would not compromise control or
violate segregation of duties. Security administration and change management are incompatible because the level of security
administration access rights could allow changes to go undetected. Computer operations and system development are
incompatible since an operator could run a program that they had amended themselves. System development and change
management are incompatible because combining them would allow program modifications to bypass change control approvals.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 73).
116. An electrical device (AC or DC) which can generate coercive magnetic force for the purpose of reducing magnetic flux
density to zero on storage media or other magnetic media is called:
A. a magnetic field
B. a degausser
C. magnetic remanence
D. magnetic saturation
B. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
117. Which of the following is NOT a countermeasure to traffic analysis?
A. Padding messages
B. Eavesdropping
C. Sending noise
D. Covert channel analysis
B. Eavesdropping is the attack that traffic analysis builds on, not a countermeasure; padding messages, sending noise and
covert channel analysis are the listed countermeasures. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, page 238.
118. Which of the following is used to interrupt opportunity to create collusion to subvert operation for fraudulent purposes?
A. Separation of duties
B. Rotation of duties
C. Principle of need-to-know
D. Principle of least privilege
B. According to the CISSP Seminar, the rotation of duties is used to interrupt opportunity to create collusion to subvert
operation for fraudulent purposes.
Rotation of duties is a method of reducing the risk associated with a subject performing a (sensitive) task by limiting the
amount of time the subject is assigned to perform the task before being moved to a different task. Separation of duties is a
basic control that prevents or detects errors and irregularities by assigning responsibility for different parts of critical tasks
to separate individuals, thus limiting the effect a single person can have on a system. The need-to-know principle specifies
that a person must not only be cleared to access classified or other sensitive information, but have requirement for such
information to carry out assigned job duties. The principle of least privilege requires that each subject in a system be
granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks.
Source: Clément Dupuis' CISSP Study Notes on Operations Security, based on ISC2 CBK document.
119. Which of the following is not an example of an operational control?
A. backup and recovery
B. audit trails
C. contingency planning
D. operations procedures
B. Operational controls are controls over the hardware, the media used and the operators using these resources.
Operational controls are controls that are implemented and executed by people, they are most often procedures. Backup
and recovery, contingency planning and operations procedures are operational controls.
120. Which of the following questions is less likely to help in assessing controls over hardware and software maintenance?
A. Is access to all program libraries restricted and controlled?
B. Are integrity verification programs used by applications to look for evidences of data tampering, errors, and omissions?
C. Is there version control?
D. Are system components tested, documented, and approved prior to promotion to production?
B. Hardware and software maintenance access controls are used to monitor the installation of, and updates to, hardware
and software to ensure that the system functions as expected and that a historical record of changes is maintained.
Integrity verification programs are more integrity controls than software maintenance controls.
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (Pages A-30 to A-32).
121. Which of the following is not an EPA-approved replacement for Halon?
A. Water
B. Argon
C. NAF-S-III
D. Bromine
D. The following are EPA-approved replacements for Halon: FM-200, NAF-S-III, CEA-410, FE-13, Water, Inergen, Argon and
Argonite.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical Security
(page 313).
122. Guards are appropriate whenever the function required by the security program involves which of the following?
A. The use of discriminating judgment
B. The use of physical force
C. The operation of access control devices
D. The need to detect unauthorized access
A. "A guard can make the determinations that hardware or other automated security devices cannot make due to its ability
to adjust to rapidly changing conditions, to learn and alter recognizable patterns, and to respond to various conditions in
the environment. Guards are better at making value decisions at times of incidents. They are appropriate whenever
immediate, discriminating judgment is required by the security entity."
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical security (page 339).
123. Examples of types of physical access controls include all except which of the following?
A. badges
B. locks
C. guards
D. passwords
D. Passwords are considered a Preventive/Technical (logical) control. All the rest are physical controls.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 2: Access control systems (page 35).
124. The ideal operating humidity range is defined as 40 percent to 60 percent. High humidity (greater than 60 percent) can
produce what type of problem on computer parts?
A. Static electricity
B. Electro-plating
C. Energy-plating
D. Element-plating
B. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 333.

125. Which type of fire extinguisher is most appropriate for an information processing facility?
A. Type B
B. Type A
C. Type D
D. Type C
D. Type C fire extinguishers deal with electrical fires. They are most likely to be found around an information processing
facility. Type A is for common combustibles and type B is for liquids (petroleum products and coolants). Type D is used
specifically for fighting flammable metal fires (eg: magnesium). Additionally, a type K fire extinguisher also exists.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical security
(page 312)
126. Which is the last line of defense in a physical security sense?
A. people
B. interior barriers
C. exterior barriers
D. perimeter barriers
A. People are the last line of defense.
127. Which of the following is NOT a precaution you can take to reduce static electricity?
A. power line conditioning
B. anti-static sprays
C. maintain proper humidity levels
D. anti-static flooring
A. Power line conditioning is a protective measure against noise. It helps to ensure the transmission of clean power.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page
334.
128. Which of the following is electromagnetic interference (EMI) that is noise from the radiation generated by the difference
between the hot and ground wires?
A. common-mode noise
B. traverse-mode noise
C. transversal-mode noise
D. crossover-mode noise
A. Common-mode noise is electrical noise between the hot and ground wire and between the neutral and ground wire.
Common mode noise will disrupt the memory logic of the processor. Noise between neutral and ground creates problems
since the theoretical zero voltage between neutral and ground is utilized by microprocessors and digital logic control
systems as zero voltage reference. A voltage on the ground wire will disrupt the stored memory variables of today's fast
microprocessors. Common mode noise can be incorrectly interpreted as data. This noise can cause what appears to be
"software glitches", erratic performance of the equipment and partial or complete memory loss. Poor grounding also
contributes significantly to common mode noise and this dynamic situation can change with building age, material
corrosion, soil conditions and construction.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page
332.
129. The environment that must be protected includes all personnel, equipment, data, communication devices, power supply
and wiring. The necessary level of protection depends on the value of the data, the computer systems, and the company
assets within the facility. The value of these items can be determined by what type of analysis?
A. Critical-channel analysis
B. Covert channel analysis
C. Critical-path analysis
D. Critical-conduit analysis
C. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 281.
130. What is a common problem when using vibration detection devices for perimeter control?
A. They are vulnerable to non-adversarial disturbances
B. They can be defeated by electronic means
C. Signal amplitude is affected by weather conditions
D. They must be buried below the frost line
A. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
131. Which of the following is true about a "dry pipe" sprinkler system?
A. It is a substitute for carbon dioxide systems
B. It maximizes chances of accidental discharge of water
C. It minimizes chances of accidental discharge of water
D. It uses less water than "wet pipe" systems
C. A wet pipe system has automatic sprinklers attached to a piping network that is under water pressure at all times; the
sprinklers are actuated by the heat of a fire. A wet pipe system is generally used where there is no danger of the water in
the pipes freezing and no special conditions that call for a special-purpose sprinkler system.
A dry pipe system is one in which the pipes are filled with pressurized air or nitrogen rather than water. The air pressure
uses a mechanical advantage to hold back a device known as the dry pipe valve; a small amount of water, called priming
water, sits above the valve. Water enters the pipes only once a sprinkler head opens and the air pressure drops. Dry pipe
systems are used where the water in the pipes would be subject to freezing, and to minimize the chance of accidental
discharge of water.
132. Which of the following measures would be the BEST deterrent to the theft of corporate information from a laptop which
was left in a hotel room?
A. Store all data on disks and lock them in an in-room safe
B. Remove the batteries and power supply from the laptop and store them separately from the computer
C. Install a cable lock on the laptop when it is unattended
D. Encrypt the data on the hard drive
D. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation
133. If the floor is a concrete slab, the concerns are the physical weight it can bear and its fire rating. Known as loading, this
type of floor must be capable of a live load of?
A. 250 pounds per square foot
B. 150 pounds per square foot
C. 350 pounds per square foot
D. 450 pounds per square foot
B. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 329.
134. A prolonged power outage is a:
A. brownout
B. blackout
C. surge
D. fault
B. A prolonged power outage is a blackout. From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne,
2002, page 299.
135. What static charge is able to cause disk drive data loss?
A. 550 volts
B. 1000 volts
C. 1500 volts
D. 2000 volts
C. A static charge of 1500 volts is able to cause disk drive data loss. A charge of 1000 volts is likely to scramble monitor
display and a charge of 2000 volts can cause a system shutdown. It should be noted that charges of up to 20,000 volts or
more are possible under conditions of very low humidity with non-static-free carpeting.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical Security (page 333).
136. Which of the following is NOT a type of motion detector?
A. photoelectric sensor
B. wave pattern
C. capacitance
D. audio detector
A. Photoelectric sensors, along with dry contact switches, are a type of perimeter intrusion detector.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page
344.
And: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., page 311-312.
137. Which of the following suppresses the fuel supply of the fire?
A. soda acid
B. CO2
C. Halon
D. water
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 335.
It must be noted that production of new Halon is now banned in most countries under the Montreal Protocol.
138. What mechanism automatically causes an alarm originating in a data center to be transmitted over the local municipal
fire or police alarm circuits for relaying to both the local police/fire station and the appropriate headquarters?
A. Central station alarm
B. Proprietary alarm
C. A remote station alarm
D. An auxiliary station alarm
D. Auxiliary station alarms automatically cause an alarm originating in a data center to be transmitted over the local
municipal fire or police alarm circuits for relaying to both the local police/fire station and the appropriate headquarters.
Central station alarms are operated by private security organizations. Proprietary alarms are similar to central station
alarms except that monitoring is performed directly on the protected property. A remote station alarm is a direct
connection between the signal-initiating device at the protected property and the signal-receiving device located at a
remote station, such as the firehouse. A remote system differs from an auxiliary system in that it does not use the
municipal fire or police alarm circuits.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 11: Physical Security (page 211).
139. The "vulnerability of a facility" to damage or attack may be assessed by all of the following except:
A. Inspection
B. History of losses
C. Security controls
D. security budget
D. Source: The CISSP Examination Textbook- Volume 2: Practice by S. Rao Vallabhaneni.
140. While referring to physical security, what does positive pressurization mean?
A. The pressure inside your sprinkler system is greater than zero
B. The air goes out of a room when a door is opened and outside air does not go into the room
C. Causes the sprinkler system to go off
D. A series of measures that increase pressure on employees in order to make them more productive
B. Positive pressurization means that when an employee opens a door, the air goes out and outside air does not come in.
From: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, page 305.
141. What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at
$1,000,000 from a threat that has an annualized rate of occurrence (ARO) of 5% and an exposure factor (EF) of 30%?
A. $300,000
B. $150,000
C. $15,000
D. $1,500
C. The annual cost of a countermeasure should not exceed the annual loss it is expected to prevent. The exposure factor is
the percentage of the asset's value lost in a single event, so the single loss expectancy is SLE = asset value x EF =
$1,000,000 x 0.30 = $300,000. The ARO is the estimated frequency of the threat per year, so the annualized loss expectancy is
ALE = SLE x ARO = $300,000 x 0.05 = $15,000. That is the expected yearly financial loss from the threat, and therefore the
maximum that should be spent annually on measures protecting the asset from it.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 17).
142. Which approach to a security program makes sure that the people actually responsible for protecting the company's
assets are driving the program?
A. The Delphi approach
B. The top-down approach
C. The bottom-up approach
D. The technology approach
B. A security program should use a top-down approach, meaning the initiation, support, and direction come from top
management and work their way down to middle management and staff members. A bottom-up approach would be if the
IT department tried to develop a security program without proper support from upper management. Delphi refers to a
technique used in group decision.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 69).
143. In the CIA triad, what does the letter A stand for?
A. Auditability
B. Accountability
C. Availability
D. Authentication
C. The CIA triad stands for Confidentiality, Integrity and Availability.
144. Related to information security, integrity is the opposite of which of the following?

A. abstraction
B. alteration
C. accreditation
D. application
B. Integrity is the opposite of "alteration." Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering
the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59
145. Which of the following is not a component of an Operations Security "triple"?
A. Asset
B. Threat
C. Vulnerability
D. Risk
D. The Operations Security domain is concerned with triples - threats, vulnerabilities and assets. Source: KRUTZ, Ronald L. &
VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page
216.
146. Within the realm of IT security, which of the following combinations best defines risk?
A. Threat coupled with a breach
B. Threat coupled with a vulnerability
C. Vulnerability coupled with an attack
D. Threat coupled with a breach of security
B. Threats are circumstances or actions with the ability to harm a system; they can destroy or modify data or result in a
DoS. Attacks are explicit attempts to violate security. Breaches get around security, whether or not they are discovered.
Vulnerabilities are weaknesses in policies, procedures, personnel management, hardware or software, or facilities that may
result in a harmful intrusion into an IT system. Vulnerabilities do not cause harm by themselves, but they leave the system
open to harm. Risk is the combination of a threat with a vulnerability that the threat can exploit.
147. Related to information security, the guarantee that the message sent is the message received is an example of which of
the following?
A. integrity
B. confidentiality
C. availability
D. identity
A. Integrity is the guarantee that the message sent is the message received, and that the message was not intentionally or
unintentionally altered.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 60.
148. Related to information security, confidentiality is the opposite of which of the following?
A. closure
B. disclosure
C. disposal
D. disaster
B. Confidentiality is the opposite of disclosure.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 59
149. Which of the following is the best reason for the use of an automated risk analysis tool?

A. Much of the data gathered during the review cannot be reused for subsequent analysis.
B. Automated methodologies require minimal training and knowledge of risk analysis.
C. Most software tools have user interfaces that are easy to use
D. Minimal information gathering is required due to the amount of information built into the tool.
D. The Information Security Management Handbook, 4th Ed., p. 269-70 states: Threat Analysis. In manual approaches and
some automated tools, the analyst must determine what threats to consider in a particular risk assessment. Since there is
not, at present, a standard threat population and readily available threat statistics, this task can require a considerable
research effort. The best automated tools currently available include a well-researched threat population and associated
statistics. Using one of these tools virtually assures that no relevant threat is overlooked, and associated risks are accepted
as a consequence.
Another section states: Gathering this information independently, even for the experienced risk analyst, is no trivial task.
Weeks, if not months, of research and calculations will be required, and, without validation, results may be less than
credible.
On page 280 it states: ". . . Management will, of course, be most concerned about those vulnerabilities that could allow the
greatest loss expectancies for one or more threats, or those subject to regulatory or contractual compliance. The analyst, to
do this step manually, must first select appropriate safeguards for each targeted vulnerability; second map or confirm
mapping, safeguard/vulnerability pairs to all related threats; and third, determine, for each threat, the extent of asset risk
mitigation to be achieved by applying the safeguard. In other words, for each affected threat, determine whether the
selected safeguard(s) will reduce threat frequency, reduce threat exposure factors, or both, and to what degree. Done
manually, this step will consume many days or weeks of tedious work effort. Any "What if" assessment will be very time-consuming as well.
When this step is executed with the support of a knowledge-based expert automated tool, however, only a few hours to a couple of days are expended, at most."
150. Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality,
and availability of IT systems and data?
A. Business and functional managers
B. IT Security practitioners
C. System and information owners
D. Chief information officer
C. The system and information owners are responsible for ensuring that proper controls are in place to address integrity,
confidentiality, and availability of the IT systems and data they own. IT security practitioners are responsible for proper
implementation of security requirements in their IT systems.
Source: STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management Guide for Information Technology
Systems, 2001 (page 6).
151. Making sure that the data is accessible when and where it is needed is which of the following?
A. confidentiality
B. integrity
C. acceptability
D. availability
D. Availability is making sure that the data is accessible when and where it is needed.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 59
152. Security of computer-based information systems is which of the following?
A. technical issue
B. operational issue
C. management issue
D. training issue
C. management issue.

153. What will be the Annualized Rate of Occurrence (ARO) of the threat "user input error" if a company employs 100
data entry clerks and each of them makes one input error each month?
A. 100
B. 120
C. 1
D. 1,200
D. If each of the 100 clerks makes 1 error per month, that is 12 errors per clerk per year, or 1,200 errors in total. The annualized rate of
occurrence (ARO) is a value that represents the estimated frequency with which a threat is expected to occur. The range can
be from 0.0 to a large number. An average of 1,200 errors per year means an ARO of 1,200.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Principles (page 17).
154. Which of the following is not a way for programmers to bypass normal security controls while developing their
software?
A. A back door
B. A trap door
C. A maintenance hook
D. A Trojan horse
D. Back doors, trap doors and maintenance hooks are used by programmers to allow bypassing of security controls in order
to maintain an application. These hooks should normally be removed before going into production. Trojan horses are
normally used by hackers, not by legitimate programmers.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 24).
155. Which of the following is an advantage of a qualitative over a quantitative risk analysis?
A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
B. It provides specific quantifiable measurements of the magnitude of the impacts
C. It makes a cost-benefit analysis of recommended controls easier.
D. It can easily be automated.
A. The main advantage of a qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate
improvement in addressing the vulnerabilities. It does not provide specific quantifiable measurements of the magnitude of
the impacts, which makes a cost-benefit analysis of any recommended controls difficult. Since it involves a lot of judgement, it
cannot be easily automated.
Source: STONEBURNER, Gary et al., NIST Special publication 800-30, Risk management Guide for Information Technology
Systems, 2001 (page 23).
156. What is the term for an event or activity that has the potential to cause harm to information systems or networks?
A. Vulnerability
B. Threat agent
C. Weakness
D. Threat
D. Threat: An event or activity that has the potential to cause harm to the information systems or networks.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Pages 16, 32
157. Step-by-step instructions used to satisfy control requirements are called a:
A. policy
B. standard
C. guideline
D. procedure
D. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
158. The concept of integrity also contains which of the following?
A. Identity
B. nonrepudiation of a message source
C. Availability
D. Confidentiality
B. Integrity also contains the concept of nonrepudiation of a message source.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 60.
159. All risks must be:
A. Transferred
B. Eliminated
C. Identified
D. Insured for
C. Most importantly, all risks need to be properly identified. Then risks can either be accepted, reduced to an acceptable
level (with remaining residual risks), or transferred to a third party (through insurance coverage). All identified risks need
not be eliminated because it is rarely possible and not cost effective.
Source: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34,
Contingency Planning Guide for Information Technology Systems, December 2001 (page 7).
160. Which of the following are the steps of a common development process for creating security policies, standards and procedures?
A. design, development, publication, coding, testing
B. design, evaluation, approval, publication, implementation
C. initial and evaluation, development, approval, publication, implementation, maintenance
D. feasibility, development, approval, implementation, integration
C. The phases of the common development process for a security policy are initial and evaluation, development, approval,
publication, implementation and maintenance. The other options list phases of a software development process.
Reference: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 3, 2002,
Auerbach Publications.
161. According to the Orange Book, which security level is the first to require configuration management?
A. B2
B. B3
C. A1
D. B1
A. Configuration management is the process of tracking and approving changes to a system. It is only required for B2, B3
and A1 level systems, but because it is common sense, it is recommended for systems that are evaluated at lower levels.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 223).
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD.
December 1985 (also available here).
162. Which baseline sets thresholds for the specific errors or mistakes that are allowed, and for the number of such occurrences that
can take place before the activity is considered suspicious?
A. Checkpoint level
B. Ceiling level
Confidential

37 / 58

CISSP

C. Clipping level
D. Threshold level
C. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 812.
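A clipping level only makes an error count suspicious once it exceeds the tolerated number within a window; counts at or below the level are treated as ordinary mistakes and generate no alert. The following is an added example (not code from the CISSP booklet) that applies a clipping level to constructed, syslog-style failed-login lines; the log format, the default level of 5 failures per 10 minutes and the user names are assumptions made for the illustration.

```python
"""Clipping-level check over constructed authentication log lines.

A clipping level is the number of errors of one kind tolerated per subject
within a time window.  Only when a subject's count exceeds that level does
the activity become suspicious and get reported; everything at or below the
level is accepted as normal human error, which keeps the review workload small.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data).  alice mistypes twice and then
# succeeds, bob fails six times in 15 seconds, carol fails once an hour.
SAMPLE_LOG = """\
2024-03-01T09:00:05 auth FAILED user=alice src=10.0.0.5
2024-03-01T09:00:09 auth FAILED user=alice src=10.0.0.5
2024-03-01T09:00:14 auth OK     user=alice src=10.0.0.5
2024-03-01T09:01:00 auth FAILED user=bob   src=10.0.0.7
2024-03-01T09:01:03 auth FAILED user=bob   src=10.0.0.7
2024-03-01T09:01:05 auth FAILED user=bob   src=10.0.0.7
2024-03-01T09:01:08 auth FAILED user=bob   src=10.0.0.7
2024-03-01T09:01:11 auth FAILED user=bob   src=10.0.0.7
2024-03-01T09:01:15 auth FAILED user=bob   src=10.0.0.7
2024-03-01T10:30:00 auth FAILED user=carol src=10.0.0.9
2024-03-01T11:30:00 auth FAILED user=carol src=10.0.0.9
2024-03-01T12:30:00 auth FAILED user=carol src=10.0.0.9
2024-03-01T13:30:00 auth FAILED user=carol src=10.0.0.9
2024-03-01T14:30:00 auth FAILED user=carol src=10.0.0.9
2024-03-01T15:30:00 auth FAILED user=carol src=10.0.0.9
"""


def parse_failures(text):
    """Yield (timestamp, user) for every FAILED authentication line.

    Lines with any other outcome (e.g. OK) or too few fields are skipped.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "FAILED":
            continue
        ts = datetime.fromisoformat(fields[0])
        user = next(f.split("=", 1)[1] for f in fields if f.startswith("user="))
        yield ts, user


def exceeded_clipping_level(text, clipping_level=5, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users whose failures in any sliding
    window of length `window` exceed `clipping_level`.

    The count must be strictly greater than the level: reaching the level
    is still tolerated, which is what distinguishes a clipping level from
    a plain "report every failure" rule.
    """
    failures = defaultdict(list)
    for ts, user in parse_failures(text):
        failures[user].append(ts)

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1             # drop failures older than the window
            in_window = end - start + 1
            if in_window > clipping_level:
                flagged[user] = max(flagged.get(user, 0), in_window)
    return flagged


if __name__ == "__main__":
    # Only bob's burst exceeds 5 failures within 10 minutes; carol's six
    # failures are spread over hours and stay under the level.
    for user, count in exceeded_clipping_level(SAMPLE_LOG).items():
        print(f"clipping level exceeded: user={user} failures={count}")
```

Widening the window to a day makes carol's slow, spread-out failures exceed the same level, which is why the window is as much a tuning decision as the count.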
163. The primary reason for enabling software audit trails is which of the following?
A. Improve system efficiency
B. Improve response time for users
C. Establish responsibility and accountability
D. Provide useful information to track down processing errors
C. Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing
transactions through the system. The objective of enabling software to provide audit trails is not to improve system
efficiency, since it often involves additional processing which may reduce response time for users. While it does provide
useful information to track down processing errors, it is not the primary reason.
Source: Information Systems Audit and Control Association Certified Information Systems Auditor 2002 review manual,
Chapter 1: The IS Audit Process.
164. Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?
A. Overwriting the tapes
B. Initializing the tape labels
C. Erasing the tapes
D. Degaussing the tapes
D. The best way to handle obsolete magnetic tapes is to degauss them, because this action prevents the unauthorized or
accidental leak of information and also prevents reuse of the obsolete tapes. Overwriting or erasing the
tapes may cause magnetic errors (considering they are obsolete), thus compromising data integrity. Initializing the tape labels
could mean potential reuse in some cases.
Source: Information Systems Audit and Control Association Certified Information Systems Auditor 2002 review manual,
Chapter 4: Protection of Information Assets.
165. Which of the following questions is less likely to help in assessing controls over production?
A. Are there processes for ensuring that only authorized users pick up, receive, or deliver input and output information and
media?
B. Are audit trails used for receipt of sensitive inputs/outputs?
C. Is media sanitized for reuse?
D. Are confidentiality or security agreements required for employees assigned to work with sensitive information?
D. Production and input/output controls are the operational controls related to the support of IT operations. Topics range
from a user help-desk to procedures for storing, handling and destroying media. A confidentiality or security agreement is
less related to production controls and more to personnel security controls.
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (Pages A-25 to A-26).
166. Which of the following logical access exposures involves changing data before, or as it is entered into the computer?
A. Data diddling
B. Salami techniques
C. Trojan horses
D. Viruses
A. Data diddling involves changing data before, or as it is entered into the computer. The salami technique is a program
modification that slices off small amounts of money from a computerized transaction. A Trojan horse involves unauthorized
execution of a set of instructions. A virus is a self-reproducing program that can alter the system's operations in many ways.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 10: Law,
Investigation, and Ethics (page 645).
167. The concept of the Trusted Computing Base (from the Orange Book) includes which of the following?
A. trusted hardware only
B. trusted software only
C. trusted hardware and software
D. trusted computer operators and system managers
C. The totality of protection mechanisms within a computer system including hardware, firmware, and software. The
combination is responsible for enforcing a security policy.
Source: VALLABHANENI, S. Rao, CISSP Examination Textbooks, Volume 1: Theory, SRV Professional Publications, 2002, page
470.
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 5: Security Models and
Architecture (pages 229-230, 251-255).
And: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD.
December 1985.
168. Which of the following is not an Orange Book-defined life cycle assurance requirement?
A. Security testing
B. Design specification and testing
C. Trusted distribution
D. System integrity
D. The life cycle assurance requirements specified in the Orange Book are: security testing, design specification and testing,
configuration management and trusted distribution. System integrity is also defined in the Orange Book but is an
operational assurance requirement, not a life cycle assurance requirement.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 219).
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD.
December 1985
169. Operations security requires the implementation of physical security to control which of the following?
A. unauthorized personnel access
B. incoming hardware
C. contingency conditions
D. evacuation procedures
A. unauthorized personnel access
170. Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to
remediate the incident's effects includes:
A. Intrusion Evaluation (IE) and Response
B. Intrusion Recognition (IR) and Response
C. Intrusion Protection (IP) and Response
D. Intrusion Detection (ID) and Response
D. This includes notifying the appropriate parties to take action in order to determine the extent of the severity of an
incident and to remediate the incident's effects.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 62.
171. Which of the following focuses on the basic features and architecture of a system?

A. operational assurance
B. life cycle assurance
C. covert channel assurance
D. level A1
A. Operational assurance addresses whether the system's technical features are being bypassed or have vulnerabilities and
whether required procedures are being followed. Organizations use two basic methods to maintain operational assurance:
A system audit is a one-time or periodic event to evaluate security. An audit can vary widely in scope: it may examine an
entire system for the purpose of reaccreditation or it may investigate a single anomalous event. Monitoring is an ongoing
activity that checks on the system, its users, or the environment.
Operational Assurance focuses on: System Architecture, System Integrity, Covert Channel Analysis (Storage/Timing),
Trusted Facility Management, Trusted Recovery.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, page
219.
172. Which of the following is true related to network sniffing?
A. Sniffers allow an attacker to monitor data passing across a network
B. Sniffers alter the source address of a computer to disguise and exploit weak authentication methods
C. Sniffers take over network connections
D. Sniffers send IP fragments to a system that overlap with each other
A. Sniffers allow an attacker to monitor data passing across a network. Sniffers exploit characteristics of several data-link
technologies, including Token Ring and especially Ethernet. IP spoofing is a network-based attack that involves altering
the source address of a computer to disguise the attacker and exploit weak authentication methods. Session hijacking tools
allow an attacker to take over network connections, kicking off the legitimate user or sharing a login. Malformed packet
attacks are a type of DoS attack that involves one or two packets that are formatted in an unexpected way. Many vendor
product implementations do not take into account all variations of user entries or packet types. If software handles such
errors poorly, the system may crash when it receives such packets. A classic example of this type of attack involves sending
IP fragments to a system that overlap with each other (the fragment offset values are incorrectly set). Some unpatched
Windows and Linux systems will crash when they encounter such packets.
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 2,
Auerbach, NY, NY 2001, Chapter 22, Hacker Tools and Techniques by Ed Skoudis
173. What is the essential difference between a self-audit and an independent audit?
A. Tools used
B. Results
C. Objectivity
D. Competence
C. To maintain operational assurance, organizations use two basic methods: system audits and monitoring. Monitoring
refers to an ongoing activity whereas audits are one-time or periodic events and can be either internal or external. The
essential difference between a self-audit and an independent audit is objectivity, thus indirectly affecting the results of the
audit. Internal and external auditors should have the same level of competence and can use the same tools.
Source: SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and Technology (NIST), NIST Special
Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September
1996 (page 25).
174. The high availability of multiple all-inclusive, easy-to-use hacking tools that do not require much technical knowledge
has brought a growth in the number of which type of attackers?
A. Black hats
B. White hats
C. Script kiddies
D. Phreakers

C. Script kiddies are low- to moderately-skilled hackers using available scripts and tools to easily launch attacks against
victims. Black hats are malicious, skilled hackers. White hats are security professionals. Phreakers are telephone system
hackers.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 12: Operations
security (Page 827).
175. Which of the following is NOT a technique used to perform a penetration test?
A. sending noise
B. scanning and probing
C. war dialing
D. sniffing
A. Sending noise is a countermeasure to traffic analysis.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
pages 233, 238.
176. Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a
magnetic tape, or a cassette?
A. Degaussing
B. Parity Bit Manipulation
C. Certification
D. Buffer overflow
A. Information is stored on a magnetic recording medium (ferric oxides, chromium dioxide, etc.) by magnetizing sections of
it with a local field, in most cases the recording process itself, the amplitude and frequency of which vary according to the
information it is carrying. This information is distributed along the recording track by the movement of the medium relative
to the recording head, be it rotary or linear. It is possible in most equipment to erase it by passing the medium across an
erase head, but this normally takes a time equal to the recording time. It is speedier and hence more practical to submit the
bulk of the medium to a field that can be made to demagnetize it in one short operation. This is achieved by subjecting it
in bulk to a series of fields of alternating polarity and gradually decreasing strength. A device that does this is a
"degausser" (otherwise known as a bulk eraser). Regardless of name, its function is to reduce to near zero the magnetic
flux stored in the magnetized medium. Flux density is measured in gauss or tesla.
Remember that deleting simply removes the file entry from the TOC or VTOC; it does not remove the file content.
Reference: What is degaussing
177. Which of the following functions is less likely to be performed by a typical security administrator?
A. Setting user clearances and initial passwords
B. Adding and removing system users
C. Setting or changing file sensitivity labels
D. Reviewing audit data
B. Of the above functions, adding and removing system users is less likely to be performed by a typical security
administrator and more by a system administrator or enhanced operator.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 221).
178. Hardware availability reports allow the identification of the following problems except for:
A. Inadequate training for operators
B. Excessive operating systems maintenance
C. User dissatisfaction
D. Inadequate hardware facilities
C. Hardware availability reports are hardware monitoring procedures that indicate the time periods during which the
computer is in operation and available for utilization by users. Downtime periods may indicate inadequate hardware
facilities, excessive operating system maintenance, lack of preventative maintenance, inadequate physical plants or
inadequate training for operators. User dissatisfaction is rather a consequence of system unavailability.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 3: Technical Infrastructure and Operational Practices (page 99).
179. What is the main objective of proper separation of duties?
A. To prevent employees from disclosing sensitive information
B. To ensure access controls are in place
C. To ensure that no single individual can compromise a system
D. To ensure that audit trails are not tampered with
C. The primary objective of proper separation of duties is to ensure that one person acting alone cannot compromise the
company's security in any way. A proper separation of duties does not prevent employees from disclosing information, nor
does it ensure that access controls are in place or that audit trails are not tampered with.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 12: Operations
Security (Page 808).
180. Which TCSEC (Orange Book) level requires the system to clearly identify the functions of the security administrator for performing
security-related functions?
A. C2
B. B1
C. B2
D. B3
D. TCSEC level B2 specifies that the system must support separate operator and administrator roles, but only level B3 (and
A1) requires the system to clearly identify the functions of the security administrator for performing security-related functions.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Also: U.S. Department of Defense, Trusted
Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD. December 1985 (also available here).
181. The recording of events with a closed-circuit TV camera is considered a:
A. Preventative control
B. Detective control
C. Compensating control
D. Corrective control
B. Visual surveillance or recording devices such as closed circuit television are used in conjunction with guards in order to
enhance their surveillance ability and to record events for future analysis or prosecution. When events are monitored, it is
considered preventative whereas recording of events is considered detective in nature.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical security (page 340).
182. Which of the following protection devices is used for spot protection within a few inches of the object, rather than for
overall room security monitoring?
A. Wave pattern motion detectors
B. Capacitance detectors
C. Field-powered devices
D. Audio detectors
B. Capacitance detectors monitor an electrical field surrounding the object being monitored. They are used for spot
protection within a few inches of the object, rather than for the overall room security monitoring provided by wave pattern detectors.
Penetration of this field changes the electrical capacitance of the field enough to generate an alarm. Wave pattern motion
detectors generate a frequency wave pattern and send an alarm if the pattern is disturbed as it is reflected back to its
receiver. Field-powered devices are a type of personnel access control device. Audio detectors simply monitor a room for
any abnormal sound wave generation and trigger an alarm.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 10: Physical security (page 344).
183. Which of the following controls related to physical security is not an administrative control?
A. Personnel controls
B. Alarms
C. Training
D. Emergency response and procedures
B. Physical security involves administrative, technical and physical controls. All of the above are considered administrative
controls except for alarms, which are considered technical controls.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical security
(page 283).
184. Which of the following related to physical security is not considered a technical control?
A. Access controls
B. Intrusion detection
C. Fire detection and suppression
D. Locks
D. Physical security involves administrative, technical and physical controls. All of the above are considered technical
controls except for locks, which are physical controls.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical security
(page 283).
185. How should a doorway with automatic locks to a staffed information processing facility be configured?
A. It should be configured to be fail-secure
B. It should be configured to be fail-safe
C. It should have a door delay cipher lock
D. It should not allow piggybacking
B. Access controls are meant to protect facilities and computers as well as people. In some situations, the objectives of
physical access controls and the protection of people's lives may come into conflict. In these situations, a person's life
always takes precedence. Many physical security controls make entry into and out of a facility hard, if not impossible.
However, special consideration needs to be taken when this could affect lives. In an information processing facility,
different types of locks can be used and piggybacking should be prevented, but the issue here with automatic locks is that
they can be configured either as fail-safe or as fail-secure. Since there should only be one access door to an information
processing facility, the automatic lock on the only door to a staffed room must be configured to allow people out in
case of emergency, hence to be fail-safe (sometimes called fail-open), meaning that upon fire alarm activation or electric
power failure the locking device unlocks. This is because the solenoid that keeps the lock in a locked state loses power
and thus opens or unlocks the electronic lock. Fail-secure works the other way round: the lock device is in a locked
or secure state with no power applied, and upon authorized entry a solenoid unlocks the lock temporarily. Thus in a fail-secure
lock, loss of power or fire alarm activation causes the lock to remain in a secure mode.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 6: Physical Security
(pages 318, 330).
186. Which of the following suppresses combustion through a chemical reaction that kills the fire?
A. Halon
B. CO2
C. water
D. soda acid
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 335. It must be noted that Halon is now banned in most countries.
187. To be in compliance with the Montreal Protocol, which of the following options can be taken to refill a Halon flooding
system in the event that Halon is fully discharged in the computer room?
A. Order an immediate refill with Halon 1201 from the manufacturer
B. Contact a Halon recycling bank to make arrangements for a refill
C. Order a different chlorofluorocarbon compound from the manufacturer
D. Order an immediate refill with Halon 1301 from the manufacturer
B. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
188. Which of the following is a class A fire?
A. common combustibles
B. liquid
C. electrical
D. Halon
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 335.

189. Physical security is accomplished through proper facility construction, fire and water protection, anti-theft mechanisms,
intrusion detection systems, and security procedures that are adhered to and enforced. Which of the following is not a
component that achieves this type of security?
A. Administrative control mechanisms
B. Integrity control mechanisms
C. Technical control mechanisms
D. Physical control mechanisms
B. Integrity control mechanisms
190. Which of the following is electromagnetic interference (EMI) that is noise from the radiation generated by the difference
between the hot and neutral wires?
A. traverse-mode noise
B. common-mode noise
C. crossover-mode noise
D. transversal-mode noise
A. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
page 332.
191. Risk mitigation and risk reduction controls can be of which of the following types?
A. preventive, corrective and administrative
B. detective, corrective
C. preventive, detective, or corrective
D. Administrative, operational or logical
C. Controls can be preventive, detective, or corrective.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 32.
192. What would best define risk management?
A. The process of eliminating the risk
B. The process of assessing the risks
C. The process of reducing risk to an acceptable level
D. The process of transferring risk
C. Risk management is the process of reducing risk to an acceptable level and maintaining that level. Zero-risk does not
exist so it can never be completely eliminated. Transferring risk is one of the ways of handling a risk after a risk analysis has
been performed.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 72).
193. What is the term for a weakness or lack of a safeguard that may be exploited by a threat, causing harm to information
systems or networks?
A. Vulnerability
B. Risk
C. Threat
D. Weakness
A. Vulnerability is a weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information
systems or networks.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Pages 16, 32.
194. Who should decide how a company should approach security and what security measures should be implemented?
A. Senior management
B. Data owner
C. Auditor
D. The information security specialist
A. Information security specialists may have the technical knowledge of how security mechanisms should be implemented
and configured, but they should not be put in position of deciding what measures should be applied. This task is that of
senior management, who is responsible for security of the organization and the protection of its assets.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 106).
195. Preservation of confidentiality in information systems requires that the information is not disclosed to:
A. Authorized person
B. Unauthorized persons or processes
C. Unauthorized persons
D. Authorized persons and processes
B. Confidentiality assures that the information is not disclosed to unauthorized persons or processes.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 31.
196. Which of the following would best classify as a management control?
A. Review of security controls
B. Personnel security
C. Physical and environmental protection
D. Documentation
A. Management controls focus on the management of the IT security system and the management of risk for a system.
They are techniques and concerns that are normally addressed by management. Routine evaluations and response to
identified vulnerabilities are important elements of managing the risk of a system, thus considered management controls.
Personnel security, physical and environmental protection and documentation are forms of operational controls.

Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (Page A-7).
197. According to governmental data classification levels, how would answers to tests and health care information be
classified?
A. Unclassified
B. Sensitive but unclassified
C. Confidential
D. Private
B. Answers to tests and health care information are examples of information that could be designated as a minor secret,
but may not cause serious damage if disclosed. They could be considered Sensitive but Unclassified (SBU).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 6).
198. What can be defined as an event that could cause harm to the information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness
B. A threat is an event or activity that has the potential to cause harm to the information systems. A risk is the probability
that a threat will materialize. A vulnerability, or weakness, is a lack of a safeguard, which may be exploited by a threat,
causing harm to the information systems.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Access Control Systems (page 32).
199. Which of the following tasks may be performed by the same person in a well-controlled information processing
facility/computer center?
A. System development and change management
B. System development and systems maintenance
C. Security administration and change management
D. Computer operations and system development
B. It is common for system development and maintenance to be undertaken by the same person. In both cases the
programmer requires access to the source code in the development environment, but should not be allowed access in the
production environment. The other choices are not correct. The roles of security administration and change management are
incompatible functions: the level of security administration access rights could allow changes to go undetected. Computer
operations and system development are incompatible since it would be possible for an operator to run a program that
he/she had amended. The system development and change management tasks are incompatible because the combination
of system development and change control would allow program modifications to bypass change control approvals.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 77).
200. The absence or weakness in a system that may possibly be exploited is called a(n)?
A. Threat
B. Exposure
C. Vulnerability
D. Risk
C. A vulnerability is a weakness in a system that can be exploited by a threat.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 237.

201. What is a difference between Quantitative and Qualitative Risk Analysis?
A. qualitative uses strong mathematical formulas and quantitative does not
B. fully qualitative analysis is not possible, while quantitative is
C. quantitative provides formal cost/benefit analysis and qualitative does not
D. there is no difference between qualitative and quantitative analysis
C. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
John Wiley & Sons, 2001, Security management practices, pages 18-24.
202. Which of the following would best relate to resources being used only for intended purposes?
A. Confidentiality
B. Availability
C. Integrity
D. Reliability
B. Availability specifies that the information technology resource must be available on a timely basis to meet mission
requirements or to avoid substantial losses. Availability also includes ensuring that resources are used only for intended
purposes.
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001 (page 5).
203. Which of the following is most likely given the responsibility of the maintenance and protection of the data?
A. Data owner
B. Data custodian
C. User
D. Security administrator
B. The data custodian is given the responsibility of the maintenance and protection of the data. This role is usually filled by
the IT department, usually by the network administrator. The data owner is ultimately responsible for the protection and
use of the data but will delegate the responsibility of day-to-day maintenance to the data custodian.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 105).
204. What is the reverse of the C.I.A. triad in risk management?
A. misuse, exposure, destruction
B. authorization, non-repudiation, integrity
C. disclosure, alteration, destruction
D. confidentiality, integrity, availability
C. The proper answer is: Disclosure, Alteration, and Destruction.
205. Which one of the following represents an ALE calculation?
A. single loss expectancy x annualized rate of occurrence
B. gross loss expectancy x loss frequency
C. actual replacement cost - proceeds of salvage
D. asset value x loss expectancy
A. The Quantitative Risk Model consists of three main factors: probability of loss, cost of loss, and annual loss expectancy
(ALE). The probability of loss is really a sum of the probabilities of different catastrophic events that range from partial
outages to severe interruptions. The cost of loss depends upon the level of interruption. For example, a partial building loss
affecting computer systems but leaving phone systems in operating condition has a much lower cost than a complete
building destruction. Therefore, the cost of loss is dependent upon the type of disaster.

206. In an organization, an Information Technology security function should:
A. Be a function within the information systems function of an organization.
B. Report directly to a specialized business unit such as legal, corporate security or insurance.
C. Be led by a Chief Security Officer and report directly to the CEO.
D. Be independent but report to the Information Systems function.
C. In order to offer more independence and get more attention from management, an IT security function should be
independent from IT and report directly to the CEO. Having it report to a specialized business unit (e.g. legal) is not
recommended as it promotes a low technology view of the function and leads people to believe that it is someone else's
problem.
Source: HARE, Chris, Security Management Practices, CISSP Open Study Guide, version 1.0, April 1999.
207. The major objective of system configuration management is which of the following?
A. system maintenance
B. system stability
C. system operations
D. system tracking
B. system stability
208. Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is
which of the following?
A. Confidentiality
B. Integrity
C. Availability
D. Capability
A. Confidentiality is the prevention of the intentional or unintentional unauthorized disclosure of contents.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 60.
209. Which of the following should NOT be addressed by employee termination practices?
A. Removal of the employee from active payroll files.
B. Return of access badges.
C. Employee bonding to protect against losses due to theft.
D. Deletion of assigned logon-ID and passwords to prohibit system access.
C. Employee bonding to protect against losses due to theft is an important hiring, not termination practice. It ensures that
the most effective and efficient staff is chosen and that the company is in compliance with legal recruitment requirements.
Other choices are all adequate termination practices.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 65).
210. Which of the following best defines add-on security?
A. Physical security complementing logical security measures.
B. Protection mechanisms implemented as an integral part of an information system.
C. Layer security.
D. Protection mechanisms implemented after an information system has become operational
D. The Internet Security Glossary (RFC2828) defines add-on security as "The retrofitting of protection mechanisms,
implemented by hardware or software, after the [automatic data processing] system has become operational."
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

211. Making sure that only those who are supposed to access the data can access it is:
A. Confidentiality
B. Capability
C. Integrity
D. Availability
A. Confidentiality is defined as making sure that only those who are supposed to access the data can access it.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 59.
212. How should a risk be handled when the cost of the countermeasure outweighs the cost of the risk?
A. Reject the risk
B. Perform another risk analysis
C. Accept the risk
D. Reduce the risk
C. Rejecting the risk means denial of the risk. In this case, a risk analysis has shown that the cost of the countermeasure
outweighs the cost of the risk, so the risk can be accepted. If the company decides that the risk is too high to gamble with,
the risk could also be transferred by purchasing insurance.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 91).
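Questions 205 and 212 together describe the quantitative arithmetic behind a risk decision: ALE is single loss expectancy multiplied by the annualized rate of occurrence, and a risk is accepted (or transferred) when the countermeasure costs more than the annual loss it prevents. The following is an added worked example, not code from the booklet or its cited sources; the asset values, exposure factors, rates and safeguard costs are constructed sample figures, and the `exposure_factor` input (the fraction of the asset lost per incident, used to derive SLE) is an assumption of this example rather than a term the booklet uses.

```python
"""Quantitative risk figures: SLE, ALE and safeguard cost/benefit.

Added worked example; not from the CISSP booklet. Formulas as the booklet
states them: ALE = SLE x ARO, and a risk is accepted when the countermeasure
costs more than the risk it removes. All numbers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # value of the asset, in currency units
    exposure_factor: float  # fraction of the asset lost per incident (0.0 .. 1.0); assumed input
    aro: float              # annualized rate of occurrence (incidents per year)


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (loss from one occurrence)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the formula in question 205 (option A)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    return annualized_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Net annual value of a safeguard: risk reduction minus its yearly cost.

    A negative result means the countermeasure costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_safeguard_cost


def recommend(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> str:
    """Map the cost/benefit result onto the handling options of question 212:
    implement the safeguard ("reduce") when it pays for itself, otherwise "accept"
    (or transfer the risk, e.g. through insurance, if it is too high to carry)."""
    return "reduce" if safeguard_value(ale_before, ale_after, annual_safeguard_cost) > 0 else "accept"


if __name__ == "__main__":
    # Constructed scenario: a file server worth 200,000; a ransomware incident
    # destroys a quarter of that value and is expected once every ten years.
    before = Scenario("file server, no offline backups", 200_000, 0.25, 0.10)
    ale_before = scenario_ale(before)            # 50,000 x 0.1 = 5,000 per year
    # The proposed safeguard (offline backups) cuts the expected rate to once in 50 years.
    after = Scenario("file server, offline backups", 200_000, 0.25, 0.02)
    ale_after = scenario_ale(after)              # 50,000 x 0.02 = 1,000 per year
    for cost in (3_000, 6_000):
        print(f"safeguard cost {cost}/yr: net value {safeguard_value(ale_before, ale_after, cost):.0f}, "
              f"decision: {recommend(ale_before, ale_after, cost)}")
```

Run as a script, the 3,000-per-year safeguard is recommended (it removes 4,000 of annual expected loss) while the 6,000-per-year one is not, which is exactly the situation question 212 describes.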
213. Which of the following would be the first step in establishing an information security program?
A. Adoption of a corporate information security policy statement.
B. Development and implementation of an information security standards manual
C. Development of a security awareness-training program for employees.
D. Purchase of security access control software.
A. A policy statement reflects the intent and support provided by executive management for proper security, and
establishes a starting point for developing the security program.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS.
214. Which of the following could be defined as the likelihood of a threat agent taking advantage of a vulnerability?
A. A risk
B. A residual risk
C. An exposure
D. A countermeasure
A. A risk is the probability that a threat will exploit a vulnerability. An exposure is an instance of being exposed to losses
from a threat agent. By applying countermeasures, an organization can reduce the overall risk to an acceptable level. The
remaining risk, after proper countermeasures have been applied, is known as residual risk.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 66).

215. Which of the following is the MOST important aspect relating to employee termination?
A. The details of employee have been removed from active payroll files.
B. Company property provided to the employee has been returned.
C. User ID and passwords of the employee have been deleted.
D. The related company staff are notified about the termination.
C. Logical access to information by a terminated employee is possible if user id and password of the terminated employee
has not been deleted. If user ID is not disabled or deleted, it is possible that the employee without physically visiting the
company can access the information.
Please note that this can also be seen in a different way: the most important thing to do could also be to inform others of
the person's termination, because even if user IDs and passwords are deleted, a terminated individual could simply socially
engineer their way back in by calling an individual he/she used to work with and asking them for access. If they do not know
he/she was terminated, then they will more than likely let them back in.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 65).
216. Which of the following is less likely to assist in ensuring availability?
A. Backups and redundant disk systems
B. Regular system and security audits
C. Reliable and interoperable security processes and network security mechanisms
D. Acceptable log-ins and operating process performances
B. The implementation of regular system audits is the foundation of operational security controls monitoring. It assists the
monitoring function by helping to recognize patterns of abnormal behavior. Some of the elements that are used to ensure
availability are:
- Fault tolerance for data availability, such as backups and redundant disk systems
- Acceptable log-ins and operating process performances
- Reliable and interoperable security processes and network security mechanisms
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Pages 61, 234
217. Which of the following provides a minimum level of security acceptable for an environment?
A. A baseline
B. A standard
C. A procedure
D. A guideline
A. Baselines provide the minimum level of security necessary throughout the organization. Standards specify how hardware
and software products should be used throughout the organization. Procedures are detailed step-by-step instructions on
how to achieve certain tasks. Guidelines are recommended actions and operational guides for personnel when a specific
standard does not apply. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002,
chapter 3: Security Management Practices (page 94).
218. In a properly segregated environment, which of the following tasks is compatible with the task of security administrator?
A. Applications programming
B. Quality assurance
C. Systems programming
D. Data entry
B. Quality assurance can also be an additional responsibility of the security administrator. The security administrator, being
responsible for application programming, systems programming or data entry, does not provide for proper segregation of
duties since he/she would be in a position to openly introduce fraudulent or malicious code or data causing damage to the
organization.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 77).
219. Which of the following is not a goal of integrity?
A. Prevention of the modification of information by unauthorized users.
B. Prevention of the unauthorized or unintentional modification of information by authorized users.
C. Preservation of the internal and external consistency.
D. Prevention of the modification of information by authorized users.

D. Integrity is addressed through the following three goals:
1. Prevention of the modification of information by unauthorized users.
2. Prevention of the unauthorized or unintentional modification of information by authorized users.
3. Preservation of the internal and external consistency.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 31.
220. Which of the following would be the first criterion to consider to determine the classification of an information object?
A. Value
B. Age
C. Useful life
D. Personal association
A. Value is the first commonly used criterion for classifying data in the private sector. If the information is valuable to an
organization or its competitors, it needs to be classified. Personal association might be a reason why information should be
classified. Age and useful life are used to determine if information should be declassified, for example after a
predetermined period has passed or after a replacement product is out.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 1: Security Management Practices (page 8).
221. Which of the following is not a critical security aspect of Operations Controls?
A. Controls over hardware
B. Data media used
C. Operators using resources
D. Environmental controls
D. Environmental controls are a part of Physical Security (Domain 10).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 215
222. Unrestricted access to production programs should be given to which of the following?
A. maintenance programmers only
B. system owner, on request
C. no one
D. auditors
C. no one
223. The number of violations that will be accepted or forgiven before a violation record is produced is called which of the
following?
A. clipping level
B. acceptance level
C. forgiveness level
D. maximum level
A. The clipping level establishes a baseline for violation activities that may be normal user errors. Only after this baseline is
exceeded is a violation record produced.
Source: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security Management, Computer Operations
Security, Chapter 9-1-1.
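The clipping level in question 223 is a detection threshold: failures below the baseline are treated as ordinary user error and generate no record, and a violation record is produced only once the baseline is exceeded. The following is an added example of that logic run over constructed login log lines; it is not code from the booklet or the Handbook it cites. The log format, the per-user sliding window, the rule that a successful login resets the count, and the sample lines are all assumptions of this example.

```python
"""Clipping-level violation records over constructed login log lines.

Added example, not from the CISSP booklet. The log format below is invented
for this illustration: "<ISO timestamp> <FAIL|OK> user=<name> src=<address>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log: alice mistypes twice then logs in; bob fails five
# times within a minute; carol fails four times but 15 minutes apart.
SAMPLE_LOG = [
    "2024-03-01T08:00:05 FAIL user=alice src=10.0.0.7",
    "2024-03-01T08:00:21 FAIL user=alice src=10.0.0.7",
    "2024-03-01T08:00:40 OK user=alice src=10.0.0.7",
    "2024-03-01T08:01:00 FAIL user=bob src=10.0.0.9",
    "2024-03-01T08:01:10 FAIL user=bob src=10.0.0.9",
    "2024-03-01T08:01:20 FAIL user=bob src=10.0.0.9",
    "2024-03-01T08:01:30 FAIL user=bob src=10.0.0.9",
    "2024-03-01T08:01:40 FAIL user=bob src=10.0.0.9",
    "2024-03-01T08:05:00 FAIL user=carol src=10.0.0.3",
    "2024-03-01T08:20:00 FAIL user=carol src=10.0.0.3",
    "2024-03-01T08:35:00 FAIL user=carol src=10.0.0.3",
    "2024-03-01T08:50:00 FAIL user=carol src=10.0.0.3",
]


def parse(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def apply_clipping_level(lines, clipping_level=3, window=timedelta(minutes=10)):
    """Produce one violation record per user once failures within `window`
    exceed `clipping_level`. Failures at or below the level are forgiven."""
    failures = defaultdict(list)  # user -> timestamps of recent failures
    reported = set()              # users that already have an open record
    records = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "OK":
            # A successful login closes the episode; start counting afresh.
            failures[user].clear()
            reported.discard(user)
            continue
        recent = failures[user]
        recent.append(ts)
        # Drop failures that fell out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.pop(0)
        if len(recent) > clipping_level and user not in reported:
            records.append({"user": user, "src": src, "failures": len(recent),
                            "first": recent[0], "last": ts})
            reported.add(user)
    return records


if __name__ == "__main__":
    for rec in apply_clipping_level(SAMPLE_LOG):
        print(f"violation: user={rec['user']} src={rec['src']} "
              f"failures={rec['failures']} between {rec['first']} and {rec['last']}")
```

With the default level of 3 only bob produces a record (his fourth failure exceeds the baseline); alice's two typos and carol's widely spaced failures stay below it. Lowering the level to 1 also records alice, which shows how the clipping level trades false alarms against missed events.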
224. The continual effort of making sure that the correct policies, procedures and standards are in place and being followed is
described as what?
A. Due care
B. Due concern
C. Due diligence
D. Due practice
C. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 808.
225. What security procedure forces an operator into collusion with an operator of a different category to have access to
unauthorized data?
A. Enforcing regular password changes
B. Management monitoring of audit logs
C. Limiting the specific accesses of operations personnel
D. Job rotation of people through different assignments
C. By limiting the specific accesses of operations personnel, an organization is enforcing separation of duties, and collusion
would be needed to have access to unauthorized data.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security
Management Practices (page 107).
226. Which of the following should not be accessible by a computer operator?
A. Operations documentation
B. Computer console
C. Source code of applications
D. Information security guidelines
C. A computer operator should not be allowed access to source code of applications because it might allow finding ways to
circumvent controls implemented in applications they are operating.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 73).
227. Which of the following statements pertaining to ethical hacking is incorrect?
A. An organization should use ethical hackers who do not sell auditing, consulting, hardware, software, firewall, hosting,
and/or networking services
B. Testing should be done remotely
C. Ethical hacking should not involve writing to or modifying the target systems
D. Ethical hackers should never use tools that have the potential of exploiting vulnerabilities in the organization's IT system
D. Even though ethical hacking should not involve writing to or modifying the target systems or reducing their response time,
comprehensive penetration testing has to be performed using the most complete tools available. Numerous tools can be
used for ethical hacking, many of them having the potential of exploiting vulnerabilities and causing disruption to the IT system.
It is up to the individuals performing the tests to be familiar with their use and to make sure that no such disruption can
happen. An ethical hacking firm's independence can be questioned if it sells security solutions. By performing tests
remotely, the ethical hacking firm emulates the hacker's approach more realistically.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Appendix F: The Case for Ethical Hacking (page 520).
228. Which of the following is NOT a media viability control used to protect the viability of data storage media?
A. clearing
B. marking
C. handling
D. storage
A. Clearing refers to the overwriting of data media intended to be reused in the same organization.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,

pages 231, 348.
229. Which of the following files should the security administrator be restricted to READ only access?
A. Security parameters
B. User passwords
C. User profiles
D. System log
D. Security administrators must be able to read data on system logs to establish accountability for use of the system and to
identify any potential unauthorized access. No one should ever be allowed to write a log file as it may compromise the
evidential use of the data.
Source: Information Systems Audit and Control Association Certified Information Systems Auditor 2002 review manual,
Chapter 3: Technical Infrastructure and Operational Practices.
230. According to the Orange Book, which security level is the first to require a system to support separate operator and
system administrator roles?
A. A1
B. B1
C. B2
D. B3
C. B2 security level requires that systems must support separate operator and system administrator roles. At B3 and A1,
systems must clearly identify the functions of the security administrator to perform the security-related functions.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 220).
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD.
December 1985
231. Which of the following are functions that are compatible in a properly segregated environment?
A. Data entry and job scheduling
B. Database administration and systems security
C. Systems analyst and application programming
D. Security administration and systems programming
C. The objective of separation of duties is to ensure that no one person has complete control over a transaction throughout
its initiation, authorization, recording, processing and reporting. Data entry and job scheduling are incompatible because a
data entry person could submit unauthorized jobs. Database administration and security administration are incompatible
because of possible manipulation of access privileges and rules for personal gain. Security administration is not compatible
with systems programming since the administrator would be in a position to openly introduce fraudulent or malicious code,
causing damage to the organization.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 73).
232. Who is responsible for setting user clearances to computer-based information?
A. Security administrators
B. Operators
C. Data owners
D. Data custodians
A. Security administrator functions include user-oriented activities such as setting user clearances, setting initial password,
setting other security characteristics for new users or changing security profiles for existing users. Data owners have the
ultimate responsibility for protecting data, thus determining proper user access rights to data.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation

233. What is the main issue with media reuse?
A. Degaussing
B. Data remanence
C. Media destruction
D. Purging
B. The main issue with media reuse is data remanence, where residual information still resides on a media that has been
erased. Degaussing, purging and destruction are ways to handle media that contains data that is no longer needed or used.
Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002 (page 5).
234. Which of the following are functions that are compatible in a properly segregated environment?
A. Application programming and computer operation
B. Systems programming and job control analysis
C. Access authorization and database administration
D. System development and systems maintenance
D. The goal of separation of duties is to ensure that no single individual can compromise an application system's features
and its control functions. It is common for system development and maintenance to be undertaken by the same person. In
both cases the programmer requires access to the source code in the development environment, but should not be
allowed access in the production environment. A computer operator should not have the possibility of modifying
applications because they already have access to all resources of the systems and that would allow them to introduce
fraudulent changes. Systems programming is incompatible with job control analysis since a systems programmer could
change the job control parameters to run their own personal jobs. Access authorization is a responsibility of data owners,
not database administrators.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 2: Management, Planning and Organization of IS (page 73).
235. What setup should an administrator use for regularly testing the strength of user passwords?
A. A networked workstation so that the live password database can easily be accessed by the cracking program
B. A networked workstation so the password database can easily be copied locally and processed by the cracking program
C. A standalone workstation on which the password database is copied and processed by the cracking program
D. A password-cracking program is unethical; therefore it should not be used
C. Poor password selection is frequently a major problem for any system's security. Administrators should obtain
and use password-guessing programs frequently to identify those users having easily guessed passwords. Because
password-cracking programs are very CPU intensive and can slow the system on which they are running, it is a good idea to
transfer the encrypted passwords to a standalone (not networked) workstation. Also, by doing the work on a non-networked
machine, any results found will not be accessible by anyone unless they have physical access to that system.
Source: National Security Agency, Systems and Network Attack Center (SNAC), The 60 Minute Network Security Guide,
February 2002, page 8
236. What should a company do first when disposing of personal computers that once were used to store confidential data?
A. Overwrite all data on the hard disk with zeroes
B. Delete all data contained on the hard disk
C. Demagnetize the hard disk
D. Low level format the hard disk
C. Demagnetizing the hard disk is the best way to ensure that confidential data once stored on the hard disk cannot be
recovered. Overwriting data on the disk with zeroes or any random data could lead to some residual being left on the disk if
not done properly. Deleting data merely removes its reference in the file allocation table and the data can be recovered.
Low level formatting does not destroy data, only the file allocation table. Data can be reconstructed with the appropriate
software.
Source: Information Systems Audit and Control Association Certified Information Systems Auditor 2002 review manual,
Chapter 4: Protection of Information Assets (page 195).

237. This type of control is used to ensure that transactions are properly entered into the system once. Elements of this type
of control may include counting data and time stamping it with the date it was entered or edited?
A. Processing Controls
B. Output Controls
C. Input Controls
D. Input/Output Controls
C. Input Controls are used to ensure that transactions are properly entered into the system once.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 218
238. Which of the following is not an Orange Book-defined operational assurance requirement?
A. System architecture
B. Trusted facility management
C. Configuration management
D. Covert channel analysis
C. The operational assurance requirements specified in the Orange Book are: system architecture, system integrity, covert
channel analysis, trusted facility management and trusted recovery. Configuration management is also defined in the
Orange Book but is a life cycle assurance requirement, not an operational assurance requirement.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 219).
Also: U.S. Department of Defense, Trusted Computer System Evaluation Criteria (Orange Book), DOD 5200.28-STD.
December 1985
239. What is the most secure way to dispose of information on a CD-ROM?
A. Sanitizing
B. Physical damage
C. Degaussing
D. Physical destruction
D. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
240. Configuration Management controls what?
A. Auditing of changes to the Trusted Computing Base
B. Control of changes to the Trusted Computing Base
C. Changes in the configuration access to the Trusted Computing Base
D. Auditing and controlling any changes to the Trusted Computing Base
D. "Configuration management involves identifying, controlling, accounting for, and auditing all changes made to the
baseline TCB, including hardware, firmware, and software...as well as all documentation, test plans, and other security-related
system tools and facilities." (Computer Security Basics, pg. 145) Source code control systems such as CVS and
RCS can partially fulfill this requirement.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, 1991, pg. 145
241. Which of the following Operation Security controls is intended to prevent unauthorized intruders from internally or
externally accessing the system, and to lower the amount and impact of unintentional errors that are entering the
system?
A. Detective Controls
B. Preventative Controls
C. Corrective Controls
D. Directive Controls
B. In the Operations Security domain, Preventative Controls are designed to prevent unauthorized intruders from internally
or externally accessing the system, and to lower the amount and impact of unintentional errors that are entering the
system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 217.
242. Which of the following is the most commonly used technique to gather security-related information like passwords?
A. Network sniffers
B. Shoulder surfing
C. Social engineering
D. Dumpster diving
C. Social engineering is the most commonly used technique of all: getting information (like passwords) just by asking for
them.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John
Wiley & Sons, 2001, Chapter 6: Operations Security (page 234).
243. Overwriting and/or degaussing is used to clear and purge all of the following except which of the following?
A. random access memory
B. read-only memory
C. magnetic core memory
D. magnetic hard disks
B. Read-only memory accepts no writes, so it cannot be overwritten, and it holds no magnetic recording for a degausser to
disturb; the other three can be cleared or purged by one of the two techniques. Degaussing is achieved by passing the
magnetic media through a powerful magnetic field to rearrange the metallic particles, completely removing any resemblance
of the previously recorded signal. Although this process is simple in theory, in practice the vast variation of media formats
and magnetic densities makes the correct degaussing process quite difficult to achieve. The degausser is constructed in such
a way as to make the generated magnetic field available to the media as it is transported through it, either by physically
holding the media by hand and moving it through the field or by conveying it automatically on a belt transporter.
Different media demand varying magnetic field strengths, so the coils that generate the magnetic field also vary with this
requirement. Generally speaking, a coil in a degausser should have three to four times the energy rating of the material
being degaussed; this rating is measured in oersteds, after Hans Christian Oersted (1777-1851), who discovered the
magnetic qualities of electricity. Further degaussing efficiency can be achieved by using more than one coil in multi-axial
orientation, which produces a more effective degaussing field. Even better performance can be achieved by rotating the
coils during the degaussing process. Reference: All About Degaussers and Erasure of Magnetic Media
244. If an operating system permits executable objects to be used simultaneously by multiple users without a refresh of the
objects, what security problem is most likely to exist?
A. disclosure of residual data
B. unauthorized obtaining of a privileged execution state
C. data leakage through covert channels
D. denial of service through a deadly embrace
A. Disclosure of residual data. If an executable object and the storage it uses are handed to a second user without being
reinitialized, whatever the first user left in them remains readable; this is the object reuse problem, and its most likely
consequence is disclosure of residual data rather than privilege escalation, a covert channel or a deadlock.
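Worked example, added here and not part of the booklet: a toy buffer pool in Python that shows the residual-data problem of question 244 (an object reissued to a second user without a refresh) and the overwrite-based clearing of question 243 as the fix. The pool, the 32-byte buffer size and the sample secret are constructed for the demonstration. The overwrite helper writes to memory it owns, which is also the limit noted in question 243: read-only memory accepts no such writes, so overwriting cannot clear it.

```python
"""Added example (not from the exam booklet): object reuse without a
refresh leaks the previous owner's data; clearing by overwrite before
reissue prevents it. Pool, sizes and the secret are constructed."""
import os


def clear(buf: bytearray, passes: int = 2) -> None:
    """Overwrite in place: random data for passes-1 rounds, then zeros.

    This is the 'overwrite' technique of question 243; it only works on
    memory or media that accepts writes."""
    n = len(buf)
    for _ in range(passes - 1):
        buf[:] = os.urandom(n)
    buf[:] = bytes(n)


class BufferPool:
    """Hands out fixed-size buffers and recycles released ones."""

    def __init__(self, size: int, clear_on_reuse: bool):
        self.size = size
        self.clear_on_reuse = clear_on_reuse
        self._free = []  # buffers returned by previous owners

    def allocate(self) -> bytearray:
        if self._free:
            buf = self._free.pop()
            if self.clear_on_reuse:
                clear(buf)          # the refresh the question asks about
            return buf
        return bytearray(self.size)

    def release(self, buf: bytearray) -> None:
        self._free.append(buf)


def residual_bytes(buf: bytearray) -> bytes:
    """What a new owner sees before writing anything (trailing zeros stripped)."""
    return bytes(buf).rstrip(b"\x00")


def scenario(clear_on_reuse: bool) -> bytes:
    """User A stores a secret, releases the buffer; user B gets the same object."""
    pool = BufferPool(size=32, clear_on_reuse=clear_on_reuse)
    user_a = pool.allocate()
    secret = b"db_password=hunter2"          # constructed sample secret
    user_a[: len(secret)] = secret
    pool.release(user_a)
    user_b = pool.allocate()                  # same underlying object
    return residual_bytes(user_b)


def demo() -> dict:
    return {
        "no_refresh": scenario(clear_on_reuse=False),
        "with_clear": scenario(clear_on_reuse=True),
    }


if __name__ == "__main__":
    for mode, seen in demo().items():
        print(f"{mode}: user B sees {seen!r}")
```

The same pattern applies to any reusable resource an operating system recycles (process memory, disk blocks, swap, kernel buffers): the clearing step belongs in the allocator, not in the goodwill of the previous owner.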
245. Which of the following would be best suited to provide information during a review of the controls over the process of
defining IT service levels?
A. Systems programmer
B. Legal staff
C. Business unit manager
D. Programmer
C. Understanding the business requirements is key in defining the service levels. While each of the other entities listed may
provide some definition, the best choice here is the business unit manager, because of the broad knowledge that this
person has over the related requirements of the organization.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 3: Technical Infrastructure and Operational Practices (page 141).
246. What is the most effective means of determining how controls are functioning within an operating system?
A. Interview with computer operator
B. Review of software control features and/or parameters
C. Review of operating system manual
D. Interview with product vendor
B. Various operating system software products provide parameters and options for the tailoring of the system and
activation of features such as activity logging. Parameters are important in determining how a system runs because they
allow a standard piece of software to be customized to diverse environments. Reviewing the software control features
and/or parameters is the most effective means of determining how controls are functioning within an operating system
and of assessing an operating system's integrity.
The operating system manual should provide information as to what settings can be used but will not likely give any hint as
to how parameters are actually set. The product vendor and computer operator are not necessarily aware of the detailed
setting of all parameters.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual,
Chapter 3: Technical Infrastructure and Operational Practices (page 102).
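Worked example, added here and not part of the booklet or the CISA manual: a Python review of operating system control parameters against a baseline, which is what "review of software control features and/or parameters" comes down to in practice. The parameter names, values and baseline thresholds are a constructed sample in a generic key = value style and are not taken from any product; the point is that the finding comes from the configured value, not from the manual or from what an operator remembers.

```python
"""Added example (not from the exam booklet): evaluate configured OS
control parameters against a security baseline. The parameter file and
the baseline thresholds are constructed samples, not a real product's."""

SAMPLE_CONFIG = """\
# constructed sample: security-relevant OS parameters
audit_logging = off
password_min_length = 6
max_failed_logins = 0
remote_root_login = yes
session_timeout_minutes = 15
"""

# Baseline: one rule (kind, expected) per parameter the reviewer cares about.
BASELINE = {
    "audit_logging": ("equals", "on"),
    "password_min_length": ("at_least", 12),
    "max_failed_logins": ("between", (3, 10)),
    "remote_root_login": ("equals", "no"),
    "session_timeout_minutes": ("at_most", 30),
}


def parse_parameters(text: str) -> dict:
    """Parse 'key = value' lines; '#' starts a comment, blank lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def _check(rule, value: str) -> bool:
    """Apply one baseline rule to a configured value."""
    kind, expected = rule
    if kind == "equals":
        return value.lower() == expected
    try:
        number = int(value)
    except ValueError:
        return False                    # non-numeric where a number is required
    if kind == "at_least":
        return number >= expected
    if kind == "at_most":
        return number <= expected
    if kind == "between":
        low, high = expected
        return low <= number <= high
    raise ValueError(f"unknown rule kind {kind!r}")


def review(text: str, baseline: dict = BASELINE) -> dict:
    """Return a finding per baseline parameter: 'ok', 'FAIL (<value>)' or 'MISSING'."""
    params = parse_parameters(text)
    findings = {}
    for key, rule in baseline.items():
        if key not in params:
            findings[key] = "MISSING"
        elif _check(rule, params[key]):
            findings[key] = "ok"
        else:
            findings[key] = f"FAIL ({params[key]})"
    return findings


if __name__ == "__main__":
    for key, finding in review(SAMPLE_CONFIG).items():
        print(f"{key:26} {finding}")
```

A MISSING result deserves as much attention as a FAIL: a parameter that is absent takes the product's default, which the manual will describe but which the review cannot assume is the secure choice.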
247. Which of the following Yellow Book-defined types of system recovery happens after a system fails in an uncontrolled
manner in response to a TCB or media failure and the system cannot be brought to a consistent state?
A. Recovery restart
B. System reboot
C. Emergency system restart
D. System cold start
D. The Yellow Book defines three types of system recovery. A system reboot is performed after shutting down the system
in a controlled manner in response to a TCB failure. An emergency system restart is done after a system fails in an
uncontrolled manner but consistency can be brought back automatically to the system. A system cold start takes place
when unexpected TCB or media failures take place and the recovery procedures cannot bring the system to a consistent
state. Intervention of administrative personnel is required to bring the system to a consistent state from maintenance
mode.
Source: Clément Dupuis' CISSP Study Notes on Operations Security, based on ISC2 CBK document
248. Which of the following is a detective control?
A. Segregation of duties
B. Back- up procedures
C. Audit trails
D. Physical access control
C. Audit trails capture information, which can be used for detecting errors. Therefore, they are considered to be detective
controls. Back-up procedures are corrective controls whereas segregation of duties and physical access controls are
examples of preventive controls.
Source: Information Systems Audit and Control Association Certified Information Systems Auditor 2002 review manual,
Chapter 1: The IS Audit Process (page 30).
249. Which level of "least privilege" enables operators the right to modify data directly in its original location, in addition to
data copied from the original location?
A. Access Change
B. Read/Write
C. Access Rewrite
D. Access Modify
A. Least Privilege has three basic levels of privilege; read only, read/write and access change. Access Change is the highest
level, this level enables operators the right to modify data directly in its original location, in addition to data copied from
the original location.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 225.
250. Physically securing backup tapes from unauthorized access is obviously a security concern and is considered a function of
the:
A. Operations Security Domain
B. Operations Security Domain Analysis
C. Telecommunications and Network Security Domain
D. Business Continuity Planning and Disaster Recovery Planning
A. Physically securing the tapes from unauthorized access is obviously a security concern and is considered a function of the
Operations Security Domain.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security,
2001, John Wiley & Sons, Page 71