Security and Risk Management Question CISSP Course Practice Test

Last Updated on May 16, 2024

Security and Risk Management Question CISSP Course: Use this CISSP (Certified Information Systems Security Professional) sample practice test on Chapter 1, Security and Risk Management, to prepare for the ISC2 CISSP certification exam. Each question is followed by its answer key.

Security and Risk Management

This chapter presents the following:

• Security terminology and principles
• Protection control types
• Security frameworks, models, standards, and best practices
• Computer laws and crimes
• Intellectual property
• Data breaches
• Risk management
• Threat modeling
• Business continuity and disaster recovery
• Personnel security
• Security governance

Security and Risk Management

Q1. Alyssa is responsible for her organization’s security awareness program. She is concerned that changes in technology may make the content outdated. What control can she put in place to protect against this risk?

  • A. Gamification
  • B. Computer-based training
  • C. Content reviews
  • D. Live training
View Correct Answer
Answer Key: C 

Q2. Gavin is creating a report to management on his most recent risk assessment results. In his report, he would like to identify the remaining level of risk to the organization after adopting security controls. What term best describes this current level of risk?

  • A. Inherent risk
  • B. Residual risk
  • C. Control risk
  • D. Mitigated risk
View Correct Answer
Answer Key: B 

Q3. Which of the following contains the primary goals and objectives of security?

  • A. A network’s border perimeter
  • B. The CIA Triad
  • C. A stand-alone system
  • D. The internet
View Correct Answer
Answer Key: B

Q4. Vulnerabilities and risks are evaluated based on their threats against which of the following?

  • A. One or more of the CIA Triad principles
  • B. Data usefulness
  • C. Due care
  • D. Extent of liability
View Correct Answer
Answer Key: A

Q5. Which of the following is a CIA Triad principle that authorized subjects are granted timely and uninterrupted access to objects?

  • A. Identification
  • B. Availability
  • C. Encryption
  • D. Layering
View Correct Answer
Answer Key: B

Q6. Francine is a security specialist for an online service provider in the United States. She recently received a claim from a copyright holder that a user is storing information on her service that violates the third party’s copyright. What law governs the actions that Francine must take?

  • A. Copyright Act
  • B. Lanham Act
  • C. Digital Millennium Copyright Act
  • D. Gramm-Leach-Bliley Act
View Correct Answer
Answer Key: C

Q7. FlyAway Travel has offices in the European Union (EU) and the United States and regularly transfers personal information between those offices. They have recently received a request from an EU customer requesting that their account be terminated. Under the General Data Protection Regulation (GDPR), which requirement for processing personal information states that individuals may request that their data no longer be disseminated or processed?

  • A. The right to access
  • B. Privacy by design
  • C. The right to be forgotten
  • D. The right of data portability
View Correct Answer
Answer Key: C

Q8. After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?

  • A. Accept
  • B. Transfer
  • C. Reduce
  • D. Reject
View Correct Answer
Answer Key: B

Q9. Which of the following is not considered a violation of confidentiality?

  • A. Stealing passwords
  • B. Eavesdropping
  • C. Hardware destruction
  • D. Social engineering
View Correct Answer
Answer Key: C

Q10. Which of the following is not true?

  • A. Violations of confidentiality include human error.
  • B. Violations of confidentiality include management oversight.
  • C. Violations of confidentiality are limited to direct intentional attacks.
  • D. Violations of confidentiality can occur when a transmission is not properly encrypted.
View Correct Answer
Answer Key: C

Q11. STRIDE is often used in relation to assessing threats against applications or operating systems. Which of the following is not an element of STRIDE?

  • A. Spoofing
  • B. Elevation of privilege
  • C. Repudiation
  • D. Disclosure
View Correct Answer
Answer Key: D

Q12. Which one of the following elements of information is not considered personally identifiable information that would trigger most United States (U.S.) state data breach laws?

  • A. Student identification number
  • B. Social Security number
  • C. Driver’s license number
  • D. Credit card number
View Correct Answer
Answer Key: A
(Social Security numbers, driver's license numbers, and credit card numbers are all elements that trigger most U.S. state data breach notification laws; a student identification number on its own generally is not.)

Q13. Renee is speaking to her board of directors about their responsibilities to review cybersecurity controls. What rule requires that senior executives take personal responsibility for information security matters?

  • A. Due diligence rule
  • B. Personal liability rule
  • C. Prudent man rule
  • D. Due process rule
View Correct Answer
Answer Key: C
(The prudent man rule requires senior executives to take personal responsibility for ensuring due care in information security. Due diligence and due process are related concepts but are not the rule in question.)

Q14. Henry recently assisted one of his co-workers in preparing for the CISSP exam. During this process, Henry disclosed confidential information about the content of the exam, in violation of Canon IV of the Code of Ethics: “Advance and protect the profession.” Who may bring ethics charges against Henry for this violation?

  • A. Anyone may bring charges.
  • B. Any certified or licensed professional may bring charges.
  • C. Only Henry’s employer may bring charges.
  • D. Only the affected employee may bring charges.
View Correct Answer
Answer Key: B
(Under the ISC2 ethics complaint procedures, violations of Canon IV, "Advance and protect the profession," may be reported by any certified or licensed professional. Complaints under Canons I and II may be brought by anyone; Canon III complaints may be brought only by the affected principal, such as an employer or client.)

Q15. Wanda is working with one of her organization’s European Union business partners to facilitate the exchange of customer information. Wanda’s organization is located in the United States. What would be the best method for Wanda to use to ensure GDPR compliance?

  • A. Binding corporate rules
  • B. Privacy Shield
  • C. Standard contractual clauses
  • D. Safe harbor
View Correct Answer
Answer Key: C
(Standard contractual clauses are the appropriate mechanism for transfers between independent business partners. Binding corporate rules apply only to transfers within a single corporate group, and both Safe Harbor and Privacy Shield were invalidated by the Court of Justice of the European Union, in 2015 and 2020 respectively.)

Q16. Yolanda is the chief privacy officer for a financial institution and is researching privacy requirements related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?

  • A. GLBA
  • B. SOX
  • C. HIPAA
  • D. FERPA
View Correct Answer
Answer Key: A
(The Gramm-Leach-Bliley Act governs the privacy of customer financial records held by financial institutions. SOX covers financial reporting controls, HIPAA covers health information, and FERPA covers student education records.)

Q17. All but which of the following items requires awareness for all individuals affected?

  • A. Restricting personal email
  • B. Recording phone conversations
  • C. Gathering information about surfing habits
  • D. The backup mechanism used to retain email messages
View Correct Answer
Answer Key: D

Q18. What element of data categorization management can override all other forms of access control?

  • A. Classification
  • B. Physical access
  • C. Custodian responsibilities
  • D. Taking ownership
View Correct Answer
Answer Key: D

Q19. What ensures that the subject of an activity or event cannot deny that the event occurred?

  • A. CIA Triad
  • B. Abstraction
  • C. Nonrepudiation
  • D. Hash totals
View Correct Answer
Answer Key: C

Q20. Which of the following is the most important and distinctive concept in relation to layered security?

  • A. Multiple
  • B. Series
  • C. Parallel
  • D. Filter
View Correct Answer
Answer Key: B

See also:

CISSP Practice Test & Preparation Guide 2024

Security and Risk Management Practice Test

Asset Security Practice Test

Security Architecture and Engineering Practice Test

Communication and Network Security Practice Test

Identity and Access Management (IAM) Practice Test

Security Assessment and Testing Practice Test

Security Operations Practice Test

Software Development Security Practice Test