The document outlines practice questions and answers for the CISSP exam, covering eight domains of cybersecurity including identity and access management, security assessment, security operations, and software development security. It emphasizes the importance of structured learning and includes explanations to clarify key concepts and mechanisms such as role-based access control and the purpose of vulnerability assessments. Infosectrain provides resources to aid in exam preparation, including training programs and support for aspiring CISSP candidates.

1. (Domains 5 to 8)
Exam Practice
Questions & Answers
CISSP

2. Table of Contents
CISSP Practice Exam Questions and Answers
Summary
Domain 5: Identity and Access Management (IAM) (13%)
Domain 6: Security Assessment and Testing (12%)
Domain 7: Security Operations (13%)
Domain 8: Software Development Security (10%)

3. CISSP Practice Exam Questions and Answers
Part-2
Domain 5 Identity and Access Management (IAM) (13%)
Q.1.
Q.2.
www.infosectrain.com 03
A company has discovered that an employee has been using a colleague’s
credentials to access sensitive information. What immediate action should
the company take to address this issue?
Ignore the issue as it is an internal matter
Terminate both employees involved
Conduct an investigation and enforce strict access control policies
Disable all user accounts temporarily
Answer: C. Conduct an investigation and enforce strict access control policies
Explanation: The first step is to conduct a comprehensive investigation to
identify the scope of the issue and assess any potential impacts or
unauthorized access.
Answer: C. Conduct an investigation and enforce strict access control policies
Explanation: The first step is to conduct a comprehensive investigation to
identify the scope of the issue and assess any potential impacts or
unauthorized access.
What is the purpose of a Single Sign-On (SSO) system?
To provide multi-factor authentication
To allow users to authenticate once and gain access to multiple systems
To monitor user activity on the network
To encrypt user passwords

4. www.infosectrain.com
Answer: B. To allow users to authenticate once and gain access to multiple
systems
Explanation: A Single Sign-On (SSO) system allows users to authenticate once
and access multiple systems or applications without the need to log in
separately for each, streamlining the user experience and enhancing security by
minimizing the number of credentials to manage.
Answer: B. To allow users to authenticate once and gain access to multiple
systems
Explanation: A Single Sign-On (SSO) system allows users to authenticate once
and access multiple systems or applications without the need to log in
separately for each, streamlining the user experience and enhancing security by
minimizing the number of credentials to manage.
Domain 5
04
Q.3. A healthcare organization needs to ensure that only authorized personnel
can access patient records. What access control mechanism should be
implemented to meet this requirement?
Role-Based Access Control (RBAC)
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Open Access Control
Answer: A. Role-Based Access Control (RBAC)
Explanation: Role-Based Access Control (RBAC) is an effective access control
mechanism that assigns permissions to users based on their roles within the
organization. This ensures that only authorized personnel can access
information based on their specific job functions and responsibilities.
Answer: A. Role-Based Access Control (RBAC)
Explanation: Role-Based Access Control (RBAC) is an effective access control
mechanism that assigns permissions to users based on their roles within the
organization. This ensures that only authorized personnel can access
information based on their specific job functions and responsibilities.

5. www.infosectrain.com
It improves password security
It allows multiple organizations to share and manage user identities
It provides real-time monitoring of user activities
It enables single sign-on for internal applications only
Answer: B. It allows multiple organizations to share and manage user identities
Explanation: Federated identity management allows multiple organizations to
share and manage user identities across systems and domains, facilitating
seamless access to resources while maintaining security and trust relationships
between the organizations.
Answer: B. It allows multiple organizations to share and manage user identities
Explanation: Federated identity management allows multiple organizations to
share and manage user identities across systems and domains, facilitating
seamless access to resources while maintaining security and trust relationships
between the organizations.
Answer: B. To assign and manage user access rights and permissions
Explanation: User provisioning in Identity and Access Management (IAM)
involves assigning and managing user access rights and permissions, ensuring
that users have the appropriate access to systems and resources based on their
roles and responsibilities within the organization.
Answer: B. To assign and manage user access rights and permissions
Explanation: User provisioning in Identity and Access Management (IAM)
involves assigning and managing user access rights and permissions, ensuring
that users have the appropriate access to systems and resources based on their
roles and responsibilities within the organization.
Domain 5
04
Q.4. What is the main benefit of implementing a federated identity
management system?
Q.5. What is the purpose of user provisioning in IAM?
To monitor user activity
To assign and manage user access rights and permissions
To encrypt user data
To provide training for new users

6. www.infosectrain.com 10
Domain 6 Security Assessment and Testing (12%)
Q.1. What is the primary objective of a vulnerability assessment?
To encrypt data transmissions
To identify and quantify security vulnerabilities in a system
To provide user access controls
To monitor network traffic for suspicious activity
Answer: B. To identify and quantify security vulnerabilities in a system
Explanation: The purpose of a vulnerability assessment is to detect and
quantify security weaknesses within a system, enabling organizations to
assess their security status and prioritize efforts to mitigate potential risks.
Answer: B. To identify and quantify security vulnerabilities in a system
Explanation: The purpose of a vulnerability assessment is to detect and
quantify security weaknesses within a system, enabling organizations to
assess their security status and prioritize efforts to mitigate potential risks.
Answer: B. Reviewing and evaluating the effectiveness of security policies and
controls
Explanation: An important aspect of conducting a security audit is reviewing
and evaluating the effectiveness of security policies and controls. This process
ensures that the security measures in place are functioning as intended and
helps identify any gaps or areas for improvement.
Answer: B. Reviewing and evaluating the effectiveness of security policies and
controls
Explanation: An important aspect of conducting a security audit is reviewing
and evaluating the effectiveness of security policies and controls. This process
ensures that the security measures in place are functioning as intended and
helps identify any gaps or areas for improvement.
Q.2. What is an important aspect of conducting a security audit?
Encrypting all data during transmission
Reviewing and evaluating the effectiveness of security policies and controls
Providing training for end-users
Monitoring network traffic for real-time threats

7. www.infosectrain.com
Domain 6
04
Q.3. What is the purpose of a security baseline?
To provide a set of minimum security standards for systems and devices
To monitor real-time network traffic
To develop new encryption algorithms
To conduct penetration testing
Answer: A. To provide a set of minimum security standards for systems and
devices
Explanation: A security baseline establishes the minimum security
requirements for systems and devices. It establishes a foundational level of
security that must be met to ensure consistent protection across the
organization.
Answer: A. To provide a set of minimum security standards for systems and
devices
Explanation: A security baseline establishes the minimum security
requirements for systems and devices. It establishes a foundational level of
security that must be met to ensure consistent protection across the
organization.
Q.4. A multinational corporation has multiple data centers worldwide. During a natural
disaster, one of the data centers is completely destroyed. Which type of site
should the company use to ensure minimal downtime and continued operations?
Cold site
Warm site
Hot site
Mobile site
Answer: C. Hot site
Explanation: A hot site is a fully functional offsite data center equipped with
essential hardware, software, and data, ready to assume operations promptly
in case the primary site is unavailable.
Answer: C. Hot site
Explanation: A hot site is a fully functional offsite data center equipped with
essential hardware, software, and data, ready to assume operations promptly
in case the primary site is unavailable.

8. www.infosectrain.com 10
Domain 7 Security Operations (13%)
Q.1. Which of the following is a key component of a business continuity plan (BCP)?
Network segmentation
Data encryption
Disaster recovery plan
Vulnerability scanning
Answer: C. Disaster recovery plan
Explanation: A disaster recovery plan outlines the procedures and processes to
recover and restore operations after a disaster or disruption, ensuring the
continuity of business operations.
Answer: C. Disaster recovery plan
Explanation: A disaster recovery plan outlines the procedures and processes to
recover and restore operations after a disaster or disruption, ensuring the
continuity of business operations.
Answer: B. To simulate a security incident and assess how well the incident
response plan performs
Explanation: The main purpose of conducting a tabletop exercise is to simulate
a security incident and evaluate the effectiveness of the incident response plan.
Answer: B. To simulate a security incident and assess how well the incident
response plan performs
Explanation: The main purpose of conducting a tabletop exercise is to simulate
a security incident and evaluate the effectiveness of the incident response plan.
Q.2. What is the main purpose of conducting a tabletop exercise?
To train employees on how to use new software
To simulate a security incident and assess how well the incident response
plan performs
To perform a full-scale test of the disaster recovery plan
To assess network performance

9. www.infosectrain.com
Domain 7
04
Q.3. Which of the following best describes a cold site in disaster recovery planning?
A backup site that is fully operational with all necessary hardware and software
A site with only the basic infrastructure and no equipment or data
A site that is used for data archiving and storage
A location where network traffic is monitored
Answer: B. A site with only the basic infrastructure and no equipment or data
Explanation: A cold site is a backup site with only the basic infrastructure, such
as power and environmental controls, but without any equipment or data. It
requires additional setup before it can be used for business operations, making
it less expensive but slower to activate in the event of a disaster.
Answer: B. A site with only the basic infrastructure and no equipment or data
Explanation: A cold site is a backup site with only the basic infrastructure, such
as power and environmental controls, but without any equipment or data. It
requires additional setup before it can be used for business operations, making
it less expensive but slower to activate in the event of a disaster.
Answer: A. To identify the primary reason for a security incident and prevent
its recurrence
Explanation: Root cause analysis (RCA) in security operations aims to pinpoint
the main cause of a security incident and enact preventive measures to
enhance the organization's security stance, thereby lowering the risk of similar
incidents occurring again.
Answer: A. To identify the primary reason for a security incident and prevent
its recurrence
Explanation: Root cause analysis (RCA) in security operations aims to pinpoint
the main cause of a security incident and enact preventive measures to
enhance the organization's security stance, thereby lowering the risk of similar
incidents occurring again.
Q.4. Why do security operations conduct root cause analysis (RCA)?
To identify the primary reason for a security incident and prevent its recurrence
To monitor network traffic for suspicious activity
To develop new security policies
To perform vulnerability assessments

10. www.infosectrain.com 10
Domain 8 Software Development Security (10%)
Q.1. Which of the following describes the concept of "defense in depth" in
software development security?
Using multiple layers of security controls to protect software
Implementing only one strong security measure to save resources
Relying on the operating system to provide all necessary security
Allowing end users to choose their own security settings
Answer: A. Using multiple layers of security controls to protect software
Explanation: “Defense in depth” involves implementing multiple layers of
security controls to safeguard software, ensuring that even if one control is
compromised, others will continue to provide protection.
Answer: A. Using multiple layers of security controls to protect software
Explanation: “Defense in depth” involves implementing multiple layers of
security controls to safeguard software, ensuring that even if one control is
compromised, others will continue to provide protection.
Answer: B. Encrypting the data at rest and in transit
Explanation: Encrypting data both at rest and in transit is a widely used and
highly effective method to safeguard sensitive information, ensuring its security
whether stored or during transmission.
Answer: B. Encrypting the data at rest and in transit
Explanation: Encrypting data both at rest and in transit is a widely used and
highly effective method to safeguard sensitive information, ensuring its security
whether stored or during transmission.
Q.2. What is a common method to protect sensitive data in software applications?
Using plain text storage for ease of access
Encrypting the data at rest and in transit
Storing sensitive data in user profiles
Avoiding the use of access controls

11. www.infosectrain.com
Domain 8
04
Q.3. What is the purpose of static application security testing (SAST)?
To test the application's performance under load
To identify security vulnerabilities in the source code without executing
the program
To monitor network traffic for threats
To encrypt data transmissions
Answer: B. To identify security vulnerabilities in the source code without
executing the program
Explanation: Static Application Security Testing (SAST) examines source code
to detect security vulnerabilities without executing the program, allowing
developers to resolve issues early in the development process.
Answer: B. To identify security vulnerabilities in the source code without
executing the program
Explanation: Static Application Security Testing (SAST) examines source code
to detect security vulnerabilities without executing the program, allowing
developers to resolve issues early in the development process.
Q.4. An organization is developing a cloud-based application that must comply with
data privacy regulations. What steps should the development team take to ensure
compliance and protect user data?
Store all user data in a local database
Implement encryption, access controls, and regular audits
Use only open-source software
Disable user logging to protect privacy
Answer: B. Implement encryption, access controls, and regular audits
Explanation: To ensure compliance with data privacy regulations and protect
user data, the development team should implement encryption, access
controls, and regular audits. These steps help secure the data and ensure
adherence to regulatory requirements.
Answer: B. Implement encryption, access controls, and regular audits
Explanation: To ensure compliance with data privacy regulations and protect
user data, the development team should implement encryption, access
controls, and regular audits. These steps help secure the data and ensure
adherence to regulatory requirements.

12. www.infosectrain.com
Summary
Preparing for the CISSP exam can be daunting, given the comprehensive nature of
the exam, which covers eight critical cybersecurity domains. InfosecTrain is here to
simplify your journey to becoming a Certified Information Systems Security
Professional. With our tailored training programs, you get access to expert
instructors, detailed study guides, and practical exercises that cover commonly
asked CISSP exam questions and answers. Our resources help demystify complex
concepts, ensuring you understand and retain essential information. By joining
InfosecTrain, you benefit from structured learning, regular assessments, and
dedicated support, making your CISSP exam preparation efficient and effective.
Embark on your path to CISSP certification with InfosecTrain and secure your future
in cybersecurity.
16

13. www.infosectrain.com