2026最新CISSP模拟试题及答案｜认证考试真题解析汇总

Valuable paper insurance coverage does cover damage to which of the following?

Which of the following statements pertaining to a security policy is NOT true?

If your property Insurance has Actual Cash Valuation (ACV) clause, your damaged property will be compensated based on:

The preliminary steps to security planning include all of the following EXCEPT which of the following?

Step-by-step instructions used to satisfy control requirements are called a:

One purpose of a security awareness program is to modify:

What is a security policy?

The end result of implementing the principle of least privilege means which of the following?

Which of the following exemplifies proper separation of duties?

An access control policy for a bank teller is an example of the implementation of which of the following?

At which of the Orange Book evaluation levels is configuration management required?

Which type of security control is also known as "Logical" control?

Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes-Oxley Section 404 compliance?.

The Widget Company decided to take their company public and while they were in the process of doing so had an external auditor come and look at their company. As part of the external audit they brought in a technology expert, who incidentally was a new CI

The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:

Which of the following steps is NOT one of the eight detailed steps of a Business Impact Assessment (BIA)?

Which of the following provides enterprise management with a prioritized list of time-critical business processes, and estimates a recovery time objective for each of the time critical processes and the components of the enterprise that support those proc

Which of the following answers is the BEST example of Risk Transference?

Which of the following answer BEST relates to the type of risk analysis that involves committees, interviews, opinions and subjective input from staff?

Regarding risk reduction, which of the following answers is BEST defined by the process of giving only just enough access to information necessary for them to perform their job functions?

Which term BEST describes a practice used to detect fraud for users or a user by forcing them to be away from the workplace for a while?

Which of the following is a fraud detection method whereby employees are moved from position to position?

The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:

Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated with:

In terms or Risk Analysis and dealing with risk, which of the four common ways listed below seek to eliminate involvement with the risk being evaluated?

Of the multiple methods of handling risks which we must undertake to carry out business operations, which one involves using controls to reduce the risk?

There is no way to completely abolish or avoid risks, you can only manage them. A risk free environment does not exist. If you have risks that have been identified, understood and evaluated to be acceptable in order to conduct business operations. What is

John is the product manager for an information system. His product has undergone under security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks suggested by an IS auditor. Which of the followin

Sam is the security Manager of a financial institute. Senior management has requested he performs a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks,

Which of the following risk handling technique involves the practice of being proactive so that the risk in question is not realized?

Which of the following risk handling technique involves the practice of passing on the risk to another entity, such as an insurance company?

Which of the following pairings uses technology to enforce access control policies?

Which type of risk assessment is the formula ALE = ARO x SLE used for?

Which of the following Confidentiality, Integrity, Availability (CIA) attribute supports the principle of least privilege by providing access to information only to authorized and intended users?

You are a manager for a large international bank and periodically move employees between positions in your department. What is this process called?

Which of the following is a CHARACTERISTIC of a decision support system (DSS) in regards to Threats and Risks Analysis?

Which of the following is covered under Crime Insurance Policy Coverage?

It is a violation of the "separation of duties" principle when which of the following individuals access the software on systems implementing security?

The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following?

Which of the following ensures that security is NOT breached when a system crash or other system failure occurs?

Which of the following ensures that a TCB is designed, developed, and maintained with formally controlled standards that enforces protection at each stage in the system's life cycle?

What is the MAIN objective of proper separation of duties?

This baseline sets certain thresholds for specific errors or mistakes allowed and the amount of these occurrences that can take place before it is considered suspicious?

What is surreptitious transfer of information from a higher classification compartment to a lower classification compartment without going through the formal communication channels?

Which of the following is given the responsibility of the maintenance and protection of the data?

In discretionary access environments, which of the following entities is authorized to grant information access to other people?

Who is ultimately responsible for the security of computer based information systems within an organization?

Which of the following embodies all the detailed actions that personnel are required to follow?

Who can best decide what are the adequate technical security controls in a computer-based application system in regards to the protection of the data being used, the criticality of the data, and its sensitivity level?

Which of the following is NOT a responsibility of an information (data) owner?

In regards to information classification what is the main responsibility of information (data) owner?

The owner of a system should have the confidence that the system will behave according to its specifications. This is termed as:

The US department of Health, Education and Welfare developed a list of fair information practices focused on privacy of individually, personal identifiable information. Which one of the following is incorrect?

The typical computer fraudsters are usually persons with which of the following characteristics?

The US-EU Safe Harbor process has been created to address which of the following?

What level of assurance for a digital certificate verifies a user's name, address, social security number, and other information against a credit bureau database?

According to Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) there is a requirement to “protect stored cardholder data.” Which of the following items cannot be stored by the merchant?

Which of the following is NOT a proper component of Media Viability Controls?

Degaussing is used to clear data from all of the following media except:

What is the main issue with media reuse?

Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette?

Which of the following is NOT a media viability control used to protect the viability of data storage media?

An electrical device (AC or DC) which can generate coercive magnetic force for the purpose of reducing magnetic flux density to zero on storage media or other magnetic media is called:

What is the most secure way to dispose of information on a CD-ROM?

Which of the following refers to the data left on the media after the media has been erased?

What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account?

Which of the following logical access exposures involvers changing data before, or as it is entered into the computer?

When it comes to magnetic media sanitization, what difference can be made between clearing and purging information?

Which of the following method is recommended by security professional to PERMANENTLY erase sensitive data on magnetic media?

Which protocol makes USE of an electronic wallet on a customer's PC and sends encrypted credit card information to merchant's Web server, which digitally signs it and sends it on to its processing bank?

In Mandatory Access Control, sensitivity labels attached to object contain what information?

Which of the following European Union (EU) principles pertaining to the protection of information on private individuals is incorrect?

Who should DECIDE how a company should approach security and what security measures should be implemented?

The Telecommunications Security Domain of information security is also concerned with the prevention and detection of the misuse or abuse of systems, which poses a threat to the tenets of:

Controlling access to information systems and associated networks is necessary for the preservation of their:

What security model is dependent on security labels?

At which temperature does damage start occurring to magnetic media?

Which of the following access control models requires defining classification for objects?

In which of the following security models is the subject's clearance compared to the object's classification such that specific rules can be applied to control how the subject-to-object interactions take place?

Which of the following classes is the first level (lower) defined in the TCSEC (Orange Book) as mandatory protection?

Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection?

Which of the following division is defined in the TCSEC (Orange Book) as minimal protection?

Which of the following establishes the minimal national standards for certifying and accrediting national security systems?

Which of the following places the Orange Book classifications in order from MOST secure to LEAST secure?

What would BEST define a covert channel?

Which of the following Orange Book ratings represents the highest level of trust?

What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions?

Which division of the Orange Book deals with discretionary protection (need-to-know)?

Which of the following computer crime is MORE often associated with INSIDERS?

Which of the following groups represents the leading source of computer crime losses?

Which of the following term BEST describes a weakness that could potentially be exploited?

Which of the following BEST describes an exploit?

Virus scanning and content inspection of S/MIME encrypted e-mail without doing any further processing is:

What can be defined as secret communications where the very existence of the message is hidden?

Which of the following terms can be described as the process to conceal data into another file or media in a practice known as security through obscurity?

Which of the following can be best defined as computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data and for detecting or extracting the marks later?

What is Dumpster Diving?

The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?

Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?