Free CISSP Practice Questions Across All 8 Domains (With Answer Explanations)

Correct answer: C

Before changing a process, you need to understand why the existing process failed. The incidents provide direct evidence of what the assessment program missed. Jumping to solutions, more frequent assessments, new certification requirements, or contract terminations, without first diagnosing the root cause, is likely to produce the wrong fix.

Option A addresses frequency but not quality; if the assessments are missing the right indicators, doing them more often just produces the same blind spots faster. Option B is a reactive business decision that may be appropriate in some cases, but it is not a security program improvement. Option D imposes a blanket requirement that may not address the specific gaps the incidents revealed. The security manager's first obligation is to understand the problem before prescribing the remedy.

Correct answer: B

A unified control framework, sometimes called a common controls framework or integrated compliance approach, allows a single control to satisfy requirements across multiple frameworks at once. This is both more efficient and more defensible. The organization demonstrates compliance with all applicable requirements without duplicating effort.

Option A creates legal and regulatory exposure in the frameworks deprioritized, which is not an acceptable trade-off for any regulated entity. Option C increases cost and coordination complexity without solving the underlying problem; separate vendors for separate frameworks often create more fragmentation, not less. Option D is not a realistic option. Regulators rarely grant exemptions based on internal resource constraints, and making such a request signals non-compliance.

Correct answer: C

Solid-state drives present unique challenges for traditional data sanitization. Overwriting, which is effective on spinning hard disk drives, is unreliable on SSDs because of wear-leveling algorithms that prevent writes from always reaching every cell where data may reside.

Option A is therefore insufficient for SSDs. Degaussing, Option B, does not affect SSDs because SSDs store data using electrical charge in flash memory cells, not magnetic fields — degaussing is only effective on magnetic media. Reformatting, Option D, does not securely remove data and is never an acceptable sanitization method for sensitive data. Cryptographic erasure works by destroying the encryption keys that protect already-encrypted data, rendering the data unrecoverable even if the drive is accessed, and combining this with physical destruction gives the highest assurance for sensitive HR records. This approach is endorsed by NIST SP 800-88 for SSD media.

Correct answer: C

Data classification should always be driven by the potential impact of unauthorized disclosure, not mechanically by the classification of source data.

Option A states an absolute rule that does not exist — aggregated and derived data must be evaluated on its own merits. Option B is similarly too absolute; it is possible to aggregate data in ways that genuinely reduce sensitivity, for example, by removing all personally identifiable attributes. Option D describes a process requirement but not the principle that should drive the reclassification decision. The correct answer, C, reflects the core purpose of data classification: ensuring that protective controls are proportionate to the risk. In this case, the analyst should ask whether the aggregated purchase patterns could reveal information that would harm customers or the organization if disclosed, and if the answer is yes at the Restricted level, that is the appropriate classification regardless of whether the data has been transformed.

Correct answer: B

GDPR Article 25 explicitly requires data protection by design and by default, which aligns directly with the privacy by design principle. This means privacy controls, data minimization, purpose limitation, and user rights must be built into the architecture from the beginning, not added afterward.

Defense in depth, Option A, is a valid security principle but addresses confidentiality, integrity, and availability broadly. It does not specifically address the privacy obligations that GDPR imposes. Least privilege, Option C, and separation of duties, Option D, are both relevant controls that would be implemented as part of the design, but neither is the overarching architectural principle that GDPR mandates. A CISSP must recognize that privacy and security are related but distinct disciplines, and that privacy by design is the specific response to privacy regulation requirements.

Correct answer: B

Returning different error messages based on whether a username exists allows an attacker to enumerate valid accounts in the system. This is a form of information disclosure that makes credential attacks significantly more efficient. The attacker no longer needs to guess both usernames and passwords, only passwords for confirmed valid accounts. The correct remediation is to return a generic message such as "invalid username or password" for all authentication failures, regardless of which component failed.

Option A describes a real vulnerability class, but is not what is described here. There is no indication of database query manipulation in the scenario. Option C describes a different class of problem involving authorization logic, which is not the issue presented. Option D addresses session token management, which is unrelated to the error message behavior described.

Correct answer: B

A Type 1 hypervisor, also called a bare-metal hypervisor, runs directly on the physical hardware without requiring a host operating system. This provides two advantages in the described environment: better performance because there is no host OS layer consuming resources, and a smaller attack surface because there is no host OS to compromise. A Type 2 hypervisor runs on top of a host operating system, meaning an attacker who compromises the host OS can potentially affect all guest virtual machines.

Option A incorrectly states that Type 2 provides stronger isolation; the opposite is true. Option C is accurate that Type 2 may be simpler to manage in some contexts, but ease of management does not outweigh the performance and security requirements stated in the scenario. Option D contains a factual error: Type 1 hypervisors do not require a host operating system; that is precisely what distinguishes them from Type 2.

Correct answer: B

A permissive outbound rule allowing all traffic to any destination on any port is one of the most dangerous firewall misconfigurations in practice. It means that malware already inside the network can reach any external command-and-control server on any port, and that any internal user or process can exfiltrate data to any destination without restriction. The principle of least privilege applied to network traffic means outbound rules should permit only the specific ports and destinations required for business operations

Option A is not the most significant risk. Performance is a secondary concern compared to the security exposure. Option C treats the rule as a documentation problem when it is a security problem; a business justification does not neutralize the risk. Option D misreads the rule — the scenario describes an outbound rule, not an inbound rule, so restricting source IPs does

Correct answer: B

Split tunnel VPN allows the remote worker's traffic to be divided: traffic destined for internal corporate resources is routed through the encrypted VPN tunnel, while all other internet traffic goes directly to its destination without passing through the corporate network. This satisfies the stated requirement — internal application access is secured while the organization does not bear the bandwidth and latency cost of routing all user internet traffic through its infrastructure. Full tunnel VPN.

Option A, routes all traffic through the corporate network, which is the opposite of what is described. Site-to-site VPN, Option C, connects two fixed network locations rather than individual remote users to a corporate network. SSL VPN with clientless access, Option D, allows browser-based access to specific applications and does not require a client, but it does not address the routing architecture question that the scenario presents. It describes an access method, not a traffic routing model.

Correct answer: B

Federation allows the parent organization to establish a trust relationship with the acquired company's identity provider, enabling acquired employees to authenticate using their existing credentials without creating duplicate accounts in the parent system. This provides immediate access, maintains accountability through the existing identity records, and avoids the provisioning overhead of creating individual accounts for potentially hundreds of employees.

Option A creates duplicate account management overhead and introduces provisioning errors during a period of organizational transition — it also requires deprovisioning all those accounts later when the integration project completes. Option C, granting temporary administrator accounts, is a significant security violation; temporary access should be scoped to the minimum required, not elevated to administrator level. Option D is appropriate for normal operations, but in a pthe ost-acquisition context requiring immediate access, the standard provisioning queue may cause unacceptable operational delays.

Correct answer: C

Phishing resistance means the authentication mechanism cannot be defeated by tricking a user into entering their credentials on a fake site

SMS OTPs, Option A, are not phishing-resistant because an attacker can create a real-time phishing site that forwards the OTP as the user enters it, and SMS is also vulnerable to SIM-swapping attacks. TOTP authenticator apps, Option B, are slightly stronger than SMS but still not phishing-resistant for the same reason — the six-digit code can be intercepted by a real-time phishing proxy. Push notifications, Option D, are susceptible to MFA fatigue attacks where an attacker repeatedly sends push requests until the user approves one. FIDO2 hardware security keys, Option C, are phishing-resistant by design because the cryptographic authentication is bound to the specific website origin — a fake site cannot receive a valid FIDO2 assertion even if the user is tricked into interacting with it. FIDO2 is the standard recommended by CISA and NIST for phishing-resistant MFA.

Correct answer: B

When a penetration tester discovers a critical vulnerability, particularly one that could expose sensitive customer data, the correct action is to stop exploitation and immediately notify the client. This is not just an ethical best practice — it is typically defined in the rules of engagement agreed upon before the test began. Financial institutions are subject to data protection regulations that may require notification if customer data is accessed, even during a sanctioned test.

Fully exploiting the vulnerability to extract data, Options A and D, risks causing actual harm to real customers and triggering regulatory obligations that the engagement contract likely did not authorize. Continuing to test other areas without notifying the client, Option C, delays a critical finding that the client needs to act on immediately. The tester's obligation is to document, notify, and let the client decide how to proceed — not to maximize the demonstration of impact.

Correct answer: B

When remediation cannot occur due to resource constraints, the appropriate security governance response is formal risk acceptance, not workarounds that obscure the risk. Risk acceptance means the relevant executive or risk owner explicitly acknowledges the vulnerability, understands the potential impact, and accepts organizational responsibility for the residual risk. This creates a documented record that the organization was aware of the risk and made a deliberate decision — which is important for audit, regulatory, and liability purposes.

Option A hiding vulnerabilities from scan reports is never acceptable — it creates a false picture of the security posture and could constitute fraud if the organization is subject to compliance requirements. Option C manipulating severity ratings is equally unacceptable for the same reasons. Option D conducting a penetration test may be valuable in isolation, but it does not solve the governance problem of unaddressed vulnerabilities — the application owner already knows the vulnerabilities exist.

Correct answer: C

The correct first action in any incident is to follow the incident response plan and notify the appropriate stakeholders — not to make unilateral technical decisions. The IR plan defines who has authority to authorize containment actions, particularly when those actions affect senior leadership.

Immediately isolating an executive's workstation during a board presentation, Option A, could cause significant business disruption and potentially embarrass leadership without authorization. Waiting for the executive to finish, Option B, may be operationally considerate but delays a security decision that should be made by the designated incident commander or security leadership, not the analyst independently. Blocking the IP at the firewall, Option D, is a reasonable containment action but still a unilateral technical decision that should go through the proper authorization chain. The IR plan exists precisely to handle these situations — who to notify, what authority the analyst has, and what escalation looks like.

Correct answer: B

The combination of factors here: a service account authenticating interactively rather than through automation, from an unusual geographic location, at an unusual time, represents a high-confidence indicator of compromise. Service accounts used for automated processes should not be authenticating interactively from foreign IP addresses at any time. This is a classic pattern of credential theft followed by the attacker's use of the stolen credentials.

Option A, treating this as a false positive without investigation, is dangerous given the specificity of the anomalies. Option C is reasonable in ambiguous situations but this scenario has multiple simultaneous anomaly indicators, not just one; the appropriate action is to disable and investigate, then restore if the explanation is benign. Option D is partially true. Geolocation can be spoofed through VPNs and proxies. But this observation does not reduce the seriousness of the other anomaly indicators. When multiple high-confidence indicators converge, the correct response is containment followed by investigation.

Correct answer: B

The scenario does not indicate that the backups were not made or that they were stored insecurely. The failure is specifically that the organization did not test whether the backups could actually be restored, which is the most fundamental requirement of any backup program. A backup that cannot be restored is not a backup. Regular restore testing would have caught the software version incompatibility long before it became a recovery problem.

Option A is not supported by the scenario — nothing suggests the backups were infrequent. Option C addresses physical or logical security of the storage facility, which is not the issue described. Option D describes the specific technical root cause, software version incompatibility, but the underlying process failure is the absence of restore testing, which would have caught this and any other restoration issue. CISSP candidates should recognize the distinction between a technical symptom and the governance failure that allowed it to persist.

Correct answer: B

When user-supplied input is passed directly to a database query without validation or sanitization, the application is vulnerable to injection attacks, most commonly SQL injection. An attacker can craft malicious input that changes the structure of the query, potentially reading unauthorized data, modifying data, or executing commands. The correct remediation has three components: input validation to reject input that does not conform to expected formats, parameterized queries (also called prepared statements) to separate data from query structure so user input cannot change query logic, and output encoding to prevent injected content from being interpreted in other contexts.

Option A addresses XSS, which involves injecting scripts into web pages rendered by browsers — this is a different vulnerability class from what is described. Option C addresses broken access control, which is a different vulnerability. Option D addresses XML-specific injection, but the scenario specifies JSON input, not XML.

Correct answer: B

Storing secrets in source code is one of the most common and consequential security mistakes in software development. The primary risk is that 40 developers now have access to production payment processor credentials, and those credentials exist in every git commit and clone of the repository — meaning they persist in version history even if the file is subsequently deleted. The correct response has two immediate components: move all secrets to a dedicated secrets management system such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault, and rotate the exposed keys immediately because they must be treated as compromised.

Option A is a valid security practice but does not address the exposure of the keys themselves. Option C addresses data loss, which is not the issue. Option D addresses key lifecycle management, which is good practice but does not address the immediate exposure the current situation creates. The CISSP must recognize that rotation is urgent, not deferred — the keys are already exposed.

Correct answer: B

Standard change management timelines exist to prevent instability from unvetted changes — they are not designed to override security judgment during active exploitation. When a vulnerability has a public exploit and confirmed active exploitation in the wild, the risk of delay almost certainly exceeds the risk of an accelerated but abbreviated patch cycle. Mature change management programs include an emergency change process for exactly this situation, which allows faster deployment with appropriate but compressed review.

Option A following the full 30-day process is unreasonable when exploitation is confirmed and ongoing — 30 days of exposure to an actively exploited critical vulnerability is not acceptable risk management. Option C implementing compensating controls is valuable as an interim measure and may be part of the emergency response, but compensating controls are not a substitute for patching a confirmed critical vulnerability. Option D waiting for a second patch adds delay without a clear security benefit and reflects risk aversion around change management rather than risk aversion around the vulnerability itself.

Correct answer: B

The goal of integrating security into CI/CD is to catch vulnerabilities early without making the developer experience so painful that teams route around the controls. Running full SAST on every commit is often impractical because comprehensive scans can take many minutes, which creates unacceptable pipeline latency for teams committing frequently. The balanced approach is a tiered model: fast, targeted checks on every commit that catch the most critical and highest-confidence issues without significant delay, combined with thorough scans at logical gates such as pre-merge reviews or nightly scheduled runs where latency is acceptable.

Option A running SAST only on release candidates reduces pipeline friction but defeats the purpose of shifting security left by the release candidate stage, as fixing findings is significantly more expensive. Option C, replacing SAST with DAST, is not a valid trade-off. They test different things; SAST analyzes source code while DAST tests running applications, and neither is a substitute for the other. Option D, relying on developer judgment to address self-run findings, removes the systematic enforcement that makes security controls reliable.