Text preview & study summary

(ISC)2 CISSP - Certified Information Systems Security Professional - Security Risk Architecture Networking IAM Operations Software

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A cloud architect is designing a multi-cloud data residency strategy for an organization that must comply with GDPR (EU data) and data localization laws in multiple countries. Which architectural approach BEST addresses these requirements?

Answer choices

  • A. Store all data in a single US-based data center for simplicity

  • B. Implement data residency controls using cloud regions/zones aligned with regulatory requirements, with data sovereignty policies ensuring personal data of EU citizens is processed and stored within the EU, and national data is processed within respective countries (Correct)

  • C. Encrypt all data — encrypted data is exempt from data residency requirements

  • D. Use a content delivery network (CDN) — CDNs are exempt from data localization laws

Explanation

Data residency requirements (GDPR Article 46, national data localization laws in China, Russia, India, etc.) mandate that specific categories of personal data remain within defined geographic boundaries. Architecture requirements: (1) classify data by jurisdiction, (2) use cloud regions that map to required geographies (AWS eu-west-1, Azure germanywestcentral for GDPR), (3) implement technical controls preventing data replication across geographic boundaries, (4) regular compliance audits of data flows. Encryption (option C) does NOT exempt data from residency requirements — encrypted personal data is still personal data under GDPR. CDNs (option D) are NOT exempt.

Question 2

A cloud-based application processes healthcare data (PHI) and must comply with HIPAA. The application uses AWS as its infrastructure provider. Regarding shared responsibility for HIPAA compliance, which statement is CORRECT?

Answer choices

  • A. AWS is fully responsible for HIPAA compliance since they are the "covered entity" providing the service

  • B. HIPAA compliance is shared: AWS is responsible for the security OF the cloud (physical infrastructure, hypervisor, managed services), while the organization is responsible for security IN the cloud (application security, access control, encryption key management, PHI handling, BAA terms) (Correct)

  • C. The organization is fully responsible for all HIPAA compliance including AWS's physical security

  • D. HIPAA doesn't apply to cloud-hosted PHI — only on-premise systems require HIPAA compliance

Explanation

Cloud shared responsibility for HIPAA: AWS (as a Business Associate) is responsible for: physical security, network infrastructure, hypervisor security, and compliance of their managed services (AWS signs a BAA — Business Associate Agreement). The covered entity/customer is responsible for: application-level security, PHI access controls, encryption configuration, audit logging, user authentication, PHI handling practices, and ensuring the BAA is in place. A BAA is legally required before using AWS to store/process PHI. Without a BAA, AWS cannot be used for PHI — AWS offers a standard BAA addendum. The organization cannot outsource HIPAA accountability — they remain the covered entity (or business associate) with ultimate compliance responsibility.

Question 3

A security team is planning a penetration test of a production web application. The organization wants to understand real-world attack risk while minimizing disruption to live users. Which test type is most appropriate?

Answer choices

  • A. White box testing — provide full application documentation and source code to pentesters

  • B. Black box testing — pentesters have zero knowledge, simulating an external attacker

  • C. Gray box testing — provide limited information (user credentials, general architecture) simulating a partially-informed attacker (e.g., insider threat, credential-obtained attacker) (Correct)

  • D. Red team engagement — multi-week adversarial simulation of advanced persistent threats

Explanation

Gray box testing balances realism and efficiency for web application testing: (1) limited information (application URL, user accounts with varying privilege levels, general architecture) simulates real-world attack scenarios like credential stuffing or insider threat, (2) more efficient than black box (less time on reconnaissance), (3) covers more attack surface than white box (testers still think like attackers). White box (option A) is best for code-level security review/SDL. Black box (option B) has limited time-to-coverage ratio for web apps. Red team (option D) is suitable for comprehensive organizational security posture testing, not targeted web app testing. The choice depends on objectives and time constraints.

Question 4

A vulnerability assessment reveals that a critical production server hasn't been patched in 18 months. The system owner argues that patching requires an outage that the business cannot afford. What risk management approach and security principle applies?

Answer choices

  • A. Accept the risk permanently since the business need overrides security requirements

  • B. Apply the risk management framework: document the risk exception with specific acceptance criteria, require compensating controls (additional monitoring, network isolation, WAF), set a review date, and require sign-off by appropriate risk acceptance authority — all exceptions have business owners accountable for accepted risk (Correct)

  • C. Bypass the change management process and patch during business hours to minimize downtime

  • D. Immediately take the system offline since it represents an unacceptable risk

Explanation

Unpatched production systems are a common challenge requiring formal risk exception management: (1) document the specific vulnerabilities and their business risk, (2) implement compensating controls to reduce residual risk, (3) obtain formal risk acceptance sign-off from the system/business owner (they own the risk), (4) set a mandatory review/remediation date (exceptions shouldn't be permanent), (5) track in the risk register. This balances business continuity with security governance. The business owner accepting risk is fundamental to good governance — security enables informed business decisions. Permanent acceptance without review (option A) is inappropriate for critical vulnerabilities.

Question 5

During a forensic investigation, a security analyst needs to analyze a suspect hard drive image. Which principle is MOST critical to maintain forensic integrity?

Answer choices

  • A. Analyze the original drive directly to avoid any data transformation

  • B. Create a forensic copy (bit-level image) of the original drive, verify hash values (SHA-256/MD5) of original and copy match, and analyze ONLY the copy — this preserves evidence integrity and maintains chain of custody (Correct)

  • C. Analyze the drive in the original system to preserve the original execution environment

  • D. Document findings first, then create a forensic image

Explanation

Digital forensics evidence integrity requires: (1) forensic imaging — create a bit-for-bit copy using tools like dd, FTK Imager, or Guymager, (2) hash verification — calculate SHA-256 of the original, hash the copy, verify they match (any modification changes the hash), (3) work on the copy — the original evidence is sealed and preserved, (4) chain of custody — document who handled evidence, when, and what was done. Analyzing the original drive (option A) risks modifying evidence (e.g., mounting changes timestamps). Hash matching provides mathematical proof that the copy is identical to the original, making findings legally defensible. This is covered in CISSP Domain 7: Security Operations.