Text preview & study summary
(ISC)2 CISSP - Certified Information Systems Security Professional - Security Risk Architecture Networking IAM Operations Software
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
A cloud architect is designing a multi-cloud data residency strategy for an organization that must comply with GDPR (EU data) and data localization laws in multiple countries. Which architectural approach BEST addresses these requirements?
Explanation
Data residency requirements (GDPR Article 46, national data localization laws in China, Russia, India, etc.) mandate that specific categories of personal data remain within defined geographic boundaries. Architecture requirements: (1) classify data by jurisdiction, (2) use cloud regions that map to required geographies (AWS eu-west-1, Azure germanywestcentral for GDPR), (3) implement technical controls preventing data replication across geographic boundaries, (4) regular compliance audits of data flows. Encryption (option C) does NOT exempt data from residency requirements — encrypted personal data is still personal data under GDPR. CDNs (option D) are NOT exempt.
Question 2
A cloud-based application processes healthcare data (PHI) and must comply with HIPAA. The application uses AWS as its infrastructure provider. Regarding shared responsibility for HIPAA compliance, which statement is CORRECT?
Explanation
Cloud shared responsibility for HIPAA: AWS (as a Business Associate) is responsible for: physical security, network infrastructure, hypervisor security, and compliance of their managed services (AWS signs a BAA — Business Associate Agreement). The covered entity/customer is responsible for: application-level security, PHI access controls, encryption configuration, audit logging, user authentication, PHI handling practices, and ensuring the BAA is in place. A BAA is legally required before using AWS to store/process PHI. Without a BAA, AWS cannot be used for PHI — AWS offers a standard BAA addendum. The organization cannot outsource HIPAA accountability — they remain the covered entity (or business associate) with ultimate compliance responsibility.
Question 3
A security team is planning a penetration test of a production web application. The organization wants to understand real-world attack risk while minimizing disruption to live users. Which test type is most appropriate?
Explanation
Gray box testing balances realism and efficiency for web application testing: (1) limited information (application URL, user accounts with varying privilege levels, general architecture) simulates real-world attack scenarios like credential stuffing or insider threat, (2) more efficient than black box (less time on reconnaissance), (3) covers more attack surface than white box (testers still think like attackers). White box (option A) is best for code-level security review/SDL. Black box (option B) has limited time-to-coverage ratio for web apps. Red team (option D) is suitable for comprehensive organizational security posture testing, not targeted web app testing. The choice depends on objectives and time constraints.
Question 4
A vulnerability assessment reveals that a critical production server hasn't been patched in 18 months. The system owner argues that patching requires an outage that the business cannot afford. What risk management approach and security principle applies?
Explanation
Unpatched production systems are a common challenge requiring formal risk exception management: (1) document the specific vulnerabilities and their business risk, (2) implement compensating controls to reduce residual risk, (3) obtain formal risk acceptance sign-off from the system/business owner (they own the risk), (4) set a mandatory review/remediation date (exceptions shouldn't be permanent), (5) track in the risk register. This balances business continuity with security governance. The business owner accepting risk is fundamental to good governance — security enables informed business decisions. Permanent acceptance without review (option A) is inappropriate for critical vulnerabilities.
Question 5
During a forensic investigation, a security analyst needs to analyze a suspect hard drive image. Which principle is MOST critical to maintain forensic integrity?
Explanation
Digital forensics evidence integrity requires: (1) forensic imaging — create a bit-for-bit copy using tools like dd, FTK Imager, or Guymager, (2) hash verification — calculate SHA-256 of the original, hash the copy, verify they match (any modification changes the hash), (3) work on the copy — the original evidence is sealed and preserved, (4) chain of custody — document who handled evidence, when, and what was done. Analyzing the original drive (option A) risks modifying evidence (e.g., mounting changes timestamps). Hash matching provides mathematical proof that the copy is identical to the original, making findings legally defensible. This is covered in CISSP Domain 7: Security Operations.
