CISSP ISC Certified Information Systems Security Professional (CISSP) Free Practice Exam Questions (2025 Updated)

Authentication by ownership is stronger than authentication by knowledge because it is more difficult to duplicate. Authentication by ownership is a type of authentication that relies on something that the user possesses, such as a smart card, a token, or a biometric feature. Authentication by knowledge is a type of authentication that relies on something that the user knows, such as a password, a PIN, or a security question. Authentication by ownership is more difficult to duplicate than authentication by knowledge, as it requires physical access, specialized equipment, or sophisticated techniques to copy or forge the authentication factor. Authentication by knowledge is easier to duplicate than authentication by ownership, as it may be guessed, cracked, or stolen by various methods, such as brute force, social engineering, or phishing. Authentication by ownership is not necessarily easier to change, simpler to control, or more convenient to keep on the user’s person than authentication by knowledge, as these factors may depend on the specific implementation and context of the authentication system. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 5: Identity and Access Management, page 247.

 Security in a distributed file system using mutual authentication differs from file security in a multi-user host in that access control cannot rely on the Operating System (OS), and eavesdropping is possible. A distributed file system is a system that allows users to access files stored on remote servers over a network. Mutual authentication is a process where both the client and the server verify each other’s identity before establishing a connection. In a distributed file system, access control cannot rely on the OS, because the OS may not have the same security policies or mechanisms as the remote server. Therefore, access control must be implemented at the application layer, using protocols such as Kerberos or SSL/TLS. Eavesdropping is also possible in a distributed file system, because the network traffic may be intercepted or modified by malicious parties. Therefore, encryption and integrity checks must be used to protect the data in transit. A multi-user host is a system that allows multiple users to access files stored on a local server. In a multi-user host, access control can rely on the OS, because the OS can enforce security policies and mechanisms such as permissions, groups, and roles. Eavesdropping is less likely in a multi-user host, because the network traffic is confined to the local server. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 3: Security Architecture and Engineering, p. 373-374; CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3: Security Architecture and Engineering, p. 149-150.

Software assurance is a process of ensuring that the software systems or applications meet the quality, reliability, and security standards and requirements of the organization and the stakeholders. Software assurance can be applied throughout the software development life cycle, from planning to deployment to maintenance. A generic acquisition process is a process of procuring software systems or applications from external vendors or contractors. A generic acquisition process typically consists of four phases: initiation, solicitation, evaluation, and award. The first phase of software assurance in a generic acquisition process is developing software requirements to be included in the work statement. The software requirements define the functional and non-functional specifications, expectations, and constraints of the software system or application, such as performance, usability, security, or compliance. Developing software requirements is a critical step for software assurance, as it helps to establish the scope, objectives, and criteria for the software acquisition. Establishing and consenting to the contract work schedule, issuing a Request for Proposal (RFP) with a work statement, or reviewing and accepting software deliverables are not the first steps of software assurance in a generic acquisition process, as they are more related to the later phases of solicitation, evaluation, or award. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 21: Software Development Security, page 1173; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 8: Software Development Security, Question 8.13, page 306.

The criteria that ensures information is protected relative to its importance to the organization is legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification. These criteria are the factors or the elements that determine the level or the degree of protection that the information needs or deserves, based on its importance or significance to the organization. These criteria are used to classify or categorize the information into different levels or categories, such as public, internal, confidential, or secret, and to apply or enforce the appropriate security controls or measures, such as encryption, access control, or backup, to protect the information from threats or risks, such as theft, loss, or corruption. Legal requirements are the criteria that define the protection of the information based on the legal, regulatory, or contractual obligations or standards that the organization must comply with, such as GDPR, HIPAA, or PCI DSS. Value is the criterion that defines the protection of the information based on the worth or the benefit that the information provides or generates for the organization, such as revenue, profit, or reputation. Criticality is the criterion that defines the protection of the information based on the impact or the consequence that the unavailability or the disruption of the information would cause to the organization, such as loss, damage, or harm. Sensitivity is the criterion that defines the protection of the information based on the exposure or the vulnerability of the information to unauthorized or malicious access, modification, or disclosure, such as confidentiality, integrity, or privacy. The value of the data to the organization’s senior management, legal requirements determined by the organization headquarters’ location, or organizational stakeholders, with classification approved by the management board are not the criteria that ensure information is protected relative to its importance to the organization, as they are not the factors or the elements that determine the level or the degree of protection that the information needs or deserves, based on its importance or significance to the organization. The value of the data to the organization’s senior management is not a criterion that ensures information is protected relative to its importance to the organization, as it is a subjective or biased measure of the importance or the significance of the information, and it may not reflect the actual or the objective worth or benefit of the information for the organization. Legal requirements determined by the organization headquarters’ location is not a criterion that ensures information is protected relative to its importance to the organization, as it is a limited or a narrow scope of the legal, regulatory, or contractual obligations or standards that the organization must comply with, and it may not cover or address the legal requirements of other locations or jurisdictions where the organization operates or conducts business. Organizational stakeholders, with classification approved by the management board is not a criterion that ensures information is protected relative to its importance to the organization, as it is a process or a method of classifying or categorizing the information, and not a factor or an element that determines the level or the degree of protection that the information needs or deserves, based on its importance or significance to the organization. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 1: Security and Risk Management, page 32.

The most likely action that will allow the organization to keep risk at an acceptable level is separating the security function into distinct roles. Separating the security function into distinct roles means to create and assign the specific and dedicated roles or positions for the security activities and initiatives, such as the security planning, the security implementation, the security monitoring, or the security auditing, and to separate them from the normal IT operations. Separating the security function into distinct roles can help to keep risk at an acceptable level, as it can enhance the security performance and effectiveness, by providing the authority, the resources, the guidance, and the accountability for the security roles, and by supporting the principle of least privilege and the separation of duties. Increasing the amount of audits performed by third parties, removing privileged accounts from operational staff, and assigning privileged functions to appropriate staff are not the most likely actions that will allow the organization to keep risk at an acceptable level, as they are related to the evaluation, the restriction, or the allocation of the security access or activity, not the separation of the security function into distinct roles. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 32. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 47.

 With data labeling, the data owner must be the key decision maker. The data owner is the person or entity that has the authority and responsibility for the data, including its classification, protection, and usage. The data owner must decide how to label the data according to its sensitivity, criticality, and value, and communicate the labeling scheme to the data custodians and users. The data owner must also review and update the data labels as needed. The other options are not the key decision makers for data labeling, as they either do not have the authority or responsibility for the data (A, B, and C), or do not have the knowledge or interest in the data (B and C). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2, page 63; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 2, page 69.

 The type of attack that has most likely occurred when a disgruntled network administrator has intercepted emails meant for the Chief Executive Officer (CEO) and changed them before forwarding them to their intended recipient is a man-in-the-middle (MITM) attack. A MITM attack is a type of attack that involves an attacker intercepting, modifying, or redirecting the communication between two parties, without their knowledge or consent. The attacker can alter, delete, or inject data, or impersonate one of the parties, to achieve malicious goals, such as stealing information, compromising security, or disrupting service. A MITM attack can be performed on various types of networks or protocols, such as email, web, or wireless. Spoofing, eavesdropping, and denial of service are not the types of attack that have most likely occurred in this scenario, as they do not involve the modification or manipulation of the communication between the parties, but rather the falsification, observation, or prevention of the communication. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 462. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 478.

The third party needs to have access to the skill sets consistent with the programming languages used by the organization. The programming languages are the tools or the methods of creating, modifying, testing, and supporting the software applications that perform the functions or the tasks required by the organization. The programming languages can vary in their syntax, semantics, features, or paradigms, and they can require different levels of expertise or experience to use them effectively or efficiently. The third party needs to have access to the skill sets consistent with the programming languages used by the organization, as it can ensure the quality, the compatibility, and the maintainability of the software applications that the third party is responsible for. The third party does not need to have processes that are identical to that of the organization doing the outsourcing, access to the original personnel that were on staff at the organization, or the ability to maintain all of the applications in languages they are familiar with, as they are related to the methods, the resources, or the preferences of the software development, not the skill sets consistent with the programming languages used by the organization. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1000. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1016.

The best practice would require re-authentication after a period of inactivity, in addition to authentication at the start of the user session. Authentication is a process of verifying the identity or the credentials of a user or a device that requests access to a system or a resource. Re-authentication is a process of repeating the authentication after a certain condition or event, such as a change of location, a change of role, a change of privilege, or a period of inactivity. Re-authentication can help to enhance the security and the accountability of the access control, as it can prevent or detect the unauthorized or malicious use of the user or the device credentials, and it can ensure that the user or the device is still active and valid. Re-authenticating after a period of inactivity can help to prevent the unauthorized or malicious access by someone who may have gained physical access to the user or the device session, such as a co-worker, a visitor, or a thief. Re-authenticating periodically during a session, for each business process, or at system sign-off are not the best practices, as they may not be necessary or effective for the security or the accountability of the access control, and they may cause inconvenience or frustration to the user or the device. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 685. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 701.

Capability Maturity Models (CMM) are frameworks that describe the key elements of effective processes for various domains, such as software engineering, project management, or information security. CMM serve as a benchmark for an organization to assess its current level of maturity and identify the areas for improvement. CMM can help an organization to establish, standardize, measure, control, and optimize its procedures in systems development, which is the process of creating, maintaining, and enhancing information systems. Experience in the industry, definition of security profiles, and human resource planning efforts are not the main focus of CMM, although they may be influenced by the maturity level of the organization. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1034. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1060.

A synchronous token is a hardware device that generates and displays a one-time password (OTP) that changes at fixed intervals, usually based on a clock or a counter. The OTP is synchronized with the authentication server, and the user must enter the OTP within a certain time window to log in. This is an example of single factor authentication based on something the user has (the token). The other options are not correct, as they either do not match the description of the token (A and B), or do not specify the type of token ©. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 331; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, page 387.

The best reason to review audit logs periodically is to identify anomalies in use patterns that may indicate unauthorized or malicious activities, such as intrusion attempts, data breaches, policy violations, or system errors. Audit logs record the events and actions that occur on a system or network, and can provide valuable information for security analysis, investigation, and response. The other options are not as good as identifying anomalies, as they either do not relate to security (B), or are not the primary purpose of audit logs (A and D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 405; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, page 465.

The most critical factor to achieve the goals of a security program is the executive management support. The executive management is the highest level of authority or decision-making in the organization, such as the board of directors, the chief executive officer, or the chief information officer. The executive management support is the endorsement, the sponsorship, or the involvement of the executive management in the security program, such as the security planning, the security implementation, the security monitoring, or the security auditing. The executive management support is the most critical factor to achieve the goals of the security program, as it can provide the vision, the direction, or the strategy for the security program, and it can align the security program with the business needs and requirements. The executive management support can also provide the resources, the budget, or the authority for the security program, and it can foster the security culture, the security awareness, or the security governance in the organization. The executive management support can also influence the stakeholders, the customers, or the regulators, and it can demonstrate the commitment, the accountability, or the responsibility for the security program. Capabilities of security resources, effectiveness of security management, and budget approved for security resources are not the most critical factors to achieve the goals of the security program, as they are related to the skills, the performance, or the funding of the security program, not the endorsement, the sponsorship, or the involvement of the executive management in the security program. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 33. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 48.

The primary way to measure the effectiveness of the security program is through the audit findings. The audit findings are the results or the outcomes of the audit process, which is a systematic and independent examination of the security activities and initiatives, to determine whether they comply with the security policies and standards, and whether they achieve the security objectives and goals. The audit findings can help to evaluate the effectiveness of the security program, as they can identify and report the strengths and the weaknesses, the successes and the failures, and the gaps and the risks of the security program, and they can provide the recommendations and the feedback for the improvement and the enhancement of the security program. Risk elimination, audit requirements, and customer satisfaction are not the primary ways to measure the effectiveness of the security program, as they are related to the impossibility, the necessity, or the quality of the security program, not the evaluation or the assessment of the security program. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 39. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 54.

The primary areas that need to be addressed concerning mobile code used for malicious purposes, in addition to web browsers, are email, media players, and instant messaging applications. Mobile code is a type of code that can be transferred or executed over a network, such as the internet, without the user’s knowledge or consent, and that can perform various functions or tasks on the user’s system, such as displaying advertisements, collecting information, or installing malware. Mobile code can be embedded or attached in various types of applications or files, such as web browsers, email, media players, or instant messaging applications, and can pose a serious security threat to the user’s system or data. Text editors, database, and internet phone applications are not the primary areas that need to be addressed concerning mobile code used for malicious purposes, as they are not the common or likely sources or targets of the mobile code attacks, and they may not support or execute the mobile code as easily or frequently as the other applications. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1050. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1066.

A retinal scan is a biometric technique that uses unique patterns on a person’s retina blood vessels to identify them. The retina is a thin layer of tissue at the back of the eye that contains millions of light-sensitive cells and blood vessels. The retina converts the light rays that enter the eye into electrical signals that are sent to the brain for visual processing78

The pattern of blood vessels in the retina is not genetically determined and varies from person to person, even among identical twins. The retina also remains unchanged from birth until death, unless affected by some diseases or injuries. Therefore, the retina is considered to be one of the most accurate and reliable biometrics, apart from DNA78

A retinal scan is performed by projecting a low-energy infrared beam of light into a person’s eye as they look through the scanner’s eyepiece. The beam traces a standardized path on the retina, and the amount of light reflected by the blood vessels is measured. The pattern of variations in the reflection is digitized and stored in a database for comparison

A data retention policy is a document that specifies the rules and guidelines for how long and under what conditions an organization should retain its data. The main goal of a data retention policy is to ensure the integrity and confidentiality of data for a predetermined amount of time. Integrity means that the data is accurate, complete, and consistent, and that it has not been modified or corrupted by unauthorized parties. Confidentiality means that the data is protected from unauthorized access or disclosure, and that it respects the privacy and security of the data owners or subjects. A data retention policy can help an organization to comply with the legal or regulatory requirements, to support the business or operational needs, and to reduce the storage or management costs of the data. Ensuring that data is destroyed properly, ensuring that data recovery can be done on the data, and ensuring the availability of data for a predetermined amount of time are not the main goals of a data retention policy, as they are related to the disposal, restoration, or accessibility of the data, not the integrity or confidentiality of the data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 49. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 64.

The factor that most influences the design of the organization’s electronic monitoring policies is workplace privacy laws. Workplace privacy laws are the laws that regulate the extent and manner of the employer’s monitoring or surveillance of the employee’s activities, communications, or behavior in the workplace, such as email, phone, internet, or video monitoring. Workplace privacy laws vary by country, state, or region, and may impose different requirements or restrictions on the employer’s electronic monitoring policies, such as the purpose, scope, consent, disclosure, or protection of the monitoring data. The employer must comply with the applicable workplace privacy laws when designing and implementing the electronic monitoring policies, to avoid violating the employee’s privacy rights or facing legal consequences. Level of organizational trust, results of background checks, and business ethical considerations are not the factors that most influence the design of the organization’s electronic monitoring policies, as they are related to the culture, security, or values of the organization, not the legal or regulatory framework of the electronic monitoring. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 50. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 65.

The amount of data that will be collected during an audit is primarily determined by the audit scope. The audit scope is the extent and boundaries of the audit, such as the subject matter, the time period, the locations, the departments, the functions, the systems, or the processes to be audited. The audit scope defines what will be included or excluded from the audit, and it helps to ensure that the audit objectives are met and the audit resources are used efficiently and effectively. The auditor’s experience level, the availability of the data, and the integrity of the data are not the primary factors that determine the amount of data that will be collected during an audit, as they depend on the audit scope to be defined first. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 54. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 69.

According to the star property (*property) of the Bell-LaPadula model, a subject with a given security clearance may write data to an object if and only if the object’s security level is greater than or equal to the subject’s security level. In other words, a subject can write data to an object with the same or higher sensitivity label, but not to an object with a lower sensitivity label. This rule is also known as the no write-down rule, as it prevents the leakage of information from a higher level to a lower level. In this question, User A has a Restricted clearance, and File 1 has a Restricted security class. Therefore, User A can write to File 1, as they have the same security level. User B, User C, and User D cannot write to File 1, as they have higher clearances than the security class of File 1, and they would violate the star property by writing down information to a lower level. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 498. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 514.

The thing that system and database administrators must be aware of and apply when configuring systems used for storing personal employee data is the organization’s security policies and standards. Security policies and standards are the documents that define the rules, guidelines, and procedures that govern the security of the organization’s information systems and data. Security policies and standards help to ensure the confidentiality, integrity, and availability of the information systems and data, and to comply with the legal or regulatory requirements. System and database administrators must be aware of and apply the organization’s security policies and standards when configuring systems used for storing personal employee data, as they are responsible for implementing and maintaining the security controls and measures that protect the personal employee data from unauthorized access, use, disclosure, or theft. Secondary use of the data by business users, the business purpose for which the data is to be used, and the overall protection of corporate resources and data are not the things that system and database administrators must be aware of and apply when configuring systems used for storing personal employee data, as they are related to the usage, purpose, or scope of the data, not the security of the data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 35. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 48.

When implementing a secure wireless network, the option that supports authentication and authorization for individual client endpoints is Wi-Fi Protected Access 2 (WPA2) Enterprise. WPA2 is a security protocol that provides encryption and authentication for wireless networks, based on the IEEE 802.11i standard. WPA2 has two modes: Personal and Enterprise. WPA2 Personal uses a Pre-Shared Key (PSK) that is shared among all the devices on the network, and does not require a separate authentication server. WPA2 Enterprise uses an Extensible Authentication Protocol (EAP) that authenticates each device individually, using a username and password or a certificate, and requires a Remote Authentication Dial-In User Service (RADIUS) server or another authentication server. WPA2 Enterprise provides more security and granularity than WPA2 Personal, as it can support different levels of access and permissions for different users or groups, and can prevent unauthorized or compromised devices from joining the network. Temporal Key Integrity Protocol (TKIP), Wi-Fi Protected Access (WPA) Pre-Shared Key (PSK), and Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) are not the options that support authentication and authorization for individual client endpoints, as they are related to the encryption or integrity of the wireless data, not the identity or access of the wireless devices. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 506. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 522.

The access control logs must contain the time of the access, in addition to the identifier. Access control logs are the records or the files that capture and store the information or the data related to the access control events or activities, such as the authentication, the authorization, the audit, or the accountability. Access control logs can help to monitor and analyze the access control performance and effectiveness, to detect and investigate any security incidents or breaches, and to provide evidence or proof for any legal or regulatory actions. The access control logs must contain the time of the access, as it can help to identify and verify when the access control event or activity occurred, and to correlate and compare it with other events or activities, such as the network traffic, the system activity, or the user behavior. The time of the access can also help to determine the duration and the frequency of the access control event or activity, and to measure and evaluate the access control efficiency and quality. The security classification, the denied access attempts, and the associated clearance are not the information that must be contained in the access control logs, as they are related to the level of sensitivity or protection of the data or the resource, the unsuccessful or rejected access control requests, or the level of authorization or permission of the user or the device, not the time of the access control event or activity. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 671. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 687.

The correct list of password attacks is brute force, dictionary, phishing, and keylogger. Password attacks are the attacks that aim to guess, crack, or steal the passwords or the credentials of the users or the systems, and to gain unauthorized or malicious access to the information or the resources. Password attacks can include the following methods: - Brute force is a method that tries all possible combinations of characters or symbols until the correct password is found. - Dictionary is a method that uses a list of common or likely words or phrases as the input for guessing the password. - Phishing is a method that uses fraudulent emails or websites that impersonate legitimate entities or parties, and that trick the users into revealing their passwords or credentials. - Keylogger is a method that uses a software or a hardware device that records the keystrokes of the users, and that captures or transmits their passwords or credentials. Masquerading, salami, malware, and polymorphism are not password attacks, as they are related to the impersonation, manipulation, infection, or mutation of the data or the systems, not the guessing, cracking, or stealing of the passwords or the credentials. Zeus, netbus, rabbit, and turtle are not password attacks, as they are the names of specific types of malware, such as trojans, worms, or viruses, not the methods of attacking the passwords or the credentials. Token, biometrics, IDS, and DLP are not password attacks, as they are the types of security controls or technologies, such as authentication, identification, detection, or prevention, not the attacks on the passwords or the credentials. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 684. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 700.

A Public Key Infrastructure (PKI) is a system that provides the services and mechanisms for creating, managing, distributing, using, storing, and revoking digital certificates, which are electronic documents that bind a public key to an identity. A digital certificate can be used to authenticate the identity of an entity, such as a person, a device, or a server, that possesses the corresponding private key. An organization can implement a partial PKI with only the servers having digital certificates, which means that only the servers can prove their identity to the clients, but not vice versa. The security benefit of this implementation is that servers can authenticate themselves to the client, which can prevent impersonation, spoofing, or man-in-the-middle attacks by malicious servers. Clients can authenticate themselves to the servers, mutual authentication is available between the clients and servers, and servers are able to issue digital certificates to the client are not the security benefits of this implementation, as they require the clients to have digital certificates as well. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Cryptography and Symmetric Key Algorithms, page 615. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Cryptography and Symmetric Key Algorithms, page 631.

A Host-Based Intrusion Protection (HIPS) system is a software that monitors and blocks malicious activities on a single host, such as a computer or a server. A HIPS system can also prevent unauthorized changes to the system configuration, files, or registry12

During the initial implementation, a HIPS system is often deployed in monitoring or learning mode, which means that it observes the normal behavior of the system and the applications running on it, without blocking or alerting on any events. The objective of starting in this mode is to automatically create exceptions for specific actions or files that are legitimate and safe, but may otherwise trigger false alarms or unwanted blocks by the HIPS system34

By creating exceptions, the HIPS system can reduce the number of false positives and improve its accuracy and efficiency. However, the monitoring or learning mode should not last too long, as it may also expose the system to potential attacks that are not detected or prevented by the HIPS system. Therefore, after a sufficient baseline of normal behavior is established, the HIPS system should be switched to a more proactive mode, such as alerting or blocking mode, which can actively respond to suspicious or malicious events

The security program can be considered effective when the risk is lowered to an acceptable level. The risk is the possibility or the likelihood of a threat exploiting a vulnerability, and causing a negative impact or a consequence to the organization’s assets, operations, or objectives. The security program is a set of activities and initiatives that aim to protect the organization’s information systems and resources from the security threats and risks, and to support the organization’s business needs and requirements. The security program can be considered effective when it achieves its goals and objectives, and when it reduces the risk to a level that is acceptable or tolerable by the organization, based on its risk appetite or tolerance. Vulnerabilities are proactively identified, audits are regularly performed and reviewed, and backups are regularly performed and validated are not the criteria to measure the effectiveness of the security program, as they are related to the methods or the processes of the security program, not the outcomes or the results of the security program. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 24. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 39.

Single Sign-On (SSO) is a technology that allows users to securely access multiple applications and services using just one set of credentials, such as a username and a password56

With SSO, users do not have to remember and enter multiple passwords for different applications and services, which can improve their convenience and productivity. SSO also enhances security, as users can use stronger passwords, avoid reusing passwords, and comply with password policies more easily. Moreover, SSO reduces the risk of phishing, credential theft, and password fatigue56

SSO is based on the concept of federated identity, which means that the identity of a user is shared and trusted across different systems that have established a trust relationship. SSO uses various protocols and standards, such as SAML, OAuth, OIDC, and Kerberos, to enable the exchange of identity information and authentication tokens between the systems56

The attribute of the data that has been compromised, if it is discovered that large quantities of information have been copied by the unauthorized individual, is the confidentiality. The confidentiality is the property or the characteristic of the data that ensures that the data is only accessible or disclosed to the authorized individuals or entities, and that the data is protected from the unauthorized or the malicious access or disclosure. The confidentiality of the data can be compromised when the data is copied, stolen, leaked, or exposed by an unauthorized individual or a malicious actor, such as the one who accessed the system hosting the database. The compromise of the confidentiality of the data can violate the privacy, the rights, or the interests of the data owners, subjects, or users, and can cause damage or harm to the organization’s operations, reputation, or objectives. Availability, integrity, and accountability are not the attributes of the data that have been compromised, if it is discovered that large quantities of information have been copied by the unauthorized individual, as they are related to the accessibility, the accuracy, or the responsibility of the data, not the secrecy or the protection of the data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, Security Architecture and Engineering, page 263. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, Security Architecture and Engineering, page 279.