ISC2 CISSP Practice Test

Sherwood Applied Business Security Architecture (SABSA) is the correct answer because it provides a layered architectural model that helps organizations trace security requirements from business drivers all the way through to technical implementation. SABSA uses six layers (Business, Architect's, Designer's, Builder's, Tradesman's, and Service Manager's views) to ensure security solutions are aligned with business needs at every level.

The other frameworks, while valuable, don't provide the same comprehensive architectural approach to linking business objectives with technical implementations. NIST frameworks focus more on specific security controls and risk management approaches. ISO 27001 is centered around Information Security Management Systems with less emphasis on architectural design. COBIT offers IT governance and management practices but doesn't provide the same level of architectural guidance that connects business vision directly to technical implementation details.

The correct answer is conducting facilitated workshops with key stakeholders representing different business functions. When gathering security requirements for mission-critical systems, especially financial ones, bringing together diverse stakeholders in facilitated workshops provides several advantages. This approach ensures comprehensive input from various perspectives (technical, business, compliance, end-users), allows for real-time discussion of security trade-offs, helps build consensus, and identifies potential conflicts early. The other approaches have limitations: automated scanning tools focus on technical vulnerabilities rather than business requirements; reviewing past breach reports may provide insights but doesn't capture current business needs or priorities; and delegating requirement gathering to department heads may miss cross-functional dependencies and create disjointed requirements.

The correct answer is A practice where a trusted third party holds copies of encryption keys. Key escrow is a practice where a trusted third party (the escrow agent) holds copies of encryption keys. The purpose is to ensure that authorized parties, such as law enforcement with proper legal authorization or organizations needing business continuity, can access encrypted data if the primary keys are unavailable.

A technique to encrypt the same data with multiple keys is incorrect because this describes multi-key encryption, not key escrow.

A method to derive multiple keys from a master key is incorrect because this describes key derivation functions, not key escrow.

A procedure to securely transfer keys between systems is incorrect because this relates to key distribution, not escrow.

When providing federated identity, a service provider (such as Active Directory Federation Services or similar technologies) issues security tokens that allow users to authenticate once and access resources in both environments without re-authenticating. It establishes and maintains trust relationships, performs claims transformation when necessary, and enables Single Sign-On across the hybrid environment.

A federation service provider is essential in a hybrid federated identity architecture because it serves as the intermediary that manages trust relationships between the organization's identity provider and service providers across both on-premises and cloud environments.

The most effective recovery strategy employs a combination of diverse storage options to safeguard against data loss and improve recovery times. This approach allows for flexibility and redundancy, ensuring that if one method is compromised, others are available. The other options lack sufficient diversity in storage methods or do not provide optimal frequency for backups, which can impede recovery effectiveness.

The correct answer is the data owner. This role is accountable for determining how data should be classified, how it is handled, and who has access to that data. Unlike data custodians, who focus on the technical aspects of data management, the owner has the authority to make decisions about data policies and controls. There are distinct responsibilities among the roles involved in the data lifecycle; for example, while data controllers manage processing activities, the ultimate authority lies with the data owner when it comes to defining security practices.

Implementing role-based access controls ensures that individuals are granted access based on their specific job responsibilities, minimizing the risk of unauthorized access to sensitive information. In contrast, requiring users to create complex passwords might enhance security, but it does not restrict access based on roles. Restricting access solely to the IT department does not address the need for appropriate access control for other authorized personnel, and merely conducting access reviews annually may lead to time gaps where unauthorized access could occur.

Privacy regulation, such as General Data Protection Regulation (GDPR) compliance, is the most important requirement for the Chief Information Security Officer (CISO) to address first. Privacy regulation often includes stringent data protection requirements with significant penalties for non-compliance. Before conducting business in an area with privacy regulation, the organization must ensure its data protection practices align with requirements including data subject rights, consent mechanisms, breach notification procedures, and data protection impact assessments.

While the other options are important security considerations, addressing local privacy regulations represents a legal requirement specific to the expansion scenario described and would need immediate attention before beginning operations in new jurisdictions.

The correct answer is to identify vulnerabilities by sending unexpected or random inputs. Fuzz testing works by automatically generating and sending malformed, unexpected, or random data to an application to trigger error conditions, crashes, or unexpected behaviors that might indicate security vulnerabilities. It's particularly effective at finding input validation issues, buffer overflows, and other boundary condition problems.

Performing dynamic taint analysis of data flows within an application is a different security testing technique that tracks how untrusted data moves through an application to identify potential vulnerabilities. While this approach can reveal security issues, it uses instrumentation to monitor data propagation rather than generating random inputs as fuzz testing does.

Validating input sanitization routines against known attack patterns is more closely related to penetration testing or security scanning with predefined patterns. Unlike fuzz testing, which generates random or unexpected inputs, this approach uses known malicious inputs to test specific defenses.

Verifying the integrity of compiled binaries against their source code is related to software assurance and supply chain security. This process ensures that the compiled code matches the reviewed source code and hasn't been tampered with during the build process, but it doesn't involve sending unexpected inputs to find vulnerabilities.

The correct answer emphasizes that tabletop exercises help teams evaluate their response strategies by discussing scenarios in a controlled environment. This form of testing fosters collaboration, uncovers weaknesses in the plan, and enhances overall preparedness. Other choices may refer to relevant aspects of recovery but fail to focus on the discussion and evaluative nature of the exercise.

The correct answer is the requirements phase because security requirements should be identified and documented at the earliest possible stage of development. Establishing security requirements during the requirements phase ensures they're treated with the same importance as functional requirements and properly incorporated into subsequent design and implementation decisions.

**The design phase **is too late for initial security requirements definition. While security architecture designs are created during this phase, they should be based on security requirements already established. Delaying security considerations until the design phase can result in architectural decisions that are difficult to secure properly.

**The implementation phase **is significantly too late to begin considering security requirements. By this point, the architecture is established, and major changes to accommodate security needs would be expensive and time-consuming. Security during implementation should focus on following secure coding practices based on previously established requirements.

The testing phase is entirely too late for defining security requirements. At this point, the application is largely built, and discovering that it doesn't meet fundamental security needs would require substantial rework. The testing phase should verify that the implementation meets the security requirements defined much earlier in the lifecycle.

The Disaster Recovery Coordinator is responsible for coordinating all recovery activities during a disaster recovery operation. This individual oversees the execution of the disaster recovery plan, manages the recovery team, communicates with stakeholders, and ensures that recovery procedures are followed correctly. The Disaster Recovery Coordinator is appointed specifically to lead the recovery efforts and serves as the central point of authority during the recovery process. The other roles mentioned have important but different responsibilities within an organization's security framework.

Degaussing is a media sanitization technique that uses a powerful magnetic field to neutralize the magnetic data stored on media. This process is effective for magnetic storage like Hard Disk Drives (HDDs) and magnetic tapes. However, it is ineffective for Solid-State Drives (SSDs) because SSDs store data electronically in flash memory (NAND) cells, which are not affected by magnetic fields. Appropriate sanitization techniques for SSDs include cryptographic erasure, using the ATA Secure Erase command, or physical destruction.

Fuzzing, or fuzz testing, is the most effective approach for identifying authentication bypass vulnerabilities in APIs because it systematically sends unexpected, malformed, or random data inputs to the API endpoints to discover how they handle invalid or unexpected inputs. This technique is particularly effective at finding authentication bypass vulnerabilities as it can reveal edge cases where input validation fails or where error handling might expose sensitive information that could assist in bypassing authentication controls.

While schema validation testing is valuable for ensuring API inputs conform to expected formats, it doesn't specifically target authentication logic flaws. Load testing focuses on performance under stress rather than security vulnerabilities. Port scanning is a network reconnaissance technique that identifies open ports and services but doesn't test application-level authentication mechanisms in APIs.

Secure Shell (SSH) with multi-factor authentication is the most appropriate solution for secure remote administrative access. SSH provides encrypted communications for administrative sessions, ensuring confidentiality of sensitive network operations. When combined with multi-factor authentication, it significantly enhances security by requiring something the user knows (password) plus something they have (token or mobile device) or something they are (biometrics). SSH also has robust logging capabilities for auditing administrative actions, which is crucial for security monitoring and compliance.

VPN alone provides encryption but lacks the specific administrative controls and logging capabilities needed for administrative access. Remote Desktop Protocol has known security vulnerabilities when not properly secured and doesn't inherently include multi-factor authentication. Telnet transmits data in plaintext, making it fundamentally insecure for administrative functions.