ISC2 CISSP Practice Test

Automated vulnerability scanning is the best first step because it provides a systematic, comprehensive baseline assessment of potential security flaws with minimal disruption to the application. It efficiently identifies common vulnerabilities such as SQL injection, cross-site scripting (XSS), and misconfigurations before proceeding to more resource-intensive and targeted testing methods. The scan results will help prioritize further testing efforts and remediation activities. While the other options are valuable security practices, they either come later in the testing process or address different aspects of security management that wouldn't serve as the most efficient first step for identifying vulnerabilities in a newly deployed web application.

The correct answer is implementing a local identity proxy. A local identity proxy (sometimes called an identity broker or federation server) is installed within the corporate network and serves as an intermediary between the company's internal identity provider (directory services) and external service providers. This approach allows authentication traffic to be contained within the organization's network boundary because the proxy handles all external communications while maintaining internal connections to the identity store.

The token forwarding mechanism option is incorrect because security tokens are typically sent directly from identity provider to service provider, which would mean authentication traffic would cross network boundaries.

The cloud-based integration service would actually move authentication traffic outside the company's network boundary, which directly contradicts the requirement.

Implementing a credential caching system by itself doesn't necessarily keep authentication traffic within the network boundary - it may reduce the frequency of authentication events but doesn't control where that traffic flows when authentication does occur.

The correct answer is a clean agent system using FM-200 or NOVEC 1230. Clean agent systems are specifically designed for protecting sensitive electronic equipment and valuable assets in data centers and server rooms. They extinguish fires by interrupting the combustion process at the chemical level without leaving residue that could damage electronics. They're safe for human exposure at design concentrations, and they don't conduct electricity, which makes them ideal for electrical fires in data centers.

The other options are less suitable:

• Water sprinkler systems can cause significant water damage to electronic equipment and may lead to electrical hazards.

• CO2 systems are effective but can be lethal to humans if discharged in occupied spaces, requiring extensive safety measures and evacuation protocols.

• Dry chemical systems leave a residue that can damage sensitive electronic components and require extensive cleanup after discharge.

Digital signatures provide non-repudiation because they use the sender's private key, which should be known only to the sender. Since the private key is under the sender's control, they cannot credibly deny having created the signature, thus establishing accountability. Recipients verify the signature using the sender's public key, confirming the message came from the claimed sender.

The incorrect options misrepresent how digital signatures work. They don't inherently include timestamps, don't encrypt the message (they encrypt a hash of the message), and don't require real-time CA validation for each transaction.

The 'right to be forgotten' (officially called the 'right to erasure' in Article 17 of GDPR) gives individuals the power to request the deletion of their personal data under certain circumstances. This right enables EU citizens and residents to request that organizations erase their personal data when there is no compelling reason for its continued processing. The right is not absolute and has certain exceptions such as when the data is needed for legal compliance, public health purposes, or establishing legal claims. The other options represent different data protection concepts but do not specifically address the complete removal of personal data from systems.

Attribute-based Access Control (ABAC) is the correct answer because it evaluates access requests based on attributes of subjects (users), objects (resources), actions, and environmental conditions. In this healthcare scenario, ABAC can use multiple attributes like the relationship between provider and patient, time of access, location, and data sensitivity level to make dynamic access decisions.

Role-based Access Control (RBAC) would be insufficient as it primarily makes access decisions based on pre-defined roles and doesn't easily accommodate environmental conditions like time and location. Discretionary Access Control (DAC) relies on the resource owner to grant access rights and lacks the fine-grained control needed for multiple attributes. Mandatory Access Control (MAC) uses security labels and clearance levels in a rigid hierarchy, which doesn't allow for the contextual, relationship-based decisions required in this healthcare scenario.

The scenario describes East-West traffic, which refers to lateral movement between servers within the same data center. Unlike North-South traffic (which flows between the data center and external networks), East-West traffic requires different security approaches.

Micro-segmentation is most appropriate because it provides fine-grained security controls between workloads within the data center, limiting lateral movement if a server is compromised. Traditional perimeter defenses primarily protect North-South traffic but don't adequately secure server-to-server communications. Micro-segmentation creates security zones around workloads and controls communication between them, aligning with zero-trust principles.

Perimeter firewalls focus on North-South traffic, VPN concentrators secure remote access connections, and NAC systems control endpoint authentication rather than server-to-server communications.

Just In Time (JIT) minimizes the risk of unauthorized access by limiting the operational time of access privileges. It ensures that users have permissions only for the duration necessary to perform their activities, significantly lowering the exposure to potential threats. Conversely, traditional access mechanisms that provide continuous permissions can lead to higher risks should credentials be compromised, as they allow longer access than necessary.

The best initial step is to review and enhance existing security protocols. Focusing on clear procedures for identifying and managing unknown individuals can help create a safer environment. Although alternative actions might seem relevant, they do not directly address the urgent need to ensure employee safety through established guidelines.

The correct answer is a full interruption test. A full interruption test (also known as a cutover test) is the most comprehensive and realistic form of disaster recovery testing. In this approach, primary systems are completely shut down and operations are transferred to the recovery site, simulating an actual disaster scenario. While this provides the most accurate assessment of recovery capabilities, it also carries the highest risk and potential business impact, which is why it's typically conducted during planned downtime with extensive preparation.

A simulation test does not actually shut down production systems but rather tests recovery procedures in a simulated environment. A parallel test involves running systems at both the primary and recovery sites simultaneously to compare results. A tabletop exercise is discussion-based and doesn't involve actual system recovery operations. None of these alternatives provides the comprehensive validation of recovery procedures under realistic conditions that the CISO is seeking.

The correct answer is implementing session tokens with appropriate timeout values. Session tokens provide a secure way to maintain a user's authenticated state across multiple requests without requiring re-authentication for each interaction. By setting appropriate timeout values (neither too short nor too long), the organization balances security with usability.

The other options have significant issues:

• Long-lasting sessions with extended expiration would create a security vulnerability by maintaining authentication for excessive periods
• Storing credentials in browser cookies would expose authentication information in an insecure manner
• IP-based session tracking is problematic because many users might share the same IP address (especially with NAT) or a legitimate user's IP might change during a session (mobile users)

Assessing the disaster recovery plan outcomes after an incident is essential to identify areas of improvement and ensure that procedures are effective and efficient for future incidents. This assessment allows organizations to understand what worked well and what did not, informing better practices and enhancing overall resilience. Other options do not focus on the evaluation aspect, which is critical for ongoing improvement.

The correct approach is to develop a data classification scheme with retention periods based on legal requirements, business needs, and industry regulations. This creates a tailored framework that properly categorizes data and applies appropriate retention periods to each category. This balanced approach minimizes both legal risk (by ensuring compliance with retention requirements) and storage costs (by not keeping unnecessary data longer than required).

The seven-year retention period ignores varying requirements across data types and jurisdictions. Deleting data promptly after transactions fails to meet record-keeping requirements and loses business intelligence value. Retaining data as long as needed is too vague and potentially violates data minimization principles in regulations like GDPR while increasing storage costs and complicating information governance.

The chain of custody documentation is the most important element to include in the investigation report. Chain of custody provides a chronological paper trail that shows how evidence was collected, analyzed, transferred, and preserved. This documentation is crucial for maintaining the integrity and admissibility of evidence in potential legal proceedings. Without proper chain of custody documentation, evidence may be deemed inadmissible in court due to questions about its integrity.

The other options, while important in various contexts, are not as critical as chain of custody documentation:

• Personal opinions about culpability may introduce bias into the investigation report and should be avoided in favor of factual findings.
• Screenshots without timestamps lack verification of when they were obtained and could be challenged.
• Recommendations for disciplinary actions are typically not part of an investigation report but would be addressed separately by management or HR based on the findings.

The correct approach is to create a forensic image (bit-by-bit copy) of the storage media before beginning any analysis. This preserves the original state of the evidence and ensures that the original evidence isn't altered during examination. A forensic image captures all data on the device, including deleted files and slack space. This approach maintains the chain of custody and ensures that the evidence remains admissible in court. Direct examination of the live system risks altering timestamps, file metadata, and other crucial forensic artifacts. Similarly, shutting down the system could lose volatile memory (RAM) data which might contain valuable evidence about the attack. Documenting the system state is important but should follow proper imaging procedures, not precede them.