One of the most valued vendor-neutral security certifications today is the Certified Information Systems Security Professional (CISSP) credential offered by cybersecurity professional association (ISC)². The qualifications required of those considering it are five years’ experience in security administration and firsthand knowledge in the areas addressed by the eight CISSP exam domains.
It is worth noting that the five years’ experience requirement is reduced by one year if you have a college degree or possess a qualifying IT security-related certification, but that won’t help much if you don’t actually know the domain topics well. Information about the five-year requirement can be found in the full set of objectives that is available online.
The minimum passing score is 700 points (out of 1000), and the exam's 100 to 150 questions (it is an adaptive test) are drawn from the following domains with the following weighting:
- Security and Risk Management — 15 percent
- Asset Security — 10 percent
- Security Architecture and Engineering — 13 percent
- Communication and Network Security — 13 percent
- Identity and Access Management (IAM) — 13 percent
- Security Assessment and Testing — 12 percent
- Security Operations — 13 percent
- Software Development Security — 11 percent
How well do you know the topics addressed on the CISSP exam and how well can you answer multiple-choice questions about them? What follows is a self-test of 25 questions based on the topics within the first four domains. (A subsequent test will cover the remaining 49 percent of topics. Watch for that next month.) In all cases, pick the best answer(s) to each question.
The answers appear at the end of the questions. Good luck!
1. The data on a server is estimated to be worth $1 million and it is projected that the exposure factor is 0.1. What is the single loss expectancy (SLE)?
A. $10 million
B. $1 million
2. Which type of attack uses information about system activity (such as power usage or processor utilization) to gather insights about information being encrypted?
A. Meet in the middle
3. An employee has abruptly resigned and left the organization to start their own firm. They need to be removed from the Identity and Access Management (IAM) system in a process known as:
4. What are the three recognized data states (choose three)?
A. At rest
B. In transit
C. In archive
D. In use
E. In storage
F. In cache
G. Awaiting action
5. What type of cipher is Skipjack?
6. When it comes to security roles, which of the following has been officially designated as accountable for a specific information asset dataset?
A. Data/asset owner
7. DRM (Digital Rights Management) provides protection for works protected by which of the following?
D. All of the above
8. Which of the following extends the concept of user behavior analytics (UBA)?
9. With a single loss expectancy of $100,000 and a projected annualized rate of occurrence (ARO) being once every four years, what is the annualized loss expectancy (ALE)?
10. Which of the following is a structured approach to potential threats that involves identifying them, quantifying them, and addressing possible responses?
A. Tabletop casting
B. Threat modeling
C. Feign simulating
D. Fire drilling
11. Which of the following principles is used with the Biba security model and states that a subject at one level of integrity must not read data at a lower integrity level (no read down)?
A. Simple integrity
B. Naught integrity
C. * (star) integrity
D. Implicit integrity
12. You are in a meeting and it is imperative that a decision be made before the meeting concludes. Which of the following is an anonymous feedback and response process that can be used for the group to arrive at a consensus?
A. Horizon scanning
B. Delphi technique
C. Last to go method
D. Syntactic practice
13. Which of the following is an encapsulation protocol used to allow VLANs to extend across subnets and is documented in RFC 7348?
14. Rather than top management promoting adherence to strict security policies, the IT department has had to mandate and push such policies. This is known as what type of approach?
C. Bottom up
D. Top down
15. What is left over after mitigation has been applied to total risk?
A. Structured risk
B. Residual risk
C. Controlled risk
D. Measured risk
Please visit GoCertify to attempt the remaining 10 questions of this quiz.
1. C — The single loss expectancy (SLE) is equal to the asset value (AV) times the exposure factor (EF). In this case, $1 million times 0.1 indicates that the expected loss from a disaster/compromise/etc. is $100,000.
2. D — A side-channel attack uses information about system activity (such as power usage or processor utilization) to gather insights about information being encrypted.
3. A — Removing the former employee from the Identity and Access Management (IAM) system should be a part of the offboarding process.
4. A, B, and D — The three recognized data states are at rest, in transit, and in use.
5. C — Skipjack is a block cipher that processes 64-bit blocks.
6. A — The Data/Asset Owner has been officially designated as accountable for a specific information asset dataset and has administrative control over it.
7. C — DRM (Digital Rights Management) provides protection for works protected by copyright.
8. D — UEBA (User and Entity Behavior Analytics) extends the concept of user behavior analytics (UBA) to include other observations. In both cases, algorithms look for anomalies from normal behavior to flag possible problems.
9. B — With a single loss expectancy of $100,000 and a projected annualized rate of occurrence (ARO) being once every four years (0.25), the annualized loss expectancy (ALE) is equal to $100,000 x 0.25 or $25,000.
10. B — Threat modeling is a structured approach to potential threats that involves identifying them, quantifying them, and addressing possible responses.
11. A — The simple integrity principle is used with the Biba security model and states that a subject at one level of integrity must not read data at a lower integrity level (no read down).
12. B — The Delphi technique is an anonymous feedback and response process that can be used for a group to arrive at a consensus.
13. C — VXLAN (Virtual Extensible LAN) is an encapsulation protocol that allows VLANs to extend across subnets. The technology is documented in RFC 7348.
14. C — Without the support of upper management (which would make it a top down approach), this scenario describes a bottom up approach.
15. B — Residual risk is left over after mitigation has been applied to total risk.
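Answers 1 and 9 apply the SLE and ALE formulas. The following added example (not part of the original quiz) codes those formulas in Python and goes one step further to the cost/benefit of a safeguard, the standard Domain 1 calculation built on ALE; the RiskScenario class, the 0.02 post-control exposure factor and the $10,000 annual control cost are constructed assumptions.

```python
"""Quantitative risk formulas from CISSP Domain 1 (added example).

SLE = AV * EF                     single loss expectancy
ARO = 1 / years_between_events    annualized rate of occurrence
ALE = SLE * ARO                   annualized loss expectancy
Safeguard value = ALE_before - ALE_after - annual safeguard cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float           # AV, in dollars
    exposure_factor: float       # EF, fraction of AV lost per event (0.0 to 1.0)
    years_between_events: float  # 4.0 means "once every four years", i.e. ARO 0.25

    def __post_init__(self) -> None:
        # Reject inputs the formulas cannot meaningfully use.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.years_between_events <= 0:
            raise ValueError("years between events must be positive")

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def aro(self) -> float:
        return 1.0 / self.years_between_events

    def ale(self) -> float:
        return self.sle() * self.aro()


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual benefit of a control; a positive result means it pays for itself."""
    return before.ale() - after.ale() - annual_cost


if __name__ == "__main__":
    # Question 1: $1 million asset, EF 0.1; question 9: that SLE once every four years.
    server = RiskScenario(asset_value=1_000_000, exposure_factor=0.1, years_between_events=4)
    print(f"SLE = ${server.sle():,.0f}")   # $100,000
    print(f"ALE = ${server.ale():,.0f}")   # $25,000
    # Constructed assumption: a control cuts EF to 0.02 and costs $10,000 per year.
    hardened = RiskScenario(asset_value=1_000_000, exposure_factor=0.02, years_between_events=4)
    print(f"Safeguard value = ${safeguard_value(server, hardened, 10_000):,.0f}")  # $10,000
```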