Effective May 1, 2021, the Certified Information Systems Security Professional (CISSP) credential from (ISC)² was updated. In the previous installment of this two-part series, we looked at the first four of the eight CISSP knowledge domains (a complete overview from (ISC)² is available online).

Now it’s time to look at the latter four domains. Those domains, and their weighting on the certification exam, are as follows:

• Identity and Access Management — 13 percent
• Security Assessment and Testing — 12 percent
• Security Operations — 13 percent
• Software Development Security — 11 percent

How well do you know the topics addressed on the CISSP exam and how well can you answer multiple-choice questions about them? What follows is a self-test of 25 questions based on the topics within these four domains (49 percent of all topics).

In all cases, pick the best answer(s) to each question. The answers appear at the end of the questions. Good luck!

1. The organization you work for is at the forefront of software development in a niche space and they regularly release new codes dozens of times each day. What type of DevOps environment is this?
A. CI/CD
B. IDE
C. SCM
D. SOAR

2. Which of the following is a use case that takes the point of view of an actor who is hostile to the system?
A. Synthetic testing
B. Misuse case testing
C. Interface testing
D. Breach attack testing

3. Which type of contractual agreement has a neutral third-party hold source code, documentation, and related data until some mutually agreed upon event, such as an incident, occurs?
A. Software guardian
B. Software conservator
C. Software custodian
D. Software escrow

4. Single sign-on relates to authentication and is, thus, a subset of which of the following?
A. Multi-factor Authentication
B. Permission-based Access Control
C. Federated Identity Management
D. Terminal Access Controller Access Control System

5. With which development model is code/software released quickly: in sprints, or rapid successions?
A. Azure
B. Agile
C. Arduous
D. Assiduous

6. Within the realm of disaster recovery planning, a tabletop exercise is also known as which of the following?
A. Inspection
B. Roleplay
C. Walkthrough
D. Checkup

7. One form of dynamic testing uses scripted transactions that have documented/expected results and a comparison is done between the expected results and the achieved results. What is this known as?
A. Vulnerability assessment
B. Synthetic transactions
C. Test coverage analysis
D. Compliance checking

8. In the vernacular of the CISSP, which of the following is software that can be purchased from third-party vendors and used?
A. COTS
B. OFT
C. ODBC
D. DBMS

9. Collecting and verifying information about someone for the purpose of proving that they are who they claim to be and then establishing an electronic relationship that can be trusted is known as:
A. Role definition
B. Discretionary access control
C. Identify proofing
D. Credential management

10. Your team has been taken to an off-premise site that is very much like your own facility but not your own in order to allow for normal operations. You have been told to act as if this is your site and your data and told that a network error has happened so you need to respond as you would to recover from said disaster. What type of disaster recovery plan method is this?
A. Model test
B. Checklist test
C. Walkthrough test
D. Parallel test

11. After a suspected incident, which of the following is used to document anyone and everyone who handle evidence?
A. NDA
B. Verification manifest
C. Chain of custody
D. Writ of corpus

12. You have been assigned to work with a multifunctional group from different departments to develop a new product for release. What type of group is this categorized as?
A. MTP
B. IRL
C. IPT
D. SYN

13. Which of the following is an access control method in which access rights are granted to users with policies that combine attributes together?
A. MAC
B. DAC
C. ABAC
D. RBAC

14. An internally appointed team looking for vulnerabilities on your network has identified and validated a dozen weaknesses. What should be done next?
A. Accession
B. Remediation
C. Acquiescence
D. Succession

15. As with any organization, there are some aspects of your network that cannot afford to be down for long and thus a hot site must be created for them. In order to qualify as a hot site, the location needs to be operational within the time frame specified by which two objectives (choose two)?
A. Recovery risk
B. Recovery cost
C. Recovery time
D. Recovery point

Please visit GoCertify to attempt the remaining 10 questions of this quiz.

ANSWERS

1. A — In a CI/CD (continuous integration/continuous delivery) DevOps environment, code is constantly being released — often many times a day.
‍
2. B — Misuse case testing is a use case that takes the point of view of an actor who is hostile to the system.
‍
3. D — A software escrow agreement is a contractual agreement in which a neutral third-party agrees to hold source code, documentation, and related data until some mutually agreed upon event — such as a disaster or incident — occurs.
‍
4. C — Single sign-on relates to authentication and is a subset of Federated Identity Management (FIM).
‍
5. B — With the Agile development model, code/software is released quickly: in sprints, or rapid successions.
‍
6. C — Within the realm of disaster recovery planning, a tabletop exercise is also known as a walkthrough, or structured walkthrough.
‍
7. B — Synthetic transactions use scripted transactions that have documented/expected results and a comparison is then done between the expected results and the achieved results.
‍
8. A — Software that can be purchased from third-party vendors and used is known as COTS (commercial-off-the-shelf software).
‍
9. C — Identity proofing involves collecting and verifying information about someone for the purpose of proving that they are who they claim to be and then establishing an electronic relationship that can be trusted with them.
‍
10. D — In a parallel test, normal operations are allowed to continue and the team interacts with another set of systems/data/etc.
‍
11. C — A chain of custody record is used to document anyone and everyone who handles evidence.
‍
12. C — A multifunctional group from different departments charged with developing a product is known as an Integrated Product Team (IPT).
‍
13. C — Attribute-based access control (ABAC) is an access control method in which access rights are granted to users with policies that combine attributes together.
‍
14. B — After vulnerabilities have been identified and validated, the next step should be remediation of those vulnerabilities.
‍
15. C and D — In order to qualify as a hot site, the location needs to be operational within the time frame specified by which the recovery time and point objectives.

‍