Free CISSP Exam Prep Practice Test

Attempt CISSP practice test questions and test your skills. This free CISSP exam prep material simulates the actual certification exam.

  • 250 Questions
  • 360 Minutes


1. This is a FREE test and can be attempted multiple times. However, it is recommended to take the test when you are ready, for the best practice experience.

2. Test Duration: 360 Minutes

3. Number of questions: 250 Multiple Choice Questions

4. Each question has multiple options out of which one or more may be correct

5. You can pause the test in between and you are allowed to re-take the test later. Your test will resume from where you left off, but the test time will be reduced by the amount of time you have taken in the previous attempt.

1. Which attack is used to understand the type of network topology implemented at the target?
2. The opposing forces to Confidentiality, Integrity, and Availability are:
3. The primary goal of a security awareness program is:
4. Theft of Personally Identifiable Information (PII), such as credit card information is an example of which type of attack?
5. Ensuring -------- includes preventing denial-of-service attacks.
6. Which of the following information security policies are violated in most computer attacks?
7. The Health Insurance Portability and Accountability Act (HIPAA) requires that medical providers keep which information private?
8. Fault tolerance safeguards help us to combat threats to -----------
9. What is the term used to describe a component which, in case of failure, automatically responds in a way that causes no or minimum harm?
10. Which one of the following is a major part of Trusted Computer Base?
11. Who mediates all access relationships between subjects and objects of a system?
12. Which operating system allows multiple users to access a computer system at the same time?
13. What provides network link redundancy?
14. When a computer uses more than one CPU in parallel to execute instructions it is known as -------------.
15. Which of the following questions should employees refrain from answering when asked by outsiders?
16. Which attack involves an employee shaving off pennies from multiple accounts and depositing the funds into his own bank account?
17. One method to simplify the administration of access controls is to group them into
18. Cryptography does not answer the concerns of:
19. Insiders are mostly responsible for which kind of attack?
20. You are using RAID 5 for fault tolerance. If one of the disks in it becomes corrupted, when can you take it out?
21. Which function specifies access rights to resources?
22. Which method provides a baseline for our system to restore?
23. What states that a process, a user or a program must be able to access only the information and resources that are necessary to perform its authorized task?
24. Which of the following is not included in ISC2 Code of Ethics?
25. Orange Book is based on which one of the following models?
26. Why are debugging programs used?
27. At which layer of the OSI model is encryption not possible?
28. Which DES modes can best be used for authentication?
29. Which security model is dependent on security labels?
30. Which firewall inspects the state and context of the incoming data packets, and helps to track the connectionless protocols?
31. Which RAID level technique creates an exact copy (or mirror) of a set of data on two disks?
32. A server cluster looks like a
33. Why would a database be denormalized?
34. Managers of which department are ideal for the development of an information security policy for a large organization?
35. Why do buffer overflows occur?
36. Which type of firewall can be used to track connectionless protocols such as UDP and RPC?
37. As a best practice, an e-mail directory should not have which of the following?
38. Which of the following should be used for IPsec to work in gateway-gateway or host-gateway mode?
39. Which of the following phases requires the involvement of an Information Security Analyst?
40. Security controls are implemented to:
41. One advantage of a circuit-level gateway compared to an application-level firewall is that it is:
42. Which one is not implemented at the Internet layer of the TCP/IP protocol model?
43. Which of the following is true about network sniffers?
44. How does a subject get access to an object under a Multi-Level Security Policy?
45. A contingency plan should address which of the following?
46. Which of the following statements is not true about Application Control?
47. Which one is a meta-model that incorporates a number of the software development models?
48. Secure Electronic Transaction Protocol (SET) works in which layer of OSI/ISO model?
49. Which of the following statements is not true for pre-shared key authentication within the IKE / IPsec protocol?
50. Which of the following characteristics is not included in the TCP protocol?
51. What is the purpose of using Virtual Private Network (VPN)?
52. How should the information security function be handled in an organization?
53. By using which of the following attacks can a person illegally capture network user passwords?
54. What is generally concerned with personnel security?
55. What is the action to make sure that your security policy is being enforced through the use of procedures and standards?
56. Computer center fires are generally caused by:
57. Which one uses a key of the same length as the message?
58. Which of the following is not an access control technique?
59. Which of the following is not one of the VPN protocol standards?
60. While deciding on implementing a new biometric system, which of the following characteristics is of prime concern?
61. Business continuity plan development is based mostly on:
62. Which of the following is an advantage of security guards?
63. Preventive control includes:
64. What is comparatively least responsible for downtime?
65. Which of the following can be considered as bad practice when it comes to secure information processing facilities?
66. What is another name for the Orange Book?
67. During which phase of SDLC should Security and access controls be incorporated?
68. Which of the following models provides the foundation for specifying and analyzing an integrity policy for a computing system?
69. Which of the following is not an example of auditing tools?
70. The two types of ciphers are:
71. Cat5 and Cat6 categories are examples of
72. When the cost of the countermeasures outweighs the cost of the risk, the best way to handle the risk is:
73. Clipping levels refer to:
74. What are the two types of integrity?
75. Which of the following terms is another name for VPN?
76. What addresses situations where users need to log on multiple times to access different resources?
77. Which of the following recovery strategies is difficult to implement?
78. Why is using two routers to connect your trusted internal LAN to your DMZ not considered a good design?
79. Most of the time, computer-generated evidence is considered as:
80. An IPv4 address is:
81. Evidence like printed business records, manuals, and printouts is classified as:
82. To be admissible in court the evidence must be:
83. Active attacks include:
84. Which of the following statements is not true about Trade secrets?
85. Executives of any organization can be held liable for losses that result from computer system breaches as per the principle of culpable negligence if:
86. Decompiling vendor code is a form of:
87. The primary functions of an operating system include
88. Which one is fraudulent use of telephone services?
89. A connection-oriented protocol is ------
90. Which network topology uses a three-byte frame that travels around a ring?
91. A commercial application of steganography that is used to identify documents or verify their authenticity is ----
92. Job rotation is important because:
93. What is ARP poisoning?
94. Which of the following management types focuses on establishing and maintaining consistency of a system's or product's performance and its functional and physical attributes with its requirements, design, and operational information throughout its life?
95. Security class is also known as:
96. Allowing access to resources based on permitted IP addresses is the definition of:
97. An access control model is:
98. Which of the following biometrics lasts for a lifetime?
99. Which are the two major factors to measure biometric performance?
100. Which of the following is most important while selecting a biometric system for securing critical assets?
101. Installing malicious software on the system to allow future backdoor access leads to a violation of ---------- integrity.
102. In which biometric system are dwell time and flight time metrics used?
103. A confidential number to verify a user's identity is
104. Which of the following is a major security issue in memory cards?
105. Which protocol provides centralized authentication, authorization, and management for systems to connect to and use a network service?
106. What addresses the protection of computers and components from EMI and RF emissions?
107. An Ethernet LAN in a bus topology is more prone to unauthorized disclosure than switched Ethernet in a star topology because
108. How many password combinations are possible when a system uses a numeric password with 1-4 digits?
109. To carry out dictionary attack the attacker need not have:
110. The cost of an exhaustive attack can be increased by:
111. Which attack involves faking someone's identity?
112. Mandatory Access Control can be considered as:
113. Under MAC, which of the following is true?
114. What can provide for required backup computing capacity through a hot site or a cold site?
115. What is backup of all files that are new or modified since the last full backup?
116. Which virus type changes some of its characteristics as it spreads?
117. Which virus can infect both program files and boot sectors?
118. Why are macro viruses very easy to create?
119. Security issues related to Java applets include:
120. Media reuse poses the security threat of:
121. When IDS detects Internet Protocol (IP) packets whose source address is the same as the IP destination address, it should:
122. When any intrusion is detected, what should be your first step?
123. Which of the following techniques is generally not used for monitoring purposes?
124. Network Intrusion Detection System (NIDS) includes all except:
125. What monitors network traffic in real time?
126. Which of the following parameters establishes a baseline or threshold for violation activities for user errors?
127. What determines the period of time logs should be maintained?
128. Which of the following enables applications to share data by providing IPC, is based on the client/server model, and enables two programs to send commands to each other directly?
129. Which of the following is not a spam-blocking architecture?
130. Major security issue related to aggregation in a database is:
131. Which of the following is not a countermeasure for Object Reuse?
132. Which of the following entities has characteristics of reusing code and reduced maintenance?
133. Which of these is not a best practice in data warehousing?
134. Once a Change is approved it should be
135. Which of the following controls is required in an application that processes incentives for employees, such that the incentive for any one employee cannot exceed $500?
136. The primary step in SDLC is:
137. Buffer overflow and boundary condition errors are examples of:
138. In which of the following RAID levels does the drive array continue to operate even if any disk or any path to any disk fails?
139. Ideally, usernames should be:
140. If you are an information security manager for a company ABC Inc. with a human resources database, which of the following may you be authorized to view?
141. MAC systems are usually focused on preserving the --------- of data.
142. Which of the following statements highlights the importance of job rotation?
143. Which of the following is not a data destruction method?
144. In the context of information security, records management includes all of the following except:
145. Which one is not an example of an operation control?
146. Which of these is not a detective technical control?
147. Which one is not considered a technical control?
148. Fencing of ------------- can stop a determined intruder.
149. Which one is not a physical control for physical security?
150. Motion detector is an example of:
151. What is the major advantage of Dry Pipe System?
152. Which incident is characterized by obtaining an increased level of privilege?
153. Technologies used to store firmware include
154. Which of the following causes Injection attacks?
155. Why should log files not be deleted?
156. Ethics are:
157. According to RFC 1087, 'Ethics and the Internet,' which of the following statements is considered unethical?
158. The first law to implement penalties for the creators of viruses, worms, and other types of malicious code that cause harm to computer systems is ------
159. Which law requires mandatory periodic training for all persons involved in the management, use, or operation of federal computer systems that contain sensitive information?
160. Which law consists of the policies, procedures, and regulations promulgated by agencies of the executive branch of government?
161. Which of these is not a deterrent control?
162. Examples of data remanence include all of the following except:
163. Which type of protection is best suited for a unique computer program that has been developed?
164. The law that prevents government agencies from disclosing personal information that an individual supplies to the government under protected circumstances is -----
165. Which is not a valid reason for processing personal information, as defined by the European Union privacy directive?
166. What must be either uniquely identified by a witness or authenticated through a documented chain of custody?
167. Which of the following rules states that a written contract is assumed to contain all of the terms of an agreement?
168. Which test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site?
169. The fastest backup restoration time is provided by the combination of:
170. The fastest backup creation time is provided by the combination of:
171. Which backup involves always storing copies of all files modified since the most recent full backup?
172. What can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products?
173. What type of document provides a high-level view of the entire organization's disaster recovery efforts?
174. Which of the following statements does not describe Business Continuity Planning and Disaster Recovery Planning?
175. Which industry made drastic changes in DRP/BCP activities after September 11, 2001 terrorist attacks?
176. Disaster Recovery Planning's objective is:
177. Access to audit reports should be controlled and restricted because:
178. Which of the following is not a preventive control?
179. Audit trails are a ------ type of security control.
180. Failure of which of the following can result in the perception that due care is not being maintained?
181. Which of the following factors determines the frequency of information security audits in any given environment?
182. What record lists actions that have occurred on a system?
183. Monitoring cannot be used to:
184. An examination of the management controls within an IT infrastructure is-------
185. Calculate the Single Loss Expectancy (SLE) for Jet Industries, which expects that it would lose $40 million if flash floods struck its aircraft operations facility.
186. Which of the following is difficult to measure in quantitative analysis in BIA?
187. When designing continuity plan provisions and processes what should be protected first?
188. Which of the following tasks of BCP bridges the gap between the BIA and the Continuity Planning phases?
189. Intangible concerns, such as loss of brand value, are dealt with in which BIA process?
190. The longest time a business function can be unavailable without causing irreparable harm to the organization is known as:
191. Which of the following should be used to assign quantitative values to assets in the priority identification phase of the BIA?
192. Which of the following resources is utilized most during the BCP phase?
193. Which of the following states the responsibility of senior management to ensure safety and protection of their resources during any disaster?
194. Activities that require special access to be performed within a secured IT environment are:
195. One of the effective means of preventing and detecting the installation of unauthorized applications is:
196. Antivirus protection is best implemented by
197. Who needs to be informed, when records about their activities on a system are being recorded and retained?
198. What should be used in areas where technical controls cannot be used to control virus infections?
199. More vulnerabilities like virus infections are added to the system by
200. Which of the following correctly describes IPsec?
201. Which one of the following is an insecure encryption algorithm?
202. Certificate Revocation List has the major disadvantage of:
203. What was created to support the use of stored-value payment cards?
204. Which attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations?
205. Which one of the following Data Encryption Standard (DES) operating modes has better error correcting codes?
206. For a secure two-way communications using asymmetric key cryptography what is the minimum number of cryptographic keys required?
207. The different types of cryptanalysis include all of the following except:
208. The cipher which operates on large pieces of a message rather than individual bits of a message is known as:
209. What is the only cryptosystem not vulnerable to attacks if correctly implemented?
210. What type of cipher relies on a variety of techniques to reorder the characters within a message?
211. What is the length of the cryptographic key in the Data Encryption Standard (DES)?
212. Best countermeasure against new threats of malicious code objects exploiting known vulnerabilities is to:
213. Which viruses modify their own code each time they infect a system?
214. Which attack relies upon the timing of the execution of two events?
215. Standard TCP/IP handshaking process has how many phases?
216. What is the size of the Master Boot Record on a system?
217. Which of the following terms is not used to describe the main RAM of a typical computer system?
218. The key used to enforce referential integrity between database tables.
219. Which of the following provides access control based on value of an attribute of the object?
220. Which DBMS primarily supports the establishment of many-to-many relationships?
221. The software program that acts on behalf of a user in their absence to carry out certain operations is known as
222. What is the most probable malicious code object that might be inserted in an application by a disgruntled software developer with the purpose of destroying system data upon the deletion of the developer's account?
223. Which of the following is not a routing protocol?
224. Which of these is not a feature of firewalls?
225. Which type of firewall blocks unauthorized users and activities by examining source and destination address, application usage, source of origin, and the relationship between current packets and the previous packets of the same session?
226. An example of a connectionless protocol is:
227. A TCP wrapper is:
228. Which of the following cables has the most twists per inch?
229. Which of the following cable types is the least resistant to EMI?
230. Layer 6 of the OSI model is
231. Physical access controls cannot prevent:
232. What is not a typical type of alarm that can be triggered for physical security?
233. Which of the following types of detector can detect variations in the electrical or magnetic field around an object?
234. The most popular and inexpensive form of physical access control device is:
235. The most common reason for failure of a water-based fire suppression system is attributed to:
236. For an organization, a critical application must always:
237. Information classification systems have a major limitation of:
238. Security policy does not include:
239. Which of the following is an important characteristic of an information security policy?
240. Which one has the major function of ensuring the integrity of business information?
241. Which of the following is not required to maintain a server room in the most efficient and secure way?
242. Which of the following perimeter-defining choices is most commonly used as a deterrent for casual trespassers?
243. What is the most common form of perimeter security devices or mechanisms?
244. Types of input attacks include
245. What is true about padded cells?
246. What is a trial-and-error method to obtain passwords for user accounts by using different combinations of characters?
247. A system can be protected from brute-force and dictionary attacks by all of the following except:
248. What is not a denial of service attack?
249. A SYN flood attack can be carried out by
250. Which of the following is responsible for setting user clearances to computer-based information?