Mar-2026 Download Free Latest Exam CISSP Certified Sample Questions [Q928-Q946]

Share

Mar-2026 Download Free Latest Exam CISSP Certified Sample Questions

Prepare for your exam certification with our CISSP Certified ISC

NEW QUESTION # 928
Which access control model enables the owner of the resource to specify what subjects can access specific resources?

  • A. Role-based Access Control
  • B. Discretionary Access Control
  • C. Mandatory Access Control
  • D. Sensitive Access Control

Answer: B

Explanation:
Discretionary Access Control (DAC) is used to control access by restricting a subject's access to an object. It is generally used to limit a user's access to a file. In this type of access control it is the owner of the file who controls other users' accesses to the file. Using a DAC mechanism allows users control over access rights to their files. When these rights are managed correctly, only those users specified by the owner may have some combination of read, write, execute, etc. permissions to the file.


NEW QUESTION # 929
An organization implements Network Access Control (NAC) ay Institute of Electrical and Electronics Engineers (IEEE) 802.1x and discovers the printers do not support the IEEE 802.1x standard. Which of the following is the BEST resolution?

  • A. Install an IEEE 802. 1x bridge for the printers.
  • B. Implement port security on the switch ports for the printers.
  • C. Implement a virtual local area network (VLAN) for the printers.
  • D. Do nothing; IEEE 802.1x is irrelevant to printers.

Answer: A

Explanation:
The best resolution for an organization that implements Network Access Control (NAC) using IEEE 802.1x and discovers the printers do not support the IEEE 802.1x standard is to install an IEEE 802.1x bridge for the printers. IEEE 802.1x is a standard that provides port-based authentication for network devices, such as switches, routers, or wireless access points. IEEE 802.1x allows only authorized devices to access the network, based on their credentials or certificates. However, some devices, such as printers, may not support IEEE
802.1x or have the required credentials or certificates. In this case, an IEEE 802.1x bridge can be used to connect the printers to the network. An IEEE 802.1x bridge is a device that acts as a proxy for the printers and performs the IEEE 802.1x authentication on their behalf. The bridge can also isolate the printers from the rest of the network and apply security policies to them. References: CISSP All-in-One Exam Guide, Chapter 4:
Communication and Network Security, Section: IEEE 802.1x, pp. 264-265.


NEW QUESTION # 930
When determining who can accept the risk associated with a vulnerability, which of the following is MOST important?

  • A. Type of potential loss
  • B. Information ownership
  • C. Countermeasure effectiveness
  • D. Incident likelihood

Answer: D

Explanation:
Section: Security and Risk Management


NEW QUESTION # 931
Which of the following is NOT one of the European Union (EU) privacy
principles?

  • A. Individuals have the right to correct errors contained in their personal data.
  • B. Individuals are entitled to receive a report on the information that is held about them.
  • C. Data transmission of personal information to locations where equivalent personal data protection cannot be assured is prohibited.
  • D. Information collected about an individual can be disclosed to other organizations or individuals unless specifically prohibited by the individual.

Answer: D

Explanation:
This principle is stated as an opt-out principle in which the individual has to take action to prevent information from being circulated to other organizations. The correct corresponding European Union principle states that information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual. Thus, the individual would have to take an active role or opt-in to authorize the disclosure of information to other organizations. The other principles are valid EU privacy principles.


NEW QUESTION # 932
Which of the following categories of hackers poses the greatest threat?

  • A. Student hackers
  • B. Corporate spies
  • C. Disgruntled employees
  • D. Criminal hackers

Answer: C

Explanation:
Explanation/Reference:
Explanation:
Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization, has sufficient access.
Incorrect Answers:
B: Student hackers are a lesser threat as a disgruntled employee already has access to the system.
C: A disgruntled employee is a larger threat compared to a criminal hacker as the employee already has access to the system.
D: A disgruntled employee is a larger threat compared to a corporate spy as the employee already has access to the system.
References:
Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 602


NEW QUESTION # 933
Which of the following is the most costly countermeasure to reducing physical security risks?

  • A. Security Guards
  • B. Electronic Systems
  • C. Procedural Controls
  • D. Hardware Devices

Answer: A

Explanation:
One drawback of guards is that the cost of maintaining a guard function either internally or through an external service is expensive. Although some guards are contracted through a separate company, they should still be considered part of personnel and are the most expensive service of the choices provided. A guard can also potentially incur liability costs.
The following answers are incorrect:
procedural controls Procedural controls are not expensive, they often involve time to develop but are certainly not the most expensive countermeasure.
hardware devices Hardware devices can be expensive, especially if they are biometric readers. However, there is a fairly fixed cost of ownership whereas guards could incur liability costs and can be a very costly 24x7 countermeasure.
electronic systems Electronic systems can be expensive, especially if they are biometric readers. However, there is a fairly fixed cost of ownership whereas guards could incur liability costs and can be a very costly 24x7 countermeasure.
The following reference(s) were/was used to create this question:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 340).


NEW QUESTION # 934
Which of the following is MOST critical in a contract in a contract for data disposal on a hard drive with a third party?

  • A. Allowed unallocated disk space
  • B. Amount of overwrites required
  • C. Frequency of recovered media
  • D. Authorized destruction times

Answer: B


NEW QUESTION # 935
Proxies works by transferring a copy of each accepted data packet from one network to another, thereby masking the:

  • A. data's details.
  • B. data's payload.
  • C. data's origin.
  • D. data's owner.

Answer: C

Explanation:
The application firewall (proxy) relays the traffic from a trusted host running a specific application to an untrusted server. It will appear to the untrusted server as if the request originated from the proxy server.
"Data's payload" is incorrect. Only the origin is changed. "Data's details" is incorrect. Only the origin is changed. "Data's owner" is incorrect. Only the origin is changed.
References: CBK, p. 467 AIO3, pp. 486 - 490


NEW QUESTION # 936
What is the MAIN feature that onion routing networks offer?

  • A. Non-repudiation
  • B. Anonymity
  • C. Traceability
  • D. Resilience

Answer: B


NEW QUESTION # 937
Which of the following ciphers is a subset on which the Vigenere polyalphabetic cipher was based on?

  • A. The Jefferson disks
  • B. Caesar
  • C. SIGABA
  • D. Enigma

Answer: B

Explanation:
Explanation/Reference:
Explanation:
Julius Caesar (100-44 B.C.) developed a simple method of shifting letters of the alphabet. He simply shifted the alphabet by three positions.
Today, this technique seems too simplistic to be effective, but in the time of Julius Caesar, not very many people could read in the first place, so it provided a high level of protection. The Caesar cipher is an example of a monoalphabetic cipher. Once more people could read and reverse-engineer this type of encryption process, the cryptographers of that day increased the complexity by creating polyalphabetic ciphers.
In the 16th century in France, Blaise de Vigenere developed a polyalphabetic substitution cipher for Henry III. This was based on the Caesar cipher, but it increased the difficulty of the encryption and decryption process
Incorrect Answers:
B: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not the Jefferson disks.
C: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not Enigma.
D: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not SIGABA.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 761-762


NEW QUESTION # 938
Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?

  • A. multi-factor authentication (MFA)
  • B. user access review
  • C. access recovery
  • D. identity provisioning

Answer: D

Explanation:
Section: Security Architecture and Engineering


NEW QUESTION # 939
Which choice below MOST accurately describes the organization's
responsibilities during an unfriendly termination?

  • A. Cryptographic keys can remain the employee's property.
  • B. System access should be removed as quickly as possible after
    termination.
  • C. Physical removal from the offices would never be necessary.
  • D. The employee should be given time to remove whatever files he
    needs from the network.

Answer: B

Explanation:
Friendly terminations should be accomplished by implementing a
standard set of procedures for outgoing or transferring employees.
This normally includes:
Removal of access privileges, computer accounts, authentication
tokens.
The control of keys.
The briefing on the continuing responsibilities for confidentiality
and privacy.
Return of property.
Continued availability of data. In both the manual and the electronic
worlds this may involve documenting procedures or filing
schemes, such as how documents are stored on the hard disk,
and how they are backed up. Employees should be instructed
whether or not to clean up their PC before leaving.
If cryptography is used to protect data, the availability of cryptographic keys to management personnel must be ensured.
Given the potential for adverse consequences during an unfriendly
termination, organizations should do the following:
System access should be terminated as quickly as possible when
an employee is leaving a position under less-than-friendly terms.
If employees are to be fired, system access should be removed at
the same time (or just before) the employees are notified of their
dismissal.
When an employee notifies an organization of the resignation
and it can be reasonably expected that it is on unfriendly terms,
system access should be immediately terminated.
During the notice of termination period, it may be necessary to
assign the individual to a restricted area and function. This may
be particularly true for employees capable of changing programs
or modifying the system or applications.
In some cases, physical removal from the offices may be necessary.
Source: NIST Special Publication 800-14 Generally Accepted Principles
and Practices for Securing Information Technology Systems.


NEW QUESTION # 940
The BEST example of the concept of "something that a user has" when providing an authorized user access to a computing system is

  • A. the user's hand geometry.
  • B. a passphrase.
  • C. a credential stored in a token.
  • D. the user's face.

Answer: C


NEW QUESTION # 941
Refer to the information below to answer the question.
A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classification. The organization is subject to periodic independent reviews of access controls and violations. The organization uses wired and wireless networks and remote access. The organization also uses secure connections to branch offices and secure backup and recovery strategies for selected information and processes.
Which of the following BEST describes the access control methodology used?

  • A. Lightweight Directory Access Control (LDAP)
  • B. Role Based Access Control (RBAC)
  • C. Lattice Based Access Control (LBAC)
  • D. Least privilege

Answer: B


NEW QUESTION # 942
The security architect has been mandated to assess the security of various brands of mobile devices. At what phase of the product lifecycle would this be MOST likely to occur?

  • A. Disposal
  • B. Operations and maintenance
  • C. Implementation
  • D. Development

Answer: D

Explanation:
The most appropriate time for a security architect to assess the security of various brands of mobile devices would be during the development phase of the product lifecycle. Assessing security at this stage allows the organization to identify and mitigate potential vulnerabilities before the devices are released into the market. By addressing security concerns early, the organization can minimize risks and reduce the likelihood of security incidents.


NEW QUESTION # 943
What setup should an administrator use for regularly testing the strength of user passwords?

  • A. A networked workstation so that the live password database can easily be accessed by the cracking program.
  • B. A password-cracking program is unethical; therefore it should not be used.
  • C. A networked workstation so the password database can easily be copied locally and processed by the cracking program.
  • D. A standalone workstation on which the password database is copied and processed by the cracking program.

Answer: D

Explanation:
Poor password selection is frequently a major security problem for any system's security. Administrators should obtain and use password-guessing programs frequently to identify those users having easily guessed passwords.
Because password-cracking programs are very CPU intensive and can slow the system on which it is running, it is a good idea to transfer the encrypted passwords to a standalone (not networked) workstation. Also, by doing the work on a non-networked machine, any results found will not be accessible by anyone unless they have physical access to that system.
Out of the four choice presented above this is the best choice.
However, in real life you would have strong password policies that enforce complexity requirements and does not let the user choose a simple or short password that can be easily cracked or guessed. That would be the best choice if it was one of the choice presented.
Another issue with password cracking is one of privacy. Many password cracking tools can avoid this by only showing the password was cracked and not showing what the password actually is. It is masking the password being used from the person doing the cracking. Source: National Security Agency, Systems and Network Attack Center (SNAC), The 60 Minute Network Security Guide, February 2002, page 8.


NEW QUESTION # 944
Which of the following embodies all the detailed actions that personnel are required to follow?

  • A. Guidelines
  • B. Baselines
  • C. Standards
  • D. Procedures

Answer: D

Explanation:
Procedures are step-by-step instructions in support of of the policies, standards,
guidelines and baselines. The procedure indicates how the policy will be implemented and who
does what to accomplish the tasks."
Standards is incorrect. Standards are a "Mandatory statement of minimum requirements that
support some part of a policy, the standards in this case is your own company standards and not
standards such as the ISO standards"
Guidelines is incorrect. "Guidelines are discretionary or optional controls used to enable
individuals to make judgments with respect to security actions."
Baselines is incorrect. Baselines "are a minimum acceptable level of security. This minimum is
implemented using specific rules necessary to implement the security controls in support of the
policy and standards." For example, requiring a password of at leat 8 character would be an
example. Requiring all users to have a minimum of an antivirus, a personal firewall, and an anti
spyware tool could be another example.
References:
CBK, pp. 12 - 16. Note especially the discussion of the "hammer policy" on pp. 16-17 for the
differences between policy, standard, guideline and procedure.
AIO3, pp. 88-93.


NEW QUESTION # 945
A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulations requirements and even provides its own encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation?

  • A. No, because the cloud provider is not certified to host government data.
  • B. Yes, because the cloud provider is GDPR compliant.
  • C. Yes, because the cloud provider meets all regulations requirements.
  • D. No, because the encryption solution is internal to the cloud provider.

Answer: D


NEW QUESTION # 946
......

Free ISC CISSP Exam 2026 Practice Materials Collection: https://www.lead2passexam.com/ISC/valid-CISSP-exam-dumps.html

CISSP Exam Info and Free Practice Test All-in-One Exam Guide Mar-2026: https://drive.google.com/open?id=1AZczaObYx4YaKCM53gFym_THPTEoj6tx