CISSP Rules

Question 1

In CISSP, what security objective does encryption primarily support?

Answer 1

Confidentiality (Integrity only if digital signatures or hashing are explicitly stated)

Question 2

What does hashing primarily provide in CISSP?

Answer 2

Integrity by detecting unauthorized modification, not confidentiality

Question 3

What is availability concerned with in CISSP?

Answer 3

Ensuring authorized access to systems and data when needed (uptime)

Question 4

Who owns security governance in CISSP?

Answer 4

The Board of Directors and senior management

Question 5

What is the primary purpose of security in CISSP?

Answer 5

To enable business objectives, not block them

Question 6

In CISSP, what should come first: policy or technology?

Answer 6

Policy always comes before standards, procedures, and tools

Question 7

How does CISSP define the relationship between governance and compliance?

Answer 7

Governance is broader; compliance is only the minimum baseline

Question 8

What is due care in CISSP?

Answer 8

Implementing reasonable security controls

Question 9

What is due diligence in CISSP?

Answer 9

Continuous monitoring and maintenance of security controls

Question 10

What legal risk can arise from lack of due diligence?

Answer 10

Negligence

Question 11

What is the conceptual CISSP risk formula?

Answer 11

Risk = Threat × Vulnerability × Impact

Question 12

Who must approve risk acceptance in CISSP?

Answer 12

Senior management

Question 13

Does risk mitigation eliminate risk in CISSP?

Answer 13

No, it only reduces risk

Question 14

Which risk response eliminates risk entirely?

Answer 14

Risk avoidance

Question 15

What is risk appetite in CISSP?

Answer 15

The organization’s overall strategic willingness to accept risk

Question 16

What is risk tolerance in CISSP?

Answer 16

The acceptable deviation from risk appetite at a tactical level

Question 17

What is residual risk?

Answer 17

Risk remaining after controls are applied

Question 18

What is inherent risk?

Answer 18

Risk that exists before any controls are implemented

Question 19

Who is the data controller in privacy laws?

Answer 19

The entity that determines the purpose and means of processing personal data

Question 20

Who is the data processor in privacy laws?

Answer 20

The entity that processes data on behalf of the controller

Question 21

Where does primary accountability for privacy violations lie in CISSP?

Answer 21

With the data controller

Question 22

In CISSP, what determines accountability: execution or decision-making?

Answer 22

Decision-making authority

Question 23

What does purpose limitation control?

Answer 23

How personal data is used

Question 24

What does data minimization control?

Answer 24

How much personal data is collected

Question 25

What is the impact of a broken chain of custody?

Answer 25

Evidence may become inadmissible in court

Question 26

What is the key distinction between criminal and civil law?

Answer 26

Criminal law is state vs individual; civil law is party vs party

Question 27

Are all data assets protected equally in CISSP?

Answer 27

No, protection is based on classification

Question 28

Who is the asset owner in CISSP?

Answer 28

A business role responsible for the information asset

Question 29

Is IT the asset owner by default in CISSP?

Answer 29

No, IT is never the asset owner by default

Question 30

Who classifies data in CISSP?

Answer 30

The asset owner

Question 31

Who accepts residual risk for an information asset?

Answer 31

The asset owner

Question 32

What is the primary responsibility of a data custodian?

Answer 32

Implementing and maintaining security controls

Question 33

Can accountability be delegated in CISSP?

Answer 33

No, accountability cannot be delegated

Question 34

Who is accountable for data misclassification?

Answer 34

The asset owner

Question 35

What is the primary driver for data classification?

Answer 35

Business impact if the data is compromised

Question 36

Do users ever classify data in CISSP?

Answer 36

No, users never classify data

Question 37

In CISSP, at which stages must security controls be applied in the data lifecycle?

Answer 37

Security controls must apply across the entire data lifecycle

Question 38

What drives how long data should be retained in CISSP?

Answer 38

Legal, regulatory, and business requirements

Question 39

What overrides normal data retention and disposal schedules?

Answer 39

A litigation hold

Question 40

Does deleting data guarantee it is destroyed?

Answer 40

No, data remanence may still exist

Question 41

How should data disposal methods be chosen in CISSP?

Answer 41

Based on data classification and risk

Question 42

What determines data handling requirements?

Answer 42

Data classification

Question 43

What is the primary purpose of data marking?

Answer 43

To support user awareness and proper handling

Question 44

Does data marking enforce access control?

Answer 44

No, it only supports awareness

Question 45

What does need to know restrict in CISSP?

Answer 45

Which data a user may access

Question 46

What does least privilege restrict in CISSP?

Answer 46

The amount of access granted to a user

Question 47

In CISSP, how must data be protected across states?

Answer 47

Data must be protected at rest, in transit, and in use

Question 48

How must exceptions to data handling rules be managed?

Answer 48

They must be documented and approved

Question 49

What does least privilege limit?

Answer 49

The scope of access granted

Question 50

What does need to know limit?

Answer 50

Access to data relevant to specific job tasks

Question 51

What is the primary flow of physical security controls?

Answer 51

Prevent, detect, and respond

Question 52

Which physical control is most effective at preventing tailgating?

Answer 52

Mantraps

Question 53

What is the primary function of fences in physical security?

Answer 53

To deter and delay attackers

Question 54

In CISSP, what takes priority over asset protection?

Answer 54

Life safety

Question 55

What is the difference between defense in depth and zoning?

Answer 55

Defense in depth is layering; zoning is segmentation

Question 56

What does defense in depth mean in physical security?

Answer 56

Applying multiple independent layers of controls

Question 57

What does zoning mean in facility security?

Answer 57

Dividing areas based on sensitivity and risk

Question 58

What is the purpose of secure system design in CISSP?

Answer 58

To build security into systems from the beginning

Question 59

What does defense in depth rely on?

Answer 59

Multiple independent security layers

Question 60

How should systems behave when access control fails?

Answer 60

They should fail safe (fail closed)

Question 61

Should security depend on secrecy of design?

Answer 61

No, security must not rely on secrecy of design

Question 62

What increases security assurance in system design?

Answer 62

A smaller Trusted Computing Base

Question 63

What is the risk of shared components in system design?

Answer 63

Increased attack surface and systemic risk

Question 64

Which design principle minimizes shared mechanisms?

Answer 64

Least common mechanism

Question 65

What is the primary focus of the Bell–LaPadula model?

Answer 65

Confidentiality

Question 66

What is the primary focus of the Biba model?

Answer 66

Integrity

Question 67

What does the Clark–Wilson model enforce?

Answer 67

Integrity through well-formed transactions

Question 68

What problem does the Brewer–Nash (Chinese Wall) model address?

Answer 68

Conflicts of interest

Question 69

How does the Brewer–Nash model make access decisions?

Answer 69

Based on prior access (dynamic)

Question 70

Which type of encryption should be used for bulk data?

Answer 70

Symmetric encryption

Question 71

Which type of encryption is best for key exchange?

Answer 71

Asymmetric encryption

Question 72

What security objective does hashing provide?

Answer 72

Integrity

Question 73

Does hashing provide confidentiality?

Answer 73

No, hashing does not hide data

Question 74

What security objectives do digital signatures provide?

Answer 74

Integrity, authentication, and non-repudiation

Question 75

What commonly undermines strong cryptography in practice?

Answer 75

Poor key management

Question 76

What is the most effective way to reduce attack surface?

Answer 76

Disabling unnecessary services

Question 77

Why are firmware vulnerabilities especially dangerous?

Answer 77

They operate below the operating system

Question 78

What mitigation limits the blast radius of a compromise?

Answer 78

Isolation

Question 79

What major risk is introduced by virtualization?

Answer 79

Hypervisor compromise

Question 80

What ensures systems remain securely configured over time?

Answer 80

Configuration management