ISC.CISSP.v2024-09-21.q999 Practice Test
Question 881
Which of the following access control techniques BEST gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?
Correct Answer: C
Explanation:
Role-based access control (RBAC) is a model where access to resources is determined by job role rather than by individual user account.
Hierarchical RBAC allows the administrator to set up an organizational RBAC model that maps to the organizational structure and functional delineations required in a specific environment. This is very useful because businesses are already organized as a personnel hierarchy; in most cases, the higher you are in the chain of command, the more access you are likely to have.
A role relation defines user membership and privilege inheritance. For example, the nurse role can access a certain set of files and the lab technician role can access another set. The doctor role inherits the permissions and access rights of both of these roles and also has its own, more elevated rights. A hierarchical role is thus an accumulation of the rights and permissions of the roles beneath it.
This reflects organizational structures and functional delineations.
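The nurse / lab technician / doctor inheritance described above, worked through as a small hierarchical RBAC engine. This is an added example, not code from the exam guide or the page; the role names, permissions, users and hierarchy are constructed sample data. It also includes a cycle check on the hierarchy, since a cycle would make every role in it inherit every other role's rights.

```python
from collections import deque

# Added example (not from the original page): a small hierarchical RBAC engine.
# Role names, permissions and users below are constructed to mirror the
# nurse / lab technician / doctor illustration in the explanation.

# Permissions assigned directly to each role (constructed sample data).
ROLE_PERMISSIONS = {
    "nurse": {"read:patient_chart", "update:vitals"},
    "lab_technician": {"read:lab_orders", "write:lab_results"},
    "doctor": {"write:prescription", "update:patient_chart"},
}

# Role hierarchy: senior role -> set of junior roles it inherits from.
ROLE_HIERARCHY = {
    "doctor": {"nurse", "lab_technician"},
    "nurse": set(),
    "lab_technician": set(),
}

# User-to-role membership (constructed).
USER_ROLES = {
    "alice": {"doctor"},
    "bob": {"nurse"},
    "carol": {"lab_technician"},
}


def effective_permissions(role, hierarchy=ROLE_HIERARCHY, perms=ROLE_PERMISSIONS):
    """Return a role's own permissions plus everything inherited, transitively.

    Breadth-first walk down the hierarchy; 'seen' guards against revisiting a
    junior role reachable by more than one path (a diamond-shaped hierarchy).
    """
    result, seen, queue = set(), set(), deque([role])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        result |= perms.get(current, set())
        queue.extend(hierarchy.get(current, set()))
    return result


def user_permissions(user, user_roles=USER_ROLES, hierarchy=ROLE_HIERARCHY, perms=ROLE_PERMISSIONS):
    """Union of the effective permissions of every role the user holds."""
    granted = set()
    for role in user_roles.get(user, set()):
        granted |= effective_permissions(role, hierarchy, perms)
    return granted


def is_authorized(user, permission, **kwargs):
    """Enforcement point: allow only if the permission is in the user's effective set."""
    return permission in user_permissions(user, **kwargs)


def hierarchy_is_acyclic(hierarchy):
    """Sanity check before deploying a hierarchy: a cycle would make every role in it
    inherit every other role's rights, collapsing the least-privilege structure."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {role: WHITE for role in hierarchy}

    def visit(role):
        colour[role] = GREY
        for junior in hierarchy.get(role, set()):
            state = colour.get(junior, WHITE)
            if state == GREY:          # back edge: cycle found
                return False
            if state == WHITE and not visit(junior):
                return False
        colour[role] = BLACK
        return True

    return all(visit(role) for role in list(hierarchy) if colour[role] == WHITE)


if __name__ == "__main__":
    print("hierarchy acyclic:", hierarchy_is_acyclic(ROLE_HIERARCHY))
    for user in USER_ROLES:
        print(user, sorted(user_permissions(user)))
    print("bob may write prescriptions:", is_authorized("bob", "write:prescription"))
```

The doctor's effective set is the union of all three roles' permissions, while the nurse and lab technician each keep only their own, which is the accumulation the explanation describes. Reorganizing the business means editing `ROLE_HIERARCHY`, not touching individual user accounts.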
Incorrect Answers:
A: Access control lists form the basis of access control; they determine who can access what. However, "access control lists" on its own is not a model that maps to the organizational structures and functional delineations required in a specific environment.
B: Discretionary access control is a model where subjects have the discretion to specify which users are permitted to access the resources they control. This is not a model that maps to the organizational structures and functional delineations required in a specific environment.
D: Non-mandatory access control is not a defined access control model; it would imply any access model that is not mandatory access control.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 224-226
Question 882
It is MOST important to perform which of the following to minimize potential impact when implementing a new vulnerability scanning tool in a production environment?
Correct Answer: A
Explanation
Section: Security Operations
Question 883
Which access control method allows the data owner (the person who created the file) to control access to the information they own?
Correct Answer: A
DAC - Discretionary Access Control is where the user controls access to the data they create or manage.
It is the least secure method of access control because of a few factors:
- Employee changeover can lead to confusion over data ownership or to abandoned data.
- Employees are not traditionally experienced enough to manage data permissions and maintain them reliably.
- People in general are the least reliable component of any organization.
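A minimal discretionary access control store, as an added example that is not part of the original question or curriculum. The creator of an object owns it and only the owner may grant or revoke access; the store also implements the check the first caveat above calls for, listing objects whose owner has left the organization. Users, object names and permissions are constructed sample data.

```python
# Added example (not from the original page): a minimal discretionary access
# control store. The user who creates an object owns it, and only the owner may
# grant or revoke access to it. orphaned_objects() implements the check the
# "employee changeover" caveat calls for. All users, objects and permissions
# here are constructed sample data.

OWNER_RIGHTS = {"read", "write", "grant"}


class AccessDenied(Exception):
    """Raised when a subject attempts something DAC does not allow."""


class DacStore:
    def __init__(self):
        self.active_users = set()
        self.owners = {}        # object name -> owning user
        self.acl = {}           # object name -> {user: set of permissions}

    def add_user(self, user):
        self.active_users.add(user)

    def remove_user(self, user):
        # Deliberately does not reassign ownership: this is how DAC data gets orphaned.
        self.active_users.discard(user)

    def create(self, user, obj):
        if user not in self.active_users:
            raise AccessDenied(f"{user} is not an active user")
        if obj in self.owners:
            raise ValueError(f"{obj} already exists")
        self.owners[obj] = user
        self.acl[obj] = {user: set(OWNER_RIGHTS)}

    def grant(self, grantor, obj, grantee, permission):
        # Discretion lies with the owner alone; nobody else can hand out access.
        if self.owners.get(obj) != grantor:
            raise AccessDenied(f"{grantor} does not own {obj}")
        self.acl[obj].setdefault(grantee, set()).add(permission)

    def revoke(self, revoker, obj, grantee, permission):
        if self.owners.get(obj) != revoker:
            raise AccessDenied(f"{revoker} does not own {obj}")
        self.acl[obj].get(grantee, set()).discard(permission)

    def can(self, user, obj, permission):
        """Enforcement check: default deny unless the object's ACL says otherwise."""
        return permission in self.acl.get(obj, {}).get(user, set())

    def orphaned_objects(self):
        """Objects whose owner has left: nobody can now grant or revoke access to them."""
        return sorted(o for o, owner in self.owners.items() if owner not in self.active_users)


def demo():
    """Walk through the scenario; returns the orphaned objects in the final state."""
    store = DacStore()
    for user in ("alice", "bob"):
        store.add_user(user)
    store.create("alice", "q3_report.docx")       # alice is the owner
    store.grant("alice", "q3_report.docx", "bob", "read")
    store.remove_user("alice")                     # alice leaves the company
    return store.orphaned_objects()


if __name__ == "__main__":
    print("orphaned after alice leaves:", demo())
```

Because ownership never moves automatically, an offboarded owner leaves objects that nobody can re-permission, which is the abandoned-data problem the explanation lists. An audit job that runs `orphaned_objects()` and forces a transfer of ownership is the usual mitigation.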
The following answers are incorrect:
- MAC - Mandatory Access Control: This is incorrect because in the MAC model labels identify the sensitivity level of the data, and a user who does not have privileges for that data is denied access.
- RBAC - Role-Based Access Control: This is incorrect because under RBAC the user's role determines the level of access to data they are given.
- NDAC - Non-Discretionary Access Control: This isn't a common term associated with access control methodologies.
The following reference(s) were used to create this question:
2013 Official Security+ Curriculum.
Question 884
Which of the following is the FIRST step in the incident response process?
Correct Answer: D
Investigating all symptoms to confirm the incident is the first step in the incident response process. An incident is an event that violates or threatens the security, availability, integrity, or confidentiality of IT systems or data. Incident response is the process of detecting, analyzing, containing, eradicating, recovering from, and learning from an incident, using various methods and tools. Incident response can provide several benefits, such as:
* Improving the security and risk management of IT systems and data by identifying and addressing security weaknesses and gaps
* Enhancing security decision making by providing the evidence and information needed for security analysis, evaluation, and reporting
* Driving security improvement by providing feedback and input for response, remediation, and optimization
* Facilitating compliance and alignment of IT systems and data with internal or external requirements and standards
Investigating all symptoms to confirm the incident is the first step because it ensures that the incident is verified and validated before the incident response is initiated and escalated.
A symptom is a sign or indication that an incident may have occurred or is occurring, such as an alert, a log entry, or a report. Investigating all symptoms involves collecting and analyzing relevant data from various sources, such as the IT systems, the network, the users, or external parties, and determining whether an incident has actually happened or is happening and how serious or urgent it is. Investigating all symptoms to confirm the incident can also help to:
* Prevent false positives or false negatives that would make the response unnecessary or delayed
* Identify the scope and impact of the incident on IT systems and data
* Notify and inform the appropriate stakeholders and authorities about the incident
* Activate and coordinate the incident response team and resources
The other options are not the first step in the incident response process, but rather steps that should be done after or alongside investigating all symptoms to confirm the incident.
Determining the cause of the incident is a step that should be done after confirming the incident, because it ensures that the root cause and source of the incident are identified and analyzed and that the response is directed and focused. Determining the cause involves examining and testing the affected systems and data and tracing the origin and path of the incident, using techniques and tools such as forensics, malware analysis, or reverse engineering. Determining the cause of the incident can also help to:
* Understand the nature and behavior of the incident and the attacker
* Detect and resolve any issues or risks caused by the incident
* Prevent and mitigate future incidents or attacks involving the same or a similar cause
* Support and enable legal or regulatory actions or investigations concerning the incident or the attacker
Disconnecting the system involved from the network is a step that should be done alongside investigating all symptoms to confirm the incident, because it ensures that the system is isolated from external or internal interference and that the response is conducted in a safe and controlled environment. Disconnecting the system from the network can also help to:
* Prevent the compromised system from communicating with any other system or network, and potentially spreading or escalating the attack
* Prevent it from receiving or sending commands or data, and potentially altering or deleting evidence
* Prevent the malicious activity from detecting or evading the response, and potentially hiding or destroying itself
Isolating and containing the system involved is a step that should be done after confirming the incident, because it ensures that the incident is confined and restricted and that the response is continued and maintained. Isolating and containing the system involves applying and enforcing appropriate security measures and controls, such as firewall rules, access policies, or encryption keys, to limit or stop the activity and impact of the incident. Isolating and containing the system can also help to:
* Minimize the damage and loss caused by the incident
* Maximize the recovery and restoration of the IT systems and data
* Support and enable eradication and removal of the incident from the IT systems and data
* Facilitate learning and improvement from the incident
Question 885
The DES algorithm is an example of what type of cryptography?
Correct Answer: A
DES is a Symmetric Key algorithm, also known as a Secret Key algorithm, meaning the same key is used for encryption and decryption.
For the exam remember that:
The DES key is 8 bytes or 64 bits (8 x 8 = 64 bits).
DES has an effective key length of only 56 bits; 8 of the bits are used for parity purposes only.
DES has a total key length of 64 bits.
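The 64-bit versus 56-bit distinction worked through in code, as an added example that is not part of the original page. It assumes the standard DES key layout in which the least significant bit of each key byte is an odd-parity bit; the sample key value is constructed, and the function names are this example's own.

```python
# Added example (not from the original page): the DES key layout worked through
# in code. A DES key is 8 bytes = 64 bits. In every byte the least significant
# bit is an odd-parity bit, so only 7 bits per byte, 56 in total, are key
# material. The sample key below is a constructed value, not taken from the page.

KEY_BYTES = 8          # 8 bytes x 8 bits = 64-bit total key length
PARITY_MASK = 0x01     # bit 0 of each byte is the parity bit


def has_odd_parity(byte: int) -> bool:
    """DES expects each key byte to contain an odd number of 1 bits."""
    return bin(byte & 0xFF).count("1") % 2 == 1


def set_des_parity(key: bytes) -> bytes:
    """Return the key with every parity bit adjusted so each byte has odd parity.
    The 7 key-material bits of each byte are left untouched."""
    if len(key) != KEY_BYTES:
        raise ValueError("DES key must be exactly 8 bytes")
    fixed = bytearray()
    for b in key:
        material = b & ~PARITY_MASK & 0xFF   # top 7 bits only
        fixed.append(material | (0 if has_odd_parity(material) else PARITY_MASK))
    return bytes(fixed)


def check_des_parity(key: bytes) -> bool:
    """True if the key is 8 bytes and every byte already has odd parity
    (what a careful implementation verifies before scheduling the key)."""
    return len(key) == KEY_BYTES and all(has_odd_parity(b) for b in key)


def effective_key_bits(key: bytes) -> int:
    """Pack the 56 key-material bits into one integer, dropping the parity bits.
    Two keys that differ only in parity bits yield the same value here, which is
    why the effective key length is 56 bits rather than 64."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value


def total_key_bits(key: bytes) -> int:
    return len(key) * 8


if __name__ == "__main__":
    sample = bytes.fromhex("0123456789ABCDEF")   # constructed sample key
    print("total bits:", total_key_bits(sample))
    print("parity ok:", check_des_parity(sample))
    print("effective key material:", hex(effective_key_bits(sample)))
```

Flipping a parity bit changes the 64-bit key value but not `effective_key_bits()`, so the cipher would behave identically; that is the practical meaning of "8 bits are used for parity only". A key that fails `check_des_parity()` is a sign of a corrupted or mishandled key and should be rejected rather than silently repaired in production.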
The following answers are incorrect:
Two-key: This is incorrect because DES uses the same key for encryption and decryption.
Asymmetric Key: This is incorrect because DES is a Symmetric Key algorithm using the same key for encryption and decryption, whereas an Asymmetric Key algorithm uses both a Public Key and a Private Key.
Public Key: This is incorrect because a Public Key (Asymmetric Key) algorithm does not use the same key for encryption and decryption.
References used for this question:
http://en.wikipedia.org/wiki/Data_Encryption_Standard