Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

All right, let's get started. Hey all of you, I'm Sean Gerber with CISSP Cyber Training, and today we're going to be having some various CISSP questions for you to help you pass the CISSP exam. Before we get started, you want to go to CISSPcybertraining.com and you can get access to all of these CISSP questions.

All you have to do is just sign up for my email list and you can get access to 30 free CISSP questions every single month. If you like that, you can try before you buy. If you like that, then you can get access by purchasing my membership or one of the other programs we have, and you can get access to all of my CISSP questions.

It's awesome, it really is. There's my recorded content. You name it. You can get it through CISSPcybertraining.com. Let's start talking about CISSP questions and let's get on with question number one. We're going to be focused on domain six, and for this domain six, you can actually also see these at my podcast at CCT061.
You can get these videos on YouTube and you can get them through CISSPcybertraining.com.

Which of the following is a primary objective of security assessments and testing? A, ensuring compliance with legal regulations. Two, identifying vulnerabilities and weaknesses. C... actually, there should have been two. There should have been B. C, establishing incident response procedures. D, developing security policies and procedures. Which of the following is a primary objective of a security assessment and of testing: A, ensuring compliance with legal regulations; B, identifying vulnerabilities and weaknesses; C, establishing incident response procedures; or D, developing security policies and procedures?

When you're dealing with security assessments and the testing, the ultimate goal is to get your vulnerabilities and find your weaknesses. Therefore, the answer would be B. Each of those other areas, compliance, incident response and security policies, are beneficial for a security assessment program, but they're not the primary objective for them.
What is the purpose of validation strategies in security assessments and testing? Again, what is the purpose of validation strategies in security assessments and in testing? A, to ensure compliance with regulatory requirements. B, to assess the effectiveness of the security controls. C, to evaluate the accuracy of the test results. Or D, to define the scope of the testing activities. Okay, the purpose of the validation strategies? Basically, you're validating the security assessment and its test. It is B, to assess the effectiveness of the security controls. Again, that's designed to basically identify unknown vulnerabilities by simulating real world attacks. If you want to basically validate that, you need to determine if it was effective or not.

Which assessment methodology is best suited for identifying known vulnerabilities in a system? Again, the question is which assessment methodology is best suited to identify unknown vulnerabilities within a system: A, vulnerability scanning; B, penetration scanning; C, security auditing; or D, risk assessments? Okay, so which assessment methodology is best suited for identifying unknown vulnerabilities? And the answer would be penetration testing.
Again, it's specifically designed to identify unknown vulnerabilities by simulating real world attacks.

Question four: what is the essential consideration when creating test data for security assessments? So, again, what is the essential consideration when creating realistic test data for security assessments? A, including live production data. B, using sensitive customer information. C, maintaining data confidentiality. Or D, avoiding anonymization techniques. Okay, so what is the essential consideration when creating realistic test data for security assessments? So, you're wanting to make sure that you create this realistic test data, but what is the purpose behind it, or the main consideration you want to keep in mind, when you're adding this test data to it? So you're grabbing data and you're putting it in there to basically run and see if it works. What is the main consideration you need to keep in mind? And that would be C, maintaining data confidentiality. Okay, so you've got using sensitive customer information. That would be an essential consideration. You wouldn't want to do that. You also, including live production data, may not want to do that either. And then avoiding anonymization techniques. You want to anonymize the data, right? So if you're going to be testing, you wouldn't want that either. The main part that you're dealing with is data confidentiality. That is a bigger, broader brush than just mentioning sensitive customer data.
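An added illustration of the anonymization point above, not part of the podcast: a small Python routine that builds confidentiality-preserving test data from production-shaped records by replacing the direct identifiers with keyed pseudonyms while leaving the non-identifying fields intact, plus a check that no original identifier leaks through. The record layout, field names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample of production-shaped records (not real customer data).
SAMPLE_RECORDS = [
    {"customer_id": "C-10442", "email": "alice@example.com", "order_total": 120.50},
    {"customer_id": "C-10442", "email": "alice@example.com", "order_total": 19.99},
    {"customer_id": "C-20917", "email": "bob@example.org", "order_total": 310.00},
]

# Fields that directly identify a person; everything else stays so the data remains realistic.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(value: str, key: bytes, length: int = 10) -> str:
    """Keyed, deterministic token: the same input gives the same token, and the
    original cannot be recovered from the token without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def anonymize_record(rec: dict, key: bytes) -> dict:
    out = dict(rec)
    # Keep the "C-" prefix so format-sensitive code under test still accepts the value.
    out["customer_id"] = "C-" + pseudonym(rec["customer_id"], key, 8)
    local, _, domain = rec["email"].partition("@")
    # Keep the email shape but replace both the user part and the real domain.
    out["email"] = f"{pseudonym(local, key)}@{pseudonym(domain, key, 6)}.test"
    return out


def anonymize_dataset(records: list, key: bytes) -> list:
    """One key for the whole run, so one customer maps to one pseudonym in every row."""
    return [anonymize_record(r, key) for r in records]


def leaks_original_identifiers(original: list, anonymized: list) -> bool:
    """Confidentiality check: True if any original identifier value survives anywhere."""
    secrets = {str(r[f]) for r in original for f in DIRECT_IDENTIFIERS}
    blob = " ".join(str(v) for r in anonymized for v in r.values())
    return any(s in blob for s in secrets)


if __name__ == "__main__":
    key = b"constructed-demo-key-rotate-per-run"  # assumption: generated fresh per test cycle
    anon = anonymize_dataset(SAMPLE_RECORDS, key)
    for row in anon:
        print(row)
    print("leak detected:", leaks_original_identifiers(SAMPLE_RECORDS, anon))
```

Because the pseudonyms are keyed and consistent, joins between rows still work in the test environment while the key itself never leaves the production side.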
So that's kind of a tricky one, because you may bite off on the sensitive customer information, but the real answer is maintaining data confidentiality.

Question five: which of the following is a critical step in the audit process for security assessments and testing? A, identifying vulnerabilities; B, conducting penetration testing; C, engaging external auditors; or
D, implementing remediation measures? Again, which of the following is a critical step in the audit process for security assessment and testing? A, identify weaknesses. B, conduct penetration testing. C, engage external auditors. And D is implement remediation measures. So again, the question comes down to what is a critical step in the audit process. That would be engaging external auditors. So usually having an external auditor when you're dealing with auditing is an important factor. You can do that for internal, but you would want a third party or a third group to do that internally for yourselves.

Question six: what is the primary purpose of continuous improvement in security assessment and testing? A, identifying vulnerabilities and weaknesses; B, ensuring compliance with legal regulations; C, enhancing the effectiveness of assessment processes; or D, developing security policies and procedures? Okay, again, the question was the primary purpose of continuous improvement in security assessment and testing: A, identifying vulnerabilities and weaknesses; B, compliance and regulations; C, enhancing the effectiveness of assessment processes; or D, developing security policies and procedures. The primary purpose of continuous improvement is C, enhancing the effectiveness of assessment processes. Again, continuous improvement aims to enhance the effectiveness of your security assessment and testing over time.
Question seven: what is a common validation objective in security assessment testing? A, compliance with legal regulations. B, accuracy of assessment documentation. C, alignment with industry standards. Or D, development of risk plans, risk mitigation plans. Again, what is a common validation objective in security assessment and testing? And the answer would be compliance with legal regulations. One of the main purposes of a security assessment and the testing that goes with it is to help you come in line with compliance around legal regulations that might be out there. Depending on the industry you're in, you may have to have various audits or assessments done to ensure that you will comply with those legal regulations. One would be the data security law in China. There would be ones in the United States. Is your PCI DSS? All of those fall within that environment.
Question eight: which audit strategy develops an unbiased evaluation of an organization's security posture? A, internal audits; B, external audits; C, third-party audits; or D, compliance audits. Again, which is an unbiased evaluation of the organization's security posture? And the answer would be C, third-party audits. They do typically provide an unbiased evaluation of your organization's security structure. An external audit might be somebody you actually work with, maybe you know them. That would be a situation where that might not be as unbiased as you possibly might like. Okay, question nine.

Well, before we get into question nine, I just wanted to again put out a plug for CISSP Cyber Training. Go check it out. You can also go to freecisspquestions.com and you can get access to my 30 free CISSP questions every single month for the next year. I mean, you'll get 360 questions to help you. That's 30 free CISSP questions at freecisspquestions.com.
Question nine: which of the following is an example of an external audit in security assessments and testing? A, self-assessment by internal auditors. B, review of the security policies by management. C, an assessment conducted by an independent consulting firm. Or D, evaluation of control effectiveness by the IT department. So which of the following is an example of an external audit in security assessment and testing? So, again, external audit. And the answer is C, an assessment conducted by an independent consulting firm. If you look at the rest of the options, you have to deal with internal auditors, you have management and you have the IT department. That is not typically an external audit. An independent consulting firm would be an external audit.

Question 10: what is a recommended approach for addressing identified vulnerabilities in security assessments? So you have a security assessment, you find some vulnerabilities. How should you address those? A, ignore low severity vulnerabilities. B, prioritize vulnerabilities based on severity. C, conduct an additional assessment for confirmation. Or D, focus solely on technical controls. Now, if you want, read through these, they'll make kind of sense, right. So you definitely want to deal with severity. But ignoring anything is usually not good. I mean, there might be a time you might do that, but typically it isn't something you would do. You really don't need to. Once you've just conducted an assessment, you don't need to do another one, unless you really want to just spend money. So the answer would be B, prioritizing vulnerabilities based on severity. So again, that's the recommended approach for identified vulnerabilities in security assessments: prioritize them based on the severity and then address them as needed.

Question 11: which aspect of security assessment and testing should be continuously updated to reflect emerging threats? A, test plans and procedures. B, regulatory compliance requirements.
C, security control documentation, or D, audit reporting templates? So again, which aspect of the security assessment and the test should continuously be updated to reflect emerging threats? When you're basically testing your plans and procedures, the threats will change, right, from ransomware to a worm that may roll in, to different things. You may have a stray backhoe that hits and takes out your network. Those are different. So you may have different test plans and procedures, and you may modify those to meet these emerging threats.

Next question: what is the purpose of a performance evaluation in security assessments and testing? A, assess the effectiveness of the controls. B, monitor the progress of the remediation activities. C, evaluate the competence of the individuals involved in the assessment. Or D, validating compliance with regulatory requirements. So, again, what is the purpose of performance evaluations? Again, you're doing a review of the person in a security assessment and testing. The purpose of that is that you are evaluating their competence in what they're doing. So the answer would be C. So that's the ultimate goal, that you are trying to figure out: are they the person that will actually understand what they're doing, and are they capable of doing it?

Question 13: which of the following is used to validate the effectiveness of controls during security assessment and testing? What is the question?
What method is used to validate the effectiveness of controls during security assessments and testing? A, penetration testing; B, risk assessments; C, security auditing; or D, vulnerability scanning. Which method is used to validate the effectiveness of controls during a security assessment and testing? Yes, the answer is C, security auditing. Right, security auditing is a way to evaluate the effectiveness of the controls during a security assessment and a test.

Question 14: how can collaboration and knowledge sharing contribute to continuous improvement in security assessments and tests? A, facilitating the exchange of ideas and experiences. B, reducing the need for external audits. C, streamlining the assessment process. Or D, minimizing the need for remediation efforts. So the question is again how can collaboration and knowledge sharing contribute to continuous improvement in security assessments and testing? The answer is A, facilitating the exchange of ideas and experiences. That is basically how, when you share ideas, you get better ideas on how to deal with things. As an example, I met with some people in our local community and started sharing some ideas on ransomware and how it may affect the community, and they are taking that advice and they're moving on with it. So there are different ways. Sharing information can really go a long way in protecting facilities or protecting anybody in general.

All right, question 15, the last question, the last one: which of the following is a key benefit of external audits in security assessments and testing? So, again, what is a key benefit of an external audit in security assessments and testing?
A, assurance of regulatory compliance. B, identification of all vulnerabilities. C, cost effective assessment procedures. Or D, objectivity and impartiality. Again, the question is which of the following is a key benefit of an external audit in security assessments and testing? A, insurance regulations... assurance of regulatory compliance. B, identification of all vulnerabilities; C, cost effective assessment processes; or D, objectivity and impartiality. And the answer would be D. Objectivity and impartiality are one of the key benefits of having an external audit.

Okay, I hope you all liked this. This was 15 questions of the CISSP. Go out to cisspcybertraining.com and you can get some more. Sign up at freecisspquestions.com and you can get a plethora of CISSP questions to help you study for the exam. Again, the ultimate goal is to help you pass this doggone exam. We want you to get through it, we want you to do well, and we want you to move on with your cybersecurity career.

All right, have a great day and we'll catch you on the flip side. See you.