🎓 CISSP Practice - Domain 1 - Security and Risk Management

Correct Answer: B

A high-level policy sets governance expectations without dictating technology, letting departments innovate while still requiring risk ownership. A undercuts security by pre-authorizing waivers. C transfers policy control to vendors. D blocks innovation by front-loading lengthy approvals.

Correct Answer: A

The assumption that fewer clicks equal lower loss is flawed; BEC actors may target fewer but higher-value transactions. B is method-oriented and does not explain the doubling of losses. C is a governance issue, not an assumption error. D is a framework choice, not a root cause of increased losses.

Correct Answer: C

Mitigation reduces likelihood/impact to align residual risk with the board’s “no material effect” appetite. Acceptance (A) violates the appetite. Avoidance (B) is commercially unrealistic for a retailer. Transfer (D) still leaves a breach within the quarterly window; insurance reimburses but does not prevent material earnings impact.

Correct Answer: A

Continued transfer without a valid mechanism violates GDPR, exposing the firm to administrative fines—pure compliance risk. The other options are financial, competitive, or technical, not regulatory.

Correct Answer: D

The board’s monetary threshold is policy; before deviating from it the model assumptions must be validated (D). Option A ignores cost-benefit and could violate fiduciary duty by overspending. B compares cumulative cost only to gross ALE, not to the 2 % cap. C is dangerous “security through obscurity” and ignores the already-quantified exceedance of appetite.

Correct Answer: B

Mapping NIST CSF categories to ISO 27001 Annex A controls is a control-mapping exercise to achieve compliance efficiency. It is not aggregation (A), transference (C), or qualitative ranking (D).

Correct Answer: D

By lobbying to change the regulation, the CISO is attempting to reject (D) the risk (i.e., eliminate the requirement) rather than avoid, transfer, or accept it. Avoidance (A) would mean exiting the critical-infrastructure sector. Transference (B) would involve insurance. Acceptance (C) would be quietly complying.

Correct Answer: A

A board-level appetite statement must cover all material risk categories, not just IT. Tolerance tables translate risk into business terms. B is too tactical; C is useful but not the only dimension; D standardizes scoring but does not articulate appetite.

Correct Answer: A

With CSP-held keys, the provider can decrypt and produce data in response to a lawful request; the BAA does not negate this residual risk. Bit rot (B) is normally addressed by CSP integrity controls and SLAs. Account hijacking (C) is a client-side control issue, not a residual risk of the CSP architecture. Jurisdictional risk (D) is typically disclosed and contractually stabilized.

Correct Answer: B

ISO 31000 is the international standard for enterprise risk management and is framework-agnostic, allowing alignment of risk appetite across diverse jurisdictions and industries. NIST 800-53 (A) and ISO 27001 (C) are control sets for information security, too narrow. COBIT (D) focuses on IT governance, not total enterprise risk.

Correct Answer: C

“Confidential” is appropriate for proprietary data whose unauthorized disclosure would harm the business. “Internal Use Only” understates the competitive impact. “Restricted” (D) is usually reserved for highly regulated or secret data (e.g., state secrets, PCI card data). Public (A) is clearly wrong.

Correct Answer: B

Mitigation with a virtual patch (WAF rule) plus disabling the vulnerable function reduces likelihood quickly without halting revenue. Accept (A) ignores active exploitation. Transfer (C) does not prevent service disruption. Avoid (D) is disproportionate.

Correct Answer: C

A 3× increase in e-commerce revenue makes the public website a higher-value target for DDoS extortion or competitor sabotage (C). Physical POS theft (A) and paper receipts (D) decline as store traffic drops. Skimming at partner pumps (B) is unrelated to the retailer’s online strategy.

Correct Answer: A

SOX focuses on financial-statement accuracy; segregation of duties (A) prevents any single founder from deploying unaudited code that could manipulate transaction logs. Integrity statements (B) and phishing training (C) are useful but do not enforce technical enforcement. A firewall (D) protects network perimeter, not financial logic.

Correct Answer: B

Minimizing data precision (city vs. GPS) is core to privacy by design; it lowers risk while retaining utility. Consent (A) and opt-out (D) are lawful but do not reduce the data’s sensitivity. Encryption (C) protects confidentiality, not privacy from over-collection.

Correct Answer: A

Entering a jurisdiction with evolving AML laws creates strategic risk—uncertainty at the board level about future compliance obligations that could fundamentally alter business models or require costly retro-fits. Transaction risk (B) is operational, not regulatory; reputation risk (C) is secondary and speculative; credit risk (D) is financial, not legal/regulatory.

Correct Answer: A

Domain 1 teaches that even when a vendor provides a compliant product, the organization still owns the residual risk once the system is integrated into its unique environment. B is partially true but too narrow; qualitative assessment is a method, not a principle. C is a possible control, not a principle. D contradicts the concept that risk acceptance must be evidence-based, not automatic.

Correct Answer: C

Stale policies demonstrate lack of due care and can undermine both internal governance and external evidentiary requirements (e.g., in litigation). Annual review (B) is true but narrower; due care (C) is the overarching principle. Risk ownership (A) and monetary appetite (D) are unrelated to the accuracy issue.

Correct Answer: A

A heat-map (A) directly compares residual risk levels to the quantitative or qualitative thresholds in the approved appetite statement. A clean pen-test (B) is point-in-time. Budget compliance (C) and peer benchmarking (D) do not measure risk against appetite.

Correct Answer: A

SOC 2 + right-to-audit + encryption (A) gives verifiable, ongoing assurance when physical audits are impractical. Force-majeure waiver (B) is unenforceable and does not demonstrate due diligence. Insurance (C) is only financial recovery, not assurance. PCI-DSS (D) is irrelevant to PHI.

Correct Answer: C

GDPR (and most modern privacy regimes) restricts transfers of personal data outside the EEA unless the destination country has an “adequacy” finding, or the exporter puts in place approved safeguards such as SCCs or BCRs. Failure to meet these conditions exposes the firm to regulatory fines and injunctions, so this is the show-stopper. A is irrelevant—Tier III still offers 99.98 % availability. B is incorrect because Singapore’s PDPA does not require loyalty data to stay in Singapore. D is an operational issue, not a legal barrier to transfer.

Correct Answer: D

The provider is both data processor and key custodian, creating a conflict (D) that negates the protective value of encryption against lawful access requests. Insider threat (A) is broader and less specific. Remanence (B) is irrelevant to live data. Lock-in (C) is an economic, not confidentiality, risk.

Correct Answer: B

Integrity-verification technology lowers the likelihood/impact of Trojan insertion, classic mitigation (B). Avoidance (A) would mean dropping the supplier. Transfer (C) would be insurance or contractual indemnity. Acceptance (D) would be doing nothing.

Correct Answer: A

The Inform function requires that policies, processes, and procedures be documented and communicated; absence of documentation violates this regardless of control implementation. Tone at the top (B) is present but undocumented. Due care (C) is broader and less specific. Transparency (D) is secondary to operational evidence.

Correct Answer: B

(ISC)² Code ethics Canon II requires honesty and legality; paying for silence or extortion could violate anti-bribery laws. The CISO should negotiate in good faith, obtain details under responsible disclosure, then decide on reward and CVE based on policy. Canon I (A) is broader; C and D are less relevant to the immediate ethical dilemma.

Correct Answer: B

The appetite is breached; the governance process (B) ensures explicit board acceptance and mitigating controls. Immediate termination (A) is commercially unrealistic. Insurance (C) does not reduce supplier concentration risk. A forced 30-day shift (D) is operationally infeasible and may create more risk.

Correct Answer: B

Original ALE = USD 4 M; new ALE = 0.05/0.40 × 4 M = USD 0.5 M; annual savings = 3.5 M. Upgrade cost 1.2 M yields net annual benefit 2.3 M, paying back in ~0.5 years, well under the 3-year hurdle. Exposure factor (A) is already baked into the ALE. Insurance (C) costs less but does not reduce probability/impact. Deferring (D) ignores the positive ROI.

Correct Answer: B

The SoA and independent audit report detail which Annex-A controls are in scope, any non-conformities, and compensating controls, giving the CISO evidence to map to the firm’s risk appetite. ISO 27001 does not prescribe specific controls, so A is false. C is redundant—both ISO and SOC can provide assurance. D ignores efficient reuse of audit artifacts.

Correct Answer: C

Engaging counsel and seeking legitimate relief (C) balances legal compliance with security. Disabling encryption (A) creates unacceptable risk. Bribery (B) is illegal under the parent’s anti-corruption policy. Immediate exit (D) is disproportionate without exploring legal avenues.

Correct Answer: B

Likelihood for low-frequency, high-impact events is best informed by sector-specific threat intelligence. Historical internal data (A) will be sparse for events that have not yet occurred. C relates to known vulnerabilities, not adversary intent. D measures severity of existing vulnerabilities, not probability of a nation-state attack.

Correct Answer: B

Courts accept digital signatures only if the signer’s private key is under sole control and backed by a trustworthy CA; an HSM provides this. Encryption (A) protects confidentiality, not non-repudiation. GDPR (C) and ISO 27001 (D) are good governance but do not directly prove who signed.

Correct Answer: B

A lagging indicator (incidents caused by human error) captures credential leaks that bypass click-through tests, giving the board a risk-based outcome metric. A is useful but still leading; C ignores behavior change; D abandons human controls entirely.

Correct Answer: D

Mitigation (D) reduces likelihood and impact to a level commensurate with the strategic reward while preserving market entry; residual risk can then be accepted by the board. Accept (A) without first lowering the risk would breach fiduciary duty given the high inherent risk. Avoid (B) is unnecessarily conservative and ignores business strategy. Transfer alone (C) does not satisfy the regulatory requirement that the bank remain ultimately responsible for data protection; insurance is only a financial back-stop, not a control.

Correct Answer: C

The stated RPO (1 hour) was not achieved because the last usable backup was 6 hours old, indicating the backup frequency or replication mechanism did not support the documented RPO. The RPO definition itself (B) was correct; the failure was in execution. A and D are not the primary cause of data loss.

Correct Answer: A

The first domain stresses that risk management starts with understanding business consequence. Choice A directly addresses the potential business impact (loss of market access) and provides the board with the monetary context needed to make an informed risk decision. B is a control detail, not a board-level risk statement. C is a tactical workaround that may not be granted. D is an implementation option that should be analyzed only after the business impact is understood.

Correct Answer: A

The mayor’s directive is a risk-appetite position; lives-at-risk is a stakeholder impact. The appropriate venue to reconcile the two is the formal risk-appetite statement, which the council can amend to allow exceptions under life-safety criteria. BIA (C) informs but does not set appetite; DR RTO (B) and insurance (D) are downstream artifacts.

Correct Answer: A

SLE directly measures the financial impact of one occurrence, aligning with the board’s monetary threshold. B, C, and D are frequency or process metrics that do not, by themselves, indicate dollar loss.

Correct Answer: C

Mitigation through additional controls (new HSMs) allows continued business while achieving compliance with the stricter requirement. A invites regulatory fines. B is business-prohibitive. D is not feasible—card brands will not accept liability for local law violations.

Correct Answer: A

Even anonymized telemetry (location, MAC addresses, noise levels) can be triangulated with public data to profile citizens, creating a privacy risk that triggers data-protection obligations. B incorrectly labels availability as a privacy risk. C is a confidentiality issue for sensor firmware, not personal data. D is a notice issue, not the primary privacy concern.

Correct Answer: B

HIPAA’s business-associate agreement and OCR guidance place configuration of access controls on the customer under the shared-responsibility model. Safe harbor (A) applies to encryption, not mis-configuration. CSP is not automatically liable (C), and clouds are not exempt (D).

Correct Answer: C

The relevant saving is the reduction in expected loss (0.3 – 0.05 = 0.25) multiplied by records and fine, minus cost (C). A uses old probability, not reduction. B uses post-mitigation probability incorrectly. D computes cost as percentage of maximum loss, not ROI.

Correct Answer: A

Due care requires senior management to act reasonably to protect assets; repeatedly deferring a necessary security budget demonstrates negligence. Due diligence (B) is the ongoing monitoring activity—absent here but not the primary breach. C and D are operational controls unrelated to governance accountability.

Correct Answer: A

Availability is one leg of the AIC (confidentiality, integrity, availability) triad foundational to security management. The other choices are frameworks or processes that implement but do not define the scope.

Correct Answer: C

ALE = SLE × ARO. Single loss = (5 TB × 20 % × $2,000) + (6 hr × $15,000) = $2,000 + $90,000 = $92,000. ARO = 0.25. ALE = $92,000 × 0.25 = $23,000 (corruption) + $9,500 (downtime portion) = $32,500. A omits downtime; B omits corruption; D uses ARO = 1.

Correct Answer: A

The threat landscape changes with jurisdiction; the register must reflect new threats (e.g., extraterritorial subpoena) and updated residual risk. B incorrectly lowers inherent risk—certification does not eliminate it. C destroys audit trail and violates risk-management principles. D is partially correct but assigning ownership to the provider is invalid; the company always retains risk ownership.

Correct Answer: B

A measurable, monetary risk-appetite statement (B) is auditable and aligns with both insurance underwriting and ISO 31000. A is operationally unrealistic and therefore not credible. C is qualitative and ambiguous. D omits the board’s governance role in setting risk appetite.

Correct Answer: A

Labour law is a regulatory requirement; security must align with it (A). Cost-benefit (B) is secondary to legal compliance. Least privilege (C) and SSO (D) are technical, not governance, issues.

Correct Answer: B

Non-maleficence (“do no harm”) directly supports the decision to limit data, thereby reducing breach impact and surveillance potential. Beneficence (A) is broader and subjective. Justice (C) concerns fairness, not data minimization. Fidelity (D) to investors is secondary to ethical duty to users.

Correct Answer: B

TEF is the rate at which a specific threat actor is expected to act against an asset. LEF is the subset of those events that become loss events after accounting for controls and vulnerability. Vuln describes the asset’s susceptibility, and TCap describes the attacker’s strength.

Correct Answer: A

Risk management is context-specific; adopting only material controls avoids “check-box” security while still meeting audit needs. B creates unnecessary overhead for a start-up. C transfers operational burden but does not eliminate risk ownership or the need for internal governance. D postpones risk treatment and violates the principle of due care.

Correct Answer: B

HIPAA explicitly requires a BAA to mandate return or destruction of PHI at termination. This addresses the Security Rule’s “assigned security responsibility” and Privacy Rule’s minimum-necessary principle. A is good but not explicitly required; C is operational, not privacy-focused; D is risk transfer, not core HIPAA compliance.

Correct Answer: C

DFARS 252.204-7012 requires that any subsidiary handling CUI on behalf of the prime contractor apply “equivalent” security; mapping against ITSG-33 proves equivalence. A is necessary but not sufficient; B is not required for CUI; D ignores potential gaps in logging, incident response, etc.

Correct Answer: C

The risk assessment report (C) explicitly shows the hospital follows ISO 27005 scoping, risk identification, analysis, and treatment steps. A balanced scorecard (A) is too high-level, a CIO attestation (B) lacks objective evidence, and a CVE list (D) addresses only vulnerability management, not enterprise risk.

Correct Answer: B

Schrems II (B) invalidated Privacy Shield and cast doubt on SCCs absent “supplementary measures” for U.S. government surveillance risk, directly impacting the CISO’s plan. Due care/diligence (A) is too generic. Safe-harbour (C) is obsolete. NIST baselines (D) are technical and do not address cross-border transfer law.

Correct Answer: C

A gap analysis is the first step to understand the scope of non-compliance before designing controls (ISO 27001 Plan-Do-Check-Act). A is wrong because it may not satisfy the “explicit consent” requirement and could cripple loss-prevention. B is wrong because BCRs must be approved by regulators, not self-declared. D is premature and costly without knowing retention limits, legal basis, or whether onward transfers are still allowed.

Correct Answer: C

Ethical risk is still risk; mitigation via policy and audit demonstrates due care and maintains public trust. A is an extreme business-negative. B does not prevent reputational damage. D ignores stakeholder trust and could increase liability if misuse occurs.

Correct Answer: B

Paying an extortionate demand violates legal and honest conduct (B). While protecting society (A) is important, the immediate conflict is the unethical/illegal nature of the payment. Competent service (C) and advancing the profession (D) are secondary.

Correct Answer: B

For classified data, the cloud must provide an overall environment equivalent to that mandated by the classification—technical, procedural, contractual, legal. Sovereignty (A) may or may not apply. Zero-knowledge (C) is a subset of technical controls. Power feeds (D) are availability, not confidentiality, concerns.

Correct Answer: B

A targeted assessment (B) provides the evidence needed to judge residual risk before the company is legally and financially committed. Accepting the SOC-2 (A) ignores the competitor’s compliance history and the limited scope of SOC-2. Calculating ALE (C) is premature without understanding the actual control gaps. Drafting an MOU (D) is a post-deal activity and does not inform the current risk decision.

Correct Answer: B

The contractual statement is the primary compliance gap; a DPA (B) modifies it to satisfy data-localization requirements before any technical controls matter. CloudTrail (A) and encryption (D) do not prevent cross-border human access. A BIA (C) is useful but does not address the immediate legal issue.