ISC2-CISSP Domain 1: Security and Risk Management

1. In the context of enterprise security, which of the following best describes the principle of least privilege?
A. Granting users access to all resources, but tracking usage for audit purposes.
B. Providing users with access only to the information and resources necessary for their roles.
C. Ensuring all users have equal access to information to promote transparency.
D. Limiting user access based on seniority within the organization.

2. When implementing security controls for a new information system, which of the following is the MOST critical factor to consider for effective risk management?
A. The cost of the security controls.
B. The impact of the security controls on user convenience.
C. The alignment of security controls with business objectives.
D. The aesthetics of the security controls within the system interface.

3. In the process of risk assessment, what is the PRIMARY purpose of identifying threats and vulnerabilities?
A. To comply with regulatory requirements.
B. To facilitate the purchase of insurance.
C. To determine the likelihood and impact of potential security events.
D. To allocate tasks among the security team members.

4. Which of the following best represents the concept of "defense in depth" in cybersecurity?
A. Implementing a single, comprehensive security measure that addresses all potential threats.
B. Utilizing multiple layers of security controls throughout the IT environment.
C. Focusing exclusively on perimeter security to defend against external threats.
D. Deploying the most advanced technology in one layer of security.

5. Which of the following is a key factor in the successful implementation of an information security governance framework?
A. Regularly bypassing the framework for expedited decision-making.
B. Ensuring that the framework is only accessible to the IT department.
C. Aligning the framework with international security standards.
D. Making the framework complex to ensure thoroughness.

6. In the context of security policies, what is the MOST effective approach to handle non-compliance by users?
A. Ignoring minor non-compliance issues to focus on major breaches.
B. Implementing strict penalties for any form of non-compliance.
C. Providing continuous education and training on the importance of compliance.
D. Allowing exceptions based on the user's role in the organization.

7. When assessing the effectiveness of security controls, which of the following metrics is MOST valuable?
A. The total cost of implementing the controls.
B. The number of controls implemented across the organization.
C. The reduction in the frequency and impact of security incidents.
D. The speed at which new controls can be deployed.

8. In the development of a business continuity plan (BCP), what is the PRIMARY focus?
A. Ensuring that all IT systems have redundant backups.
B. Maintaining business operations during and after a disruption.
C. Reducing insurance premiums through risk mitigation.
D. Achieving compliance with international standards.

9. In the establishment of a risk management program, why is it important to define an acceptable level of risk?
A. To eliminate all risks from the organization.
B. To ensure that no unauthorized risks are taken.
C. To provide a benchmark for making risk-based decisions.
D. To comply with all possible regulatory requirements.

10. In the context of information security, which of the following best describes a risk appetite statement?
A. A document that lists all identified risks and their potential impacts.
B. A formal declaration of the amount of risk an organization is willing to accept.
C. An operational plan for mitigating all risks to an acceptable level.
D. A detailed analysis of the cost-benefit ratio of risk mitigation strategies.

11. Which of the following scenarios exemplifies a failure in applying the separation of duties principle?
A. A database administrator is responsible for both creating backups and performing data restoration.
B. An IT technician has access only to the server room for maintenance tasks.
C. The CFO approves budgets but does not have access to execute payments.
D. A security analyst monitors network traffic and escalates anomalies to a separate incident response team.

12. What is the PRIMARY goal of incorporating security requirements into the Software Development Life Cycle (SDLC)?
A. To minimize the cost of software development.
B. To ensure that security is retroactively applied to software products.
C. To integrate security measures throughout the development process.
D. To speed up the development and deployment of software applications.

13. In risk management, what is the significance of conducting a Business Impact Analysis (BIA)?
A. To determine the aesthetic impact of security measures on the business environment.
B. To identify and prioritize business functions critical to the organization's survival.
C. To calculate the exact financial loss in the event of a specific security incident.
D. To assess the personal preferences of top management regarding security investments.

14. Which of the following best describes the purpose of a security control baseline?
A. A minimum set of security controls standardized across similar organizations for efficiency.
B. An advanced set of security measures applied to the organization's most critical assets.
C. A temporary set of security controls used during emergency situations.
D. A customizable set of security controls for each department within an organization.

15. What is the key difference between qualitative and quantitative risk analysis?
A. Qualitative risk analysis uses numerical values, while quantitative does not.
B. Quantitative risk analysis is faster to perform than qualitative analysis.
C. Qualitative risk analysis focuses on the impact and probability of risks in non-numerical terms, while quantitative analysis assigns numerical values to these factors.
D. Quantitative risk analysis can only be performed by external consultants.

16. In the framework of international compliance, what is the PRIMARY purpose of the General Data Protection Regulation (GDPR)?
A. To standardize cybersecurity technology across the European Union.
B. To protect the privacy and personal data of individuals within the European Union.
C. To create a uniform IT governance framework for companies operating in the European Union.
D. To increase the cyber defense capabilities of the European Union against external threats.

17. Which of the following best explains the concept of "risk transference" in the context of risk management?
A. Shifting the impact of a risk to another party through mechanisms such as insurance.
B. Eliminating a risk by discontinuing the activities that lead to its occurrence.
C. Reducing the likelihood of a risk occurring by implementing preventive measures.
D. Accepting the consequences of a risk without taking any mitigative action.

18. In the governance of information security, which of the following best describes the role of an Information Security Steering Committee?
A. To perform technical assessments of the organization's security infrastructure.
B. To oversee and guide the organization's information security program.
C. To develop and implement security technologies directly.
D. To handle day-to-day security operations and incident response.

19. What is the PRIMARY objective of implementing an incident response plan (IRP)?
A. To prevent any security incidents from occurring.
B. To ensure that incidents are detected and reported in real-time.
C. To provide a structured approach for managing and recovering from security incidents.
D. To document security incidents for legal and compliance purposes only.

20. When assessing the effectiveness of security controls, which of the following metrics is MOST valuable?
A. The total cost of implementing the controls.
B. The number of controls implemented across the organization.
C. The reduction in the frequency and impact of security incidents.
D. The speed at which new controls can be deployed.