CISSP Exam Questions for Self-Study (Domain 8)

Note:  Pardon the messiness of the questions.  These questions come from my podcast, and I will be cleaning them up over the coming weeks.


  • When considering development security, there are some key considerations you need to be aware of:
    1. Separate business / development functions
    2. Consider the development environment compromised
    3. Trust but verify
    4. All of the above
    5. None of the above
  • Answer:  [D] (option 4) All of the above are crucial in your thinking around development security.



  • What are the various SDLC development models covered in the CISSP exam?
    1. Waterfall, V-shaped, Iterative, Agile, Spiral, and Big Bang
    2. Waterfall, X-shaped, Repetitive, Agile, Spiral, and Big Bang
    3. Waterfall, Y-shaped, Repetitive, Agile, Spiral, and Big Bang
    4. None of the above
  • Answer:  [A] Waterfall, V-shaped, Iterative, Agile, Spiral, and Big Bang




Abstract episodes of interaction between a system and its environment:

  • Misuse case
  • Web proxies
  • Use cases
  • Negative testing


CORRECT ANSWER - Use cases

A use case describes how an actor interacts with the system to reach a goal. A misuse case is its hostile counterpart, an interaction a threat actor would attempt against the system, and negative testing exercises the system with invalid or unexpected input. Web proxies are tools, not descriptions of interaction.



A list of the most widespread and critical errors that can lead to serious vulnerabilities in software:

  • Information security continuous monitoring (ISCM)
  • CWE/SANS Top 25 most dangerous software errors
  • Automated vulnerability scanners
  • Real user monitoring (RUM)


CORRECT ANSWER - CWE/SANS Top 25 most dangerous software errors

The CWE/SANS Top 25 is exactly such a list: the most common and most severe software weaknesses, each identified by its CWE entry. ISCM and real user monitoring are monitoring activities, and a vulnerability scanner finds instances of weaknesses in a particular system rather than cataloguing the weaknesses themselves.



This criterion requires sufficient test cases for each program statement to be executed at least once; however, achieving it is insufficient to provide confidence in a software product's behavior:

  • Statement coverage
  • Data flow coverage
  • Condition coverage
  • Path coverage


CORRECT ANSWER - Statement coverage 
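The point above in working code, as an added example that is not from the original question set: a constructed access check with a deliberate flaw, a two-case suite that executes every statement in it (100% statement coverage) while never trying the input combination that triggers the flaw, and a condition-coverage suite that does. The coverage measurement uses Python's sys.settrace and dis.findlinestarts and is part of the illustration; the authorize function, the Resource class and both suites are made up.

```python
"""Added example, not from the original page: a test suite with 100% statement
coverage of an access check that still misses the flaw in it. The function,
the suites and the coverage tracer below are all constructed for this
illustration."""
import dis
import sys
from dataclasses import dataclass


@dataclass
class Resource:
    owner: str


def authorize(role, user_id, action, resource):
    """Constructed access check with a deliberate flaw: the last condition
    should be 'and', so as written anyone may read any resource."""
    if role == "admin" or resource.owner == user_id or action == "read":
        return True
    return False


def statement_coverage(func, cases):
    """Run func on every case while tracing the source lines it executes.
    Returns (fraction of statements executed, sorted missed line numbers)."""
    code = func.__code__
    # Lines carrying executable statements. The 'def' line is excluded because
    # recent CPython attributes the function prologue (RESUME) to it.
    statements = {ln for _, ln in dis.findlinestarts(code)
                  if ln is not None and ln != code.co_firstlineno}
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None          # trace nothing but func itself
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args, _expected in cases:
            func(*args)
    finally:
        sys.settrace(previous)
    return len(statements & executed) / len(statements), sorted(statements - executed)


def run_suite(func, cases):
    """Return (args, expected, actual) for every case the function gets wrong."""
    failures = []
    for args, expected in cases:
        actual = func(*args)
        if actual != expected:
            failures.append((args, expected, actual))
    return failures


ALICE_DOC, BOB_DOC = Resource(owner="alice"), Resource(owner="bob")

# Suite A reaches both 'return True' and 'return False', so every statement
# in authorize() runs: statement coverage is 100%.
STATEMENT_SUITE = [
    (("admin", "root", "write", BOB_DOC), True),
    (("user", "alice", "write", BOB_DOC), False),
]

# Suite B adds condition coverage: each condition is made true on its own
# while the other two are false. The last case exposes the flaw: a non-owner
# reading someone else's resource must be denied, but authorize() allows it.
CONDITION_SUITE = STATEMENT_SUITE + [
    (("user", "alice", "write", ALICE_DOC), True),
    (("user", "alice", "read", BOB_DOC), False),
]

if __name__ == "__main__":
    cov, missed = statement_coverage(authorize, STATEMENT_SUITE)
    print(f"suite A: statement coverage {cov:.0%}, missed lines {missed}, "
          f"failures {run_suite(authorize, STATEMENT_SUITE)}")
    print(f"suite B: failures {run_suite(authorize, CONDITION_SUITE)}")
```

Run the file directly: suite A reports 100% statement coverage and no failing case, suite B reports the non-owner read that the check wrongly permits. That is what "insufficient to provide confidence" means in practice: executing every line says nothing about the combinations of conditions that were never tried, which is where authorization and input-validation bugs usually hide.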


An edict stating that all evidence be labeled with information about who secured it and who validated it is called _______________.

  • A. CERT
  • B. Chain of custody
  • C. Direct evidence
  • D. Incident response policy


CORRECT ANSWER - B. Chain of custody

A thorough and accurate chain of custody record is critical in an investigation process. The process includes labeling physical evidence and compiling a complete history of how evidence was collected, analyzed, transported and preserved, and who handled it at each step.






The golden arches of McDonald's are protected under what intellectual property law?

  • A. Trademark
  • B. Trade secret
  • C. Logo protection
  • D. Copyright


CORRECT ANSWER - A. Trademark 

Trademarks can exist in a variety of forms -- a word, shape, graphic or phrase. The determining factor is whether or not it alone represents the larger organization in the eyes of the outside world. McDonald's, for example, is known worldwide for its golden arches. This symbol is an identifier of the restaurant and thus falls under trademark law.






Which is not true of the Federal Sentencing Guidelines, which were enacted in 1991?

  • A. Developed specifically to address white-collar crimes
  • B. Detailed the specific responsibilities of senior executives within companies
  • C. Established a maximum fine of $100 million
  • D. Encouraged the implementation of security policies and a security program


CORRECT ANSWER - C. Established a maximum fine of $100 million 

Because laws and sentencing guidelines were not addressing white-collar crimes related to technology, the Federal Sentencing Guidelines were developed. These guidelines targeted the assumed responsibilities of senior executives and imposed maximum fines of $290 million per instance. However, these fines could be avoided if companies could prove proper due diligence and due care, and the existence of company-wide security policies and programs.




There are different categories for evidence depending upon what form it is in and possibly how it was collected. Which of the following is considered supporting evidence?

  • A. Best evidence
  • B. Corroborative evidence
  • C. Conclusive evidence
  • D. Direct evidence


CORRECT ANSWER - B. Corroborative evidence 

Corroborative evidence cannot stand alone, but instead is used as supporting information in a trial. It is often testimony indirectly related to the case but offers enough correlation to supplement the lawyer's argument. The other choices are all types of evidence that can stand alone.






Computer-generated or electronic information is most often categorized as what type of evidence?

  • A. Best
  • B. Hearsay
  • C. Corroborative
  • D. Opinion


CORRECT ANSWER - B. Hearsay

Because computer files and systems can be modified after the fact without others being aware of it, they are considered hearsay evidence. Hearsay evidence is not considered reliable or trustworthy because it is not firsthand evidence.






Which type of law punishes the individuals with financial restitution instead of jail penalties?

  • A. Tort
  • B. Administrative
  • C. Criminal
  • D. Regulatory


CORRECT ANSWER - A. Tort

Tort, a type of civil law, deals only with financial restitution or community service as punishments. Typically, civil lawsuits do not require the burden of proof that criminal cases require. Administrative law deals with government-imposed regulations on large organizations and companies in order to protect the safety and best interest of their employees and customers.






If a waiter tells his friends how the restaurant's famous secret sauce is made, what law has he violated?

  • A. No law was violated
  • B. Trademark
  • C. Trade secret
  • D. Copyright


CORRECT ANSWER - C. Trade secret 

A trade secret can be many things, but the cardinal rule is that it must provide the company with a competitive advantage. A restaurant's secret sauce would qualify as a trade secret, which means the restaurant could take legal action against the waiter for disclosing it.






What is the first step in forensic analysis at a cybercrime scene?

  • A. Execute the primary programs on the computer to obtain more information
  • B. Capture log files on the computer
  • C. Notify customers of potential outages
  • D. Capture a complete image of the system


CORRECT ANSWER - D. Capture a complete image of the system

The first step in a forensic investigation is to make a bit-for-bit image of the storage media, acquired through a write blocker so the original is never written to, and to hash both the original and the image so the copy can be shown to be identical. All analysis is then done on the image (or a working copy of it), which ensures that the original system is not altered in any way during the investigation process.
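The acquisition step above, together with the chain-of-custody record asked about earlier on this page, in working code. This is an added example, not part of the original page: the drive is a constructed in-memory stand-in (a real acquisition would read the device behind a hardware write blocker), the case id, examiner names and paths are placeholders, and the JSON-lines custody log format is this example's own choice.

```python
"""Added example, not from the original page: acquire a bit-for-bit image of a
seized drive, zero-fill any unreadable block so offsets still line up, hash the
data as it is read, re-hash the finished image to verify the copy, and write a
chain-of-custody record naming who acquired and who verified it. The device is
a constructed in-memory stand-in; case id, names and paths are placeholders."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK = 512  # sector size used for the acquisition


class SimulatedDevice:
    """Drive opened read-only behind a write blocker; bad_blocks raise OSError like failing sectors."""

    def __init__(self, data, bad_blocks=()):
        assert len(data) % BLOCK == 0, "real media is a whole number of sectors"
        self.data, self.bad_blocks = data, set(bad_blocks)
        self.block_count = len(data) // BLOCK

    def read_block(self, n):
        if n in self.bad_blocks:
            raise OSError(f"I/O error reading block {n}")
        return self.data[n * BLOCK:(n + 1) * BLOCK]


def acquire_image(device, image_path):
    """Copy every block into image_path. Returns the SHA-256 of the bytes written
    (the acquisition hash) and the unreadable blocks, written as zeros to keep offsets."""
    digest, unreadable = hashlib.sha256(), []
    with open(image_path, "wb") as out:
        for n in range(device.block_count):
            try:
                chunk = device.read_block(n)
            except OSError:
                unreadable.append(n)
                chunk = bytes(BLOCK)
            digest.update(chunk)
            out.write(chunk)
    return digest.hexdigest(), unreadable


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path, acquisition_hash):
    """The stored image's hash must equal the acquisition hash; any difference
    means the image is not what was read from the device."""
    return sha256_file(image_path) == acquisition_hash


def record_custody(log_path, **fields):
    """Append one entry (who, what, when, hash) to a JSON-lines custody log."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(), **fields}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def run_demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp(prefix="acquisition-demo-")
    # Constructed evidence: 8 sectors, data in sectors 3 and 5, sector 3 unreadable.
    data = bytearray(8 * BLOCK)
    data[3 * BLOCK:3 * BLOCK + 16] = b"unreadable-area!"
    data[5 * BLOCK:5 * BLOCK + 24] = b"secret_sauce.txt remnant"
    device = SimulatedDevice(bytes(data), bad_blocks=[3])
    image = os.path.join(workdir, "evidence.dd")
    log = os.path.join(workdir, "chain_of_custody.jsonl")
    acq_hash, unreadable = acquire_image(device, image)
    verified = verify_image(image, acq_hash)
    record_custody(log, case_id="CASE-EXAMPLE", item="suspect laptop HDD",
                   acquired_by="examiner A (placeholder)",
                   verified_by="examiner B (placeholder)", image=image,
                   sha256=acq_hash, unreadable_blocks=unreadable, verified=verified)
    # Analysis is done on a working copy, never the original image; one changed
    # byte in the copy is caught by re-verifying against the logged hash.
    working_copy = image + ".work"
    shutil.copyfile(image, working_copy)
    with open(working_copy, "r+b") as fh:
        fh.seek(5 * BLOCK)
        fh.write(b"S")
    return {
        "image": image, "log": log, "acquisition_hash": acq_hash,
        "media_hash": hashlib.sha256(bytes(data)).hexdigest(),  # pristine media, for comparison
        "unreadable_blocks": unreadable, "verified": verified,
        "working_copy_verified": verify_image(working_copy, acq_hash),
        "image_size": os.path.getsize(image), "media_size": len(data),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two details matter for the exam point. The acquisition hash documents what was actually read: because sector 3 could not be read, it differs from a hash of the pristine media, and the custody record lists the unreadable blocks so that difference is explained rather than suspicious. The image is still offset-aligned, so an artifact found at a given offset in the image sits at the same offset on the original device.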






Which organization posts four primary Code of Ethics canons involving societal protection, individual honorability, diligent service and professional development?

  • A. Computer Ethics Institute
  • B. (ISC)2
  • C. Internet Ethics Board
  • D. Internet Activities Board


CORRECT ANSWER - B. (ISC)2

(ISC)2 requires its members to follow four main canons of ethics. The canons listed on its Web site are:

  • Protect society, the commonwealth and the infrastructure.
  • Act honorably, honestly, justly, responsibly and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.





Witness testimony would be classified as what type of evidence?

  • A. Real
  • B. Secondary
  • C. Best
  • D. Conclusive


CORRECT ANSWER - B. Secondary 

Secondary evidence is not as reliable as best evidence and may need supporting evidence. Typically, oral evidence like testimonies is placed in this category. Also, copies of documents are considered secondary in nature. The other choices are all types of evidence that can stand alone.






Which of the following would protect a senior executive in a liability lawsuit brought on by an employee?

  • A. He is able to demonstrate that due diligence and due care were established and followed.
  • B. He was on vacation during the incident.
  • C. The incident was not covered in the company's security policy.
  • D. The employee was not in good standing.


CORRECT ANSWER - A. He is able to demonstrate that due diligence and due care were established and followed. 

The Federal Sentencing Guidelines were developed to establish more detail in what is expected of executives within companies. They promote consistent due diligence and due care by the management team. If the executive can prove that proper due diligence and due care were practiced, then it is conceivable that he would not be held liable in the suit.







Don't you want to pass the CISSP....the FIRST time?

Get my FREE CISSP training videos (Domains 1 - 4) so I can show you how to pass the CISSP Exam...the FIRST time!