CertiPro CISSP: Practice CISSP Exam 2023 (Intermediate)

Two full mock CISSP tests of 125 questions each, covering all 8 domains


The “Certification Pro: CISSP Cybersecurity Practice Exam” is a meticulously designed assessment tool specifically created to help information security professionals and enthusiasts evaluate their knowledge and understanding of the CISSP Common Body of Knowledge (CBK). The practice exam features a diverse range of questions and scenarios, simulating real-world situations that test-takers might encounter during the actual CISSP certification exam, providing them with invaluable experience and confidence.

Covering all eight domains of the CISSP CBK, this practice exam ensures a comprehensive evaluation of participants’ skills in security and risk management, asset security, security architecture and engineering, communication and network security, identity and access management, security assessment and testing, security operations, and software development security. By addressing each domain, the practice exam offers a well-rounded assessment of the test-taker’s knowledge and readiness for the CISSP certification exam.

Below I am sharing a few sample Q&A:

1. Jane is a security manager at a large financial institution. She recently learned about a data breach at a competitor, which resulted in significant financial losses. Jane wants to ensure that her organization avoids a similar breach. Which risk management strategy should Jane prioritize to minimize the potential for a data breach?

a) Risk avoidance

b) Risk acceptance

c) Risk mitigation

d) Risk transference

2. Robert, a system administrator, is tasked with protecting sensitive information for his company. He needs to ensure that only authorized personnel can access the data, even if it is intercepted. Which data protection method should Robert use to accomplish his goal?

a) Encryption

b) Tokenization

c) Obfuscation

d) Steganography

3. Thomas is a security architect working on a new project. He needs to ensure that the web application is secure from potential attacks. To achieve this, he plans to implement a security control that can prevent SQL injection attacks. Which of the following security controls should Thomas implement?

a) Input validation

b) Intrusion detection system

c) Least privilege

d) Network segmentation

4. Alice, a network engineer, has been asked to implement a secure communication protocol between two remote offices. She needs to ensure that the data transmitted between these offices remains confidential and cannot be tampered with. Which protocol should Alice use?

a) HTTP

b) FTP

c) SMTP

d) IPSec

5. In a large organization, Mike is responsible for managing access controls for various applications. He wants to implement a centralized access control solution that can provide a single sign-on experience for the users. Which solution should Mike implement?

a) RADIUS

b) TACACS+

c) SAML

d) OAuth

6. Samantha is a penetration tester who has been hired to assess the security of a company’s web application. Her goal is to identify any security vulnerabilities and provide recommendations for remediation. Which of the following techniques should Samantha use to accomplish this?

a) Fuzz testing

b) Black-box testing

c) Vulnerability scanning

d) Compliance auditing

7. Laura is the head of the incident response team at her organization. She recently discovered a malware infection on a critical server. What should be her first step in responding to this incident?

a) Eradicating the malware

b) Identifying the attack vector

c) Containment

d) Recovery

8. Peter is a software developer working on a web application that handles sensitive user data. He wants to ensure the security of the application by implementing secure coding practices. Which of the following concepts should Peter prioritize to protect the application from cross-site scripting (XSS) attacks?

a) Output encoding

b) Input validation

c) Session management

d) Secure data storage

9. Emily, a risk analyst, is tasked with performing a quantitative risk analysis for a new IT project. She needs to estimate the potential financial loss associated with a specific threat. What should Emily calculate to determine this value?

a) Single Loss Expectancy (SLE)

b) Annualized Loss Expectancy (ALE)

c) Annualized Rate of Occurrence (ARO)

d) Exposure Factor (EF)

10. David is an information security officer who is responsible for ensuring the confidentiality of sensitive data during its entire lifecycle. He wants to protect sensitive data on a hard drive that is scheduled for disposal. What process should David use to ensure the data cannot be recovered?

a) Formatting

b) Overwriting

c) Degaussing

d) Encryption

1-c) Risk mitigation

Jane should focus on risk mitigation, which involves implementing controls to reduce the likelihood or impact of a data breach. Risk avoidance (a) is not realistic in a large financial institution, as completely avoiding risks would hinder normal business operations. Risk acceptance (b) is not appropriate, as the goal is to minimize the potential for a data breach. Risk transference (d) involves transferring the risk to a third party, but this does not address the primary concern of minimizing data breaches.

2-a) Encryption

Encryption transforms data into ciphertext, which can only be accessed by those who possess the corresponding decryption key, ensuring that even intercepted data remains confidential. Tokenization (b) replaces sensitive data with non-sensitive tokens, but it does not protect data during transmission. Obfuscation (c) makes data difficult to understand, but it is not secure against determined attackers. Steganography (d) hides data within other data, which is not suitable for protecting transmitted data.

3-a) Input validation

Implementing input validation ensures that only properly formatted data is allowed to enter the system, helping to prevent SQL injection attacks. Intrusion detection systems (b) monitor network traffic for signs of malicious activity but do not prevent SQL injection attacks directly. The least privilege principle (c) restricts user access rights, but it does not address input manipulation. Network segmentation (d) isolates different parts of the network, which does not specifically address SQL injection vulnerabilities.

4-d) IPSec

IPSec provides secure communication through encryption and authentication, ensuring data confidentiality and integrity between two remote offices. HTTP (a) is an unsecured protocol used for transmitting hypertext, while FTP (b) is used for file transfers but does not provide encryption by default. SMTP (c) is an email protocol that does not inherently offer end-to-end encryption.

5-c) SAML

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider, enabling single sign-on. RADIUS (a) and TACACS+ (b) are centralized authentication protocols but do not provide single sign-on capabilities. OAuth (d) is an authorization framework that does not inherently support single sign-on for multiple applications.

6-b) Black-box testing

Black-box testing involves testing the functionality of an application without knowledge of its internal structure, which allows Samantha to simulate real-world attacks and identify vulnerabilities. Fuzz testing (a) involves providing invalid, unexpected, or random data as inputs, which may be useful but is not as comprehensive as black-box testing. Vulnerability scanning (c) uses automated tools to identify known vulnerabilities but does not provide in-depth testing of application functionality. Compliance auditing (d) assesses adherence to regulatory requirements but does not focus on identifying security vulnerabilities.

7-c) Containment

The first step in responding to an incident is containment, which involves isolating the affected systems to prevent further damage or spread of the malware. Eradicating the malware (a) is important but should only be done after containment. Identifying the attack vector (b) is crucial for understanding the root cause but should follow containment to prevent ongoing damage. Recovery (d) involves restoring affected systems and processes, which is necessary but should be done after containment, eradication, and identification of the attack vector.

8-a) Output encoding

To protect against XSS attacks, Peter should prioritize output encoding, which ensures that any user-generated content is properly escaped before being rendered by a web browser. Input validation (b) is essential to prevent various attacks but does not directly prevent XSS attacks resulting from improper output handling. Session management (c) is vital for ensuring proper authentication and authorization but does not specifically address XSS attacks. Secure data storage (d) is crucial for protecting sensitive data but is not the primary concern when defending against XSS attacks.

9-b) Annualized Loss Expectancy (ALE)

ALE is the product of the Single Loss Expectancy (SLE) and the Annualized Rate of Occurrence (ARO). ALE represents the expected financial loss due to a specific threat over the course of a year, making it the appropriate value for Emily to calculate. Single Loss Expectancy (a) represents the financial impact of a single occurrence of a threat, which does not account for its frequency. Annualized Rate of Occurrence (c) is the estimated frequency of a threat occurring within a year, but it does not include the financial impact. Exposure Factor (d) represents the percentage of asset value lost due to a specific threat, but it does not consider the frequency or the overall financial impact.

10-c) Degaussing

Degaussing uses a strong magnetic field to erase the data on a hard drive, ensuring that the sensitive data cannot be recovered upon disposal. Formatting (a) removes data from the drive but leaves it potentially recoverable using specialized tools. Overwriting (b) replaces existing data with new data, but remnants of the original data may still be recoverable in some cases. Encryption (d) can protect the data while the drive is in use, but it does not ensure the data is permanently removed before disposal.

Who this course is for:

This practice test is designed for:

  • Information security professionals who are preparing for the CISSP certification exam and want to assess their knowledge, identify areas for improvement, and gain confidence in their abilities.

  • Individuals with experience in the information security field seeking to enhance their understanding of the CISSP Common Body of Knowledge (CBK) domains and familiarize themselves with the exam format.

  • IT professionals considering a career in information security or pursuing CISSP certification in the future, who wish to gauge their current knowledge level and identify areas where they may need further study.

  • Professionals working in related fields, such as IT management, network administration, or software development, who want to expand their understanding of information security principles and best practices, as the practice test covers a wide range of topics relevant to the broader IT industry.
