Practice questions · CISSP

CISSP Practice Questions

Free CISSP practice questions with answers and plain-English explanations. Browse the PDF, video and online mock test.

Free sample · CISSPQ1
Which of the following access control models requires security clearance for subjects?
Correct — D. Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.
↑ Tap an answer to check it
Free questions

CISSP Questions

Open each answer, read the explanation, then continue into the full practice flow.

  1. Q1Which of the following access control models requires security clearance for subjects?

    Show answer

    ✓ Correct answer: Mandatory access control

    Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.

    Open the full explanation page →

  2. Q2In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because:

    Show answer

    ✓ Correct answer: the access controls are based on the individual's role or title within the organization.

    With Non-Discretionary Access Control, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual’s role in the organization (role-based access control) or the subject’s responsibilities and duties (taskbased access control). In an organization where there are frequent personnel changes, non-discretionary access control is useful because the access controls are based on the individual’s role or title within the organization. These access controls do not need to be changed whenever a new person takes over that role.

    Open the full explanation page →

  3. Q3Which item is not part of a Kerberos authentication implementation?

    Show answer

    ✓ Correct answer: Message authentication code

    Message authentication code (MAC) is a cryptographic function and is not a key component of Kerberos. Kerberos is made up of a KDC, a realm of principals (users, services, applications, and devices), an authentication service, tickets, and a ticket granting service.

    Open the full explanation page →

  4. Q4A central authority determines which files a user can access. <br/><br/>Which of the following best describes this?

    Show answer

    ✓ Correct answer: Nondiscretionary access control model

    A nondiscretionary access control model uses a central authority to determine which objects (such as files) that users (and other subjects) can access. In contrast, a discretionary access control model allows users to grant or reject access to any objects they own. An ACL is an example or rule‐based access control model. An access control matrix includes multiple objects, and it lists the subject’s access to each of the objects.

    Open the full explanation page →

  5. Q5The major disadvantage of many Single Sign-On (SSO) implementations is described in which of the following?

    Show answer

    ✓ Correct answer: Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.

    Single Sign-On is a distributed Access Control methodology in which a user only has to authenticate once to have access to all major and secondary network domains. <br/><br/>When the individual needs extra resources, they would not be asked to re-authenticate. The security concern this raises is that if a fraudster is able to compromise those credentials, they will also have access to all the resources that the account has access to. Because they are distractors, all of the other responses are wrong.

    Open the full explanation page →

  6. Q6To computer security software, the three traditional methods of authenticating yourself are something you know, something you have, and something:

    Show answer

    ✓ Correct answer: you are.

    Three common factors that can be used for authentication:<br/><br/>- Something a person knows.<br/><br/>- Something a person has.<br/><br/>- Something a person is.

    Open the full explanation page →

  7. Q7In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on:

    Show answer

    ✓ Correct answer: The individual's role in the organization

    With Non-Discretionary Access Control, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual’s role in the organization (role-based access control) or the subject’s responsibilities and duties (taskbased access control). In an organization where there are frequent personnel changes, non-discretionary access control is useful because the access controls are based on the individual’s role or title within the organization. These access controls do not need to be changed whenever a new person takes over that role.

    Open the full explanation page →

  8. Q8In Mandatory Access Control, sensitivity labels attached to objects contain what information?

    Show answer

    ✓ Correct answer: The item's classification and category set

    Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information - a classification (top secret, confidential etc.) and a category (which is essentially an indication of the management level, department or project to which the object is available).Similarly, each user account on the system also has classification and category properties from the same set of properties applied to the resource objects. <br/><br/>When a user attempts to access a resource under Mandatory Access Control the operating system checks the user's classification and categories and compares them to the properties of the object's security label. If the user's credentials match the MAC security label properties of the object access is allowed. It is important to note that both the classification and categories must match. A user with top secret classification, for example, cannot access a resource if they are not also a member of one of the required categories for that object.

    Open the full explanation page →

  9. Q9The Orange Book describes four hierarchical levels to categorize security systems. <br/><br/>Which of the following levels require mandatory protection?

    Show answer

    ✓ Correct answer: A and B.

    The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book.<br/><br/>TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:<br/><br/>A. Verified protection<br/><br/>B. Mandatory protection<br/><br/>C. Discretionary protection<br/><br/>D. Minimal security<br/><br/>Classification A represents the highest level of assurance, and D represents the lowest level of assurance. Level B is the lowest level that requires mandatory protection. Level A, being a higher level also requires mandatory protection.

    Open the full explanation page →

  10. Q10As per the Orange Book, what are two types of system assurance?

    Show answer

    ✓ Correct answer: Operational Assurance and Life-Cycle Assurance.

    When products are evaluated for the level of trust and assurance they provide, many times operational assurance and life-cycle assurance are part of the evaluation process. Operational assurance concentrates on the product’s architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product. Examples of operational assurances examined in the evaluation process are access control mechanisms, the separation of privileged and user program code, auditing and monitoring capabilities, covert channel analysis, and trusted recovery when the product experiences unexpected circumstances. Life-cycle assurance pertains to how the product was developed and maintained. Each stage of the product’s life cycle has standards and expectations it must fulfill before it can be deemed a highly trusted product. Examples of life-cycle assurance standards are design specifications, clipping-level configurations, unit and integration testing, configuration management, and trusted distribution. Vendors looking to achieve one of the higher security ratings for their products will have each of these issues evaluated and tested.

    Open the full explanation page →

Unlock everything

Full CISSP bank + unlimited mocks

Try 30 questions free. Unlock the complete CISSP question bank, every explanation, and unlimited timed mock exams. Practice on any device.

Unlock CISSP →
Cramming?
$2.99
/ week · per exam
Best value
$6.99
/ month · per exam