ISC2 CISSP — Certified Information Systems Security Professional · Domain 1 · 16% of exam

Security and Risk Management

Drill 20 practice questions focused entirely on Security and Risk Management for the ISC2 CISSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A retailer's e-commerce platform experiences credential-stuffing attacks. Currently, each successful breach costs an average of $50,000, and the company suffers about 6 successful breaches per year. A proposed multi-factor authentication and bot-mitigation solution costs $120,000 annually and is expected to reduce the frequency of successful breaches to 1 per year. Based purely on a quantitative cost-benefit analysis, what should the risk manager recommend?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services firm is performing a quantitative risk assessment on its data center. Historical records and industry data show that a major power outage affecting the facility has occurred roughly twice over the past ten years, and each event causes losses estimated at $150,000. The single loss expectancy (SLE) is already documented at $150,000. Which value should the risk analyst use for the annualized rate of occurrence (ARO) when calculating the annualized loss expectancy (ALE)?

Reviewed for accuracy · Report an issue
Question 3 of 20

An e-commerce company earns nearly all its revenue during a two-week holiday sales window. During last year's window, a volumetric distributed denial-of-service (DDoS) attack made the storefront unreachable for several hours, causing significant lost sales. The CISO wants to prioritize a control that most directly addresses the property of the CIA triad that failed in this incident. Which control should the CISO prioritize?

Reviewed for accuracy · Report an issue
Question 4 of 20

A regional bank's executive team asks the security manager to clarify the difference between the organization's Business Continuity Plan (BCP) and its Disaster Recovery Plan (DRP) before approving budget for both. The manager needs to explain how the two efforts relate. Which statement most accurately describes the relationship and scope of these plans?

Reviewed for accuracy · Report an issue
Question 5 of 20

A multinational manufacturer has no formal data classification program. Engineering blueprints, employee health records, and public marketing brochures are all stored together with identical access controls. The CISO wants to ensure that protection efforts and costs are proportional to the value and sensitivity of each information asset. Which action should the CISO take FIRST to address this problem?

Reviewed for accuracy · Report an issue
Question 6 of 20

A multinational retailer headquartered in the United States discovers that a database containing personal data of customers residing in several European Union countries has been breached. The Chief Privacy Officer is determining the organization's legal notification obligations. Which factor most directly determines which breach notification laws the retailer must comply with for the affected EU customers?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services firm suffers a data breach. During litigation, plaintiffs argue the company failed to act as a reasonable organization would. Investigators find the firm had conducted thorough vendor assessments, performed risk analyses, and documented security requirements — but never actually implemented the patching and monitoring controls those assessments recommended. Which concept did the firm MOST clearly fail to satisfy, exposing it to negligence liability?

Reviewed for accuracy · Report an issue
Question 8 of 20

A European subsidiary of a US-based company plans to transfer employee personal data to its parent company's HR system hosted in a US data center. The company's legal team confirms the US recipient is not certified under any adequacy framework recognized by the EU. Which mechanism should the security and privacy team recommend to make this cross-border transfer lawful under GDPR while requiring the least dependence on future regulatory approval?

Reviewed for accuracy · Report an issue
Question 9 of 20

A financial services firm discovers that unauthorized modifications to transaction records could go undetected for weeks. Regulators require the firm to demonstrate that stored transaction data has not been altered without authorization. The CISO is asked to recommend the control that most directly addresses this specific concern. Which control should the CISO prioritize?

Reviewed for accuracy · Report an issue
Question 10 of 20

A CISSP-certified security consultant discovers that a client's flagship product contains a serious vulnerability that could expose customer financial data. The client's executive team instructs the consultant to keep the finding confidential to protect the company's reputation and stock price, and reminds the consultant of the signed nondisclosure agreement. Following the ISC2 Code of Ethics, how should the consultant prioritize their obligations when deciding what to do?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial services firm discovers that a single accounts-payable clerk can create a new vendor, approve invoices for that vendor, and release payment—all without any second person's involvement. An internal auditor flags this as a significant fraud risk. Which personnel security principle should the security manager recommend implementing to most directly address the identified risk?

Reviewed for accuracy · Report an issue
Question 12 of 20

A newly formed startup has limited historical loss data and no budget for detailed financial modeling. The CISO must present a prioritized list of risks to the executive board within one week, ranking each risk by relative severity so leadership can decide where to focus early security investment. Which risk assessment approach is MOST appropriate for this situation?

Reviewed for accuracy · Report an issue
Question 13 of 20

A regional bank stores customer records in a data center whose replacement value (facility, hardware, and data reconstruction) is assessed at $4,000,000. A risk analyst determines that a major flood would damage approximately 35% of the asset value each time it occurs, and historical and geographic data indicate such a flood is likely once every 20 years. The board asks the analyst to present the figure that represents the expected monetary loss from a SINGLE flood event, so it can be compared against a proposed flood-barrier project. Which value should the analyst present?

Reviewed for accuracy · Report an issue
Question 14 of 20

A security team identifies a residual risk in a legacy application that cannot be cost-effectively remediated before a critical product launch. The estimated impact is within the organization's documented risk appetite, and no compensating control is feasible in the timeframe. According to sound risk management practice, what is the MOST appropriate next step?

Reviewed for accuracy · Report an issue
Question 15 of 20

A financial services firm is evaluating a proposal to launch a new online cryptocurrency trading feature. After a risk assessment, the security team determines that the regulatory uncertainty, extreme volatility of the assets, and the high likelihood of sophisticated attacks create a level of residual risk that far exceeds the organization's risk appetite, even after considering all available controls. The board decides not to proceed with launching the feature at all. Which risk treatment strategy does this decision BEST represent?

Reviewed for accuracy · Report an issue
Question 16 of 20

A financial services firm identifies a low-probability but catastrophic risk: a rare regional flood could destroy its primary data center, causing losses estimated at $40 million. The cost to build a geographically distant hot site to fully eliminate the exposure exceeds $30 million and is not budget-feasible. Executive leadership wants to protect the balance sheet against the financial consequences if the event occurs, without owning additional mitigation infrastructure. Which risk treatment approach best fits leadership's stated objective?

Reviewed for accuracy · Report an issue
Question 17 of 20

A newly hired CISO at a mid-sized financial services firm discovers that the security program operates independently, with technical controls chosen by the IT team based on industry trends rather than any documented connection to the firm's strategic goals. The board complains that security spending appears disconnected from business priorities and cannot demonstrate value. Which action should the CISO take FIRST to correct this governance deficiency?

Reviewed for accuracy · Report an issue
Question 18 of 20

A new CISO discovers that engineers configure firewalls inconsistently, each interpreting the high-level acceptable-use policy differently. The CISO wants to publish a document that specifies the exact, step-by-step commands and settings staff must follow to harden the firewalls, leaving no room for interpretation. Which type of governance document should the CISO create to meet this need?

Reviewed for accuracy · Report an issue
Question 19 of 20

A security manager at a manufacturing firm is drafting documentation for a new endpoint hardening initiative. She wants to create a document that mandates specific, uniform technical configurations (e.g., minimum password length of 14 characters, TLS 1.2 or higher, and disabling of a defined list of services) that all Windows workstations must comply with, and against which compliance can be audited. Which type of document should she produce?

Reviewed for accuracy · Report an issue
Question 20 of 20

A financial services firm signs a contract with a SaaS vendor that processes sensitive customer data. During the security review, the firm's third-party risk manager discovers the SaaS vendor outsources its data hosting and backup operations to a separate cloud subcontractor located in another country. The firm's own regulators hold the firm accountable for protecting customer data end-to-end. What is the MOST effective action to address this supply-chain risk before signing?

Reviewed for accuracy · Report an issue

More CISSP practice

Keep going with the other ISC2 CISSP — Certified Information Systems Security Professional domains, or take a full timed mock exam.

← Back to CISSP overview