Security Operations
Drill 14 practice questions focused entirely on Security Operations for the ISC2 CISSP exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
During a fraud investigation, a forensic analyst images a suspect's hard drive and later hands the copy to a second analyst for review. Weeks afterward, the defense challenges whether the evidence was altered while in storage. Which practice would MOST directly refute this challenge and support the evidence's admissibility in court?
A financial services firm must validate its disaster recovery plan for a core transaction-processing system. The CISO wants the highest-confidence test that proves the recovery site can handle real production workloads, but the business absolutely cannot tolerate any downtime or risk to the live production environment during the exercise. Which DR test type best satisfies these competing requirements?
A regional insurance company must ensure its claims-processing application can resume within 8 hours of a data center outage. The application changes frequently, and business impact analysis sets an RPO of 4 hours. Leadership wants to minimize ongoing costs while still meeting these targets. The IT team is choosing between recovery site strategies. Which option BEST balances the recovery objectives with cost efficiency?
During a critical outage at 2 a.m., an on-call systems administrator applies an unapproved firewall rule change to restore a failed VPN concentrator that thousands of remote employees depend on. The change works and service is restored. Following the organization's change management process, what should the administrator do next?
A forensic analyst must acquire the contents of a suspect's laptop hard drive for a potential litigation case. The analyst needs to ensure that the acquired image is an exact, verifiable copy and that the original evidence remains unaltered during the process. Which combination of practices BEST satisfies these requirements?
A responder arrives at a compromised but still-running Linux server that is actively communicating with an external IP. Management wants a forensically sound image before the system is taken offline. Which evidence should the responder collect FIRST to preserve the most fragile data?
During an active intrusion, an analyst discovers that a compromised server is actively exfiltrating data to an external IP. Legal has stated they intend to pursue prosecution and require forensically sound evidence. Management is pressuring the team to stop the data loss immediately. What is the BEST containment action for the analyst to take?
A SOC analyst reviewing threat intelligence feeds notices a newly published CVE for the exact version of a web server the organization runs in its DMZ. No exploitation attempts against the organization have been observed yet, but the feed reports active scanning for this vulnerability across the internet. According to NIST incident-handling terminology, how should the analyst classify this observation?
A security analyst has contained a ransomware outbreak by isolating infected hosts from the network. The malware's persistence mechanisms, dropped payloads, and compromised service accounts have been identified during analysis. The incident response team leader now asks what activity must be completed BEFORE systems are restored to production. Which action correctly represents the next phase of the incident response process?
During a ransomware outbreak, responders in a hospital's data center are simultaneously alerted that the malware has begun encrypting systems and that a coolant leak in the same room has raised the risk of an electrical hazard near the racks. The incident commander must decide the immediate priority for the on-site team. Which action should take precedence?
A ransomware incident at a mid-sized firm has been fully contained, eradicated, and systems have been restored from clean backups with normal operations verified. The incident response manager wants to derive the greatest long-term value from the event. What should be the NEXT action to strengthen the organization's future response capability?
A newly deployed SIEM is generating over 4,000 alerts per day, and the security operations center (SOC) analysts report that fewer than 2% of these alerts represent genuine security events. Analysts have begun ignoring entire categories of alerts, and a recent phishing-driven compromise was missed because the relevant alert was buried in noise. As the SOC manager, what is the MOST effective action to address the root cause of this problem?
A security operations team is deploying a new SIEM. Logs are flowing in from firewalls, Windows servers, Linux hosts, and cloud services, each using different timestamp formats and field structures. Analysts complain that correlation rules fail because the same field (e.g., source IP) appears under different names across sources. Which SIEM processing capability must be properly configured to resolve this issue?
A security operations team wants to detect a scenario where a long-tenured database administrator, using legitimate credentials, begins accessing customer records at 3 a.m. and downloading volumes far larger than their historical norm. Signature-based tools and standard SIEM correlation rules have not flagged the activity because no policy violation or known malicious signature is triggered. Which capability would MOST effectively identify this behavior?
More CISSP practice
Keep going with the other ISC2 CISSP — Certified Information Systems Security Professional domains, or take a full timed mock exam.
← Back to CISSP overview