CISSP Domain 6: Security Assessment and Testing

Domain 6: Security Assessment and Testing Practice Questions
Questions from the following topics are included in this domain:
Designing and validating assessments and tests
Conducting security control testing
Collecting security process data
Analyzing test output data and generating reports
Conducting and facilitating security audits

25 Questions

1. When an architect, designer, or developer reuses parts, components, or code instead of validating new replacements, the individual is engaged in which activity?
2. Kosovare runs a security training class for her team, teaching them to ask people "Did you forget your badge?" if they see someone wandering around the building without their badge. What can she do to be certain that staff are following their training?
3. Amel is a security professional who believes hackers are within her network. She is concerned they are successfully covering their tracks by modifying log files. What are two steps she can take to mitigate altered log files? (Choose two.)
4. Paul is a security administrator reviewing audit logs from a security information and event management (SIEM) device. This activity would fall under which category?
5. Bug number 535 was fixed with patch number 1. Bug number 435 was fixed with patch number 2. After customers installed patch number 2, several calls to support reported that bug number 535 had returned. What type of testing was NOT done in this scenario?
6. A hacker dials multiple phone numbers, attempting to find modems and fax machines. What is this attack called?
7. Any testing that's performed where the evaluator has zero knowledge of the environment is also known as which kind of test?
8. Hedvig is a developer who just completed unit testing for her product. Once this test has passed, which test should she run to ensure the entire product is valid before releasing it to production? (Choose two.)
9. The main difference between a business continuity plan (BCP) and a disaster recovery plan (DRP) is which of the following?
10. Users have been split into two groups to test whether a single difference in a social media website keeps users more interested in the website and on it for longer. What is this testing called?
11. Paul is a hardware technician who needs to replace the hard drive on the server. To complete this job, all users must be off the server. However, by checking remotely every 10 minutes, he has noticed that three users are still on the system. What is a better way for him to determine whether users are still logged on?
12. Tobin is a security manager and has learned that a new software management application has been introduced to the company. Staff are excited to use it because it will double production at half the cost of past methods. What is her BEST recommendation?
13. How often are level one merchants required to conduct network scans to comply with PCI DSS?
14. Arnie is a software developer and suggests to his supervisor to delay the project 1 week so that he can update the application with security mitigations. Why should his supervisor take this advice?
15. Debinha is an application developer who has completed a program that accepts credit cards. She simulates being a hacker, attempting to steal credit card information. This is an example of what kind of testing?
16. Mix is the chief security officer (CSO) of MLX Corp, and he is helping the security managers find the best security controls to protect their assets. Which technique does he advise the security managers to use to select the best controls?
17. DeMarcus is an ethical hacker attacking HART Hospital, as authorized by their chief information security officer. Federal investigators notice the attack and raid DeMarcus' facility and arrest him. What is the MOST LIKELY reason for him being arrested?
18. Before auditing work begins, each organization must understand the Terms of Engagement (ToE). Which of the following is NOT part of the ToE?
19. Which of the following is NOT a software tool that analyzes source code for bugs and security vulnerabilities?
20. Restoring systems back to standard operations after a disaster is known as disaster recovery. What is the process called where vital functions operate immediately after a disaster?
21. Which of the following Service Organization Controls (SOC) reports are Type I and Type II reports?
22. Which of the following is NOT a requirement of the Payment Card Industry Data Security Standard (PCI DSS)?
23. Gyasi measures single loss expectancies, along with likelihoods, to evaluate whether he should purchase insurance or provide his own mitigations to protect corporate assets. These measurement indicators are known as what?
24. Integrating security validation into applications as part of the DevOps cycle is also known as what? (Choose two.)
25. In the arena of software development and using the principles of continuous integration (CI), developers work in which order before releasing finished code to production?