CCT 307: Practice CISSP Questions - Security Policies and Procedures

Dec 18, 2025
CISSP Cyber Training
20:17

Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

Headlines say the talent shortage is easing, yet nearly half of UK businesses still lack basic cyber skills. That disconnect sets the stage for a frank, practical tour through what actually reduces risk—no buzzwords required. We open with real takeaways from the UK’s international cyber skills initiatives and move quickly to the daily decisions that shape resilience: encryption in the cloud, least privilege by default, and how to keep role-based access control from collapsing under credential creep.

We make the identity layer tangible. Single sign-on can simplify life and lower password reuse, but it also centralizes risk. We share how to counterbalance SSO with MFA, conditional access, and strong monitoring. Cloud-based IAM accelerates deployment and gives flexibility, yet brings ongoing costs and integration challenges with legacy systems; outsourcing introduces a loss of control that must be offset by airtight requirements, auditability, and vendor transparency. Phishing remains the most reliable social engineering vector, so security awareness training isn’t optional—it’s the routine that turns policy into behavior.

Zero trust becomes manageable when you stop treating it like a switch and start treating it like a program. We outline a phased path: define protect surfaces, segment by sensitivity, apply continuous verification where the impact is highest, and expand deliberately. Vendor access deserves the same precision: NDAs for legal guardrails, least privilege for scope, monitoring for assurance, and scheduled reviews to remove stale permissions. Along the way, we talk mentorship, pro bono work, and competitions as concrete ways to grow talent while delivering real security outcomes.

We also road-test your knowledge with a focused Domain 1.9 CISSP question set, reinforcing the core ideas with scenario-based reasoning. If you’re preparing for the CISSP or leading a security program, you’ll walk away with a clear playbook: encrypt by default, minimize access, verify continuously, and measure what matters. If this resonates, subscribe, share with a teammate, and leave a review so others can find the show.
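The show notes above name three IAM checks that a scheduled access review is meant to catch: overlapping roles that make RBAC hard to reason about, accounts whose accumulated role assignments exceed what their job needs (credential creep), and vendor grants that outlived their contract or simply went unused. The script below is an added example written for this page, not code from the podcast or from CISSP Cyber Training. The role catalogue, job baselines, account records and dates are all constructed sample data; the permission names and the 90-day idle threshold are assumptions chosen for illustration, not any standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data, not taken from any real environment: role -> permissions it grants.
ROLES: Dict[str, Set[str]] = {
    "billing-reader":  {"invoice:read"},
    "billing-analyst": {"invoice:read", "report:run"},
    "billing-admin":   {"invoice:read", "invoice:write", "report:run", "user:manage"},
    "support-agent":   {"ticket:read", "ticket:write"},
    "support-lead":    {"ticket:read", "ticket:write"},  # duplicates support-agent exactly
}

# Least-privilege baseline (assumed for the example): the most a holder of each job should ever be able to do.
BASELINE: Dict[str, Set[str]] = {
    "analyst": {"invoice:read", "report:run"},
    "support": {"ticket:read", "ticket:write"},
    "admin":   {"invoice:read", "invoice:write", "report:run", "user:manage"},
}


@dataclass
class Account:
    name: str
    job: str
    roles: List[str]
    vendor: bool = False
    expires: Optional[date] = None    # contractual end of a vendor grant, if any
    last_used: Optional[date] = None  # last authenticated use seen in logs


def overlapping_roles(roles: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Flag role pairs that grant identical permissions ("duplicate") or where one
    is a strict subset of the other ("nested"); both blur what a role assignment means."""
    names = sorted(roles)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if roles[a] == roles[b]:
                found.append((a, b, "duplicate"))
            elif roles[a] < roles[b] or roles[b] < roles[a]:
                found.append((a, b, "nested"))
    return found


def effective_permissions(acct: Account, roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of everything the account's roles grant: the blast radius if it is compromised."""
    perms: Set[str] = set()
    for r in acct.roles:
        perms |= roles[r]
    return perms


def excessive_privileges(accounts, roles, baseline) -> Dict[str, Set[str]]:
    """Accounts whose effective permissions exceed the baseline for their job (credential creep)."""
    out = {}
    for acct in accounts:
        extra = effective_permissions(acct, roles) - baseline[acct.job]
        if extra:
            out[acct.name] = extra
    return out


def stale_grants(accounts, today: date, max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Accounts whose grant has expired or that have not been used within max_idle_days."""
    out = {}
    for acct in accounts:
        reasons = []
        if acct.expires is not None and acct.expires < today:
            reasons.append("expired")
        if acct.last_used is None or (today - acct.last_used).days > max_idle_days:
            reasons.append("idle")
        if reasons:
            out[acct.name] = reasons
    return out


def access_review(accounts, roles, baseline, today: date) -> dict:
    """One scheduled review run: everything a reviewer should act on, in one report."""
    return {
        "overlapping_roles": overlapping_roles(roles),
        "excessive_privileges": excessive_privileges(accounts, roles, baseline),
        "stale_grants": stale_grants(accounts, today),
    }


# Constructed accounts for the review run.
TODAY = date(2025, 12, 18)
ACCOUNTS = [
    Account("alice", "analyst", ["billing-reader", "billing-analyst"], last_used=TODAY - timedelta(days=2)),
    # bob kept billing-admin after a temporary project ended: classic creep
    Account("bob", "analyst", ["billing-analyst", "billing-admin"], last_used=TODAY - timedelta(days=1)),
    # vendor grant that was never revoked when the contract ended
    Account("acme-support", "support", ["support-agent"], vendor=True,
            expires=date(2025, 9, 30), last_used=date(2025, 8, 1)),
    Account("carol", "admin", ["billing-admin"], last_used=TODAY),
]

if __name__ == "__main__":
    for section, findings in access_review(ACCOUNTS, ROLES, BASELINE, TODAY).items():
        print(f"{section}: {findings}")
```

In a real tenant the role catalogue and account list would come from the IAM provider's export and the last-used dates from authentication logs; the point of the example is that the review compares effective permissions against a written baseline rather than eyeballing role names, which is what lets it surface bob's leftover admin role and the expired vendor account on every scheduled run.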

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!

SPEAKER_00:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber, and I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started.

SPEAKER_01:  

Good morning, everybody. This is Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautiful, blessed day today. Today is, what is it? It is CISSP Question Thursday. So we're gonna get into some CISSP questions that are associated with the podcast that occurred on Monday over Domain 1. So it is gonna be an exciting day. But before we get started, I'd like to start, as usual, with a little bit of news. There was an article that popped out recently about the UK hosting an international cyber skills conference. I know this is a big topic for a lot of different companies, and I get approached here and there about CISOs, I should say, CIOs, that are looking for CISOs to do fractional CISO work. And this is no different. There are tons of opportunities out there for security professionals. You just have to be in the right place to find them, and they have the experience to help you with that. But the interesting part with that was that the UK is realizing that they are having challenges with filling their cybersecurity roles. And so, therefore, they had a three-day international conference to discuss how to tackle the growing threat of cyber attacks. Now, I'll be very transparent. There are a lot of conversations that occur on how to deal with this. Sometimes I feel there are conversations and not enough action. But at least within this conference, they're trying to do some things to potentially offset some of those challenges. One of the things they had was this global cybersecurity skills recommendations report. And in this report, they did say that they're trying to figure out how to get this resolved. And they did say that the number of job shortfalls within the UK has gone down. It's not as much as it was. So they're saying about 11,000 jobs in 2023 down to about 3,500 in 2024.

But the interesting part in this is that they said 44% of UK businesses still do not have the fundamental skills to protect themselves from a cyber attack. So the roles may have reduced, but I've seen this time and again. The businesses do not have the knowledge to protect themselves from a cyber event or incident. And what can happen is that since they don't have the skills to do that, one event can be catastrophic for a business. I mean, take it from me. Your businesses are already running on very small margins, and now you have a cybersecurity incident that occurs; it can be damaging. And if not, it can also potentially shut you down. So it's important to understand that if you are a cybersecurity professional looking for a role, it is important that you work hard to get your education to a level that will be acceptable to people, but also to help businesses that maybe don't totally understand that they have a problem. And one thing I'd recommend is doing pro bono work, potentially like helping nonprofits. It is a very good way for you to gain some knowledge and some expertise, but also help people out, because you have knowledge that you may not think you do, but you have knowledge that many people are looking for. Even if your knowledge in your mind is a more basic type of knowledge, there are tons of individuals out there that are looking for someone that has something to be able to give them some guidance and some direction. In this article, they also talk about the UK launching two cyber skills schemes and one competition. They're basically having to figure out how to have competitions to bring new people into cybersecurity, as well as then educate and teach them so that they can go out and try to do more to help protect the overall country itself. So again, they have a scheme that delivers tailored support to universities, councils, and businesses across England.

And then they also have a competition to find young talent. I will say that I have a young individual that I go to church with, and he is super smart, and we've done a lot to help guide and direct him into the cybersecurity field, because he is going to do wonders for that. But it also takes someone that can lead and mentor these young folks, to give them the direction that they need to get into the cybersecurity space.

Okay, so let's get into the questions for this week. We're in group 10. This is of Domain 1. And if you go to CISSP Cyber Training, you'll be able to get access to this courseware. All of it is there and available to you. All these questions are available. You can go and study these questions for the CISSP, and you can gain access to all the information there. Again, when you go in and purchase any of this content, it goes to a nonprofit that is associated with adoptive families. So I would highly recommend that if you're interested in the CISSP, what a great way for you to get the training you need as well as help other people out. So it's a good deal. Okay, so again, group 10. This is 15 questions, and today we're tied to Domain 1, and it's 1.9.

Question 1: Which of the following is the most effective method for preventing unauthorized access to sensitive data in a cloud environment? Again, which of the following is the most effective method for preventing unauthorized access to sensitive data in a cloud environment? A: implementing strong encryption at rest and in transit. B: conducting regular vulnerability assessments. C: limiting network access to authorized users only. Or D: regularly updating software systems. So the most effective way of preventing unauthorized access to sensitive data is implementing strong encryption at rest and in transit. We've talked about this in the past: when people gain access to the data, it's very easy for them to gain access to it. I mean, I shouldn't say easy. Odds are highly likely that they're going to gain access to data that you may or may not want them to have. And having encryption is an important factor, especially when you're dealing with sensitive data in a cloud environment.

Question 2: Which of the following is a common weakness in role-based access controls, or RBAC? A: lack of segregation of duties. B: excessive privileges. C: overlapping roles. Or D: lack of user training. Now, again, what is a common weakness? This can be a couple of different things, right? There can be weaknesses with lack of user training, and there can be excessive privileges, but realistically, the common weakness in role-based access controls is overlapping roles, or credential creep. Again, in RBAC this can create confusion and inconsistency, complicating access management and increasing the risk of unauthorized access. So overlapping roles can be a problem with RBAC.

Question 3: Which of the following is the best method for ensuring that employees are aware of and comply with the organization's security policies? Again, which of the following is the best method for ensuring that employees are aware of and comply with the organization's security policies? A: posting security policies in a visible location. B: providing security awareness training. C: implementing technical controls to enforce compliance. Or D: conducting regular security audits. And the answer is B, providing security awareness training. Again, this training can be an effective way to help employees. Now, it isn't going to be the panacea and fix everything, but it is a really good way to help, again, by getting this stuff in front of people on a routine basis, over and over again.

Question 4: Which of the following is a disadvantage of using a single sign-on solution? So what's a disadvantage of using SSO? A: increased complexity. B: increased cost. C: limited scalability. Or D: reduced security. Now, when you talk about this, you're going to say, well, this doesn't make sense, because it does have increased complexity, it does increase your cost, and it doesn't really limit your scalability, but I guess it can, because it depends on if everybody signs up for SSO. But the main disadvantage is that it reduces security. And you're going, what do you mean? Well, the reason is, and this is kind of a double-edged sword, that it is potentially a single point of failure within your organization, and it can expose access to multiple systems and applications. It also is a benefit in the fact that not everybody has to remember passwords for all these logins, which is where a lot of password reuse occurs. So reduced security is the best answer in this situation, right? In this question, the best answer of all these answers is reduced security. But keep in mind you need to understand with SSO what the other positives and negatives are that go along with that.

Question 5: Which of the following is a best practice for managing privileged accounts? So which of the following is a best practice for managing privileged accounts? A: use strong and complex passwords. B: implement least privilege access controls. C: monitoring privileged account activity. Or D: regularly changing passwords. And the answer is B, implementing least privilege access controls. Again, least privilege is crucial. It's very important for the managing of privileged accounts, and it minimizes potential damage from an account compromise, right? So if you have least privilege and your account is compromised, it does limit the blast radius in which someone can gain access to this data.

Question 6: Which of the following is a disadvantage of using cloud-based identity and access management solutions? So what is a disadvantage of using cloud-based identity and access management solutions? A: increased cost. B: decreased flexibility. C: decreased security. Or D: longer implementation time. So longer implementation time isn't true, because when you're deploying IAM within the cloud, it's very easy. I should say it's easier than if you were deploying it on-prem. Decreased security, no; that's important, because IAM account management is an important factor, unless you were to just leave it wide open. And then decreased flexibility: it does give you the flexibility that you need. Now, it sometimes can be a little bit problematic when you're dealing with on-prem and cloud and integrating your IAM solution between the two, but it's not a factor. It is actually increased cost. They will lead to higher cost due to ongoing service fees and potential additional charges, making it a notable disadvantage. So there is increased cost by using IAM solutions. They don't do this stuff for free, so unfortunately, you gotta pay for it somehow.

Question 7: Which of the following is a common attack vector for social engineering attacks? Okay, this is probably easy. You guys will get this one. A: malware. B: denial of service. C: phishing emails. Or D: unauthorized physical access. Right? A common attack vector for social engineering attacks is C, phishing emails, right? That's what they use to get as much of the information as they can. And the point is they mask them as legitimate emails.

Question 8: Which of the following is a best practice for managing vendor access to an organization's systems? A: providing vendors with broad access to the network. B: requiring vendors to sign non-disclosure agreements. C: monitoring vendor activity. Or D: limiting vendor access to specific systems. So which of the following is a best practice for managing vendors' access to an organization's systems? And the answer is B. Okay, it's requiring vendors to sign non-disclosure agreements. Again, this is a best practice, and this is how you manage the access. It doesn't really manage it so much. It's more of, I guess, managing it. It's not physically managing it; it's managing it from a paperwork standpoint. And it does help protect sensitive information by legally binding them to confidentiality, which is an important part of any vendor agreement. Just keep in mind, though, any document somebody signs is not going to stop them from doing something with the data they shouldn't do. But it does add one more level of protection, in that there are consequences associated if they were to be doing something inaccurate or wrong.

Question 9: Which of the following is a challenge associated with implementing a zero trust security model? A: decreased user productivity. B: increased cost. C: integration of legacy systems. Or D: increased complexity. So again, the question is which of the following is a challenge associated with implementing a zero trust security model? And the answer is D. It is increased complexity. Now, all of those are an important part of a zero trust model. Decreased user productivity, increased cost, integration with legacy systems, all of those can be a challenge associated with a zero trust model. But when it comes to the complexity piece of this, adding a zero trust security model does introduce a lot of complexity and is a rigorous requirement, and requiring verification of every access request and continually assessing trust can be a very complicated security management plan. And I would highly recommend, if you're going to implement zero trust within your organization, start small. Start in areas that you know you can use, or that are not complex, that don't have a lot of ties, and then just build upon it. And I will say that zero trust for your entire environment might be a great bumper sticker. I don't know how well you can deploy zero trust in an environment that started off as a blended environment. So what I mean by that is if you start greenfield, where you start with a brand new building or a brand new network, you can move to zero trust relatively simply, not easily, but simply, if you start with nothing. Now, if you start with a complicated network that already has an old legacy network built in, and you're trying to embed it within a cloud environment, new technology, old technology, moving to a zero trust environment can be a bit more problematic. And I will say that it could be very, very challenging. So what you want to start off with, especially if you're dealing with a legacy environment, is to start small. Start in areas that you feel you can deploy zero trust, and you may never get there. You may never get to complete zero trust within your environment because of the additional costs that it may result in as you move forward. So just keep that in mind. Now, if you have mandates from governmental officials that you must be zero trust, well, then I guess you'll just be dumping gobs of money in and trying to figure it out. But just know that if you don't have mandates that you must have your entire network zero trust, then it may, not saying it will, but it may come down to smaller segments where you deploy your zero trust.

Question 10: Which of the following is a risk associated with outsourcing identity and access management services? A: loss of control. B: increased cost. C: decreased security. Or D: reduced vendor expertise. So again, you're outsourcing your IAM services. And the answer is A, loss of control. Okay, so outsourcing IAM can lead to loss of control over the management and security controls associated with it. So one thing to think about is if one of the requirements is that you must maintain control, that would be one of the requirements that you talk to your vendor about and go, what can we do here? So you just need to think about that before you start going down the IAM path. Get really prescriptive on what your requirements are, what you are asking for specifically, and what you are trying to accomplish with your IAM deployment.

Question 11: Which of the following is a best practice for managing privileged accounts in a cloud environment? Again, which of the following is a best practice for managing privileged accounts in a cloud environment? A: using strong, complex passwords. B: implementing least privilege access controls. C: monitoring privileged account activity. Or D: enforcing multi-factor authentication. So which of the following is the best practice for managing privileged accounts in a cloud environment? And the answer is B, implementing least privilege access controls. Again, least privilege controls are vital for managing privileged accounts in the cloud. You want to do that anytime you can, but especially for privileged accounts. It does limit the account's access to only what is necessary, reducing the potential impact of a compromised account.

Question 12: Which of the following is a common weakness in identity and access management implementation? A: overlapping roles. B: lack of segregation of duties. C: excessive privileges. Or D: inconsistent password policies. So which of the following is a common weakness in identity and access management implementation? And the answer is C, excessive privileges. That is a common weakness that you will see in IAM.

Question 13: Which of the following is a best practice for managing vendor access to an organization's systems? Okay, we talked about this a little earlier, but it's a different question. Which of the following is a best practice for managing vendor access to an organization's systems? A: providing vendors with broad access to the network. B: requiring vendors to sign non-disclosure agreements. C: monitoring vendor activity. Or D: regularly reviewing access permissions. Again, which of the following is a best practice for managing access to an organization's systems? And that is D, regularly reviewing access permissions. This is a best practice for managing vendor access, and it ensures that only necessary permissions are granted and helps identify and revoke outdated or unnecessary access controls or access credentials. Yes. Sorry, I kind of lost my train of thought on that one.

Question 14: Which of the following is not a common personnel security policy control? A: background checks. B: separation of duties. C: mandatory vacations. Or D: risk assessments. So which of the following is not a common personnel security policy control? And the answer is D, risk assessments. Risk assessments are a broader process used to evaluate the overall security posture of an organization, including personnel security, but are not a specific control within the personnel security policies.

Question 15: Which of the following is a primary purpose of a non-disclosure agreement? So what is the primary purpose of a non-disclosure agreement, or NDA? A: to protect the organization's intellectual property. B: to ensure employees comply with company policies. C: to hold employees accountable for their actions. Or D: to prevent unauthorized access to systems. And again, the primary purpose of an NDA is to protect the organization's intellectual property. So NDAs are primarily used to protect the organization's IP and confidential information, again, by prohibiting employees and contractors from disclosing it to unauthorized parties. That being said, again, it's a piece of paper. So it doesn't mean people aren't going to do it.

Okay, I hope you guys enjoyed this. Again, this was off of Domain 1.9 of the ISC2 CISSP book. You can go out to CISSP Cyber Training and you can get all of this content at cisspcybertraining.com. Again, all proceeds go to a nonprofit for adoptive families. So again, go out and buy to your heart's content. Bye, bye. Have a wonderful day, and go out there, attack the evil hacker horde, and we'll catch you all on the flip side. See ya.

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?

Let CISSP Cyber Training help you pass the CISSP Test the first time!
