CISSP Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Certified Information Systems Security Professional (CISSP) exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Certified Information Systems Security Professional (CISSP)
A multinational organization is considering accepting a shared cloud provider’s standard contract for a platform hosting regulated workloads. The contract includes broad limits on provider liability, minimal audit rights, and no explicit breach notification timelines. The business argues speed-to-market outweighs legal negotiations. As the CISSP advising senior leadership, what is the BEST next step to reduce enterprise risk while preserving business agility?
A company uses a quantitative risk model and is evaluating two options for a critical manufacturing system. Current exposure: the system experiences a high-impact outage about once every 5 years. Estimated single loss expectancy (SLE) per outage is $8M. Option 1 reduces outage frequency to once every 20 years at an annual cost of $600K. Option 2 reduces SLE to $3M but does not reduce frequency, at an annual cost of $300K. Ignoring secondary effects, which option provides the GREATER reduction in annualized loss expectancy (ALE) per dollar spent?
During an acquisition, two companies must consolidate data classification schemes. Company A labels all customer records as “Confidential,” while Company B separates records into “Internal,” “Confidential,” and “Restricted,” with “Restricted” requiring additional approvals, DLP controls, and dedicated key management. The merged company must avoid weakening controls for the most sensitive records while keeping the scheme usable. What is the BEST approach?
A research lab needs to process highly sensitive intellectual property in a cloud-based analytics environment. Requirements: (1) the cloud provider must not be able to access plaintext data or encryption keys, (2) compute must occur on decrypted data to support existing algorithms, and (3) performance must be acceptable for batch workloads. Which architecture BEST meets these requirements?
An organization is designing a multi-tenant internal SaaS platform. A key threat is a shared component leaking one tenant’s data to another due to coding mistakes. The engineering team proposes strict input validation, unit testing, and code review. The security architect wants an additional control that reduces the blast radius even if application-layer controls fail. What is the BEST architectural control to add?
A financial firm is migrating from a flat network to a zero trust architecture. During pilot, administrators complain that troubleshooting is difficult because flows are frequently blocked by policy decisions made at multiple enforcement points. The CISO wants to maintain strong segmentation while improving operational diagnosability and policy correctness. What is the BEST next step?
A company uses mutual TLS (mTLS) between microservices. Certificates are short-lived and issued by an internal CA. After an incident, investigators determine an attacker obtained a service’s private key from a container image layer and used it to impersonate the service until the certificate expired. The organization wants to prevent key theft from enabling impersonation, even for short-lived certs. Which is the BEST improvement?
An enterprise uses SSO with SAML for multiple SaaS applications. A new security requirement states: “If a user is disabled in HR, their access to all SaaS apps must be revoked within 5 minutes, including existing sessions.” The IdP can disable accounts quickly, but several SaaS apps keep sessions active for hours. What is the BEST solution approach?
A security team must validate that a new EDR tool reliably detects credential dumping techniques without causing unacceptable operational disruption. Leadership wants evidence that the detection works across varied endpoints and that false positives are manageable. Which testing strategy provides the BEST assurance?
A development team practices CI/CD and wants to prevent deployment of code that contains hardcoded secrets and to limit blast radius if a secret is exposed. They already use static analysis and code review, but secrets still leak via build logs and temporary artifacts. Which combination is the BEST next step?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Certified Information Systems Security Professional (CISSP) exam!
Certified Information Systems Security Professional (CISSP) Advanced Practice Exam FAQs
The Certified Information Systems Security Professional (CISSP) is a professional certification from (ISC)² that validates expertise in information security concepts and practices. The official exam code is CISSP.
The CISSP advanced practice exam features the most challenging questions, covering complex scenarios, edge cases, and the in-depth technical knowledge required to excel on the CISSP exam.
While not required, we recommend mastering the CISSP beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 700/1000 on the CISSP advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.