During a penetration test, the red team discovers a critical vulnerability in a production system that could allow full privilege escalation. From a CISSP perspective, what’s the right next step, should they exploit it fully to prove impact, or stop short and document the finding? How do you balance business risk, liability, and the test’s objectives?

An organization is experiencing a distributed denial-of-service (DDoS) attack that is overwhelming its internet bandwidth. Which of the following is the MOST effective immediate response? A Unplugging the primary internet connection. B Contacting their upstream internet service provider (ISP) for assistance. C Blacklisting the source IP addresses of the attack traffic. D Reconfiguring the firewall to block the malicious traffic.

What is the MOST important element when considering the effectiveness of a training program for Business Continuity (BC) and Disaster Recovery (DR)? A. Management support B. Consideration of organizational need C. Technology used for delivery D. Target audience

A corporation does not have a formal data destruction policy. During which phase of a criminal legal proceeding will this have the MOST impact? A. Sentencing B. Trial C. Discovery D. Arraignment

Which of the following controls is the most important for a system identified as critical in terms of data and function to the organization? A. Preventive controls B. Monitoring controls C. Cost controls D. Compensating controls