Activity
Mon
Wed
Fri
Sun
Aug
Sep
Oct
Nov
Dec
Jan
Feb
Mar
Apr
May
Jun
Jul
What is this?
Less
More

Memberships

CyberMAYnia CAREER

537 members • Free

CISSP Study Group

2.2k members • Free

170 contributions to CISSP Study Group
CISSP Practice Question (Domain 6: Security Assessment and Testing - AI Exam Guidance)
Your organization fine-tuned a large language model on internal customer support records and deployed it as an employee-facing assistant. An internal audit is scheduled, and the audit committee asks you to demonstrate that the model cannot be induced to reveal sensitive training data. What is the MOST appropriate assessment approach? A. Perform static analysis of the model's source code and dependencies B. Conduct adversarial prompt testing designed to elicit training data memorization C. Validate that role-based access controls restrict who can query the model D. Review data classification labels applied to the fine-tuning dataset Come back for the answer tomorrow, or study more now!
1 like • 2d
Your organization fine-tuned a large language model on internal customer support records and deployed it as an employee-facing assistant. An internal audit is scheduled, and the audit committee asks you to demonstrate that the model cannot be induced to reveal sensitive training data. What is the MOST appropriate assessment approach? A. Perform static analysis of the model's source code and dependencies ( static analysis is a useful secure development practice but cannot adequately demonstrate resistance to training data extraction attacks). B. Conduct adversarial prompt testing designed to elicit training data memorization ( the most appropriate assessment approach to demonstrate that the model cannot be induced to reveal sensitive training data, it mimics AI read teaming/ penetration testing for real attack mindset - directly validates whether the model exhibits training data memorization or can be manipulated through prompt engineering to disclose sensitive information). C. Validate that role-based access controls restrict who can query the model ( RBAC is most effective for implementing PoLP preventive control mostly for insider threat / lateral movement, howver, 'B' is more effective for assessment in the given scenario). D. Review data classification labels applied to the fine-tuning dataset ( data classification labels are initial governance level preventive measures for applying access controls / encryption according to data sensitivity but not an assessment approach).
CISSP Practice Question (Domain 6: Security Assessment and Testing - AI Exam Guidance)
Your organization deploys a customer-facing AI model that passed standard penetration testing. Leadership wants assurance the model itself cannot be manipulated or stolen. As the security assessment lead, what is the MOST appropriate NEXT step? A. Commission AI red teaming for evasion and model extraction attacks B. Repeat penetration testing with expanded application scope C. Review the vendor's secure development attestation D. Enable runtime anomaly monitoring on model outputs Come back for the answer tomorrow, or study more now!
1 like • 6d
A. Commission AI red teaming for evasion and model extraction attacks (most appropriate next step as proactive measure for assurance from manipulation or stealing). B. Repeat penetration testing with expanded application scope ( As the AI model already passed the atandard PT, repeatition with expanded scope without specific inclusion of option 'A' will not be effective - expanded penetration testing may uncover additional application or infrastructure issues but still does not specifically assess AI model manipulation and model theft). C. Review the vendor's secure development attestation ( vendor attestations provide process assurance but do not demonstrate resistance to AI-specific attacks such as model extraction or adversarial manipulation). D. Enable runtime anomaly monitoring on model outputs ( runtime monitoring is an important detective control, but it does not validate the model's resistance to evasion or model extraction. Leadership requested assurance of security, making AI red teaming the more appropriate next assessment activity).
Passed the CISSP
Hello all, I am excited to share that I have passed the CISSP exam. I want to thank everyone in this community who takes the time to answer questions, share their knowledge and encourage others. Your contributions made a real different in my journey. Thank you all for being part of my journey and I hope I can pay it forward by helping others as well.
0 likes • 7d
Congratulations @Victor De Jesus
Practice Question
What is the primary function of a Data Loss Prevention (DLP) solution? A. Encryption B. Access Control C. Monitoring D.Traffic Filtering
0 likes • 12d
As per author of the question, option D is coorect as explained by @ Ed Morawski
0 likes • 10d
Explanation (Shon Gerber) : A. Encryption Encryption is a confidentiality control that scrambles data to make it unreadable without a key. - The Distinction: While a DLP solution can trigger encryption (e.g., automatically encrypting an email that contains a Credit Card number), encryption itself is a separate cryptographic process. DLP is the "brain" that decides if the encryption needs to happen based on the data's movement. B. Access Control Access control (like RBAC or MAC) determines who can see or modify a file while it sits on a server. - The Distinction: Access control is generally "internal." DLP is focused on what happens when an authorized user tries to move that data outside of the protected environment (e.g., uploading it to personal cloud storage or copying it to a USB drive). C. Monitoring Monitoring is a broad activity that happens across all security domains. - The Distinction: While DLP certainly monitors data, "Monitoring" is too generic an answer. DLP's primary functional value is its ability to intervene and block unauthorized transfers, not just watch them happen.   D. Traffic Filtering / Content Inspection This is the core of DLP. It inspects the content of data packets or files to see if they match specific "sensitive" patterns. -  The Mechanism: DLP uses techniques like Pattern Matching (looking for 16-digit numbers that look like credit cards), Keywords, and Document Fingerprinting (recognizing a specific sensitive form).   - The Three States of DLP: 1. Data at Rest: Scanning file shares and databases for sensitive info.   2.  Data in Transit (Network DLP): Monitoring email, web traffic, and FTP.   3.  Data in Use (Endpoint DLP): Monitoring clipboards, printers, and USB ports.  
CISSP Practice Question (Domain 5: Identity and Access Management - AI Exam Guidance)
An AI scheduling agent needs calendar and email access for all executives. The vendor requests a single privileged service account to simplify deployment before next month's rollout deadline. As the IAM lead, what is the MOST appropriate action? A. Approve the account with session recording enabled B. Issue scoped non-human identities per function with credential rotation C. Delay rollout until the vendor supports federated authentication D. Grant access but restrict it to business hours only Come back for the answer tomorrow, or study more now!
1 like • 10d
A. Approve the account with session recording enabled ( detective / monitoring control enabled approval seems appropriate but preventive measures / due diligence has priority). B. Issue scoped non-human identities per function with credential rotation ( most appropriate choice with limited scope NHIs and credential rotation rather single privleged account which increase attack surface and violates fundamental PoLP). C. Delay rollout until the vendor supports federated authentication ( not in comformity with alignment of security with business). D. Grant access but restrict it to business hours only ( partly effecitve,time-of-day restrictions are only an additional control. They do not address the fundamental risk of a single over-privileged service account).
1-10 of 170
Hassan Na
5
232points to level up
@hassan-hassan-4557
CISSP aspirant, ISC2 CC

Active 10h ago
Joined Dec 7, 2025
Powered by