100+ Free CISSO Practice Questions

Pass your Mile2 Certified Information Systems Security Officer (CISSO) exam on the first try — instant access, no signup required.


Key Facts: CISSO Exam

  • Exam Length: 100 MCQ (source: Mile2)
  • Passing Score: 70% (source: Mile2)
  • Course Modules: 19 modules (source: Mile2)
  • Government Approved: DoD 8140 (source: Mile2)
  • Included in Combo: 2 attempts (source: Mile2)
  • Instructor-Led Duration: 5 days (source: Mile2)

The Mile2 C)ISSO is a 100-question online exam requiring 70% to pass. It covers 19 modules of IS security management content aligned with NIST, ISO, and NICE Framework standards. It is DoD 8140 approved and includes two exam attempts in the combo package.

Sample CISSO Practice Questions

Try these sample questions to test your CISSO exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. A security analyst is performing a quantitative risk assessment. The asset value is $500,000, the exposure factor is 40%, and the annualized rate of occurrence is 0.5. What is the Annualized Loss Expectancy (ALE)?
   A. $100,000
   B. $200,000
   C. $250,000
   D. $400,000
   Explanation: ALE = SLE × ARO. SLE = Asset Value × Exposure Factor = $500,000 × 0.40 = $200,000. ALE = $200,000 × 0.5 = $100,000. The ALE represents the expected annual monetary loss from the risk.

2. Which risk response strategy involves shifting the financial impact of a risk to a third party, such as purchasing cyber insurance?
   A. Risk acceptance
   B. Risk avoidance
   C. Risk reduction
   D. Risk transference
   Explanation: Risk transference (also called risk sharing) moves the financial consequence of a risk to a third party, most commonly through insurance or outsourcing. The risk itself is not eliminated, but liability for losses is shared or shifted. Cyber insurance is the classic example.

3. Which qualitative risk analysis technique uses a structured set of guiding words (such as NO, MORE, LESS, AS WELL AS) applied to each element of a process to identify potential deviations and hazards?
   A. HAZOP
   B. FMEA
   C. Delphi technique
   D. Risk matrix
   Explanation: HAZOP (Hazard and Operability Study) uses predefined guide words applied to design intentions to systematically identify deviations and hazards. It is widely used in industrial and information systems risk analysis to uncover failure modes caused by deviations from intended operation.

4. In the context of information security governance, who holds ultimate accountability for all organizational assets and is the final decision-maker regarding acceptable risk levels?
   A. Chief Information Security Officer (CISO)
   B. Information Owner
   C. System Administrator
   D. Senior Management
   Explanation: Senior Management (executive leadership) bears ultimate accountability for organizational assets and is the authority responsible for approving acceptable risk levels. This is a foundational governance principle: security decisions must align with business objectives owned by executive leadership.

5. A company's security policy requires data to be labeled before transmission. Which role is responsible for assigning the data classification label to a specific dataset?
   A. Data custodian
   B. System owner
   C. Security officer
   D. Data owner (information owner)
   Explanation: The Data Owner (Information Owner) is the manager or business unit leader responsible for a specific dataset. They determine the classification level, authorized users, and protection requirements. The Data Custodian implements those protection controls on the owner's behalf.

6. Which social engineering attack technique involves an attacker impersonating a trusted entity — such as IT support — and fabricating a scenario to manipulate a victim into revealing credentials?
   A. Phishing
   B. Vishing
   C. Tailgating
   D. Pretexting
   Explanation: Pretexting involves creating a fabricated scenario (the pretext) where an attacker assumes a false identity or role (e.g., IT helpdesk, auditor) to manipulate the victim. It differs from phishing in that it often involves direct verbal interaction and a more elaborate cover story rather than simply a malicious link.

7. What is the primary purpose of multi-factor authentication (MFA)?
   A. To require verification using two or more independent authentication factors
   B. To enforce password complexity requirements
   C. To replace passwords entirely with biometric tokens
   D. To log all authentication events for audit purposes
   Explanation: MFA requires a user to present two or more authentication factors from different categories: something you know (password), something you have (token/smart card), and something you are (biometrics). This makes credential theft alone insufficient to gain access because the attacker would also need the second factor.

8. Which access control model uses a security lattice with clearance levels (e.g., Confidential, Secret, Top Secret) and enforces the 'no read up, no write down' rule?
   A. Discretionary Access Control (DAC)
   B. Role-Based Access Control (RBAC)
   C. Biba Integrity Model
   D. Bell-LaPadula Model
   Explanation: The Bell-LaPadula Model is a mandatory access control model focused on CONFIDENTIALITY. Its rules are: Simple Security Property (no read up — a subject cannot read objects at a higher classification) and Star Property (no write down — a subject cannot write to objects at a lower classification). This prevents information leakage from higher to lower classifications.

9. In Role-Based Access Control (RBAC), which of the following BEST describes how permissions are assigned to users?
   A. Permissions are assigned directly to individual users based on their identity
   B. Permissions are inherited from a security label attached to the data object
   C. Permissions are delegated by the resource owner to any user they choose
   D. Permissions are assigned to roles, and users are assigned to roles
   Explanation: In RBAC, permissions are associated with roles (e.g., 'network-admin', 'auditor'), and users are assigned to one or more roles. This simplifies administration because changing a role's permissions automatically affects all users in that role, and removing a user from a role revokes all associated permissions.

10. Which authentication mechanism issues a ticket-granting ticket (TGT) after initial authentication and allows users to access multiple services without re-entering credentials?
   A. RADIUS
   B. TACACS+
   C. Kerberos
   D. LDAP
   Explanation: Kerberos is a network authentication protocol using symmetric-key cryptography and a Key Distribution Center (KDC). After a user authenticates to the KDC, they receive a Ticket Granting Ticket (TGT). The TGT is used to request service tickets for individual resources, enabling Single Sign-On (SSO) without transmitting passwords.

About the CISSO Exam

The Mile2 CISSO certifies security officers in the broad body of knowledge required to manage an enterprise information security program. It covers 19 modules spanning risk management, access controls, cryptography, network security, incident response, business continuity, and legal/ethical frameworks. It is designed as structured preparation for CISSP and is DoD 8140 approved.

  • Questions: 100 scored questions
  • Time Limit: Approximately 2 hours
  • Passing Score: 70% (70/100)
  • Exam Fee: Varies by package (Mile2 Cybersecurity Institute)

CISSO Exam Content Outline

  • Risk Management (~6%): Qualitative and quantitative risk analysis, ALE/SLE/ARO formulas, and risk response strategies
  • Security Management (~6%): Governance, data classification roles, security policy hierarchy, and social engineering awareness
  • Identification and Authentication (~5%): MFA, Kerberos, RADIUS, TACACS+, and identity management protocols
  • Access Controls (~6%): DAC, MAC, RBAC, ABAC, Bell-LaPadula, Biba, and Clark-Wilson models
  • Security Models and Evaluation Criteria (~5%): TCSEC (Orange Book) evaluation classes and Common Criteria (PP, ST, EAL)
  • Operations Security (~5%): OPSEC process, change management, least privilege, and separation of duties
  • Vulnerability Assessments (~5%): Penetration testing types, vulnerability scanning, and CVSS scoring
  • Symmetric Cryptography and Hashing (~5%): DES, AES, encryption modes, HMAC, and hashing algorithms (MD5, SHA family)
  • Network Connections (~5%): IPSec (AH/ESP), Diffie-Hellman, VPN protocols, and asymmetric cryptography (RSA, PKI, CRL)
  • Network Protocols and Devices (~5%): Firewalls, DMZ architecture, DHCP, DNS, SNMP, and VLANs
  • Telephony, VPNs, and Wireless (~5%): WPA2/WPA3, 802.1X, evil twin attacks, and wireless security protocols
  • Security Architecture and Attacks (~5%): DoS/DDoS, session hijacking, ARP/DNS spoofing, MitM, and zero trust architecture
  • Software Development Security (~5%): SDLC security, SAST/DAST, buffer overflow, SQL injection, XSS, CSRF, and secure design principles
  • Database Security (~4%): SQL injection bypass, database abstraction, stored procedures, and access control for databases
  • Malware and Software Attacks (~5%): Virus types, ransomware, rootkits, Trojans, credential stuffing, and phishing variants
  • Business Continuity (~5%): BIA, MTD, RTO, RPO, alternate site types, and continuity plan development
  • Disaster Recovery (~5%): DR testing methods (parallel, full interruption), backup types (incremental, differential), and recovery
  • Incident Management, Law, and Ethics (~5%): NIST SP 800-61 IR lifecycle, HIPAA, FISMA, SOX, FIPS 200, due care, and professional ethics
  • Physical Security (~4%): Mantraps, CCTV, layered physical controls, fire suppression, power protection, and CPTED

How to Pass the CISSO Exam

What You Need to Know

  • Passing score: 70% (70/100)
  • Exam length: 100 questions
  • Time limit: Approximately 2 hours
  • Exam fee: Varies by package

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CISSO Study Tips from Top Performers

1. Master quantitative risk formulas: ALE = SLE × ARO, SLE = Asset Value × Exposure Factor
2. Know all access control models: Bell-LaPadula (no read up, no write down = confidentiality), Biba (no read down, no write up = integrity), Clark-Wilson (well-formed transactions + SoD)
3. Distinguish TCSEC levels: C2 (DAC + audit), B1 (MAC labels), B2 (formal model), A1 (verified design)
4. For BCP/DR: MTD > RTO > RPO — MTD is the limit, RTO is the target, RPO is data loss tolerance
5. Know the difference between hot site (minutes), warm site (hours-days), cold site (days-weeks)
6. Understand HMAC (shared key + hash = integrity + authenticity) vs. digital signature (private key = non-repudiation)
7. TACACS+ encrypts full packet + separates AAA; RADIUS encrypts only password + bundles auth/authz
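The Bell-LaPadula rules from sample question 8 and the Bell-LaPadula vs. Biba contrast in tip 2 are easiest to keep straight by seeing both enforced over the same lattice. The following is an added example, not code from the page or from Mile2: a minimal reference monitor over the ordered levels Unclassified < Confidential < Secret < Top Secret; the subject and object names are constructed, and reusing classification labels as Biba integrity levels is a simplification for illustration.

```python
from dataclasses import dataclass

# Ordered lattice of levels, lowest first (assumed ordering for this example).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Entity:
    name: str
    level: str  # clearance for a subject, classification/integrity level for an object


def blp_allows(subject: Entity, obj: Entity, action: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = RANK[subject.level], RANK[obj.level]
    if action == "read":
        return s >= o  # simple security property: subject must dominate the object
    if action == "write":
        return s <= o  # *-property: may only write at or above own level
    raise ValueError(f"unknown action {action!r}")


def biba_allows(subject: Entity, obj: Entity, action: str) -> bool:
    """Biba (integrity): no read down, no write up (the mirror image of BLP)."""
    s, o = RANK[subject.level], RANK[obj.level]
    if action == "read":
        return s <= o  # simple integrity property: only read from equal/higher integrity
    if action == "write":
        return s >= o  # *-integrity property: only write to equal/lower integrity
    raise ValueError(f"unknown action {action!r}")


def decisions(subject: Entity, obj: Entity) -> tuple:
    """Return (blp_read, blp_write, biba_read, biba_write) for one subject/object pair."""
    return tuple(
        f(subject, obj, a) for f in (blp_allows, biba_allows) for a in ("read", "write")
    )


if __name__ == "__main__":
    alice = Entity("alice", "Secret")  # constructed sample subject
    # Constructed sample objects: one below and one above alice's level.
    for obj in (Entity("budget", "Confidential"), Entity("war-plan", "Top Secret")):
        blp_r, blp_w, biba_r, biba_w = decisions(alice, obj)
        print(f"{alice.name}({alice.level}) -> {obj.name}({obj.level}): "
              f"BLP read={blp_r} write={blp_w} | Biba read={biba_r} write={biba_w}")
```

Run it and note that every decision flips between the two models: the Secret subject may read the Confidential object under BLP but not under Biba, and may write to the Top Secret object under BLP but not under Biba.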

Frequently Asked Questions

What is the Mile2 CISSO exam format?

The Mile2 CISSO exam consists of 100 multiple-choice questions with a 70% passing score (70 correct answers). It is delivered online through Mile2's Learning Management System. Two exam attempts are included in the CISSO Exam Combo package. Both standard and ANSI/DoD 8140 proctored formats are available.

What domains does the Mile2 CISSO cover?

The CISSO covers 19 modules: Risk Management, Security Management, Identification and Authentication, Access Controls, Security Models and Evaluation Criteria, Operations Security, Vulnerability Assessments, Symmetric Cryptography and Hashing, Network Connections, Network Protocols and Devices, Telephony/VPNs/Wireless, Security Architecture and Attacks, Software Development Security, Database Security, Malware and Software Attacks, Business Continuity, Disaster Recovery, Incident Management/Law/Ethics, and Physical Security.

Is the Mile2 CISSO DoD 8140 approved?

Yes, the Mile2 CISSO is approved under the DoD 8140 (formerly DoD 8570) framework, making it a recognized credential for government and defense contractor security roles requiring compliance with that directive.

How does the CISSO compare to the CISSP?

The Mile2 CISSO is designed as structured preparation for the CISSP. It covers a similar breadth of IS security management knowledge across overlapping domains. The CISSO is considered an intermediate certification, while the CISSP (ISC² exam) requires 5 years of experience and is broadly recognized as the premier senior security management credential.

Who should pursue the Mile2 CISSO?

The CISSO targets Information Systems Security Officers, IS Managers, Risk Managers, Auditors, System Owners, and Government employees who need a broad IS security management credential. It is also suitable for IT professionals preparing for the CISSP.

What is the best way to prepare for the Mile2 CISSO?

Candidates should study all 19 course modules, focusing on quantitative risk analysis (ALE/SLE/ARO calculations), access control models (Bell-LaPadula, Clark-Wilson, RBAC, ABAC), cryptography (symmetric, asymmetric, PKI), network security (firewalls, DMZ, VPNs), and BCP/DR planning (BIA, MTD, RTO, RPO). Practice questions with detailed explanations help reinforce applied knowledge.