CISSP PRACTICE QUESTIONS – 20200128

Effective CISSP Questions

To address security concerns, you align the software development life cycle to ISO 15288, which consists of four families or groups of system life cycle processes: agreement, organizational project-enabling, technical management, and technical processes. Which of the following belongs to the process family, Technical Processes?
A. Configuration Management
B. Life Cycle Model Management
C. Quality Assurance
D. Business or Mission Analysis

CISSP PRACTICE QUESTIONS – 20200127

Effective CISSP Questions

Your organization adopts the NIST FARM risk management approach to frame, assess, respond to, and monitor risks that arise from a variety of sources or tiers such as information systems, business processes, or the organization. As a CISO, you are considering the governance structures from the organizational perspective to address risk. Which of the following is not your primary concern?
A. Strategies for internal development and external acquisition of IT products
B. Risk management strategy
C. Approaches to replacing legacy information systems
D. Enterprise Architecture

Risk Assessment “Slash” Analysis?

[Figure: Risk Assessment in NIST FARM (source: NIST SP 800-30 R1)]

[Figure: Risk Assessment in ISO 31000]

According to NIST SP 800-30 R1, risk assessment is the process of identifying, estimating, and prioritizing information security risks. This definition matches the one in ISO 31000; estimating refers to the analysis, while prioritizing refers to evaluation.

However, the guideline uses two terms in the risk assessment process that may confuse people: assessment approach and analysis approach.

  • Assessment approach: e.g., quantitative, qualitative, or semi-qualitative
  • Analysis approach: e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented

[Figure: Risk Framing Components]

The assessment approach defined in the Frame stage should apply to the “risk assessment process” as a whole, while the analysis approach should refer to the approach used to “estimate” risk as a part of the risk assessment process.

[Figure: NIST FARM assessment methodology; FIGURE 2: RELATIONSHIP AMONG RISK FRAMING COMPONENTS (NIST SP 800-30 R1)]

[Figure: NIST FARM assessment process; FIGURE 5: RISK ASSESSMENT PROCESS (NIST SP 800-30 R1)]

Risk Assessment “Slash” Analysis?

It seems that both ISO and NIST distinguish risk assessment from risk analysis. However, it’s common for people to use them interchangeably. I think it’s a good practice to use them precisely.

Security Control Assessment (SCA)

CISSP PRACTICE QUESTIONS – 20200126

Effective CISSP Questions

You learned from the news that the World Health Organization (WHO) is closely monitoring a novel, deadly coronavirus that is spreading. As a CISO, which of the following will you do first?
A. Implement an emergency update of the latest antivirus signatures
B. Conduct the exercise of the Occupant Emergency Plan (OEP)
C. Enable the incident response plan and security incident response team
D. Review and test the business continuity plan (BCP)

CISSP PRACTICE QUESTIONS – 20200125

Effective CISSP Questions

As a CISSP working for a direct bank based in Taiwan that relies entirely on internet banking, you are participating in a development meeting for threat modeling the customer relationship management (CRM) system, a web application. A member identifies an attack vector in which malicious users might manipulate query parameters in the URL, resulting in a server-side buffer overflow. Which of the following should be conducted first?
A. Replace the static array used as the buffer with a dynamic one
B. Refer to the OWASP Top 10 for suggested solutions
C. Evaluate how easy it is for a malicious user to do so
D. Authenticate every user input