CISSP PRACTICE QUESTIONS – 20201027

Effective CISSP Questions

You are concerned about stealthy threat actors, such as nation-states or state-sponsored groups, who gain unauthorized access to organizational networks and remain undetected for an extended period in order to conduct large-scale, targeted intrusions for specific goals. Which of the following is the best way to discover and hunt this type of attack?
A. Have security analysts conduct analysis with data from various sources
B. Create microsegments and establish a software-defined perimeter
C. Implement an anomaly-based intrusion prevention system
D. Install a hardened padded cell with anonymized data to observe attackers


CISSP PRACTICE QUESTIONS – 20201026

Effective CISSP Questions

You intend to monitor, detect, and prevent unknown malicious traffic on your network. Which of the following is the best solution?
A. An appliance that authenticates devices to grant network access
B. A host that examines and filters network packets between zones
C. A device that imitates a legitimate server and behaves like “baiting” a suspect
D. A node that blocks traffic by comparing a sample of traffic against a known baseline


CISSP PRACTICE QUESTIONS – 20201025

Effective CISSP Questions

You found out that your organization engages in fraud and violates laws and regulations. Which of the following is the best way for you to report the fraud?
A. Act based on the roles and responsibilities defined in the whistleblowing program policy
B. Refer to the program plan of corporate compliance and ethics
C. Look up the employee manual
D. Report to the regulatory authority


CISSP PRACTICE QUESTIONS – 20201024

Effective CISSP Questions

Identifying, analyzing, and prioritizing business continuity requirements is crucial to initiating the business continuity management (BCM) program. Which of the following should be conducted first?
A. Determining the scope of the BCM program
B. Understanding the organization and its context
C. Understanding the needs and expectations of stakeholders
D. Developing project plans


Establishing Policy Framework as Due Diligence

John Smith posted an interesting question about the policy framework and due diligence today, which I address as follows:

Due diligence, generally speaking, is a cautious investigation that informs decision-making or a course of proactive and preemptive actions. Due care is the reasonable care a prudent person would use to implement the decision, exercise one’s duties, or conduct any activities; negligence, that is, failing to exercise due care, might lead to litigation.

Due diligence can be explicitly measured against a standard, while due care is implicit and determined by court judges.

Standard of Due Diligence

The definition of due diligence varies across contexts and industries. There should be a “standard of due diligence” for each context to measure whether due diligence has been fulfilled. For example, a lawyer is subject to legal due diligence. Kayode Omosehin, Esq. has a good explanation of this topic.

However, when it comes to information security, what is the standard of “security due diligence,” and who is subject to that standard? The CISSP CBK 4th edition proposes a list of tasks, as the following diagram shows:

Policy Framework

Management is typically in charge of creating policies, standards, and procedures (the policy framework). IMO, setting up the policy framework is management’s due diligence: policies stand for management intention, and the fact that policies entail informed decisions makes them proactive in nature.