CISSP PRACTICE QUESTIONS – 20190501


You are the new CISO of an international trading company and came on board only recently. Which of the following is your first and foremost concern?

A. Salary and benefits package
B. The role and responsibility (R&R) of CISO
C. To develop and implement an information security strategy
D. To elicit business and security requirements, and develop an information security program and supporting policies

Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications. 

My suggested answer is B. The role and responsibility (R&R) of CISO.


CISSP PRACTICE QUESTIONS – 20190430


In an executive meeting, the vice president (VP) of manufacturing, the data owner of the material requirements planning (MRP) system, and the VP of sales, the data owner of the online shopping website, are each arguing for the criticality of the underlying information systems that process their data and support their business processes. Both of them believe their own business processes are more critical and should be recovered first in case of a disaster. As a CISO, what should you do?

A. Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.
B. Take importance and urgency into consideration, and implement a hot site for the business processes with higher priority and a cold site for the ones with lower priority.
C. Prepare a disaster recovery plan (DRP) based on the recovery time objective and recovery point objective.
D. Prepare a business continuity plan (BCP) and a business case with alternatives to implement a hot site to support both MRP and the online shopping website.


Common Criteria – Evaluation Assurance Level


  • A Target of Evaluation (TOE) under the Common Criteria can provide different levels of assurance. The most crucial factor is whether it is engineered from a design.
  • If a TOE lacks a design, its EAL will be under 3, while a TOE with a design will be methodically reviewed.
  • The EAL of a TOE with a design depends on whether it is semi-formally or formally designed. A formal design is usually based on a mathematical model.

Informed Decisions

You are the CISO of an IC design house and report to the CEO directly; the confidentiality of customer privacy and research and development data is the primary concern. The use of any USB device violates the acceptable usage policy (AUP). A customer account manager reports that many crucial customers are complaining about the efficiency of uploading files to the company’s file server. He suggests that the data could be transferred using a USB flash drive to streamline the collaboration process. As a CISO, what should you do FIRST?

A. Add an exception to the acceptable usage policy (AUP) to allow the use of USB flash drives, as security is a business enabler. Helping the business deliver value is the ultimate responsibility of a CISO.
B. Reject the suggestion because it violates the acceptable usage policy (AUP), and the use of USB flash drives is highly risky.
C. Side with the account manager and submit a proposal in favor of the suggestion to the CEO.
D. Prepare a business case and submit it to the CEO for final approval.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Prepare a business case and submit it to the CEO for final approval.


CISSP Practice Questions


1. A covert timing channel undermines which of the following security objectives?

A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation

2. When you are concerned with the issue of data loss and errors during transmission between applications on your industrial control system (ICS) network, you are considering issues in which layer of the ISO Open Systems Interconnection (OSI) Reference Model?

A. Logical Link Control (LLC) Layer
B. Transport Layer
C. Network Layer
D. Internet Layer

3. When you are considering the issue of identifying and numbering networks and hosts, and the transmission path between two hosts, you are considering issues in which layer of the ISO Open Systems Interconnection (OSI) Reference Model?

A. Logical Link Control (LLC) Layer
B. Transport Layer
C. Network Layer
D. Internet Layer

4. When you are considering the issue of identifying and numbering networks and hosts, and the transmission path between two hosts, you are considering issues in which layer of the TCP/IP Model?

A. Logical Link Control (LLC) Layer
B. Transport Layer
C. Network Layer
D. Internet Layer

5. You are the CISO of an IC design house and report to the CEO directly; the confidentiality of customer privacy and research and development data is the primary concern. The use of any USB device violates the acceptable usage policy (AUP). A customer account manager reports that many crucial customers are complaining about the efficiency of uploading files to the company’s file server. He suggests that the data could be transferred using a USB flash drive to streamline the collaboration process. As a CISO, what should you do FIRST?

A. Add an exception to the acceptable usage policy (AUP) to allow the use of USB flash drives, as security is a business enabler. Helping the business deliver value is the ultimate responsibility of a CISO.
B. Reject the suggestion because it violates the acceptable usage policy (AUP), and the use of USB flash drives is highly risky.
C. Side with the account manager and submit a proposal in favor of the suggestion to the CEO.
D. Prepare a business case and submit it to the CEO for final approval.

6. You are the CISO of a multinational trading company. Your company operates a large-scale website selling products to global consumers. A network intrusion detection system (IDS) is implemented to detect abnormal traffic and potential attacks. Your incident response (IR) team receives a report from users that the website is not available and shows HTTP error 404. An IR team member suspects that it’s a distributed denial of service (DDoS) attack, but the IDS didn’t trigger any alert. What action should the IR team take FIRST?

A. Document the incident in the incident management system.
B. Inform the contracted internet service provider and ask it to mitigate the DDoS traffic.
C. Analyze the incident report from the end user and notify senior management.
D. Ask the end user for more details to understand the actual situation.

7. In an executive meeting, the vice president (VP) of manufacturing, the data owner of the material requirements planning (MRP) system, and the VP of sales, the data owner of the online shopping website, are each arguing for the criticality of the underlying information systems that process their data and support their business processes. Both of them believe their own business processes are more critical and should be recovered first in case of a disaster. As a CISO, what should you do?

A. Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.
B. Take importance and urgency into consideration, and implement a hot site for the business processes with higher priority and a cold site for the ones with lower priority.
C. Prepare a disaster recovery plan (DRP) based on the recovery time objective and recovery point objective.
D. Prepare a business continuity plan (BCP) and a business case with alternatives to implement a hot site to support both MRP and the online shopping website.

8. You are the new CISO of an international trading company and came on board only recently. Which of the following is your first and foremost concern?

A. Salary and benefits package
B. The role and responsibility (R&R) of CISO
C. To develop and implement an information security strategy
D. To elicit business and security requirements, and develop an information security program and supporting policies

9. Jack logged into an online book store, amazz-books.com, using his Google Account. Which of the following refers to the client in terms of federated identity?

A. Jack
B. amazz-books.com
C. Google
D. The browser Jack is using

10. Which of the following provides the most flexible access control?

A. A subject asserting an unmarried status
B. A subject with the Top Secret clearance
C. A subject with need-to-know
D. A subject assigned to the Admin role


Business Mindset Sample Question


You are the CISO of an IC design house and report to the CEO directly; the confidentiality of customer privacy and research and development data is the primary concern. The use of any USB device violates the acceptable usage policy (AUP). A customer account manager reports that many crucial customers are complaining about the efficiency of uploading files to the company’s file server. He suggests that the data could be transferred using a USB flash drive to streamline the collaboration process. As a CISO, what should you do FIRST?

A. Add an exception to the acceptable usage policy (AUP) to allow the use of USB flash drives, as security is a business enabler. Helping the business deliver value is the ultimate responsibility of a CISO.
B. Reject the suggestion because it violates the acceptable usage policy (AUP), and the use of USB flash drives is highly risky.
C. Side with the account manager and submit a proposal in favor of the suggestion to the CEO.
D. Prepare a business case and submit it to the CEO for final approval.

This post, Informed Decisions, states the justification.

CISSP PRACTICE QUESTIONS – 20190422

Incident Response Process

You are the CISO of a multinational trading company. Your company operates a large-scale website selling products to global consumers. A network intrusion detection system (IDS) is implemented to detect abnormal traffic and potential attacks. Your incident response (IR) team receives a report from users that the website is not available and shows HTTP error 404. An IR team member suspects that it’s a distributed denial of service (DDoS) attack, but the IDS didn’t trigger any alert. What action should the IR team take FIRST?

A. Document the incident in the incident management system.
B. Inform the contracted internet service provider and ask it to mitigate the DDoS traffic.
C. Analyze the incident report from the end user and notify senior management.
D. Ask the end user for more details to understand the actual situation.


The Reference Monitor Concept

When studying Domain 3, Security Architecture and Engineering, of the CISSP CBK, it is not uncommon for CISSP aspirants to be confused by the concept of the reference monitor. The following is a summary of my study of the Orange Book to clarify it.

  • The Anderson Report
    • October 1972
    • James P. Anderson & Co.
  • Reference Monitor
    • Enforces the authorized access relationships between subjects and objects of a system.
  • The Reference Validation Mechanism
    • An implementation of the reference monitor concept.
    • Must be tamper-proof, always invoked, and small enough to be analyzed and tested.
  • Security Kernel
    • Early examples of the reference validation mechanism were known as security kernels.
  • References

PS. The Access Control Matrix is mentioned in the Official CISSP Study Guide, 8th edition, by Sybex, and in the AIO by Shon Harris. The textbook Operating System Concepts, 9th edition, by Wiley, also introduces the Access Matrix model. However, neither appears anywhere in the Orange Book, whereas “self/group/public controls” and “access control lists” do. That’s why I chose to put “Access Control List” on the diagram instead of “Access Control Matrix.”
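To make the three reference validation mechanism properties concrete, here is an added illustration (my own example, not from the Orange Book or any CISSP text): a minimal mediation point that decides every access through Orange Book style self/group/public controls, records each decision for audit, and is the only path to object contents, so it is always invoked. The subjects, objects and modes are constructed for the demonstration; "tamper-proof" is approximated with frozen records and a read-only policy view, which is as far as a user-space Python sketch can go.

```python
from dataclasses import dataclass
from enum import Flag, auto
from types import MappingProxyType

class Mode(Flag):
    READ = auto()
    WRITE = auto()

@dataclass(frozen=True)   # frozen: a loaded policy record cannot be altered in place
class Subject:
    name: str
    groups: frozenset

@dataclass(frozen=True)   # Orange Book "self/group/public controls": one mode set per class
class Obj:
    name: str
    owner: str
    group: str
    self_mode: Mode
    group_mode: Mode
    public_mode: Mode

class ReferenceValidationMechanism:
    # The single, small mediation point; every decision is appended to an audit list.
    def __init__(self, objects):
        self._policy = MappingProxyType({o.name: o for o in objects})  # read-only view
        self.audit = []
    def check(self, subject, obj_name, mode):
        obj = self._policy.get(obj_name)
        if obj is None:
            granted = Mode(0)                    # unknown object: deny by default
        elif subject.name == obj.owner:
            granted = obj.self_mode
        elif obj.group in subject.groups:
            granted = obj.group_mode
        else:
            granted = obj.public_mode
        allowed = mode in granted
        self.audit.append((subject.name, obj_name, mode.name, allowed))
        return allowed

class SecureStore:
    # Object contents are reachable only through access(), so the RVM is always invoked.
    def __init__(self, rvm, contents):
        self._rvm, self._data = rvm, dict(contents)
    def access(self, subject, name, mode, value=None):
        if not self._rvm.check(subject, name, mode):
            raise PermissionError(f"{subject.name} may not {mode.name} {name}")
        if mode is Mode.WRITE:
            self._data[name] = value
        return self._data[name]
```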

Thanks go to Dr. D. Cragin Shelton.

The following links provide more information: