It’s quite interesting that almost every CISSP aspirant learns the CIA triangle (Confidentiality, Integrity, and Availability) but just a few know why they need to know about it.
It seems to be a simple or straightforward question. However, it lays the foundation of information security and risk management and plays a vital role on your way to success in the CISSP exam.
Why do you think it’s imperative to learn about the CIA triangle? Your feedback and comments are always welcome!
Which criteria is the most important consideration for the selection and deployment of a biometric authentication system?
A. Crossover error rate (CER) or Equal error rate (ERR)
B. processing speedI’m a little bit confused
Shon Harris 5th e
This question is a post from Ehab Badawi in Luke’s SNT group on 2019/05/04 6:59 AM Taipei Standard Time.
It seems to be a simple question at first glance. However, I would prefer B to A. It deserves more attention to think about the criteria for the selection and deployment of a biometric authentication system.
The accuracy of a biometric system can be evaluated by using well-known performance indicators, e.g., False Accept Rate (FAR), False Reject Rate (FRR), and Equal Error Rate (EER).
The value of the EER can be easily obtained from the ROC (relative operating characteristic) curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is the most accurate.
Based on the information above, EER or accuracy is an essential factor to consider when selecting a biometric authentication system.
However, when evaluating a biometric authentication system, there are other factors to consider, such as cost, acceptability, and so forth. Processing speed affects acceptability. Let’s consider the following case:
If our criteria to purchase a biometric authentication system is EER < 0.3 and Processing speed >= 15000. System A and B are the qualified alternatives. In general, we will select and deploy System A as it has a higher processing speed. In this case, the processing speed would be more decisive or more important.
So, which one is the most important consideration? EER or processing speed? And what does “important” mean? Undoubtedly, we have to take both of them into account to select and deploy a biometric authentication system.
I would treat EER as a selection criterion while processing speed the deployment criterion. EER depends on use cases, security first or convenience first; processing speed affects system throughput and user acceptability. In practice, I would prefer to choosing a system with higher processing speed from alternative systems with similar or equal EER. That’s why I prefer B to A, even though it seems that Answer A, CER or ER, is a more popular answer.
References
You are the head of the research and development (R&D) department of a pharmaceutical company and the Product Owner of the Scrum team developing an application that handles the most sensitive data for your department. You are concerned with the protection of the application data stored in the database. As a product owner, how do you address the concern of data confidentiality in the database?
A. Assign any development team member to develop a proprietary cryptographic module to encrypt the data in the database.
B. Assign the most senior development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.
C. Outsource the task to a professional cryptographic vendor and require them to use a standard cipher that is openly reviewed and certified.
D. Add the encryption requirement of a standard cipher that must be openly reviewed and certified, into the product backlog and let the development team decide the implementation details.
PS. Scrum is quite popular these days. It’s good for security professionals to fulfill the security by design principle in the context of the agile setting, while Scrum is one of the mainstream frameworks.
Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
This post is the justification of the Cryptography Practice Question. The recommended answer is A, Task a development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.
It is a proprietary cryptographic solution to develop a cryptographic module in-house or use one without public review and certification, and it is a way of “security through obscurity” which doesn’t follow the Kerckhoffs’s principle or Shannon’s maxim.
The concept of Kerckhoffs’s principle and Shannon’s maxim is widely embraced by cryptographers, as it is believed to be a more effective and secure way than “security through obscurity.”
The FIPS 140-2, Federal Information Processing Standard (FIPS) Publication 140-2, is a U.S. government computer security standard used to approve cryptographic modules. This standard specifies the security requirements that will be satisfied by a cryptographic module. FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4”. It does not specify in detail what level of security is required by any particular application.
References
You are a development team member of the Scrum team developing an application that handles the most sensitive data for the research and development department in your company. You are considering the protection of the application configurations in storage to follow the security by design principle. After some research, you are aware that some protection mechanisms are broken and insecure. e.g. WEP and DES. How should you do to protect your application configurations in storage?
A. Task a development team member to develop the application code utilizing a standard cipher that is openly reviewed and certified.
B. Task the most senior engineer to develop a symmetric cipher and classify it as the most sensitive asset.
C. Task the most senior engineer to develop an asymmetric cipher and classify it as the most sensitive asset.
D. Hire an implementation subject matter expert with the Ph.D. degree to develop an asymmetric cipher and classify it as the most sensitive asset.
Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
This post is the justification of the Business Continuity Practice Question. The recommended answer is A, “Facilitate the process for the determination of the maximum tolerable downtime, and invite the VP of information technology to commit to the recovery time objective and recovery point objective.”
This question is designed based on the Topic 1.7 Identity, analyze, and prioritize Business Continuity (BC) requirements in Domain 1 of the CISSP exam outline.
Enterprises are doing business to deliver value, or business is all about delivering value. Common factors affecting value delivery are people, process, technology, and so forth. A process delivering value is commonly called business process. The basic idea behind the concept of business continuity is to recover critical business processes subject to the limited enterprise resources available in case of a disruptive incident or disaster.
Based on the statements above, we can conclude some key points as follows:
It’s ineffective for IT people to conduct any disaster recovery planning before the critical business processes are determined, not to mention making decisions on alternative sites, e.g., mirror site, hot site, warm site, or code site, you name it.
The essence of business impact analysis (BIA) is to identify critical business processes and the impact in case of a disaster. MTDs of business processes are the most important output of BIA. RTO and RPO are objectives guiding the DRP; both of them are derived from MTD and negotiated between the business and IT people. In other words, RTO and RPO are commitments of IT to the business to fulfill the MTD requirement.
So, what about the business continuity planning process and the role of CISO? They vary from business to business. It’s not uncommon for a CISO as a coordinator or facilitator to facilitate the BIA process. This reemphasizes the importance of the R&R of CISO.
I won’t recommend Answer B, C, and D as the correct answers mainly because the decision about the hot site or cold site are made before the critical business processes are identified and not justified with any cost/benefit analysis.
You are the new CISO of an international trading company and just got on board recently. Which of the following is the first and most concern for you?
A. Salary and benefits package
B. The role and responsibility (R&R) of CISO
C. To develop and implement an information security strategy
D. To elicit business and security requirements, and develop an information security program and supporting policies
Kindly be reminded that the recommended answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.