CISSP PRACTICE QUESTIONS – 20190831

CISSP Practice Questions

Your company is engineering an information system to support the new business of selling toys online. As a security professional, you are working with the development team to review the design for flaws in the threat modeling process. Which of the following will you LEAST use in the process of identifying potential threats or design flaws?
A. Misuse case
B. STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege)
C. DREAD (Damage, Reproducibility, Exploitability, Affected Users, and Discoverability)
D. CWE (Common Weakness Enumeration)

CISSP PRACTICE QUESTIONS – 20190830

CISSP Practice Questions-red

  1. Your company is engineering an information system to support the new business of selling toys online. As a security professional, you recommend following the ISO/IEC/IEEE 15288 standard (Systems and software engineering – System life cycle processes) to ensure the use of secure information system development processes. You also emphasize that “Information Management” is one of the most critical processes. To which of the following process families does the “Information Management” belong?
    A. Agreement Processes
    B. Organizational Project-Enabling Processes
    C. Technical Management Processes
    D. Technical Processes
  2. Your company is engineering an information system to support the new business of selling toys online. As a security professional, in which phase should you ensure the use of secure information system development processes according to the System Development Life Cycle (SDLC) from the National Institute of Standards and Technology (NIST)?
    A. Initiation
    B. Development/Acquisition
    C. Implementation/Assessment
    D. Operations and Maintenance

CISSP PRACTICE QUESTIONS – 20190829

CISSP Practice Questions-green

1. Which of the following best describes “management intent”?
A. Mission
B. Goals
C. Strategy
D. Policy

2. Which of the following best describes the idea of the strategic alignment of the security function?
A. Create a dedicated CISO position and delegate information security to the CISO.
B. Raise the awareness of the CEO and the board of directors that they are liable for including information security in the corporate strategy agenda.
C. Mitigate risks to the level acceptable to senior management to achieve confidentiality, integrity, and availability.
D. Govern or manage information security with a business mindset to deliver value.

CISSP PRACTICE QUESTIONS – 20190828

CISSP Practice Questions

Your organization implements mandatory access control based on the Bell-LaPadula Model, which doesn’t support the strong star property, an alternative to the star property. There is a printer, classified as Top Secret, in your organization. Bob is a middle officer with a security clearance of Secret. He is also subject to both the simple security property and the star property defined in the Bell-LaPadula Model. Can Bob print his report to the printer classified as Top Secret?
A. Yes. The Bell-LaPadula Model does not prohibit this type of information flow.
B. Yes. The Bell-LaPadula Model allows reading data from a higher level of sensitivity.
C. No. The Bell-LaPadula Model prohibits reading data from a higher level of sensitivity.
D. No. The Bell-LaPadula Model prohibits writing data to a lower level of sensitivity.

CISSP PRACTICE QUESTIONS – 20190827

CISSP Practice Questions

Your company is engineering an information system (the system) to support the new business of selling toys online. As a security professional, you are a member of the engineering project team and are responsible for ensuring that the security needs are addressed properly and that the information system complies with the security policies of your company. The project was kicked off last week. Which of the following should be determined first?
A. Categorize the system based on the impact if it is compromised
B. Select appropriate security controls from certain control frameworks
C. Scope and tailor the security controls based on business requirements
D. Evaluate the value of the data processed by the system and the impact in case the data is breached

Good Q4 of 2019 is coming!

I am committed to being a professional instructor and coach, and that is the driver for me to pass six ISC2 certification exams (CISSP, CSSLP, CCSP, ISSEP, ISSMP, and ISSAP) in 99 days last year (2018), all at the first attempt.

After recovering from eye surgery recently, I started to promote my classroom-based CISSP courses in Taiwan. To demonstrate my efforts and achievement, I decided to hang those certificates on the office wall today, only to find out that I’ve forgotten I didn’t receive the ISSAP and ISSMP certificate packages yet.

OMG, it seems that I have to wait for another 3 months to receive my certificates.

I will keep posting to share my experience. If you have any questions, please feel free to post them in my Facebook group, the Effective CISSP. Thanks for your attention.