You are the development team leader and recently found your nightly build failed from time to time. Eve was a disgruntled developer in your team and quit last month. She is responsible for part of the solution and not authorized to integrate the solution. She installed a program running under the local system privilege to delete, on Monday midnights, some source code in the local code repository pushed to the central code repository to be integrated.

1. What is the program installed by Eve called?
A. Encapsulation
B. Maintenance hook
C. Multipartite
D. Logic bomb

2. You decide to conclude that Eve is accountable for the failures of the nightly builds. Which of the following is the least important?
A. Authentication
B. Authorization
C. Auditing
D. Non-repudiation

Continue reading →

Discovery

Discovery is the pre-trial phase in a lawsuit in which each party investigates the facts of a case, through the rules of civil procedure, by obtaining evidence from the opposing party and others by means of discovery devices including requests for answers to interrogatories, requests for production of documents and things, requests for admissions, and depositions.

Source: HG.org

1. Requests for answers to interrogatories
2. Requests for production of documents and things
3. Requests for admissions
4. Depositions

Electronic discovery

Electronic discovery or “e-discovery” refers to discovery of information stored in electronic format (often referred to as Electronically Stored Information, or ESI).

Videos

• How to end a deposition by Harvey Specter
• Sam Destroys At A Deposition
• Suits: Katrina And Brian Sink A Deposition (1:09)

Source

• https://www.hg.org/legal-articles/what-is-discovery-in-a-civil-case-30930

Your company is procuring computer systems to support the new business of video streaming services. You are responsible for ensuring the computer systems are compliant with the security policies in your company. Which of the following is your most concern?
A. Trusted Computing Base
B. System Design Flaws
C. Security Kernel
D. Implicit Covert Channels

Continue reading →

Information Security Governance

Information Security Governance

As a CISO, how do you govern information security? What are governance, risk, and compliance?

The Amicliens InfoSec Conceptual Model is a blueprint for you to prepare for the CISSP exam, while the Information Security Governance blueprint guides you through your CISM journey.

After risk assessment, your company assigned you to prepare a disaster recovery plan to handle the identified disasters. A hot site, warm site, and cold site are common alternatives to the primary site. You are considering the backup site alternatives when preparing the disaster recovery plan. Which of the following will be your most concern?
A. Risk Appetite
B. Management Buy-in
C. Maximum Tolerable Downtime
D. Recovery Time Objective

Continue reading →

Effective CISSP

It doesn’t matter how much you have read,
what really matters is how much you have learned.

1. Understand every single term in the CISSP Exam Outline.
2. Use the ISC2 official study guide. (comprehension over memorization)
3. Read NIST and references suggested by ISC2. (a mile wide, an inch deep)
4. Do at least 2500 practice questions. (quality over quantity)
5. Follow Wentz’s blog and join his Effective CISSP Facebook group.
6. Take the exam within 6 months.

The CISSP Exam

• 8 Domains
• 63 Tasks
• 207 Subtasks

Click to access CISSP-Detailed-Content-Outline.pdf

ISC2 Access Control Types

Controls, Security Controls, and Access Controls?

Security Controls are grouped into 18 families according to NIST SP800-53, 14 categories in ISO 27002, and 3 categories (Administrative, Technical, and Physical) by HIPAA.

The official CISSP study guide, Sybex 8th Edition, defines 7 types of what? Types of “controls” or types of “access controls”? “Controls” are different from “Access Controls”. Access Control is just one of the families or categories in terms of NIST or ISO.

Please refer to page 79 and 582 in the Sybex 8th. You will find out the inconsistent materials.

Related Posts

• Access Control Concepts
• Types of Access Control
• The Core Concept of Access Control
• Access Control Terminologies

Critical Success Factors

The CISSP exam is undoubtedly challenging, but you can manage to succeed as I did.

The following are the critical success factors:

1. Discipline and Commitment
2. SMART Goals and Study Plan
3. Effective Study Materials
4. Effective and Efficient Study Approach

Discipline and Commitment

• Keep studying every day. It’s more effective to study constantly than intermittently.
• Reserve enough funds for your CISSP.

SMART Goals and Study Plan

• Determine your exam date. You don’t have to register and pay for the exam immediately, but I encourage you to do so in the beginning. If you feel that you are not well prepared one week before your exam date, reschedule it.
• Evaluate how many study hours you will spend preparing for the CISSP exam. In my opinion, 250-hour is a ballpark figure for your reference. Work experience related to general management, project management, ITIL foundation, and network essentials helps.

Effective Study Materials

• Get one and only one study guide as your primary source; If you are affordable, a second source isn’t a bad idea. I recommend the ISC2 official study guide from Sybex as the primary.
• Make good use of the practice questions and other resources companioned with the study guide. Typically, you can register the book online to get access to the online practice questions.
• Get a reliable source of questions for more practice.
• Before you sit for the CISSP exam, practice at least 2500 questions.

Effective and Efficient Study Approach

• Keep a constant and stable pace of study.
• Use the top-down approach. Building the high-level conceptual model of information security (your study blueprint) in the first one or two weeks is crucial. Don’t dive into the details in the beginning.
• Weigh concepts over the facts. Please do understand how the principles, processes, lifecycles, and frameworks work and how to apply them in practice. Rote learning or memorizing everything doesn’t work.
• Study information security with a business mindset. Relate what you have learned to your job; that is, study to solve problems and deliver values.

My Journey to Success

• Security Governance
  1. CGEIT, Certified Governance of Enterprise IT
  2. CISM, Certified Information Security Manager
  3. CRISC, Certified in Risk and Information Systems Control
  4. CISA, Certified Information Systems Auditor
• Security Management
  1. CISSP, Certified Information Systems Security Professional
  2. CISSP-ISSEP, Information Systems Security Engineering Professional
  3. CISSP-ISSAP, Information Systems Security Architecture Professional
  4. CISSP-ISSMP, Information Systems Security Management Professional
  5. CCSP, Certified Cloud Security Professional
  6. CSSLP, Certified Secure Software Lifecycle Professional
• Security Technologies
  1. CEH, EC-Council Certified Ethical Hacker v10
  2. ECSA, EC-Council Certified Security Analyst v10

Get Started Your CISSP Journey!

Please refer to the CISSP Starter Page to start your CISSP journey, and join Wentz’s Effective CISSP Facebook group to learn and share together!

• CISSP Starter Page: https://wentzwu.com/cissp
• Effective CISSP: https://www.facebook.com/groups/EffectiveCISSP