CISSP PRACTICE QUESTIONS – 20191101

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The solution architect chooses to implement a RAID storage system composed of high-capacity, high-speed Solid State Disks (SSDs). The development team is developing a security plan for the system. Given that security is a priority concern, which of the following is the best way to deal with data remanence when retiring the disks or the storage system?
A. Degaussing
B. Low-level formatting
C. Multiple passes of overwriting
D. Cryptographic Erase

CISSP PRACTICE QUESTIONS – 20191031

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The development of some software modules will be outsourced to external software vendors. The computer systems, operating systems, and other standard hardware and essential software will be procured as well. Which of the following is least related to the procurement of this project?
A. Common Criteria
B. Vendor’s reputation
C. Zachman Enterprise Framework
D. The Capability Maturity Model Integration (CMMI)

Agile

AGILE

Agile is hot, but there are many misconceptions about it. Frequent delivery of working software, and thus of value, is one of its core concepts. Delivery means handing working software over to customers so that it creates value.

Development progress reports or prototypes are not working software; they create no value because they do not operate in the production environment.

SCRUM

From the perspective of scrum.org, there is no project manager, only a product owner. They call the daily event the Daily Scrum rather than a daily standup meeting.

PERIODIC REVIEW

Periodic review, demonstration, and daily meetings (whether standing or seated) are general management practices. They are not specific to Agile or Scrum.

WATERFALL MODEL

The Waterfall Model delivers at the end of the project. Customers may review a pile of user requirement specification (URS) documents after requirements analysis, and the design phase likewise produces the solution only as design documents. In each phase, customers get nothing tangible until the end of the project.

SPIRAL MODEL

The Spiral Model is an improvement on the Waterfall Model. It still delivers at the end of the project, but it demonstrates prototypes or work products to customers after each iteration, where each iteration can be treated as a small waterfall.

Practice Question: CISSP PRACTICE QUESTIONS – 20191030

Wentz’s Risk Model

Wentz’s Risk Model incorporates the Peacock Model, the Onion Model, the Ring Model, and the Concept of Neutral Risk.

The Concept of Neutral Risk, based on the risk definition of ISO 31000, introduces the business mindset of seizing opportunities and avoiding threats to highlight that information security is not only a business enabler but also a business driver.

The Peacock Model is a notion of information systems that extends the definition given in 44 U.S.C. Sec. 3502. The Onion Model denotes the concept of layered defense, or defense in depth.

The Ring Model is derived from the NIST Generic Risk Model to specify risk in the context of information security.

Asset Valuation

Asset valuation is challenging because of the diversity of stakeholders and assets. Tangible or intangible assets can be valued using one of the following approaches:

  • Original or historical cost
  • Replacement or re-creation cost
  • Potential income
  • Market value
  • Costs incurred due to security incidents

CISSP PRACTICE QUESTIONS – 20191030

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The COO, who doesn’t like surprises, sponsors this initiative, and the reliability of the production system is the priority. He asked for periodic review and demonstration of development progress or prototypes and considered the daily standup meeting favorable. The project team is evaluating the development approach. Which of the following is the best?
A. Waterfall Model
B. Agile
C. Spiral Model
D. SCRUM

Types of Access Control

  1. Directive controls promote security awareness and direct compliant behavior, e.g., policies, posters, and signs.
  2. Deterrent controls discourage violations of security policies and reduce or eliminate the motive for unauthorized behavior, e.g., guards and mantraps.
  3. Preventive controls raise the hurdle and thwart breach attempts, e.g., firewalls, intrusion prevention systems (IPS), and antivirus software.
  4. Detective controls monitor and report potential or ongoing breach attempts, e.g., intrusion detection systems (IDS), honeypots or honeynets, and reviews.
  5. Corrective controls stop breach attempts in order to maintain or restore normal operations or service levels, e.g., trusted recovery and antivirus software quarantining a virus.
  6. Recovery controls recover from disruption and restore normal operations and service levels when breach attempts disrupt operations or services, e.g., backup and restore, system imaging, and shadowing.
  7. Compensating controls provide contingent or alternative protection alongside existing controls. For example, a PIN code serves as a compensating control for Windows Hello facial recognition.