Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The solution architect chooses to implement a RAID storage system composed of high-capacity, high-speed Solid State Disks (SSD). The development team is developing a security plan for the system. Given that security is a priority concern, which of the following best deals with data remanence issues when retiring disks or the storage system?
A. Degaussing
B. Low-level formatting
C. Multiple passes of overwriting
D. Cryptographic Erase



Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The development of some software modules will be outsourced to external software vendors. The computer systems, operating systems, and other standard hardware and essential software will be procured as well. Which of the following is least related to the procurement of this project?
A. Common Criteria
B. Vendor’s reputation
C. Zachman Enterprise Framework
D. The Capability Maturity Model Integration (CMMI)





Agile is hot, but there are many misconceptions about it. Frequent delivery of working software, or of value, is one of its core concepts. Delivery means handing over working software to customers so that it creates value.

Development progress reports or prototypes are not working software; they create no value because they don’t operate in the production environment.


From the perspective of Scrum, there is no project manager but a product owner, and the daily event is called the Daily Scrum instead of a daily standup meeting.


Periodic reviews, demonstrations, and daily meetings (standing or sitting) are general management practices. They are not specific to Agile or Scrum.


The Waterfall Model delivers at the end of the project. Customers may review a pile of user requirement specification (URS) documents after requirements analysis, and the designs, documented as well, as the solution after the design phase. Phase by phase, customers get nothing real until the end of the project.


The Spiral Model is an improvement of the Waterfall Model. It delivers at the end of the project but demonstrates prototypes or work products to customers after each iteration, which can be treated as a small waterfall.

Practice Question: CISSP PRACTICE QUESTIONS – 20191030

Wentz’s Risk Model

Wentz’s Risk Model incorporates the Peacock Model, the Onion Model, the Ring Model, and the Concept of Neutral Risk.

The Concept of Neutral Risk, based on the risk definition of ISO 31000, introduces the business mindset of seizing opportunities and avoiding threats to highlight that information security is not only a business enabler but also a business driver.

The Peacock Model is a notion of information systems that extends the definition given in 44 U.S.C. Sec. 3502. The Onion Model denotes the concept of layered defense, or defense in depth.

The Ring Model is derived from the NIST Generic Risk Model to specify risk in the context of information security.

The Effective CISSP: Security and Risk Management has more!

Asset Valuation

The Peacock

Asset valuation is challenging because of the diversity of stakeholders and assets. Tangible or intangible assets can be valued using the following approaches:

  • Original or historical cost
  • Replacement or re-creation cost
  • Potential income
  • Market value
  • Costs incurred due to the security incidents


Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The COO, who doesn’t like surprises, sponsors this initiative, and the reliability of the production system is the priority. He asked for periodic reviews and demonstrations of development progress or prototypes and considers a daily standup meeting favorable. The project team is evaluating the development approach. Which of the following is the best?
A. Waterfall Model
B. Agile
C. Spiral Model


Types of Access Control

  1. Directive controls promote security awareness and direct compliant behaviors, e.g., policies, posters, and signs.
  2. Deterrent controls discourage violation of security policies and reduce or eliminate the motive of unauthorized behaviors, e.g., guards and mantraps.
  3. Preventive controls raise the hurdle and thwart the breaching attempts, e.g., firewalls, intrusion prevention systems (IPS), and antivirus software.
  4. Detective controls monitor and report potential or undergoing breaching attempts, e.g., intrusion detection systems (IDS), honeypots or honeynets, and reviews.
  5. Corrective controls stop the breaching attempts to maintain or restore normal operations or service level, e.g., trusted recovery and antivirus software (quarantining a virus).
  6. Recovery controls recover from disruption and restore normal operations and service level if breaching attempts disrupt the operations or services, e.g., backup and restore, system imaging, and shadowing.
  7. Compensating controls provide contingent or alternative protection to existing controls. For example, a PIN code compensates for Windows Hello facial recognition.


Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The development team is designing the data model for the SQL database based on the entity-relationship diagram. It splits the comma-separated values (CSV) data stored in a field into multiple fields. Which of the following best describes the process?
A. Split horizon
B. Normalization in 1NF
C. Normalization in 2NF
D. Key clustering


Data Dictionary as a Metadata Repository



Metadata is “data that provides information about other data”. In short, it’s data about data.

Source: Wikipedia


Database Schema

The database schema of a database is its structure described in a formal language supported by the database management system (DBMS). The term “schema” refers to the organization of data as a blueprint of how the database is constructed (divided into database tables in the case of relational databases).

Source: Wikipedia

A database generally stores its schema in a data dictionary. (Wikipedia)

Snowflake Schema

In computing, a snowflake schema is a logical arrangement of tables in a multidimensional database such that the entity relationship diagram resembles a snowflake shape.

Source: Wikipedia

XML Schema

An XML schema is a description of a type of XML document, typically expressed in terms of constraints on the structure and content of documents of that type, above and beyond the basic syntactical constraints imposed by XML itself.

Source: Wikipedia

Data Dictionary

A data dictionary is used to standardize a definition of a data element and enable a common interpretation of data elements.

A data dictionary is used to document standard definitions of data elements, their meanings, and allowable values. A data dictionary contains definitions of each data element and indicates how those elements combine into composite data elements. Data dictionaries are used to standardize usage and meanings of data elements between solutions and between stakeholders.

Data dictionaries are sometimes referred to as metadata repositories and are used to manage the data within the context of a solution. As organizations adopt data mining and more advanced analytics, a data dictionary may provide the metadata required by these more complex scenarios. A data dictionary is often used in conjunction with an entity relationship diagram (see Data Modelling (p. 256)) and may be extracted from a data model.

Data dictionaries can be maintained manually (as a spreadsheet) or via automated



  • Metadata is data about data. It’s not the data itself.
  • Schema is one type of metadata that describes how the data is organized.
  • Data dictionary details may include definitions, relationships with other data, origin, format, and usage.
  • A data dictionary is a collection of metadata conceptually and a repository of metadata physically.
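The points above (the DBMS stores its schema in its own data dictionary; business definitions, relationships, and usage rules are metadata that sit beside that schema) can be seen in working code. The following is an added example, not code from the original post or from any product it cites: it creates a small constructed SQLite schema for the toy-store scenario, reads the structural metadata the DBMS keeps about itself (sqlite_master and the table_info / foreign_key_list PRAGMAs), merges it with a hand-maintained table of business definitions, and reports which data elements still lack an agreed definition. The table names, columns, and descriptions are all assumptions made for the example.

```python
import sqlite3

# Constructed sample DDL for the toy-store scenario (assumption, not the
# post's schema): two tables with keys, constraints, and one foreign key.
SCHEMA_SQL = """
CREATE TABLE customer (
    customer_id INTEGER PRIMARY KEY,
    email       TEXT    NOT NULL UNIQUE,
    country     TEXT    NOT NULL
);
CREATE TABLE purchase_order (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(customer_id),
    total_cents INTEGER NOT NULL CHECK (total_cents >= 0)
);
"""

# Business meaning and handling rules: metadata the DBMS cannot derive from
# DDL, so it is kept in the data dictionary alongside the schema (constructed).
# customer.country is deliberately left out to show the completeness check.
DESCRIPTIONS = {
    ("customer", "customer_id"): "Surrogate key for a registered buyer",
    ("customer", "email"): "Login identifier; personal data, mask in logs",
    ("purchase_order", "order_id"): "Surrogate key for one checkout",
    ("purchase_order", "customer_id"): "Buyer who placed the order",
    ("purchase_order", "total_cents"): "Order total in minor currency units",
}


def build_data_dictionary(conn):
    """Read the schema the DBMS stores about itself and return a data
    dictionary: {table: [element dicts]} with type, nullability, key role,
    foreign-key target and business description for each data element."""
    dictionary = {}
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    for table in tables:
        # PRAGMA foreign_key_list rows: id, seq, table, from, to, ...
        fk_targets = {row[3]: (row[2], row[4]) for row in
                      conn.execute(f"PRAGMA foreign_key_list({table})")}
        elements = []
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        for _cid, name, ctype, notnull, _default, pk in conn.execute(
                f"PRAGMA table_info({table})"):
            elements.append({
                "name": name,
                "type": ctype,
                "nullable": not notnull,
                "primary_key": bool(pk),
                "references": fk_targets.get(name),
                "description": DESCRIPTIONS.get((table, name)),
            })
        dictionary[table] = elements
    return dictionary


def undocumented_elements(dictionary):
    """Elements with no agreed definition: the gaps a data dictionary review
    should close before stakeholders start interpreting a field differently."""
    return [(table, e["name"]) for table, elements in dictionary.items()
            for e in elements if e["description"] is None]


def dictionary_from_ddl(ddl):
    """Load DDL into an in-memory database and derive its data dictionary."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ddl)
    try:
        return build_data_dictionary(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    dd = dictionary_from_ddl(SCHEMA_SQL)
    for table, elements in dd.items():
        print(table)
        for e in elements:
            ref = (f" -> {e['references'][0]}.{e['references'][1]}"
                   if e["references"] else "")
            print(f"  {e['name']:<12} {e['type']:<8} "
                  f"{'NULL' if e['nullable'] else 'NOT NULL':<9}"
                  f"{' PK' if e['primary_key'] else ''}{ref}  "
                  f"{e['description'] or '<undocumented>'}")
    print("undocumented:", undocumented_elements(dd))
```

The structural half of the dictionary is extracted, as the quoted text says it may be, from the data model itself; the business half has to be authored and reviewed. Keeping the two together is what makes the dictionary useful for security work: the description field is where handling rules such as "personal data, mask in logs" are recorded, and the undocumented list is the backlog of elements whose classification nobody has agreed on yet.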

Goals and Objectives

The Hierarchy of Objectives

“Goals” and “Objectives” are often used interchangeably. However, we can use them in a more specific way to communicate effectively.

A goal is a written statement of desired outcomes or future state. It is typically broken down into objectives that are then broken down further to a reasonable level and organized hierarchically. The hierarchy is not limited to two levels. From this point of view, a goal is an upper-level objective (parent) relative to the lower-level ones (children) broken down from it.



Goals
  • Broad
  • Long-term
  • Upper-level
  • Measured by KPIs or KGIs (Key Goal Indicators)

Objectives
  • Specific
  • Short-term
  • Lower-level
  • Measured by KPIs (Key Performance Indicators)


Success is the result of achieving the goal that is measured by key performance indicators (KPIs) or key goal indicators (KGIs). The term KGI comes from COBIT. It distinguishes KGI as a lagging indicator from KPI as a leading indicator. However, it’s not uncommon to use KPI only.

Performance is the progress to the objective or goal through execution.