Effective CISSP Questions

Your company, a Taiwan-based public company, decides to start selling toys online and shipping globally. To penetrate the US market, it sets up a branch company in the United States. The governance model is centralized; only decisions that must comply with local laws and regulations are delegated to the local branch. The local data retention policy of the US branch is different from the local laws and regulations. As a security professional for the local branch, which of the following is the best action?
A. Review the local data retention policy
B. Suggest the local branch follow the policy of headquarters
C. Request corrective actions to be compliant with the local laws and regulations
D. Revise the local policy to meet the requirements of the local laws and regulations

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you get the answer right or wrong. What really matters is your reasoning process and justifications.

My suggested answer is A. Review the local data retention policy.

General Problem Solving Process

Before taking any action to fix anything, one has to determine whether the problem actually exists. Therefore, it is good practice to define the problem and work out a problem statement, then analyze the problem in detail so that alternative solutions can be generated or proposed.

Considering cost and benefit, you select a solution (some will call it the “strategy”) to implement. In an organization, projects or programs are initiated to implement the selected solution or strategy.

To elaborate on a policy, an organization may or may not set standards that not only meet but exceed the requirements of laws and regulations. For example, the data retention policy may be associated with a standard of a 7-year retention period that satisfies a 5-year requirement imposed by law or regulation. The policy is “different” from the legal requirement, but in this situation you don’t have to take any corrective action.

As a result, reviewing the local data retention policy to determine whether it actually violates the laws or regulations is the best action.

9 thoughts on “CISSP PRACTICE QUESTIONS – 20191017”

  1. Steps: review –> make correction

    Revise = review + change to correct something.

    “The local data retention policy of the US branch is different from the local laws and regulations” –> am I right to say this sentence is a conclusion about a retention policy violation? If yes, reviewing is considered done and the next step is to proceed with corrective actions –> should it be C?

    • “Different” means the policy can be higher or lower than the requirements of laws. It does not necessarily violate the law. Sometimes laws or regulations change; organizations shall review their policies and revise them if necessary.

    • I won’t define “revise” as review and take corrective actions. They are distinct steps. Review can be part of the risk assessment process; revision as a corrective action is the risk response. The question emphasizes the importance of risk-based decisions. Review the policy to determine if it violates the law, analyze its likelihood and impact, and determine if it should be mitigated or handled. If so, develop risk response strategies to handle it.

  2. Thanks Wentz, can D be true, as it revises the local policy?
    I understood: revise means review + then correct.

  3. Due to the vagueness of the question, I feel like D is the best answer. Revise does mean to review and take corrective action, which is pertinent in this case, and I expect that is what a manager should do to protect his/her organization.
