CISSP PRACTICE QUESTIONS – 20191028

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The project team identified some risks as follows:
R001 – The company’s reputation might be damaged.
R002 – The business process of shipping might be disrupted.
R003 – The attackers might initiate distributed denial of services (DDOS).
As a security professional, which of the following should be mitigated first?

A. R001
B. R002
C. R003
D. None of the above

CISSP PRACTICE QUESTIONS – 20191027

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The development team is building the front-end user experience (UX) in JavaScript and is evaluating solutions to protect the client-side scripts from being read or reverse-engineered. Which of the following is the best way to do so?
A. Native code compiler
B. Obfuscator
C. Symmetric cipher
D. Code signing

CISSP PRACTICE QUESTIONS – 20191026

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. The system shall support an app on the iOS platform. The development team complains about repeated rejections for security issues when uploading the app to the App Store operated by Apple. Which of the following is most likely employed to test apps uploaded to the App Store?
A. Static Application Security Testing
B. Dynamic Application Security Testing
C. Code Review
D. V-Model Testing

CISSP PRACTICE QUESTIONS – 20191025

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. To streamline the order fulfillment process, the system will be integrated with those of key business partners. The development team is evaluating solutions for exchanging messages, e.g. XML or JSON, between systems in this supply chain integration initiative. Which layer of the ISO OSI reference model is most related to this evaluation?
A. Application
B. Message Exchange (MX)
C. Presentation
D. Transport

The Core Concept of Access Control

In a trusted computing system, the security mechanisms and capabilities that enforce the security policy are collectively called the trusted computing base (TCB). The security kernel is the TCB component that is specifically in charge of access control, i.e. authentication, authorization, and accounting (3A). The security kernel is the implementation of the reference monitor concept introduced in the Anderson report (Computer Security Technology Planning Study), published by James P. Anderson & Co. in October 1972: every access by a subject to an object is mediated by the kernel, the kernel is isolated from tampering, and it is small enough to be verified. The security perimeter separates the components unrelated to security enforcement from those of the TCB.
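The following is an added illustration of the reference monitor concept in code; it is not code from the page or from the Anderson report. A toy security kernel authenticates the subject, authorizes the request against a mandatory access control policy (no read up, no write down), and records every decision, with `access()` as the single choke point. The subjects, secrets, labels and method names are assumptions made for the example.

```python
"""Toy security kernel implementing the reference monitor concept.

Added example, not from the original page. Complete mediation: every access
goes through SecurityKernel.access(); isolation: the object store is private
to the kernel; accounting: every decision is appended to audit_log.
Subjects, secrets and labels below are assumptions for illustration.
"""
from __future__ import annotations

import hmac

# Ordered sensitivity labels (assumed lattice for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


class SecurityKernel:
    """Mediates every subject-to-object access; untrusted code only sees this interface."""

    def __init__(self, credentials: dict[str, str], clearances: dict[str, str]) -> None:
        self._credentials = credentials    # subject -> shared secret (stand-in for real authentication data)
        self._clearances = clearances      # subject -> clearance label
        self._objects: dict[str, tuple[str, str]] = {}   # object -> (classification, content)
        self.audit_log: list[str] = []

    def create(self, name: str, classification: str, content: str = "") -> None:
        """Objects are created with a label; there is no other way to reach them."""
        self._objects[name] = (classification, content)

    # --- authentication ---------------------------------------------------
    def _authenticate(self, subject: str, secret: str) -> bool:
        expected = self._credentials.get(subject)
        return expected is not None and hmac.compare_digest(expected, secret)

    # --- authorization (Bell-LaPadula style MAC) ---------------------------
    def _authorize(self, subject: str, name: str, op: str) -> bool:
        if name not in self._objects or subject not in self._clearances:
            return False
        s = LEVELS[self._clearances[subject]]
        o = LEVELS[self._objects[name][0]]
        if op == "read":
            return s >= o          # simple security property: no read up
        if op == "write":
            return s <= o          # *-property: no write down
        return False               # unknown operation: fail closed

    # --- accounting --------------------------------------------------------
    def _account(self, subject: str, name: str, op: str, decision: str) -> None:
        self.audit_log.append(f"{subject} {op} {name}: {decision}")

    def access(self, subject: str, secret: str, name: str, op: str, data: str | None = None):
        """The single choke point. Returns (granted, result)."""
        if not self._authenticate(subject, secret):
            self._account(subject, name, op, "DENY (authentication failed)")
            return False, None
        if not self._authorize(subject, name, op):
            self._account(subject, name, op, "DENY (policy)")
            return False, None
        self._account(subject, name, op, "GRANT")
        if op == "read":
            return True, self._objects[name][1]
        classification, _ = self._objects[name]
        self._objects[name] = (classification, data or "")
        return True, None


if __name__ == "__main__":
    kernel = SecurityKernel({"alice": "s1", "bob": "s2"},
                            {"alice": "secret", "bob": "unclassified"})
    kernel.create("plan", "secret", "launch friday")
    print(kernel.access("alice", "s1", "plan", "read"))   # granted
    print(kernel.access("bob", "s2", "plan", "read"))     # denied: no read up
    print("\n".join(kernel.audit_log))
```

Note that a write up (bob writing to "plan") is granted but blind: bob never learns the object's content, which is exactly what the *-property is meant to guarantee. In a real kernel the isolation of `_objects` is enforced by hardware (protection rings, memory management), not by a leading underscore.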

CISSP PRACTICE QUESTIONS – 20191024

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. The E-Commerce system that supports the new business will be developed in-house. To streamline the order fulfillment process, the system will be integrated with those of key business partners. The development team is evaluating solutions to address access control between systems in this supply chain integration initiative. As a security professional, which of the following is the best?
A. Identity as a Service (IDaaS)
B. Federated Identity
C. Single Sign-On (SSO)
D. Kerberos

Security Function

What is a Function?

A function is a collection of activities or procedures arranged in a logical way that accepts input and produces output.

An organizational unit or department performs one or more functions to create and deliver value. For example, the functions performed by HR include staffing, development, compensation, safety and health, employee and labor relations, and so forth.

However, a function is not necessarily performed by a department that appears officially in the organizational chart, and the same holds for the security function.

Security Function

A security function is a function that ensures security by applying safeguards to protect assets from threats to achieve confidentiality, integrity, and availability.

For simplicity, a security function can be viewed as an unofficial or virtual security department. A security department performs security functions, but security functions can be performed by any department officially or unofficially.

Large organizations typically institute a dedicated organizational unit or department to perform security functions, while some organizations perform security functions without a formal department. For instance, it is common for organizations to delegate security to the IT department rather than to a dedicated information security department.

CISSP PRACTICE QUESTIONS – 20191023

Effective CISSP Questions

Your company is selling toys online and shipping globally. When signing in to the website, a customer, Jack, forgot his password. He clicked the "Forgot password?" button to reset his password and within two minutes received a password notification email that contained his old password for him to sign in with. Jack called customer service to complain that the web system is insecure because of this email. As a security professional, which of the following is the best suggestion?
A. Implement a self-service portal to reset password
B. Accelerate the delivery speed of password notification emails
C. Employ a one-way function to handle passwords and concatenated random strings
D. Use AES256 to encrypt passwords with salts
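To make concrete what "a one-way function over the password and a concatenated random string" (option C) means in practice, and why a site built that way cannot email anyone their old password, the following is an added example that is not code from the original page. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the record format, the store class and its method names are assumptions for illustration.

```python
"""Salted one-way password storage and a reset flow that never reveals the
old password. Added example, not code from the original page; the store,
its method names and the parameters below are assumptions for illustration."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise as hardware gets faster
SALT_BYTES = 16
RESET_TOKEN_TTL = 15 * 60     # seconds a reset token stays valid (assumed)


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a one-way digest from the password and a random salt.

    The salt is a fresh random string mixed with the password inside PBKDF2,
    so two users with the same password get different records and precomputed
    (rainbow) tables are useless. The record is self-describing and cannot be
    reversed to recover the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal credential store: keeps password records, never plaintext passwords."""

    def __init__(self, now=time.time) -> None:
        self._records: dict[str, str] = {}
        self._reset_tokens: dict[str, tuple[str, float]] = {}   # token_hash -> (user, expiry)
        self._now = now   # injectable clock so expiry can be tested

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        # Verify against a dummy record for unknown users so response time
        # does not reveal whether the account exists.
        return verify_password(password, record or hash_password("", b"\x00" * SALT_BYTES))

    def request_reset(self, user: str) -> str | None:
        """Return a fresh random token to send to the user, never the old password.

        The store holds only one-way digests, so the old password is not
        recoverable even if the site wanted to email it. Only a hash of the
        token is kept, so a leaked table cannot be replayed. (A real site
        would show the same message whether or not the user exists.)
        """
        if user not in self._records:
            return None
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
        self._reset_tokens[token_hash] = (user, self._now() + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token (single use, time limited) and store a new record."""
        token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
        entry = self._reset_tokens.pop(token_hash, None)
        if entry is None:
            return False
        user, expiry = entry
        if self._now() > expiry:
            return False
        self._records[user] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("jack", "Toys4Ever!")          # constructed sample credentials
    print(store._records["jack"])                 # salted digest, not the password
    token = store.request_reset("jack")
    print(store.complete_reset(token, "NewPass#2"), store.login("jack", "NewPass#2"))
```

Contrast this with reversible encryption of passwords (option D): whoever holds the key can decrypt every password, which is precisely what allowed the old password to be emailed. The one-way function removes that capability from the server itself; the reset flow then has to issue a new credential rather than return the old one.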

Governance Practices

Information Security Governance

The board of directors and senior management govern an organization to achieve its ultimate goal: to create and deliver value.

  • They institute the organizational structure and systems to support operations,
  • communicate the organization’s mission and vision to guide direction,
  • set goals to align strategies,
  • optimize resources to realize strategies,
  • monitor performance to respond to changes,
  • manage risks to ensure success, and
  • behave responsibly to uphold integrity.