Effective CISSP Questions

You are a member of the steering committee for the program of the business continuity management system and sitting in a meeting with the agenda of business impact analysis to determine the Maximum Tolerable Period Downtimes (MTPDs) and recovery time objectives (RTOs). All of the following should have been done prior to the meeting except what?
A. Plan for actions to address risks to the effectiveness of the management system
B. Establish the business continuity policy
C. Conduct risk assessment in terms of business activities
D. Understand the organization’s context and interested parties


How do you define “provisioning?”

User Life Cycle

The CISSP exam outline mentioned:

  • 5.7 Manage the identity and access provisioning lifecycle (e.g., provisioning, review)
  • 7.4 Secure the provisioning of resources

My Definition

I roughly define “provisioning” in the context of identity and access management as “the process of creating user accounts and granting privileges across systems in a streamlined or automatic way.”

Imagine that you’re preparing a user account for a new employee. How do you deal with the following systems?

  1. HR system: a detailed employee record
  2. PACS (physical access control system)
  3. Enterprise portal
  4. ERP systems
  5. Cloud services
  6. VDI (Virtual Desktop Infrastructure)

You may have to create several user accounts and credentials (keycards, fobs, smartphone, biometric) and grant privileges across all of the systems mentioned above. Doing it manually takes a lot of time. Moreover, it’s error-prone.

The employee may be promoted, rotated, fired, or resign. The privileges granted have to be updated.

That’s where provisioning comes in handy. It deals with the cumbersome process of creating and changing accounts and privileges through automation.

Provisioning helps streamline identity and access management processes across the account life cycle.
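As an added illustration (not code from the original post), the following Python sketch models the joiner / mover / leaver life cycle described above: one HR role drives the accounts and entitlements in every target system, a role change revokes what the old role had so privileges do not accumulate, termination disables everything in one step, and a review function reports access that the current role does not justify. The system names, role catalogue and user ids are constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed role catalogue (hypothetical): per target system, the entitlements a role needs.
ROLE_ENTITLEMENTS = {
    "warehouse-clerk": {"pacs": {"warehouse-door"}, "portal": {"employee"},
                        "erp": {"inventory-read"}},
    "accountant": {"pacs": {"office-door"}, "portal": {"employee"},
                   "erp": {"gl-post", "ap-approve"}, "cloud": {"finance-bucket"}},
    "developer": {"pacs": {"office-door"}, "portal": {"employee"},
                  "vdi": {"dev-pool"}, "cloud": {"dev-project"}},
}
SYSTEMS = ("pacs", "portal", "erp", "cloud", "vdi")


@dataclass
class Account:
    enabled: bool = True
    entitlements: set = field(default_factory=set)


class Provisioner:
    """Drives the accounts in every target system toward what the HR record says."""

    def __init__(self):
        self.systems = {s: {} for s in SYSTEMS}   # system -> user_id -> Account
        self.roles = {}                           # user_id -> current role (from HR)
        self.audit = []                           # every change, kept for later review

    def reconcile(self, user_id, role):
        """Joiner and mover: make each system match the role, nothing more."""
        self.roles[user_id] = role
        desired = ROLE_ENTITLEMENTS[role]
        for system in SYSTEMS:
            want = desired.get(system, set())
            acct = self.systems[system].get(user_id)
            if acct is None:
                if not want:
                    continue        # the role needs nothing here, so no account is created
                acct = self.systems[system][user_id] = Account()
                self.audit.append(("create", system, user_id))
            acct.enabled = bool(want)   # a system the new role does not need is switched off
            for ent in sorted(want - acct.entitlements):
                acct.entitlements.add(ent)
                self.audit.append(("grant", system, user_id, ent))
            for ent in sorted(acct.entitlements - want):   # old-role privileges do not linger
                acct.entitlements.discard(ent)
                self.audit.append(("revoke", system, user_id, ent))

    def leaver(self, user_id):
        """Termination: disable everywhere in one step; accounts stay for forensics."""
        self.roles.pop(user_id, None)
        for system in SYSTEMS:
            acct = self.systems[system].get(user_id)
            if acct and acct.enabled:
                acct.enabled = False
                acct.entitlements.clear()
                self.audit.append(("disable", system, user_id))

    def review(self):
        """Entitlement review: list live access that the HR role does not justify."""
        findings = []
        for system, accounts in self.systems.items():
            for user_id, acct in accounts.items():
                if not acct.enabled:
                    continue
                allowed = ROLE_ENTITLEMENTS.get(self.roles.get(user_id), {}).get(system, set())
                for ent in sorted(acct.entitlements - allowed):
                    findings.append((system, user_id, ent))
        return findings


def demo():
    """Walk one constructed employee through joiner, mover, a hand-granted privilege, and leaver."""
    p = Provisioner()
    p.reconcile("u1001", "warehouse-clerk")                           # joiner
    p.reconcile("u1001", "accountant")                                # mover: promoted into finance
    p.systems["erp"]["u1001"].entitlements.add("vendor-master-edit")  # granted by hand, outside the role
    drift = p.review()                                                # the review catches it
    p.leaver("u1001")                                                 # leaver
    still_enabled = [s for s in SYSTEMS
                     if p.systems[s].get("u1001", Account(enabled=False)).enabled]
    return drift, still_enabled


if __name__ == "__main__":
    print(demo())
```

The point of `reconcile` handling both joiner and mover is that the same code path revokes as well as grants: a rotated or promoted employee ends up with exactly the new role’s access, which is the “review” half of the life cycle the exam outline mentions.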


In telecommunication, provisioning involves the process of preparing and equipping a network to allow it to provide new services to its users. In National Security/Emergency Preparedness telecommunications services, “provisioning” equates to “initiation” and includes altering the state of an existing priority service or capability.

Source: Wikipedia




Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. The project team has finished business and privacy impact analysis. Which of the following security activities should be conducted next?
A. Assess system security
B. Create a detailed plan for certification and accreditation (C&A)
C. Assess risk to the system
D. Review operational readiness



Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing an E-Commerce system that supports the new business. You suspect a former developer deleted some crucial files before leaving the company. Which of the following least helps to attribute the malicious behavior to him?
A. Implement reliable authentication mechanism
B. Grant permissions and rights based on duties
C. Maintain a non-repudiable log
D. Correlate and review the logs in terms of a specific subject or theme



Effective CISSP Questions

Mandatory vacation and job rotation are implemented in your company to detect and prevent corruption. As a security professional, which of the following will you suggest with priority?
A. Conduct user entitlement review periodically
B. Isolate employees from enterprise networks while an audit is under way during their mandatory vacation
C. Provide training and certification courses upon rotation to ensure the new job can be done effectively
D. Require immediate password change when an employee rotates to a new position


Security Association Parameters


Source: IBM Knowledge Center

The range of SPI is 256 to 16383. The default is 0. I am afraid SPI itself is not sufficient to uniquely identify a SA. That’s why a SA is uniquely identified by the three items:

  • Security Parameter Index (SPI)
  • Security Protocol (AH or ESP)
  • Destination IP Address

It’s similar to the concept of a composite key in a relational database: none of the three columns alone is unique, but the combination is.
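To make the composite-key point concrete, here is an added Python example (not from the original post or from the IBM documentation it references). It parses the three identifying fields out of a minimal IPv4 packet carrying AH or ESP, uses the (destination, protocol, SPI) triple as the key into a toy security association database, and shows that an SPI-only lookup is ambiguous as soon as two SAs share an SPI value. The addresses, SA names and packet contents are constructed for the demo; the SPI reservation check follows RFC 4301 (0 for local use, 1 to 255 reserved by IANA), not the product-specific range quoted above.

```python
import struct
from ipaddress import IPv4Address

ESP, AH = 50, 51   # IP protocol numbers for the two IPsec security protocols


def parse_sa_selector(packet: bytes):
    """Return the (destination, protocol, SPI) triple that identifies an inbound SA."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    protocol = packet[9]
    dst = str(IPv4Address(packet[16:20]))
    payload = packet[ihl:]
    if protocol == ESP:
        spi = struct.unpack("!I", payload[:4])[0]      # ESP header: SPI, then sequence number
    elif protocol == AH:
        spi = struct.unpack("!I", payload[4:8])[0]     # AH header: next hdr, len, reserved, SPI
    else:
        raise ValueError("not an AH or ESP packet")
    if spi < 256:   # RFC 4301: 0 is for local use, 1..255 are reserved by IANA
        raise ValueError(f"reserved SPI value {spi}")
    return dst, protocol, spi


def build_packet(dst: str, protocol: int, spi: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 + AH/ESP packet for the demo (no checksum, no real crypto)."""
    if protocol == ESP:
        body = struct.pack("!II", spi, 1) + payload
    elif protocol == AH:
        body = struct.pack("!BBHII", 0, 4, 0, spi, 1) + payload
    else:
        raise ValueError("protocol must be AH or ESP")
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, protocol, 0,
                         IPv4Address("192.0.2.1").packed, IPv4Address(dst).packed)
    return header + body


# Constructed security association database: the same SPI appears three times,
# distinguished only by destination address and security protocol.
SAD = {
    ("198.51.100.10", ESP, 256): "sa-esp-hostA",
    ("198.51.100.10", AH, 256): "sa-ah-hostA",
    ("198.51.100.20", ESP, 256): "sa-esp-hostB",
}


def find_sa(packet: bytes, sad=SAD):
    """Composite-key lookup: exactly one SA, or None if the triple is unknown."""
    return sad.get(parse_sa_selector(packet))


def spi_only_candidates(spi: int, sad=SAD):
    """What a lookup on SPI alone would return: every SA that happens to use that value."""
    return sorted(name for (_, _, s), name in sad.items() if s == spi)


if __name__ == "__main__":
    pkt = build_packet("198.51.100.10", AH, 256)
    print(parse_sa_selector(pkt), "->", find_sa(pkt))
    print("SPI 256 alone matches:", spi_only_candidates(256))
```

Whether a receiver really needs all three fields depends on how it allocates SPIs, but indexing the SAD by the full triple is the safe choice: the lookup can never pick the wrong SA even when SPI values collide.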

Thank you, Chaudhary, for supplementing the details.



Effective CISSP Questions

The incident response (IR) team in your company submitted an urgent human resource request for a security analyst. The job description of a security analyst requires at least five years of work experience and the CISSP certificate. Nawwar is an experienced network engineer with ten years of experience and the CISSP certificate. The head of the IR team proposed to hire Nawwar as soon as possible. As a security professional, which of the following suggestions will you make to the Human Resources department first?
A. Make a contingent offer of employment
B. Ask for drug testing
C. Hire a professional organization to do a criminal background check
D. Conduct a reference check
