What is “Strategy”?

Core Concepts

  • What: mission/vision/objective
    • Long-term
    • Overall
    • Organizational
  • How: plan/approach
    • Initiatives
    • Resources

Strategy

  • plan to achieve a long-term or overall objective (ISO 9000:2015)
  • plan to accomplish the organization’s mission and achieve the organization’s vision (ISO 21001:2018)
  • organization’s overall plan of development, describing the effective use of resources in support of the organization in its future activities
    Note 1 to entry: involves setting objectives and proposing initiatives for action (ISO/IEC/IEEE 24765:2017)
  • organization’s approach to achieving its objectives (ISO 30400:2016)

CISSP PRACTICE QUESTIONS – 20191228

Effective CISSP Questions

The system administrator didn’t exercise due care and neglected the notification sent from the E-Commerce system that the RAID system was being corrupted. Two RAID member disks eventually failed, which disrupted E-Commerce services. Thanks to the established recovery strategy, the E-Commerce system automatically failed over to the alternate hot site in 10 minutes. Which of the following best defines the recovery strategy?
A. Disaster Recovery Plan (DRP)
B. Business Continuity Plan (BCP)
C. Information System Contingency Plan (ISCP)
D. Computer Security Incident Response Plan (CSIRP)


CISSP PRACTICE QUESTIONS – 20191227

Effective CISSP Questions

The system administrator didn’t exercise due care and neglected the notification sent from the E-Commerce system that the RAID system was being corrupted. Two RAID member disks eventually failed, which disrupted E-Commerce services. The company cannot tolerate such business losses for more than three days and must recover the E-Commerce system within 24 hours. To recover the system, to which of the following should the system administrator refer?
A. Disaster Recovery Plan (DRP)
B. Business Continuity Plan (BCP)
C. Information System Contingency Plan (ISCP)
D. Computer Security Incident Response Plan (CSIRP)


Zero Trust Architecture (ZTA)

ABAC seems to be the backbone of the Zero Trust Architecture (ZTA). No matter where users and devices are located (LAN/VPN/WAN), access requests shall be dynamically authorized at the finest granularity.

The Operative Definition of ZTA

Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.

Network Components

In a ZTA network, there should be a separation (logical or possibly physical) between communication flows used to control and configure the network and application communication flows used to perform the actual work of the organization.

This is often broken down to a control plane for network control communication and a data plane for application communication flows [Gilman].

The control plane is used by the various infrastructure components for maintaining systems; judging, granting, or denying access to resources; and performing any necessary operations to set up connections between resources.

The data plane is used for the actual communication between applications. This communication channel may not be possible prior to the connection being established via the control plane.

For example, the control plane could be used by the PA and PEP to set up the connection between the user and the enterprise resource. The application workload would then use the data plane connection that was established.
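The PA/PEP interaction described above, as an added toy model (not code from NIST SP 800-207 or from the original post): a policy administrator makes an attribute-based decision on the control plane, and the enforcement point opens a data-plane session only while that decision is current. The policy, attribute names and the time-to-live on a grant are assumptions for illustration.

```python
from dataclasses import dataclass
from time import time
# Constructed toy model of the control-plane / data-plane split described above:
# the policy administrator (PA) decides, the policy enforcement point (PEP)
# opens an application (data-plane) session only while a grant is valid.

@dataclass(frozen=True)
class AccessRequest:
    subject: dict    # e.g. {"user": "alice", "role": "ops", "mfa": True}
    device: dict     # e.g. {"posture": "compliant", "managed": True}
    resource: str
    location: str    # "LAN", "VPN" or "WAN"; location alone never grants access

class PolicyAdministrator:
    """Control plane: evaluates attributes against policy, carries no app traffic."""
    def __init__(self, policy: dict, ttl_seconds: float = 300.0):
        self.policy = policy   # resource -> required subject/device attributes
        self.ttl = ttl_seconds

    def decide(self, req: AccessRequest, now: float):
        """Return the grant expiry time, or None (default deny)."""
        rule = self.policy.get(req.resource)
        if rule is None:
            return None
        for part, required in (("subject", rule["subject"]), ("device", rule["device"])):
            if any(getattr(req, part).get(k) != v for k, v in required.items()):
                return None
        return now + self.ttl

class PolicyEnforcementPoint:
    """Data-plane gate: no session without a current control-plane decision."""
    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa
        self.sessions = {}     # (user, resource) -> grant expiry

    def open_data_plane(self, req: AccessRequest, now=None) -> bool:
        now = time() if now is None else now
        key = (req.subject.get("user"), req.resource)
        if self.sessions.get(key, 0.0) <= now:   # no grant, or grant expired
            expiry = self.pa.decide(req, now)    # re-authorize via control plane
            if expiry is None:
                self.sessions.pop(key, None)
                return False
            self.sessions[key] = expiry
        return True

# Constructed sample policy: one resource, required subject and device attributes.
POLICY = {"erp-db": {"subject": {"role": "ops", "mfa": True},
                     "device": {"posture": "compliant", "managed": True}}}
```

The grant TTL bounds how long a device-posture change can go unnoticed on an open session, so in a real deployment the PEP would also re-evaluate on signals pushed from the control plane rather than only on expiry.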

Please refer to NIST SP 800-207 (draft) for details.


CISSP PRACTICE QUESTIONS – 20191226

Effective CISSP Questions

In a risk management workshop, a team member identified a risk related to the uninterruptible power supply (UPS). If the UPS batteries are not replaced regularly, the servers may encounter unexpected power interruption as the batteries age and impact the availability. To take preventive action to mitigate this risk, which of the following should be considered most?
A. Mean Time Between Failure (MTBF)
B. Mean Time To Failure (MTTF)
C. Mean Time To Repair (MTTR)
D. Maximum Tolerable Downtime (MTD)


CISSP PRACTICE QUESTIONS – 20191225

Effective CISSP Questions

The E-commerce web site of your company is suffering a DoS attack in which it is flooded with Christmas tree packets on Christmas Day, while the incident response team members are at home for family reunions. Which of the following best describes this attack?
A. A Christmas tree packet is an IP packet with the FIN, PSH, and URG flags turned on
B. A Christmas tree attack comes from a logic bomb on zombies triggered on Christmas Day
C. A Christmas tree attack is one type of cryptanalysis attack
D. A Christmas tree packet affects both routers and the endpoints


CISSP PRACTICE QUESTIONS – 20191224

Effective CISSP Questions

Your company decides to start the business of selling toys online and shipping globally as a strategic move. You are going to be designated as the program manager for the E-commerce program, which is sponsored by the COO and tasks an in-house development team with developing the E-commerce system to support the new business. Which of the following is most critical to your success?
A. Competent team
B. Communicated Policy
C. Executable strategy
D. Documented program plan
