Effective CISSP Questions

Your company decides to invest in solutions in the coming year to support salespeople as road warriors and boost sales. Laptops, mobile phones, VPN, wireless networks, and customer relationship management (CRM) systems are parts of the selected solution. As a CISO, which of the following is of least concern when developing a risk management strategy?
A. Foreign ownership, control, or influence over suppliers
B. Investment strategies
C. The impact of the solution upon business processes
D. Laws and regulations

Subject Alternative Name

Today is the first workday after the Chinese lunar new year. One of the certificates for private use expired on the customer's web server. Because the Chrome browser requires Subject Alternative Names, more attributes need to be added to the certificate request file. If not, Chrome will display an insecure website warning as follows:

This server could not prove that it is; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.


  1. Use the Certificates snap-in (for the computer account) in Microsoft Management Console
  2. Create a custom request (PKCS #10 request file with Subject Alternative Names of type DNS)
  3. Request an X.509 certificate from Microsoft Certificate Services
  4. Install the new certificate on the web server

Screenshots: PKCS #10 request, Subject Alternative Names, X.509 certificate


Effective CISSP Questions

As a security professional, you are attending the risk management meeting. A member points out that a maintenance service provider for the ERP system is suffering financial problems that might degrade its service level. Which of the following should be conducted first?
A. Escalate this problem to the management and suggest sourcing a backup provider
B. Activate the information system contingency plan (ISCP)
C. Train in-house team members to support the system as a backup solution
D. Identify affected business processes and related resources

Wentz’s Governance Model


Wentz’s Governance Model is a generic governance model derived from the concept of GRC (Governance, Risk Management, and Compliance). It highlights the philosophy of governance for values and introduces seven risk-aware governance practices reorganized per the definition of governance by the IT Governance Institute.

Sound governance achieves the ultimate goals of creating and delivering value while considering risk and compliance. It relies on three crucial factors: risk-aware governance practices, a well-crafted strategy, and a well-structured organization. These can be examined from the perspectives of the static organizational structure, the dynamic organizational processes, and the holistic view of enterprise architecture.

The seven risk-aware governance practices derived from the definition of governance by the IT Governance Institute and the discipline of GRC are listed as follows:

  1. Institute the organization to support the mission
  2. Communicate the vision to guide the strategic direction for value delivery
  3. Derive goals and intended outcomes to align strategies
  4. Allocate and optimize resources to maximize values
  5. Measure and monitor performance to achieve objectives
  6. Manage risks to respond to changes and ensure success
  7. Behave responsibly to maintain integrity and compliance

They can be mapped into the following diagram:

Risk-Aware Governance Practices


Effective CISSP Questions

You are the manager authorized to make decisions on the acceptance of risk. After risk treatment, you are considering a case in which the cost of handling the residual risk is much higher than the risk acceptance criteria allow. Even though quantitative economic benefits cannot justify it, you deeply believe that the risk, with its low likelihood, is not urgent but brings a significant impact on the organization and should be handled. Which of the following decisions best meets the risk acceptance principles?
A. No further treatment because it doesn’t meet the risk acceptance criteria
B. No further treatment because subjective judgment is not reliable
C. Revise the risk acceptance criteria if possible, and implement risk treatment
D. Implement exception risk treatment but comment and justify your decision

Effective CISSP Questions

To address security concerns, you align the software development life cycle to ISO 15288, which consists of four families (groups) of system life cycle processes: agreement, organizational project-enabling, technical management, and technical processes. Which of the following belongs to the Technical Processes family?
A. Configuration Management
B. Life Cycle Model Management
C. Quality Assurance
D. Business or Mission Analysis