You are implementing the company networks for a startup. Which of the following is least related to the data link layer?
A. Configuring the physical address of a network interface card.
B. Implementing a linear network with token passing.
C. Splitting traffic by VLAN tagging.
D. Binding multiple logical addresses to a network interface card.
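Options A and C both live at the data link layer: a NIC's physical (MAC) address and the 802.1Q tag that carries a VLAN ID sit in the Ethernet header, before any network-layer address appears. The following is an added example, not code from the original post: it builds and parses Ethernet II frames with an optional 802.1Q tag so the fields behind those two options can be seen byte by byte. The sample frames, MAC addresses, VLAN ID and payloads are constructed here for illustration.

```python
import struct
from typing import Optional

VLAN_TPID = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tagged frame


def mac_to_str(raw: bytes) -> str:
    """Render a 6-byte hardware (physical) address as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when a VLAN ID is given.

    Tag layout: TPID (2 bytes) then TCI (2 bytes) = PCP:3 | DEI:1 | VID:12.
    """
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("invalid 802.1Q tag fields")
        tci = (pcp << 13) | (dei << 12) | vid
        hdr += struct.pack("!HH", VLAN_TPID, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the data link header: MAC addresses, optional 802.1Q tag, EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    vlan = None
    if ethertype == VLAN_TPID:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {
        "dst": mac_to_str(dst),
        "src": mac_to_str(src),
        # Bit 1 of the first octet set => locally administered (configured) address
        "src_locally_administered": bool(src[0] & 0x02),
        "vlan": vlan,
        "ethertype": ethertype,
        "payload": frame[offset:],
    }


# Constructed sample frames (not captured traffic): broadcast destination,
# locally administered source MAC, VLAN 100 with priority 3, IPv4 payload stub.
TAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:11:22:33:44:55", 0x0800,
                     b"\x45\x00" + b"\x00" * 18, vid=100, pcp=3)
UNTAGGED = build_frame("ff:ff:ff:ff:ff:ff", "02:11:22:33:44:55", 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for f in (TAGGED, UNTAGGED):
        print(parse_frame(f))
```

A switch port that does not expect tagged frames will treat the TPID 0x8100 as the EtherType and drop or misroute the frame, which is why trunk and access port configuration matters as much as the tag itself; nothing in this header involves a logical (IP) address, which is what places option D at the network layer.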
Monthly Archives: May 2020
The Effective CISSP: SRM Readers Meetup, Taiwan
The first readers' meetup for my book, The Effective CISSP: Security and Risk Management, was held on May 31, 2020.
- Wentz introduced the strategic role of the CISSP certification.
- Ethan gave an awesome overview of CIA, GRC, and other core management concepts.
- Sky shared the topic of business continuity management (BCM).
Disruption and Destruction
When it comes to information security, which is the opposite of availability? Disruption or destruction? I prefer disruption to destruction.
The scope of information security includes information and information systems, and the context determines their availability. Destruction ruins the availability of information, while disruption breaches the availability of information systems. The availability of information depends on the availability of information systems.
Because information is not accessible or usable by itself, information consumers must access or use it through some tools or instruments, whether the information is at rest, in motion, or in use. As a result, I take it that the “access to and use of information” is realized through the information system, as defined in the “Information System” section below.
Disruption over Destruction
Given:
- Information depends on the information system.
- The opposite of the availability of information means information is not available.
The following logic justifies the conclusion:
- If information is available, then the information system is available.
- If the information system is NOT available, then information is NOT available.
- That means, if the information system is disrupted, then information is NOT available.
- We can conclude that disruption is the opposite of the availability of information.
Information System
An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In the context of this publication, the definition includes the environment in which the information system operates (i.e., people, processes, technologies, facilities, and cyberspace). (NIST SP 800-39)
An information system typically comprises components such as 1) data, 2) computer systems, 3) operating systems, 4) software, 5) networks, 6) data centers, 7) people, 8) business processes, and so forth. My book, The Effective CISSP: Security and Risk Management, introduced the Peacock Model as a metaphor for the information system.
The Peacock Model
The Peacock Model is a metaphor for information systems that extends the definition in 44 U.S.C. § 3502 and aligns with the NIST SP 800-39 definition quoted above. It treats people and business processes as extensions of, and part of, an information system, since an information system is implemented and operated by people to support business processes.
CISSP PRACTICE QUESTIONS – 20200531
A host with the IP address 10.10.10.6/29 sends ICMP Echo Request messages to 10.10.10.7/29 but receives no response; the requests time out. Which of the following is the most likely cause?
A. The destination ignores the requests, or the network is jammed.
B. The default gateway of the host is not properly configured.
C. The routing table of the gateway doesn’t converge.
D. The destination resides in another broadcast domain.
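Before reasoning about gateways and routing tables, it pays to work out what 10.10.10.7 actually is inside a /29. The following is an added example, not part of the original post: it uses Python's standard ipaddress module to derive the network, usable host range and broadcast address from the source's CIDR and to classify the destination (same broadcast domain or not, broadcast address or not). The helper name and the second destination address (10.10.10.9) are assumptions introduced here for illustration.

```python
import ipaddress


def icmp_reachability(src_cidr: str, dst_ip: str) -> dict:
    """Classify where an Echo Request from src_cidr to dst_ip would go.

    Layer 2 question: is dst in the same broadcast domain as src?
    Layer 3 question: if not, the packet must go to the default gateway.
    """
    src = ipaddress.ip_interface(src_cidr)
    net = src.network
    dst = ipaddress.ip_address(dst_ip)
    if dst.version != src.ip.version:
        raise ValueError("source and destination address families differ")
    # hosts() excludes network and broadcast addresses for prefixes up to /30;
    # fall back to the single address for a /32 on older Pythons.
    hosts = list(net.hosts()) or [net.network_address]
    same_domain = dst in net
    return {
        "network": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "same_broadcast_domain": same_domain,
        "dst_is_broadcast": dst == net.broadcast_address,
        "dst_is_network_address": dst == net.network_address,
        "needs_default_gateway": not same_domain,
    }


if __name__ == "__main__":
    # Constructed inputs: the question's addresses plus one outside the /29.
    for dst in ("10.10.10.7", "10.10.10.9"):
        print(dst, icmp_reachability("10.10.10.6/29", dst))
```

For 10.10.10.6/29 the network is 10.10.10.0/29, usable hosts are .1 through .6, and .7 is the subnet's directed broadcast address, so the destination is in the same broadcast domain and no gateway is involved. Keep in mind that a Linux host ignores broadcast Echo Requests by default (net.ipv4.icmp_echo_ignore_broadcasts = 1), and its ping utility refuses a broadcast target unless run with -b.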
CISSP PRACTICE QUESTIONS – 20200530
Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. The EC system accepts credit cards and processes personal data. Which of the following addresses those concerns and provides the best assurance?
A. PCI-DSS
B. Risk Assessment
C. Security Assessment
D. Third-party Audit
Financial Viability of Controls

Courtesy of Sven De Preter
This concise document is courtesy of Sven De Preter (The Strategist of the new study group, Certification Stage) and is shared with his permission.
Sven adds a new perspective, CAPEX, OPEX, and TCO, on top of the concept of ALE (Annualized Loss Expectancy) introduced in most CISSP study guides.
- CAPEX (Capital Expenditure) as initial costs
- OPEX (Operational Expenditure) as ongoing costs
- TCO (Total Cost of Ownership)
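To show how these cost figures combine with ALE into a viability decision, here is an added worked example; it is not Sven's document nor code from the page. It uses the standard ALE = SLE x ARO relationship, treats TCO over an evaluation horizon as CAPEX plus OPEX times years, and compares the annualized TCO against the annual risk reduction the control buys. The dollar figures, ARO values, horizon and helper names are constructed assumptions for illustration.

```python
from typing import Optional


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def tco(capex: float, opex_per_year: float, years: int) -> float:
    """Total Cost of Ownership over the evaluation horizon: initial plus ongoing costs."""
    if years <= 0:
        raise ValueError("horizon must be at least one year")
    return capex + opex_per_year * years


def control_viability(sle: float, aro_before: float, aro_after: float,
                      capex: float, opex_per_year: float, years: int) -> dict:
    """Compare what a control saves each year against what it costs each year."""
    ale_before = ale(sle, aro_before)
    ale_after = ale(sle, aro_after)
    annual_risk_reduction = ale_before - ale_after
    total = tco(capex, opex_per_year, years)
    annualized_cost = total / years
    annual_net_benefit = annual_risk_reduction - annualized_cost
    # Years until cumulative savings net of OPEX recover the CAPEX; None if never.
    net_annual_saving = annual_risk_reduction - opex_per_year
    payback: Optional[float] = capex / net_annual_saving if net_annual_saving > 0 else None
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_risk_reduction": annual_risk_reduction,
        "tco": total,
        "annualized_cost": annualized_cost,
        "annual_net_benefit": annual_net_benefit,
        "payback_years": payback,
        "financially_viable": annual_net_benefit > 0,
    }


# Constructed scenario (illustrative numbers, not from the page): a 200k loss
# event expected every two years, reduced to once every four years by a control
# costing 100k up front and 10k per year, evaluated over five years.
EXAMPLE = dict(sle=200_000, aro_before=0.5, aro_after=0.25,
               capex=100_000, opex_per_year=10_000, years=5)

if __name__ == "__main__":
    for k, v in control_viability(**EXAMPLE).items():
        print(f"{k:>22}: {v}")
```

The same control with higher ongoing costs can flip from viable to not viable even though CAPEX and the risk reduction are unchanged, which is the point of looking at OPEX and TCO rather than the purchase price alone.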
CISSP PRACTICE QUESTIONS – 20200529
Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. As a security professional, you suggest that penetration testing be conducted. Which of the following is your primary concern?
A. The decision of employment of internal or external penetration test team
B. The capability and experience of the penetration test team
C. The procedure that the penetration test team asks for permission to conduct penetration testing
D. The escalation path to the senior management if testing takes down the system
The Future, The Moment, and The Good Old Days
CISSP PRACTICE QUESTIONS – 20200528
As a CISO, you issue a policy that mandates that every employee be aware of social engineering attacks. A supporting standard is then developed that requires everyone to complete at least three hours of awareness training each year. Which of the following is the best next activity to enforce the policy?
A. Penetration testing
B. Security assessment
C. Vulnerability assessment
D. Risk assessment
CISSP PRACTICE QUESTIONS – 20200527
According to ISO 31000, risk is the “effect of uncertainty on objectives.” Which of the following is a risk?
A. Mother Nature
B. Sabotage
C. A loss of 5 million in monetary value
D. None of the above