Effective CISSP Questions

Your company sells toys online worldwide, which is supported by a three-tiered web-based E-Commerce system. To avoid inconsistent system configurations, which of the following is the most important?
A. Detail procedures
B. Up-to-date standards
C. Sound governance
D. Periodic training

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Sound governance.

Governance through the Policy Framework

Governance is the overall practices exercised by the board of directors and senior management (the governance level) who directs and controls the organization, allocates and optimizes the resources, and holds the ultimate responsibility for the outcomes to create and deliver values and achieve organizational missions.

Source: The Effective CISSP: Security and Risk Management

In other words, the governance level directs and controls the organization through the policy framework, which refers to the policy and its supporting standards, procedures, and guidelines.

Inconsistent system configurations can be reduced through periodic training to develop competent people and through detailed procedures that enforce consistency with up-to-date standards. However, it is the policy that directs the development of standards, procedures, and the training program. Without sound governance there is no policy framework, and that is the root cause of the problem: inconsistent system configurations.


Isn't governance much too high level to affect something as detailed as a server configuration? Detailed procedures on how to configure the server sound more practical.

Source: @GS from

Governance is exercised by the board or senior management, also known as the governance level. They are accountable or ultimately responsible for almost everything.

The Marriott data breach impacted up to 5.2 million customers. We all agree that the data breach resulted from insecure information systems, don't we? Who is accountable or ultimately responsible for this data breach? The governance level.

As a result, the governance level has to direct and control the organization or company through the policy framework (policies, standards, and procedures). They may never touch a server themselves, but they are accountable for setting policies (their intentions) so that middle management can develop supporting standards, procedures, and guidelines for the staff to implement those policies.

In conclusion, everything comes from the policy, the explicitly expressed management intention.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

  • It is available on Amazon.
  • Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.


2 thoughts on "CISSP PRACTICE QUESTIONS – 20200524"