CISSP PRACTICE QUESTIONS – 20200701

Effective CISSP Questions

Which of the following least contributes to access control on a need-to-know basis? (Source: Wentz QOTD)
A. An object with non-hierarchical labels
B. A subject’s capability table
C. A subject’s security clearance
D. A compartmented object
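Added illustration (not part of the original question or Wentz's material): a minimal lattice-style check that combines a hierarchical clearance level with non-hierarchical compartments, plus a per-subject capability table. The level names, compartment names ("CRYPTO", "NUCLEAR") and object names are made up for the example. It shows why an object carrying only a level is readable by everyone cleared at or above that level, while a compartment on the object restricts access to subjects holding that compartment.

```python
"""Need-to-know check: clearance level (hierarchical) plus compartments
(non-hierarchical), and a per-subject capability table.
Added example; all names below are illustrative assumptions."""
from dataclasses import dataclass, field

# Hierarchical sensitivity levels (assumed ordering for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # non-hierarchical categories

    def dominates(self, other: "Label") -> bool:
        """Lattice dominance: at least as high a level AND a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject_clearance: Label, object_label: Label) -> bool:
    """Simple security (read) rule: permitted only when the clearance dominates the label."""
    return subject_clearance.dominates(object_label)


@dataclass
class Subject:
    name: str
    clearance: Label
    # Capability table: object name -> set of rights this subject holds.
    capabilities: dict = field(default_factory=dict)


def capability_check(subject: Subject, obj_name: str, right: str) -> bool:
    """Capability-table lookup: the subject must hold the named right on the object."""
    return right in subject.capabilities.get(obj_name, set())


def demo() -> dict:
    """Constructed subjects and objects for the example (assumptions, not real data)."""
    alice = Subject("alice", Label("TOP SECRET", frozenset({"CRYPTO"})),
                    capabilities={"ops-plan": {"read"}})
    bob = Subject("bob", Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"})))

    crypto_doc = Label("SECRET", frozenset({"CRYPTO"}))
    nuclear_doc = Label("SECRET", frozenset({"NUCLEAR"}))
    level_only_doc = Label("SECRET")  # no compartments: level alone decides

    return {
        "alice_crypto": can_read(alice.clearance, crypto_doc),        # True
        "alice_nuclear": can_read(alice.clearance, nuclear_doc),      # False: higher level, no need-to-know
        "bob_nuclear": can_read(bob.clearance, nuclear_doc),          # True: holds NUCLEAR compartment
        "alice_level_only": can_read(alice.clearance, level_only_doc),  # True
        "bob_level_only": can_read(bob.clearance, level_only_doc),    # True: any SECRET-or-above subject
        "alice_cap_read": capability_check(alice, "ops-plan", "read"),    # True
        "alice_cap_write": capability_check(alice, "ops-plan", "write"),  # False
        "bob_cap_read": capability_check(bob, "ops-plan", "read"),        # False: no entry at all
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that `alice_nuclear` fails even though Alice's level (TOP SECRET) exceeds the document's (SECRET): the missing compartment is what enforces need-to-know. With `level_only_doc`, the level alone is decisive and every subject at SECRET or above can read it.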

Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

CISSP PRACTICE QUESTIONS – 20200630

Effective CISSP Questions

Your company decides to subscribe to SaaS from a well-known cloud service provider. As a security professional, you are tasked with preparing a security plan. Which of the following should you do first?
A. Determine the data types processed by the SaaS cloud services
B. Categorize the system based on its impact level
C. Scope and tailor security controls
D. Identify stakeholders


CISSP PRACTICE QUESTIONS – 20200629

Effective CISSP Questions

As the newly hired CISO for a global company selling toys all over the world, you are reviewing the company’s mission statement and organizational structure and processes, identifying applicable legal and regulatory requirements, and interviewing stakeholders to implement the business continuity management system (BCMS). Which of the following is the most likely activity you will do next?
A. Conduct business impact analysis
B. Determine the scope
C. Assess risk
D. Develop the business continuity plan


CISSP PRACTICE QUESTIONS – 20200628

Effective CISSP Questions

You are planning the program for security awareness, training, and education. Which of the following is not a primary target audience for training, that is, people who need additional knowledge and skills to perform their jobs more effectively?
A. All employees
B. End-users
C. Security administrators
D. IT engineers


CISSP PRACTICE QUESTIONS – 20200627

Effective CISSP Questions

Your company sells toys online worldwide. A web-based E-Commerce system developed by an in-house Integrated Product Team (IPT) supports the business. The development team is considering a solution to protect customer orders in motion. Which of the following is the best solution in terms of security, performance, and cost/benefit ratio?
A. For developers to implement encryption in the business logic layer for full mediation
B. For the architect to incorporate a software encryption module as a cross-cutting aspect
C. For database administrators to implement a secure enclave on the database server
D. For web server administrators to enable secure transmission


CISSP PRACTICE QUESTIONS – 20200626

Effective CISSP Questions

You are the head of the research and development department in charge of web conferencing products. The development team develops the product using an object-oriented language. Which of the following object-oriented principles or features relies on interfaces to decouple dependencies, exchange messages, and achieve loose coupling?
A. Inheritance
B. Middleware
C. Polymorphism
D. Application Programming Interface (API)


CISSP PRACTICE QUESTIONS – 20200625

Effective CISSP Questions

Your company develops web conferencing products. You are the head of the research and development department. You plan to provide end-to-end protection over user sessions based on a symmetric cipher. Open design, cryptanalytic work factor, and user acceptance are the major evaluation criteria. Which of the following is the least appropriate cipher?
A. Rijndael
B. Skipjack
C. RSA RC6
D. Serpent
