Effective CISSP Questions

You’re implementing an L2TP/IPsec VPN solution to support remote employees. Which of the following is not true? (Source: Wentz QOTD)
A. AH may not be available in IPsec
B. AH ensures integrity only, but not confidentiality through encryption
C. Implementation of ESP is a mandatory requirement of IPsec
D. ESP ensures both confidentiality and the same level of integrity as AH does


What is Assurance?

International Accreditation Forum

The diagram shows the ISO assurance system in terms of management systems. Common management system standards include:

  • Quality Management System (QMS, ISO 9001)
  • Environmental Management System (EMS, ISO 14001)
  • Food Safety Management System (FSMS, ISO 22000)
  • Business Continuity Management System (BCMS, ISO 22301)
  • Information Security Management System (ISMS, ISO/IEC 27001)
  • Occupational Health and Safety Management System (OHSMS, ISO 45001)



I added more information about the confusing C&A process to the post Jargons: V&V and C&A. The newly added material is as follows.

Added on 2020/07/30:

There were various information system certification and accreditation (C&A) processes across the US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of their diversity and inconsistency across agencies. For example, the obsolete DITSCAP process treated verification and validation (V&V) as phases of its C&A life cycle. The NIST RMF (SP 800-37 Rev. 2) now provides the latest, unified replacement for these legacy C&A processes.

C&A Systems

The NIST RMF is integrated with the system development life cycle (SDLC) detailed in NIST SP 800-160 Vol. 1, which is in turn aligned with the system life cycle processes of ISO/IEC/IEEE 15288. The terms certification and accreditation are no longer used in the NIST RMF: C&A (Certification and Accreditation) is replaced by A&A (Assessment and Authorization) in the RMF, and the corresponding engineering activities are V&V (Verification and Validation) in ISO 15288.

NIST SP 800-160 V1 and ISO 15288



Effective CISSP Questions

Wired Equivalent Privacy (WEP), ratified in 1997, is the first-generation security solution for 802.11 wireless networks. 64-bit WEP uses the RC4 stream cipher seeded with a 24-bit initialization vector (IV) and a 40-bit secret key. Attackers can use Aircrack-ng to sniff wireless traffic and recover the secret key by exploiting the short IV. Which of the following best describes the attack used to break WEP? (Source: Wentz QOTD)
A. Ciphertext-only
B. Known-plaintext
C. Chosen-plaintext
D. Chosen-ciphertext
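The question above turns on why a 24-bit IV is too short. The following Python demo is an added example, not part of the original question or Aircrack-ng: it implements RC4 and the 64-bit WEP framing (IV || 40-bit key as the RC4 seed, CRC-32 ICV appended before encryption, IV sent in the clear), then shows that two frames sharing an IV leak the XOR of their plaintexts with no knowledge of the key, and computes the birthday bound on how many frames it takes before an IV repeats. The key, IV and payloads are constructed sample data.

```python
"""WEP-style RC4 keystream reuse demo (added example, not code from the original post).

Assumed layout (matches 64-bit WEP): RC4 seed = 24-bit IV || 40-bit key,
payload || CRC-32 ICV is XORed with the keystream, IV is prepended in the clear.
"""
import math
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of the common prefix of a and b."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) plus pseudo-random generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # KSA: permute S under the seed
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # PRGA: emit keystream bytes
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """64-bit WEP: returns IV || RC4_{IV||key}(payload || CRC-32 ICV)."""
    assert len(key) == 5 and len(iv) == 3, "40-bit key and 24-bit IV expected"
    icv = zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4_keystream(iv + key, len(payload) + 4)
    return iv + xor(payload + icv, ks)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Inverse of wep_encrypt; raises if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def keystream_reuse_leak(frame1: bytes, frame2: bytes):
    """If two captured frames share an IV they share a keystream, so
    C1 XOR C2 == P1 XOR P2. Returns that XOR (no key needed), or None if
    the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    n = min(len(frame1), len(frame2))
    return xor(frame1[3:n], frame2[3:n])


def iv_collision_frames(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames needed before some IV repeats with the given
    probability, for an IV space of 2**iv_bits values."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * n * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    # Constructed sample data: a made-up 40-bit key, one IV reused for two frames.
    key = bytes.fromhex("0102030405")
    iv = bytes.fromhex("000001")
    p1 = b"GET /index.html "
    p2 = b"POST /login.php "
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)
    leak = keystream_reuse_leak(f1, f2)
    print("decrypts correctly:", wep_decrypt(key, f1) == p1)
    print("C1^C2 == P1^P2 for the payload bytes:", leak[:16] == xor(p1, p2))
    print("IV space:", 2 ** 24, "values; 50% chance of a repeat after",
          iv_collision_frames(), "frames")
```

The leak function needs only the two ciphertexts; once an attacker knows or guesses one plaintext (many 802.11 frames begin with fixed protocol headers), the XOR yields the other plaintext and the keystream for that IV. On a busy network a repeat is expected after only a few thousand frames, which is why the 24-bit IV, not RC4's key length alone, is WEP's fundamental weakness.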
