Effective CISSP Questions

A network administrator responsible for monitoring network anomalies found, by analyzing network traffic, that a sales representative had sent an unencrypted email to competitors. It may involve price fixing and violate antitrust law. Which of the following is the best means for the network administrator to convey this finding to the appropriate management? (Source: Wentz QOTD)
A. Corporate bylaws
B. Acceptable use policy (AUP)
C. Crisis communication plan
D. Reporting procedure

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Reporting procedure. A reporting procedure gives the administrator step-by-step instructions on whom to notify, through which channel, and what to record when a finding like this is made. The other options do not serve that purpose: the AUP defines what users may and may not do, the crisis communication plan governs what is said to the public during an emergency, and the corporate bylaws govern the structure and operation of the company itself.

Policy Framework

A procedure is a set of step-by-step instructions to finish a task. A policy is a high-level document that reflects the management’s intent, which is elaborated and supported by associated standards and procedures. Policies, standards, and procedures are not necessarily separate documents. They can be compiled in a manual or even written in a document altogether.

Acceptable use policy (AUP)

An acceptable use policy (AUP), acceptable usage policy or fair use policy, is a set of rules applied by the owner, creator or administrator of a network, website, or service, that restrict the ways in which the network, website or system may be used and sets guidelines as to how it should be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers (ISPs), and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.

Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization. It should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should, as usual, be measured by regular audits.

Source: Wikipedia

Crisis Communication Plan

Crisis communication is part of crisis management, that “is the process by which an organization deals with a disruptive and unexpected event that threatens to harm the organization or its stakeholders. The study of crisis management originated with large-scale industrial and environmental disasters in the 1980s. It is considered to be the most important process in public relations.” (Wikipedia, 2019)

The crisis communications plan typically designates spokespersons as the only authority for answering questions from or providing information to the public regarding emergency response.

Source: The Effective CISSP: Security and Risk Management

Requirements of Bylaws

Under the general definition of bylaws, there are very few items that must be included. Typical requirements include:

  1. The name, purpose, and location of the company’s office
  2. Members of the company
  3. Voting rights and selection process of members
  4. The name and number of the members of the board of directors
  5. The maximum and minimum number of allowed directors
  6. How to assign new directors and the responsibilities of all directors
  7. The length of time a person can stay on the board of directors
  8. The names of current officers, and the assigning and removal of officers
  9. The duties and responsibilities of officers, members, and directors
  10. The time a meeting will take place, the meeting location, and meeting terms, such as annual or special meetings
  11. Specific rules for amending any current bylaws

Source: RocketLawyer

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial on information security but also a study guide for the CISSP exam and an informative reference for security professionals.
