Effective CISSP Questions

You work for a US-based public company that sells toys all over the world. A PaaS supports the online EC system that accepts credit cards. As an internal auditor, which of the following least concerns you in terms of compliance? (Source: Wentz QOTD)
B. Baselines
C. Sarbanes-Oxley Act (SOX)
D. Information security policy

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Baselines.

Compliance Requirements

An audit is an assessment conducted by an independent entity through interviewing, examination, and testing to determine if compliance requirements are achieved.

  • Sarbanes-Oxley Act (SOX) is a legal requirement applicable to public companies in the US.
  • PCI-DSS is a payment card industry requirement established by the Payment Card Industry Security Standards Council (PCI SSC). PCI SSC was founded by MasterCard, American Express, Visa, JCB International and Discover Financial Services in 2006.
  • Information security policy, at the top of the policy framework, is also one of the most crucial audit criteria to be compliant with. Organizational standards and procedures are also sources of compliance requirements.


Baselines and Standards

Baselines are the means while standards are the ends. We have to comply with standards instead of baselines. In other words, we implement baselines to meet the compliance requirements of standards. However, baselines are not necessarily compliant with standards. Baselines can be higher than, equal to, or lower than standards.

Baselines are anything of importance that requires signoff or approval to control changes against them. Baselines may be subject to change due to corrective actions or continuous improvement resulting from a performance review or problem-solving process.

For example, the scope, budget, schedule, performance measurement, security controls, or configurations are well-established baselines. A security control baseline is the minimum requirement of security that is typically determined by the security control scoping and tailoring process. A snapshot of configurations can serve as a security baseline.
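To make the distinction concrete, here is an added example (not from the original post or the book) that treats a configuration snapshot as a baseline and checks it against a standard, then checks a later snapshot for drift from the approved baseline. The standard, the approved baseline and the live snapshot are constructed sample data; the control names and values are assumptions chosen only to illustrate the "higher, equal or lower" relationship described above.

```python
"""Compare a configuration baseline against a standard, then detect drift.

Added example, not code from the original post. The standard, the approved
baseline and the live snapshot below are constructed sample data.
"""
from typing import Any, Callable, Dict, Tuple

# A standard states the *ends*: each control has a required value and a
# comparator saying what "meets the standard" means for that setting.
# Comparators return -1 (baseline is lower/weaker), 0 (equal), 1 (higher/stricter).
Comparator = Callable[[Any, Any], int]


def numeric_min(actual, required):
    """Higher numbers are stricter (e.g. minimum password length)."""
    return (actual > required) - (actual < required)


def numeric_max(actual, required):
    """Lower numbers are stricter (e.g. idle session timeout in minutes)."""
    return (required > actual) - (required < actual)


def exact(actual, required):
    """Only one acceptable value; anything else falls short of the standard."""
    return 0 if actual == required else -1


# Constructed sample standard: control -> (required value, comparator)
STANDARD: Dict[str, Tuple[Any, Comparator]] = {
    "password_min_length": (12, numeric_min),
    "session_timeout_minutes": (15, numeric_max),
    "tls_min_version": (1.2, numeric_min),
    "card_data_encrypted_at_rest": (True, exact),
    "audit_logging_enabled": (True, exact),
}

# Constructed approved baseline (the *means*): what the platform is configured to.
APPROVED_BASELINE: Dict[str, Any] = {
    "password_min_length": 14,          # higher than the standard
    "session_timeout_minutes": 30,      # lower than the standard (too lenient)
    "tls_min_version": 1.2,             # equal to the standard
    "card_data_encrypted_at_rest": True,
    "audit_logging_enabled": False,     # lower than the standard
}

LABELS = {1: "higher", 0: "equal", -1: "lower"}


def assess_baseline(baseline, standard):
    """Return {control: 'higher'|'equal'|'lower'|'missing'} relative to the standard.

    'lower' and 'missing' are compliance findings; 'higher' and 'equal' are not,
    which is the point: a baseline may exceed, meet, or fall short of a standard.
    """
    result = {}
    for control, (required, compare) in standard.items():
        if control not in baseline:
            result[control] = "missing"
            continue
        result[control] = LABELS[compare(baseline[control], required)]
    return result


def compliance_findings(assessment):
    """Controls an auditor would raise: the baseline falls short of the standard."""
    return sorted(c for c, s in assessment.items() if s in ("lower", "missing"))


def detect_drift(snapshot, baseline):
    """Settings in a live snapshot that differ from the approved baseline.

    Because a baseline is under change control, every entry returned here
    should map to an approved change request; anything else is unauthorised drift.
    """
    drift = {}
    for control in set(snapshot) | set(baseline):
        if snapshot.get(control) != baseline.get(control):
            drift[control] = (baseline.get(control), snapshot.get(control))
    return drift


# Constructed live snapshot: two settings changed since the baseline was approved.
LIVE_SNAPSHOT = dict(APPROVED_BASELINE, password_min_length=8, audit_logging_enabled=True)

if __name__ == "__main__":
    assessment = assess_baseline(APPROVED_BASELINE, STANDARD)
    for control, status in assessment.items():
        print(f"{control:30} {status}")
    print("findings:", compliance_findings(assessment))
    print("drift:", detect_drift(LIVE_SNAPSHOT, APPROVED_BASELINE))
```

Note that the drift check and the compliance check answer different questions: the first asks whether the live configuration still matches what was signed off, the second asks whether what was signed off actually satisfies the standard. An auditor needs both, since a baseline can be faithfully maintained and still be non-compliant.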

Source: The Effective CISSP: Security and Risk Management

Policy Framework

Internal Audit as the 3rd Line of Defense



You work for a US-listed public company that sells toys. A PaaS supports the online EC e-commerce system that accepts credit cards. As an internal auditor, which of the following concerns you least from a compliance perspective? (Source: Wentz QOTD)
B. Baselines
C. Sarbanes-Oxley Act (SOX)
D. Information security policy


My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.


2 thoughts on “CISSP PRACTICE QUESTIONS – 20200814”

  1. Which baselines? How do you approach such a vague answer? These could be the baselines required to comply with some regulation, or something imposed by marketing (e.g. to use specific products in the tech platform).
