Effective CISSP Questions

You are the development team leader and recently found your nightly build failed from time to time. Eve was a disgruntled developer in your team and quit last month. She is responsible for part of the solution and not authorized to integrate the solution. She installed a program running under the local system privilege to delete, on Monday midnights, some source code in the local code repository pushed to the central code repository to be integrated. You decide to conclude that Eve is accountable for the failures of the nightly builds. Which of the following is the least important?
A. Authentication
B. Authorization
C. Auditing
D. Non-repudiation

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Authorization.

Accountability is a property that ensures that the actions (what) of an entity (who) may be traced uniquely to that entity (accounting & auditing). To conclude accountability, we have to clarify who does what by writing logs (accounting) and reviewing them (auditing).

Users can attempt to do anything even if the action is not authorized. If a user conducts an unauthorized action, the system just writes a log to record the fact or event. By reviewing the logs, we can trace the unauthorized action to the user. That’s why authorization is the least important when we are concluding accountability.


A property that ensures that the actions of an entity may be traced uniquely to that entity.


Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.


  • The right or permission granted to a system entity to access a system resource.
  • The process of verifying if a requested action or service is approved for a specific entity.

Accounting vs Auditing

When the accounting process ends, auditing begins. Accounting is an activity of record-keeping and preparation & presentation of the financial statement. Accounting is used by the firms for keeping a track of their monetary transactions. Auditing is an activity of verification and evaluation of financial statement. It aims at checking and confirming the authenticity of financial books prepared by the accounting staff of the enterprise. (Source)

When we are talking about AAA (Authentication, Authorization, Accounting), the third A should refer to Accounting; however, people tend to use accounting and auditing interchangeably. If we borrow the concept from the business world, the third A should be accounting (record keeping); that is, writing logs, while auditing is about reviewing logs or audit trails specifically.

Audit Trail

A chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to the final result.


  • The inability to deny responsibility for performing a specific act.
  • Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.



您是開發團隊的負責人,最近發現您的夜間構建有時會失敗。 Eve是您團隊中不滿的開發人員,上個月剛辭職。 她負責解決方案的一部分,未被授權整合解決方案。 她安裝了一個在本地系統特權下運行的程序,以便在星期一午夜刪除本地代碼存儲庫中的某些源代碼,並將其推送到中央代碼存儲庫中進行集成。 您認為夏娃應對夜間構建的失敗負責。 以下哪一項是最不重要的?
A. Authentication
B. Authorization
C. Auditing
D. Non-repudiation

Leave a Reply