CISSP PRACTICE QUESTIONS – 20200825

Effective CISSP Questions

DevOps is a set of practices that engages the development and operation team with the purpose of shortening the software development life cycle and delivering quality software continuously. Secure DevOps (DevSecOps) advances DevOps and emphasizes engaging more stakeholders and addressing security requirements. Which of the following is not true?
A. DevOps facilitates collaborations between stakeholders with no need for cultural changes.
B. DevOps streamlines pipelines and processes by automation and technologies.
C. DevSecOps can provide high visibility that helps the IT team monitors system operations.
D. DevSecOps can support continuous authorization.


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. DevOps facilitates collaborations between stakeholders with no need for cultural changes.

Focus Areas

  • Collaboration between project team roles
  • Infrastructure as Code: Scripted Infrastructure Configuration
  • Automation of Tasks / Processes / Workflows
  • Monitoring Applications and Infrastructure

Culture and Toolchain

  • As DevOps is intended to be a cross-functional mode of working, those who practice the methodology use different sets of tools—referred to as “toolchains“—rather than a single one.
  • DevOps is as much about culture, as it is about the toolchain.
  • Cultural practices such as information flow, collaboration, shared responsibilities, learning from failures and new ideas are central to DevOps.
  • Team-building and other employee engagement activities are often used to create an environment that fosters this communication and cultural change within an organization.

Source: Wikipedia

Automation

Implementation of DevOps automation in the IT-organization is heavily dependent on tools, which are required to cover different areas of the systems development lifecycle (SDLC):

  • Infrastructure as code
  • CI/CD
  • Test automation
  • Containerization
  • Orchestration
  • Software deployment
  • Software measurement

Some categories are more essential in a DevOps toolchain than others; especially continuous integration (e.g. Jenkins, Gitlab, Bitbucket pipelines) and infrastructure as code (e.g., Terraform, Ansible, Puppet).

Source: Wikipedia

Visibility

High visibility helps in the collaboration between the development and operations team and contributes to monitoring, timely decision-making, and authorization.

To examine the effect of DevOps Visibility, SmartDraw commissioned the 2019 DevOps Visibility Report. The results were decisive: each company surveyed is seeking ways to better DevOps visibility, and 84% of respondents list it as somewhat to extremely important to their organization. But achieving DevOps visibility is not always simple.

A good DevOps process improves quality, lowers cost, and saves time. Yet poor visibility can limit DevOps success and lead to misalignment. Organizations should adopt an automated real-time DevOps visibility solution in order to allow team members to focus on the crucial pieces of their role, provide relevant information to managers, and create digestible visualizations.

Source: Four Ways to Improve DevOps Visibility

Continuous Authorization

  • RMF encourages an alternative approach to the traditional 3 year ATO process through ongoing authorization decisions or continuous reauthorization.
  • RMF assumes these systems have “been evaluated as having sufficiently robust system-level continuous monitoring programs”
  • RMF’s Continuous Reauthorization concept directly aligns with DevOps.

Source: Timothy A. Chick

Use of Automation in the execution of the RMF

Organizations should maximize the use of automation, wherever possible, to increase the speed, effectiveness, and efficiency of executing the steps in the Risk Management Framework (RMF).

Automation is particularly useful in the assessment and continuous monitoring of controls, the preparation of authorization packages for timely decision-making, and the implementation of ongoing authorization approaches—together facilitating a real-time or near real-time risk-based decision-making process for senior leaders.

Organizations have significant flexibility in deciding when, where, and how to use automation or automated support tools for their security and privacy programs. In some situations, automated assessments and monitoring of controls may not be possible or feasible.

Source: NIST SP 800-37 R2

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

DevOps是一組與開發和運營團隊合作的實踐,旨在縮短系統開發生命週期並持續交付優質軟件。 安全DevOps(DevSecOps)將DevOps的發展往前進一步,強調納入更多利益相關者參與並滿足安全要求。 以下哪一項是不正確的?
A. DevOps促進了利益相關者之間的協作,而無需進行文化變革。
B. DevOps通過自動化和技術簡化了管道和流程。
C. DevSecOps提供高可見性,可幫助IT團隊監視系統操作。
D. DevSecOps支持連續授權。

Leave a Reply