Effective CISSP Questions

To improve operational transparency and achieve legal and regulatory compliance, your company is implementing the information governance (IG) program. After taking the inventory of assets, you are considering asset classification and protection. As a member of the steering committee, which of the following is not an appropriate treatment?
A. Recipes, as trade secrets, should be classified by the management.
B. Patents, as confidential contents, should be classified by the data owner.
C. Personal data, as private information, can be anonymized by the data processor.
D. Forensic evidence and e-discovery shall be handled by qualified staff.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Patents, as confidential contents, should be classified by the data owner.


Recipes as Trade Secrets

After inventory-taking, an asset owner is assigned to classify the asset and determine the protection needs. A data owner is accountable for the data he or she owns, so the role of the data owner is typically assumed by the management.

Patents as Public Information

A patent is an exclusive right to use the registered invention for a specified period of time. In contrast to the trade secret, a patent has to be registered and disclosed to the public. Patents are public information; everyone can search in the patent register or database.

For example, a pharmaceutical company cannot manufacture a patented drug if it doesn’t own the drug patent. However, pharmaceutical companies can make patent-expired drugs, better known as generic drugs.

According to ISO 5127:2017 (Information and documentation — Foundation and vocabulary), a patent is an “industrial property title assigning protection to an invention, utility model patent or design for a specified period of time.”

  • Industrial property title is the “exclusive right to industrial property applied for to, or granted or registered by, the competent patent office.”
  • Protection is a “legal guarantee of author’s rights or an industrial property title  given to an intellectual work.”
  • Invention refers to “intellectual work referring to an object, a device, a composition of matter or a process for the production thereof, having patentability characteristics.”
  • Utility model patent is “limited industrial property title, usually granted for a fairly short period of time and under less stringent conditions of protection than those for patentability.”

Personal Data as Private Information

Personal data is typically classified as “Private” in the private sector. It’s common that personal data is anonymized by the data processor as anonymization is part of data processing.

  • Anonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject. It’s the form of processing: adaptation or alteration.
  • Accountability means the controller shall be responsible for and be able to demonstrate compliance with principles relating to the processing of personal data regardless of whether the processing is conducted by the controller itself or by a processor.


  • Personal data means any information relating to an identified or identifiable natural person (data subject).
  • An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • A controller determines the purposes and means of the processing of personal data.
  • A processor processes personal data on behalf of the controller.
  • Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Source: GDPR

Added on 2020/09/02:

What is a patent?

A patent is a property right granted by the Government of the United States of America to an inventor “to exclude others from making, using, offering for sale, or selling the invention throughout the United States or importing the invention into the United States” for a limited time in exchange for public disclosure of the invention when the patent is granted. (Source: USPTO Patent FAQs)

US Patent Process Overview

  1. Determine the type of Intellectual Property protection that you need
  2. Determine if your invention is patentable
  3. What kind of patent do you need?
  4. Get ready to apply
  5. Prepare and submit your initial application
  6. Work with your examiner
  7. Receive your approval
  8. Maintain your patent

Source: USPTO

18-Month Publication of Patent Applications (Country-specific)

A patent application, in confidential status, is not the patent itself. The inventor is not granted the patent just by submitting an application. However, once a patent application gets published (not approved), the application goes public and the inventor receives provisional protection.

  • In the early days, patent applications took a long time to be approved. For example, it takes 38 years for Lemelson to be granted the patent (from 1954 to 1992). Hyatt takes 21 years to get its patent (from 1969 to 1990).
  • The 18-month publication aims to address non-published pending patent applications, or the so-called “Submarine Patents” as the Lemelson and Hyatt cases demonstrate. It makes patent applications public and grants provisional protection.


Search for Patents

Patents are public information; everyone can search for patents online.

Examples of patents:

Patent Ownership

The ownership of a patent can be complicated as it can be shared with multiple parties, internal or external.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.

為了提高運營透明度並實現法律法規的合規性,貴公司正在實施信息治理計畫(Information Governance Program)。 盤點資產後,您正在考慮資產分類和保護。 作為指導委員會的成員,以下哪一項是不適當的處置?
A. 食譜是商業秘密,應由管理層進行分類。
B. 專利作為機密內容,應由數據所有者(data owner)分類。
C. 個人數據是私人信息,可以由數據處理器(data processor)匿名化。
D. 法律證據和電子發現(e-discovery)必須由合格的人員處理。

1 thought on “CISSP PRACTICE QUESTIONS – 20200830

  1. Pingback: What is a Patent? - Wentz Wu

Leave a Reply