Effective CISSP Questions

You are developing a contingency plan for an information system and considering system availability and product life and support. Which of the following is true?
A. Hard drives should be evaluated in terms of mean time to repair (MTTR).
B. A product is not available on the market if it is at the end of support.
C. Product support is not available after the product is announced end-of-life.
D. Implementing a redundant site to meet the recovery time objective (RTO) is mandatory.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. A product is not available on the market if it is at the end of support.

The definitions of end-of-life (EOL) and end-of-support (EOS) can vary across vendors. Product support may or may not be available after the product is announced end-of-life. It depends on how the vendor’s EOL policy defines them. However, it’s common that a product is not available on the market if it is at the end of support.

End-Of-Life (EOL) and Due Diligence

A security professional should exercise due diligence to review a vendor’s EOL policy, which typically defines the product life cycle and terminologies. EOL and End-of-Support (EOS) can be defined inconsistently. Some may treat EOS as a phase of the product life cycle (e.g., Wikipedia), while others may refer to EOL as end-of-sales (e.g., HP).

According to Wikipedia, if a product is declared as EOL, it’s typically not available on the market. However, the vendor may keep providing support to current customers, e.g., spare parts, patches, or services.

“End-of-life” (“EOL”) is a term used with respect to a product supplied to customers, indicating that the product is in the end of its useful life (from the vendor’s point of view), and a vendor stops marketing, selling, or rework sustaining it. (The vendor may simply intend to limit or end support for the product.) In the specific case of product sales, a vendor may employ the more specific term “end-of-sale” (“EOS”).

Source: Wikipedia

MTTF and Preventive Maintenance

Malfunctioning hard drives are typically replaced with new ones, so MTTF is a more suitable metric for preventive maintenance.

Mean Time To Repair (MTTR)

  • Mean time to repair (MTTR) is a basic measure of the maintainability of repairable items.
  • It represents the average time required to repair a failed component or device.

Source: Wikipedia

Mean Time Between Failures (MTBF)

  • Mean time between failures (MTBF) is the predicted elapsed time between inherent failures of a mechanical or electronic system, during normal system operation.
  • The term is used for repairable systems, while mean time to failure (MTTF) denotes the expected time to failure for a non-repairable system.

Source: Wikipedia
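The distinction between these metrics can be worked through in code. The following is an added example, not part of the original post: all drive and outage records are constructed, the MTTF estimate assumes a constant failure rate (total service hours divided by observed failures, counting drives that are still running), and the availability formula MTBF / (MTBF + MTTR) is the standard steady-state one rather than something the post states.

```python
from datetime import datetime

# Constructed sample data (assumption, not from the original post).
# Drives are replaced on failure, so each record is (hours_in_service, failed?).
# Drives still running are right-censored: they add hours but no failure.
DRIVES = [(12000, True), (30000, True), (18000, True), (40000, False), (20000, False)]

# A repairable system: (outage_start, service_restored) pairs in an observation window.
FMT = "%Y-%m-%d %H:%M"
WINDOW = ("2024-01-01 00:00", "2024-01-31 00:00")
OUTAGES = [
    ("2024-01-05 00:00", "2024-01-05 04:00"),
    ("2024-01-15 12:00", "2024-01-15 14:00"),
    ("2024-01-25 06:00", "2024-01-25 12:00"),
]


def _hours(start, end):
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return delta.total_seconds() / 3600


def mttf_hours(drives):
    """MTTF for non-repairable items: total service hours / number of failures."""
    failures = sum(1 for _, failed in drives if failed)
    if failures == 0:
        raise ValueError("no failures observed; MTTF cannot be estimated")
    return sum(hours for hours, _ in drives) / failures


def repairable_metrics(window, outages):
    """Return (MTBF, MTTR, availability) for a repairable system."""
    if not outages:
        raise ValueError("no outages observed")
    total = _hours(*window)
    down = sum(_hours(start, end) for start, end in outages)
    mtbf = (total - down) / len(outages)  # mean uptime per failure
    mttr = down / len(outages)            # mean time to restore service
    return mtbf, mttr, mtbf / (mtbf + mttr)


if __name__ == "__main__":
    print(f"Drive MTTF: {mttf_hours(DRIVES):.0f} h")
    mtbf, mttr, avail = repairable_metrics(WINDOW, OUTAGES)
    print(f"MTBF: {mtbf:.0f} h, MTTR: {mttr:.0f} h, availability: {avail:.4f}")
```

The drive fleet has no repair interval to measure, which is why MTTF drives the replacement schedule, while MTTR only appears for the repairable system.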

Redundant Site

Not every information system is so critical that a redundant site is required. For example, an information system categorized with a low-availability security objective does not require an alternate storage site or an alternate processing site (CP-6 and CP-7, respectively) per FIPS 199 and NIST SP 800-53.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.


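You are developing a contingency plan for an information system and considering system availability, product life, and support. Which of the following is true?
A. Hard drives should be evaluated by mean time to repair (MTTR).
B. A product cannot be bought on the market once its support has ended.
C. Product support is unavailable once the product is announced end-of-life.
D. Implementing a redundant site to meet the recovery time objective (RTO) is a mandatory requirement.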

