Effective CISSP Questions

You found out that your organization engages in fraud and violates laws and regulations. Which of the following is the best way for you to report the fraud?
A. Act based on the roles and responsibilities of the whistleblowing program policy
B. Refer to the program plan of corporate compliance and ethics
C. Look up the employee manual
D. Report to the regulatory authority

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Look up the employee manual.

Added on 2020/10/26:

I revised the question sentence from “Which of the following is the best way you should follow?” to “Which of the following is the best way for you to report the fraud?” to be more specific and highlight the reporting procedure.

We should follow organizational policies, but policies are not specific enough to spell out operational procedures. The roles and responsibilities section of a whistleblowing program policy may state who does what in implementing the policy; the actual reporting procedure or step-by-step instructions are typically not elaborated in that section.

The employee manual or handbook typically compiles or summarizes the organization’s policies and procedures. It is a good starting point for a whistleblower looking for the procedure, instructions, or contact information needed to report the fraud. Some whistleblowing policy documents do include such instructions or procedures, but they appear in a dedicated procedures section, not in the roles and responsibilities section of the policy.

Policy Types

A policy is a statement of management intent that documents objectives, rules, practices, or regulations, directs activities, and shapes the behavior of people.

  • A program policy is a high-level document created to direct and initiate an organization’s program.
  • Issue-specific policies are developed to address areas of current relevance and concern to an organization.

Information Security Program Policy

Program policy is used to create an organization’s information security program. Program policies set the strategic direction for security and assign resources for its implementation within the organization. A management official—typically the SISO—issues program policy to establish or restructure the organization’s information security program.

This high-level policy defines the purpose of the program and its scope within the organization, addresses compliance issues, and assigns responsibility to the information security organization for direct program implementation as well as other related responsibilities. 

Source: NIST SP 800-12 R1

Whistleblowing Program Policy

The whistleblowing program policy is a high-level document; its roles and responsibilities section typically does not address the detailed procedure for reporting wrongdoing.

Corporate Compliance and Ethics Program

The corporate compliance and ethics program may address whistleblowing as well. However, the purpose of the program plan is not to give whistleblowers a procedure for reporting potential fraud. The program plan is developed to implement the program and produce results: developing whistleblowing procedures can be one of the plan’s tasks, but reporting fraud is not.

Reporting Channels

Reporting to the regulatory authority is just one of the options. A whistleblower may report to an internal authority, a regulatory authority, law enforcement, and so on.

  • Not every company is subject to specific regulations or has an explicit regulatory authority that sets up hotlines to accept reporting.
  • According to Wikipedia, “over 83% of whistleblowers report internally to a supervisor, human resources, compliance or a neutral third party within the company, with the thought that the company will address and correct the issues.”



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Chinese version of the question (translated):

You discover that your organization engages in fraudulent conduct and violates laws and regulations. Which of the following is the best approach for you to follow?
A. Act according to the roles and responsibilities of the whistleblowing program policy
B. Refer to the corporate compliance and ethics program plan
C. Look up the employee manual
D. Report to the regulatory authority
