Effective CISSP Questions

You intend to monitor, detect, and prevent unknown malicious traffic on your network. Which of the following is the best solution?
A. An appliance that authenticates devices to grant network access
B. A host that examines and filters network packets between zones
C. A device that imitates a legitimate server and behaves like “baiting” a suspect
D. A node that blocks traffic by comparing a sample of traffic against a known baseline


Effective CISSP Questions

You found out that your organization engages in fraud and violates laws and regulations. Which of the following is the best way for you to report the fraud?
A. Act based on the roles and responsibilities of the whistleblowing program policy
B. Refer to the program plan of corporate compliance and ethics
C. Look up the employee manual
D. Report to the regulatory authority


Effective CISSP Questions

Identifying, analyzing, and prioritizing business continuity requirements is crucial to initiating the business continuity management (BCM) program. Which of the following should be conducted first?
A. Determining the scope of the BCM program
B. Understanding the organization and its context
C. Understanding the needs and expectations of stakeholders
D. Developing project plans


Establishing Policy Framework as Due Diligence

John Smith posted an interesting question about the policy framework and due diligence today, as follows:

Due diligence, generally speaking, is a cautious investigation that informs decision-making or a course of proactive and preemptive actions. Due care is the reasonable care a prudent person uses to implement the decision, exercise one's duties, or conduct any activity; negligence, that is, failing to exercise due care, may lead to litigation.

Due diligence can be explicitly measured against a standard, while due care is implicit and is judged by the courts.

Standard of Due Diligence

The definition of due diligence varies across contexts and industries. There should be a "standard of due diligence" for each context against which to measure whether due diligence has been fulfilled. For example, a lawyer is subject to legal due diligence. Kayode Omosehin, Esq. has a good explanation of this topic.

However, when it comes to information security, what is the standard of "security due diligence," and who is subject to that standard? The CISSP CBK 4th edition proposes a list of tasks, shown in the following diagram:

Policy Framework

Management is typically in charge of creating policies, standards, and procedures (the policy framework). IMO, setting up the policy framework is management's due diligence, as policies express management's intent, and the fact that policies entail informed decisions is proactive in nature.


Effective CISSP Questions

Which of the following best aligns with Zero Trust concepts?
A. Group resources into smaller segments protected by a segmentation gateway
B. Issue a security policy to prohibit connections from public places, e.g., cafeteria
C. Revise the contract to require vendors and contractors to work on-site 
D. Allow remote workers to connect to corporate networks by VPN only

What is Zero Trust?

Zero Trust is a cybersecurity paradigm for fine-grained, dynamic, and data-centric access control that supports visibility.
(Access control mediates the use of resources through authentication, authorization, and accounting, based on the principles of need-to-know and least privilege.)
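To make the definition above concrete, here is an added example of a Zero Trust policy decision point in Python. It is not code from the original post; the subjects, resources, labels and grants are constructed for illustration. Every request is evaluated from scratch: the caller is authenticated, device posture is checked as dynamic context, access is authorized against the data's classification (need-to-know) and the caller's explicitly granted actions (least privilege), and every decision is recorded for accounting and visibility. The network the request arrives from is logged but never used to grant trust.

```python
"""Per-request Zero Trust access decision (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed identity store: the data labels each subject is cleared for
# (need-to-know) and the exact actions granted per resource (least privilege).
SUBJECTS = {
    "alice": {"labels": {"internal", "confidential"},
              "grants": {"payroll-db": {"read"}, "wiki": {"read", "write"}}},
    "bob":   {"labels": {"internal"},
              "grants": {"wiki": {"read"}}},
}

# Constructed resource inventory: the classification of the data behind a
# resource drives the policy (data-centric); sensitive resources also demand
# MFA and a managed, healthy device.
RESOURCES = {
    "payroll-db": {"label": "confidential", "mfa_required": True,
                   "managed_device_required": True},
    "wiki":       {"label": "internal", "mfa_required": False,
                   "managed_device_required": False},
}


@dataclass
class Request:
    subject: str
    authenticated: bool   # did this request carry a valid, fresh credential?
    mfa_passed: bool      # step-up result for this session
    device_managed: bool  # posture signals reported by the endpoint agent
    device_healthy: bool
    resource: str
    action: str
    source: str           # "corp-lan" or "internet": logged, never trusted


AUDIT_LOG: list = []      # accounting: one record per decision, allow or deny


def decide(req: Request):
    """Evaluate one request from scratch and return (allowed, reason)."""

    def record(allowed, reason):
        AUDIT_LOG.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "subject": req.subject, "resource": req.resource,
            "action": req.action, "source": req.source,
            "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    subj = SUBJECTS.get(req.subject)
    res = RESOURCES.get(req.resource)
    if subj is None or res is None:
        return record(False, "unknown subject or resource")

    # 1. Authentication: a valid credential, plus MFA where the resource demands it.
    if not req.authenticated or (res["mfa_required"] and not req.mfa_passed):
        return record(False, "authentication failed")

    # 2. Dynamic context: device posture, re-checked on every request.
    if res["managed_device_required"] and not (req.device_managed and req.device_healthy):
        return record(False, "device posture insufficient for " + res["label"])

    # 3. Need-to-know: the subject must be cleared for the data's label.
    if res["label"] not in subj["labels"]:
        return record(False, "no need-to-know for " + res["label"])

    # 4. Least privilege: only the explicitly granted action on this resource.
    if req.action not in subj["grants"].get(req.resource, set()):
        return record(False, "action not granted")

    return record(True, "allowed")


def denials():
    """Visibility: the denied decisions, for security operations to review."""
    return [e for e in AUDIT_LOG if not e["allowed"]]


if __name__ == "__main__":
    # Same subject and resource, only the context differs: location is irrelevant,
    # an unmanaged device on the corporate LAN is still refused.
    for src, managed in (("corp-lan", True), ("internet", True), ("corp-lan", False)):
        r = Request("alice", True, True, managed, True, "payroll-db", "read", src)
        print(src, "managed=%s" % managed, decide(r))
    print(len(denials()), "denial(s) logged")
```

Note that a perimeter firewall would have allowed the third request (it comes from the corporate LAN); the Zero Trust decision point refuses it because the device posture, not the network location, is what the policy evaluates.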

Zero Trust Cybersecurity Paradigm

The following diagram summarizes my study of Zero Trust, which synthesizes various sources, such as the Jericho Forum, DoD GIG/Black Core, Forrester's Zero Trust Network, Google's BeyondCorp, CSA's SDP, and NIST SP 800-207.
