CISSP PRACTICE QUESTIONS – 20201205

Effective CISSP Questions

After transforming stakeholder requirements into system requirements, you are selecting controls based upon system security requirements and allocating them to the security architecture. As a security architect, which of the following selection criteria is least likely used to select controls?
A. The attack surface
B. The result of risk assessment
C. The impact level of the system
D. The exploitability of vulnerabilities

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. The exploitability of vulnerabilities.

The first step of the RMF is “Categorize System”, which determines the impact level of the system of interest. The second step is “Select Controls”, which is based on the impact level of the system.

The attack surface is the sum of attack vectors determined through threat modeling against the designs as part of the solution domain. Threat modeling is in essence one form of risk assessment in the context of software or system engineering.

Selecting controls is part of risk treatment, which follows risk assessment. A risk comprises three essential factors: uncertainty, impact, and objectives. The exploitability of vulnerabilities describes only the likelihood, or uncertainty, component of risk. On its own, it is not sufficient to support informed risk-based decisions. The impact of vulnerabilities should also be evaluated to determine risk exposure and prioritize risks.

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

After transforming stakeholder requirements into system requirements, you select security controls based on the system security requirements and allocate them to the security architecture. As a system security architect, which of the following criteria is least likely to be used to select security controls?
A. The attack surface
B. The result of risk assessment
C. The impact level of the system
D. The exploitability of vulnerabilities

