CISSP PRACTICE QUESTIONS – 20201209

Effective CISSP Questions

A computer processing top-secret data is an air-gapped one that is disconnected and isolated from networks to avoid attacks. Which of the following is the least effective physical control in terms of the control objectives?
A. Faraday cage
B. White noise
C. Access control policy
D. Security guards

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Security guards.

Early Faraday cage, Germany 1931. Via Getty Images.
Early Faraday cage, Germany 1931. Via Getty Images.

control objective is a “statement describing what is to be achieved as a result of implementing controls.” (ISO 27000:2018) Control objectives direct the planning, implementation, and evaluation of security controls. They provide specific targets for auditors to evaluate the effectiveness of security controls. 

This question doesn’t explicitly present the control objective but implicitly suggests the air-gapped computer is subject to the emission of electromagnetic radiation. As a result, this question assumes the control objective is to prevent electromagnetic radiation from emission.

  • “Security guard” is physical control, but it is ineffective in terms of electromagnetic radiation.
  • Faraday cage and white noise are ideal physical controls to achieve the control objectives.
  • Access control policy, in the world of CISSP, is administrative control.

* White noise – broadcasting false traffic at all times to mask and hide the presence of real emanations.
* Faraday cage – a box, mobile room, or entire building designed with an external metal skin, often a wire mesh that fully surrounds an area on all sides (in other words, front, back, left, right, top, and bottom). This metal skin acts as an EMI absorbing capacitor
* Control zone – the implementation of either a Faraday cage or white noise generation or both to protect a specific area in an environment

Source: Sunflower

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

處理最高機密數據的計算機已斷開連接並與網絡隔離,以避免受到攻擊。 就控制目標(control objectives)而言,以下哪項是最無效的物理控制?
A. 法拉第籠 (Faraday cage)
B. 白噪音 (White noise)
C. 訪問控制政策
D. 警衛

 

2 thoughts on “CISSP PRACTICE QUESTIONS – 20201209

  1. Hello Wentz wu, I have a question. The control objective is to ensure that no data in the server is exposed or stolen. In the above scenario data can be exposed through EMI as well the server could be stolen.
    Based on defense in depth/layered design we normally start with physical controls.

    As there is no mention about access controls, locks then having guard is first consideration and then consider EMI radiation reduction through faraday cage and then noise generator.

    • Yes, you’re right. If you can set your own control objective and select appropriate controls to mitigate the risk, then you have the right answer. This question implicitly focuses on the air-gapped computer and its EMR. My justification is based on this assumption. If you understand the concept of control objective, just feel free to skip my suggested answer:)

Leave a Reply