Effective CISSP Questions

A divestiture (or divestment) is the disposal of a company’s assets or a business unit through a sale, exchange, closure, or bankruptcy; it is also a way to stay focused and remain profitable as companies grow and get involved in too many business lines. As a security professional, which of the following should you consider first to facilitate a divestiture?
A. Assets in scope
B. Business disruption
C. Leaks of intellectual property
D. Data privacy non-compliance

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Assets in scope.

What is Risk?

As a security professional, you can start with any of the four options. However, it is more effective to consider assets in scope first, because business disruption, leaks of intellectual property, and data privacy non-compliance are effects or consequences of the assets in scope, and it is those assets that determine both the uncertainty and the effect.

Image Credit: NIST SP 800-30 R2

Analysis Approaches

Analysis approaches differ with respect to the orientation or starting point of the risk assessment, level of detail in the assessment, and how risks due to similar threat scenarios are treated. An analysis approach can be: (i) threat-oriented; (ii) asset/impact-oriented; or (iii) vulnerability-oriented.

A threat-oriented approach starts with the identification of threat sources and threat events, and focuses on the development of threat scenarios; vulnerabilities are identified in the context of threats, and for adversarial threats, impacts are identified based on adversary intent.

An asset/impact-oriented approach starts with the identification of impacts or consequences of concern and critical assets, possibly using the results of a mission or business impact analyses and identifying threat events that could lead to and/or threat sources that could seek those impacts or consequences.

A vulnerability-oriented approach starts with a set of predisposing conditions or exploitable weaknesses/deficiencies in organizational information systems or the environments in which the systems operate, and identifies threat events that could exercise those vulnerabilities together with possible consequences of vulnerabilities being exercised.

Source: NIST SP 800-30 R2
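To make the three starting points concrete, here is an added example (my own illustration, not code from this post or from NIST SP 800-30) that models a handful of constructed divestiture threat scenarios and walks the same set from each orientation. Every scenario, asset and vulnerability name below is invented for illustration; the point it shows is that the orientations differ only in where the walk begins, and that the consequences in options B, C and D exist only for assets that are in scope.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario: a source causes an event that exercises a
    vulnerability in an asset and produces an impact."""
    threat_source: str
    threat_event: str
    vulnerability: str
    asset: str
    impact: str


# Constructed sample scenarios for a hypothetical divestiture (not real data).
SCENARIOS = [
    Scenario("departing employee", "exfiltrates design documents",
             "no DLP on file shares", "product design repository",
             "leak of intellectual property"),
    Scenario("transition-team mistake",
             "transfers customer records outside contract scope",
             "no data classification on exported tables", "customer database",
             "data privacy non-compliance"),
    Scenario("migration cut-over", "shared ERP instance split without testing",
             "single ERP tenant shared by both units", "ERP system",
             "business disruption"),
    Scenario("departing employee", "retains VPN credentials",
             "no leaver process for divested staff", "VPN gateway",
             "business disruption"),
]


def threat_oriented(scenarios, threat_source):
    """Threat-oriented: start from a threat source and develop the threat
    events it could cause; vulnerabilities and impacts come afterwards."""
    return sorted({s.threat_event for s in scenarios
                   if s.threat_source == threat_source})


def asset_oriented(scenarios, assets_in_scope):
    """Asset/impact-oriented: start from the assets in scope (option A) and
    map each to the impacts (options B, C, D) it could produce."""
    scope = set(assets_in_scope)
    found = {}
    for s in scenarios:
        if s.asset in scope:
            found.setdefault(s.asset, set()).add(s.impact)
    return {asset: sorted(impacts) for asset, impacts in found.items()}


def impacts_for_scope(scenarios, assets_in_scope):
    """Consequences that exist only because an asset is in scope: an empty
    or unrelated scope leaves nothing for the other options to describe."""
    scope = set(assets_in_scope)
    return {s.impact for s in scenarios if s.asset in scope}


def vulnerability_oriented(scenarios, vulnerability):
    """Vulnerability-oriented: start from a weakness and list the events that
    could exercise it together with their consequences."""
    return sorted({(s.threat_event, s.impact) for s in scenarios
                   if s.vulnerability == vulnerability})


if __name__ == "__main__":
    # Same scenarios, three different starting points.
    print(threat_oriented(SCENARIOS, "departing employee"))
    print(asset_oriented(SCENARIOS, ["customer database", "ERP system"]))
    print(vulnerability_oriented(SCENARIOS, "no DLP on file shares"))
    # Nothing in scope, nothing to assess.
    print(impacts_for_scope(SCENARIOS, ["asset retained by the seller"]))
```

The asset-oriented walk is the one the suggested answer argues for: fixing the assets in scope first lets the impacts, and then the threat events and sources behind them, be derived rather than guessed.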

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

A. Assets in scope
B. Business disruption
C. Leaks of intellectual property
D. Data privacy non-compliance
