- CISSP Exam Outline (Effective Date: April 2018)
- CISSP Exam Outline (Effective Date: May 1, 2021)
- CISSP-ISSAP Exam Outline (Effective Date: October 14, 2020)
- CISSP-ISSEP Exam Outline (Effective Date: November 13, 2020)
- CISSP-ISSMP Exam Outline (Effective Date: May 2018)
- CCSP Exam Outline (Effective Date: August 1, 2019)
- CSSLP Exam Outline (Effective Date: September 15, 2020)
- HCISPP Exam Outline (Effective Date: September 1, 2019)
- CAP Exam Outline (Effective Date: August 15, 2021)
- SSCP Exam Outline (Effective Date: November 2018)
As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following actions should be taken first?
A. Select controls
B. Categorize the system
C. Assess risk to the system
D. Determine the impact of data
An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person—known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this—testing, examination, and interviewing.
- Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
- Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
- Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.
Assessment results are used to support the determination of security control effectiveness over time.
Source: NIST SP 800-115
As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following is the best source to inform the scoping decision?
A. The assessment of risk to the system
B. The result of business impact analysis (BIA)
C. The design of the security architecture
D. The detailed plan for certification and accreditation
Code of Federal Regulations (CFR)
The Code of Federal Regulations (CFR) is the codification of the general and permanent rules and regulations (sometimes called administrative law) published in the Federal Register by the executive departments and agencies of the federal government of the United States. The CFR is divided into 50 titles that represent broad areas subject to federal regulation.
The CFR annual edition is the codification of the general and permanent rules published by the Office of the Federal Register (part of the National Archives and Records Administration) and the Government Publishing Office. In addition to this annual edition, the CFR is published in an unofficial format online on the Electronic CFR website, which is updated daily.
- Title 3 – The President
- Title 34 – Education
- Title 42 – Public Health
The Federal Register (FR or sometimes Fed. Reg.) is the official journal of the federal government of the United States that contains government agency rules, proposed rules, and public notices. It is published every weekday, except on federal holidays.
The final rules promulgated by a federal agency and published in the Federal Register are ultimately reorganized by topic or subject matter and codified in the Code of Federal Regulations (CFR), which is updated annually.
The Federal Register is compiled by the Office of the Federal Register (within the National Archives and Records Administration) and is printed by the Government Publishing Office. There are no copyright restrictions on the Federal Register; as a work of the U.S. government, it is in the public domain.
Executive Order 12356
Source: The provisions of Executive Order 12356 of Apr. 2, 1982, appear at 47 FR 14874 and 15557, 3 CFR, 1982 Comp., p. 166, unless otherwise noted.
- (a) National security information (hereinafter “classified information”) shall be classified at one of the following three levels:
- (1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
- (2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
- (3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
- (b) Except as otherwise provided by statute, no other terms shall be used to identify classified information.
- (c) If there is reasonable doubt about the need to classify information, it shall be safeguarded as if it were classified pending a determination by an original classification authority, who shall make this determination within thirty (30) days. If there is reasonable doubt about the appropriate level of classification, it shall be safeguarded at the higher level of classification pending a determination by an original classification authority, who shall make this determination within thirty (30) days.
- Executive Order 12356
- CFR: Table Of Contents
- Section sign (§)
- General Writing Resources
- 852.102 Incorporating provisions and clauses.
- Difference between a provision, clause, condition and term?
- What is the difference between clause and provision?
- What is the difference between clause and provision? (WikiDiff)
- [Word distinction] provision and clause
To Succeed in 2021!
I want to share my success story by presenting my accomplishment in the certification exams and introducing my books to help you succeed in 2021!
After working in the IT industry for 26 years and engaging in various business areas, I effectively and efficiently passed several major cybersecurity exams. I passed the CISSP exam in 53 days and other ISC2 certification exams in less than two weeks, as the following diagram shows.
Core Cybersecurity Concepts
In addition to work experience and security certifications, I am also certified in various areas:
- SCRUM: PSM Level I/PSPO Level I/PSD Level I
- ISO 27001 LA/ISO 27701 LA Courses Completed
So, it’s an advantage for me to organize the core cybersecurity concepts from multiple disciplines, such as business administration, information technologies, information security, risk management, systems and software engineering, requirement engineering, project management, agile, cloud computing, ISO standards, NIST guidelines, etc.
My first book introduces those core cybersecurity concepts that:
- contribute to both the CISSP and CISM exams and
- apply to the new CISSP exam outline, effective on May 1st, 2021.
My second book is a compilation of the CISSP question of the day or QOTD (aka Wentz QOTD). While they are available for free on my blog, this book organizes QOTDs into categories, which helps you learn more efficiently.
Purchase My Books on Amazon
You can get my books on Amazon through the following links:
#1 The Effective CISSP: Security and Risk Management
#2 The Effective CISSP:
I hope you enjoy the journey to success in 2021 and look forward to your good news!
As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the compensating security control for replacing a baseline control. Which of the following best describes the process you are conducting?
Belief and value dominate behavior. What do we believe in and cherish? That is the question.
What’s the belief and value behind the CCP? I’m afraid what comes to your mind is an economic boom through dictatorship, censorship, and corruption.
Traditional China is gone. Has it been destroyed and replaced by the CCP? Those pro-China activists in Taiwan should think twice about this question.
Taiwan is a new paradise. I believe it will take the lead to let the world know the real color of the CCP – anti-humanism.
According to Martin Fowler, a maturity model is a tool that helps people assess the current effectiveness of a person or group and supports figuring out what capabilities they need to acquire next in order to improve their performance. Which of the following is an open-source maturity model to help organizations assess, formulate, and implement a software security strategy that can be integrated into their existing Software Development Lifecycle (SDLC)?
A. Software Assurance Maturity Model (SAMM)
B. Capability Maturity Model Integration (CMMI)
C. Cybersecurity Maturity Model Certification (CMMC)
D. Systems Security Engineering Capability Maturity Model (SSE-CMM)