ISC2 Certification Exam Outlines

  1. CISSP Exam Outline (Effective Date: April 2018)
  2. CISSP Exam Outline (Effective Date: May 1, 2021)
  3. CISSP-ISSAP Exam Outline (Effective Date: October 14, 2020)
  4. CISSP-ISSEP Exam Outline (Effective Date: November 13, 2020)
  5. CISSP-ISSMP Exam Outline (Effective Date: May 2018)
  6. CCSP Exam Outline (Effective Date: August 1, 2019)
  7. CSSLP Exam Outline (Effective Date: September 15, 2020)
  8. HCISPP Exam Outline (Effective Date: September 1, 2019)
  9. CAP Exam Outline (Effective Date: August 15, 2021)
  10. SSCP Exam Outline (Effective Date: November 2018)

CISSP PRACTICE QUESTIONS – 20210117

Effective CISSP Questions

As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following actions should be taken first?
A. Select controls
B. Categorize the system
C. Assess risk to the system
D. Determine the impact of data


Information Security Assessment

Security Assessment Overview

An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person, known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this: testing, examination, and interviewing.

  • Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors.
  • Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence.
  • Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence.

Assessment results are used to support the determination of security control effectiveness over time.

Source: NIST SP 800-115

Welcome to join the Chinese-language Facebook group 追求高效能的CISSP (Pursuing the Effective CISSP)!

追求高效能的CISSP (Pursuing the Effective CISSP)!

The CISSP is not a golden certification; it is only a stepping stone into the information security profession. Establishing this baseline professional requirement is the main purpose of founding this group.

Basic Information Security Literacy

Since the Effective CISSP English-language group was founded in August 2019, its membership has grown to about 4,200 in a year and a half. However, its content is mainly in English, and the participation of friends in Taiwan in English-language groups or forums is still quite limited. Through the Chinese-language group 追求高效能的CISSP, I hope to raise the attention Taiwan's information security professionals pay to the CISSP certification. I also hope that by promoting the CISSP certification, we can set a new benchmark for the basic information security literacy that Taiwan's industry expects!

Taiwan needs at least 1,500 CISSPs!

I look forward to the near future in which every person in Taiwan who makes information security their profession holds the CISSP as a baseline certification!

To learn and to review what one has learned from time to time, is that not a pleasure? I wish everyone success on the exam!


CISSP PRACTICE QUESTIONS – 20210116

Effective CISSP Questions

As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the scope of security controls. Which of the following is the best source to inform the scoping decision?
A. The assessment of risk to the system
B. The result of business impact analysis (BIA)
C. The design of the security architecture
D. The detailed plan for certification and accreditation


Code of Federal Regulations (CFR)

CFR Outline Structure

Code of Federal Regulations (CFR)

The Code of Federal Regulations (CFR) is the codification of the general and permanent rules and regulations (sometimes called administrative law) published in the Federal Register by the executive departments and agencies of the federal government of the United States. The CFR is divided into 50 titles that represent broad areas subject to federal regulation.

The CFR annual edition is the codification of the general and permanent rules published by the Office of the Federal Register (part of the National Archives and Records Administration) and the Government Publishing Office. In addition to this annual edition, the CFR is published in an unofficial format online on the Electronic CFR website, which is updated daily.

Source: Wikipedia

  • Title 3 – The President
    • Chapter
      • Part
        • Section
  • Title 34 – Education
    • Subtitle
      • Part
        • Section
  • Title 42 – Public Health
    • Chapter
      • Subchapter
        • Part
          • Subpart
            • Section

Federal Register

The Federal Register (FR or sometimes Fed. Reg.) is the official journal of the federal government of the United States that contains government agency rules, proposed rules, and public notices. It is published every weekday, except on federal holidays.

The final rules promulgated by a federal agency and published in the Federal Register are ultimately reorganized by topic or subject matter and codified in the Code of Federal Regulations (CFR), which is updated annually.

The Federal Register is compiled by the Office of the Federal Register (within the National Archives and Records Administration) and is printed by the Government Publishing Office. There are no copyright restrictions on the Federal Register; as a work of the U.S. government, it is in the public domain.

Source: Wikipedia

Executive Order 12356

Source: The provisions of Executive Order 12356 of Apr. 2, 1982, appear at 47 FR 14874 and 15557, 3 CFR, 1982 Comp., p. 166, unless otherwise noted.

  • (a) National security information (hereinafter “classified information”) shall be classified at one of the following three levels:
    • (1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
    • (2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
    • (3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
  • (b) Except as otherwise provided by statute, no other terms shall be used to identify classified information.
  • (c) If there is reasonable doubt about the need to classify information, it shall be safeguarded as if it were classified pending a determination by an original classification authority, who shall make this determination within thirty (30) days. If there is reasonable doubt about the appropriate level of classification, it shall be safeguarded at the higher level of classification pending a determination by an original classification authority, who shall make this determination within thirty (30) days.


Core Cybersecurity Concepts You Need to Succeed in CISSP and CISM

To Succeed in 2021!

I want to share my success story by presenting my accomplishment in the certification exams and introducing my books to help you succeed in 2021!

After working in the IT industry for 26 years and engaging in various business areas, I effectively and efficiently passed several major cybersecurity exams. I passed the CISSP exam in 53 days and other ISC2 certification exams in less than two weeks, as the following diagram shows.

Days Spent in My Exam Preparation

Core Cybersecurity Concepts

In addition to work experience and security certifications, I am also certified in various areas:

– EMBA/CBAP/PMP/ACP/PBA/RMP
– CGEIT/CISM/CRISC/CISA
– CISSP-ISSMP, CISSP-ISSEP, CISSP-ISSAP/CCSP/CSSLP
– CEH/ECSA/AWS-CSAA/MCSD/MCSE/MCDBA
– Scrum: PSM Level I/PSPO Level I/PSD Level I
– ISO 27001 LA/ISO 27701 LA courses completed

So, I am well placed to organize the core cybersecurity concepts from multiple disciplines, such as business administration, information technology, information security, risk management, systems and software engineering, requirements engineering, project management, agile, cloud computing, ISO standards, NIST guidelines, and so on.

Study Guide

My first book introduces those core cybersecurity concepts that:

  1. contribute to both the CISSP and CISM exams and
  2. apply to the new CISSP exam outline, effective on May 1st, 2021.

Practice Questions

My second book is a compilation of the CISSP question of the day or QOTD (aka Wentz QOTD). While they are available for free on my blog, this book organizes QOTDs into categories, which helps you learn more efficiently.

Purchase My Books on Amazon

You can get my books on Amazon through the following links:

#1 The Effective CISSP: Security and Risk Management

#2 The Effective CISSP: Practice Questions

I hope you enjoy the journey to success in 2021 and look forward to your good news!

CISSP PRACTICE QUESTIONS – 20210115

Effective CISSP Questions

As the customer relationship management (CRM) system owner, you collaborate with data owners and other stakeholders to determine the compensating security control for replacing a baseline control. Which of the following best describes the process you are conducting?
A. Validation
B. Verification
C. Tailoring
D. Scoping


The CCP – Anti-humanism

Beliefs and values dominate behavior. What do we believe in and cherish? That is the question.

What are the beliefs and values behind the CCP? I’m afraid what comes to your mind is an economic boom built on dictatorship, censorship, and corruption.

Traditional China is gone. Has it been destroyed and replaced by the CCP? Those pro-China activists in Taiwan should think twice about this question.

Taiwan is a new paradise. I believe it will take the lead to let the world know the real color of the CCP – anti-humanism.

CISSP PRACTICE QUESTIONS – 20210114

Effective CISSP Questions

According to Martin Fowler, a maturity model is a tool that helps people assess the current effectiveness of a person or group and supports figuring out what capabilities they need to acquire next in order to improve their performance. Which of the following is an open-source maturity model to help organizations assess, formulate, and implement a software security strategy that can be integrated into their existing Software Development Lifecycle (SDLC)?
A. Software Assurance Maturity Model (SAMM)
B. Capability Maturity Model Integration (CMMI)
C. Cybersecurity Maturity Model Certification (CMMC)
D. Systems Security Engineering Capability Maturity Model (SSE-CMM)
