CISSP PRACTICE QUESTIONS – 20210131

Effective CISSP Questions

Your organization hired an external security team to conduct penetration testing to assess the security and privacy controls in organizational information systems. Which of the following is your organization least concerned about in terms of the penetration test?
A. Thoroughly document all activities performed during the test.
B. Produce results indicating the risk exposure for exploited and validated vulnerabilities.
C. Validate existing security and privacy controls.
D. Provide actionable results with information about possible remediation measures.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Produce results indicating the risk exposure for exploited and validated vulnerabilities.

Organizations typically conduct penetration testing to validate existing security and privacy controls and enhance their understanding of the system by uncovering vulnerabilities and exploiting them, thoroughly documenting all activities performed during the test, and providing actionable results with information about possible remediation measures. Please refer to Appendix E: Penetration Testing in NIST SP 800-53A for detail.

What is Risk?

Uncertainty: Likelihood Analysis

Likelihood analysis is required and crucial in a penetration test. According to NIST SP 800-53A, an effective penetration test produces results indicating the likelihood of a compromise by an attacker as the indicator of the system’s penetration resistance, based on the team’s level of effort in penetrating the system.

Effect: Impact Analysis

Business impact analysis is not mandatory in a penetration test and may even be infeasible for the testers. Organizations are more interested in business value and business impact analysis, and it is difficult for an external security team, as an outsider, to analyze the business impact and evaluate the risk exposure. Even though the team can evaluate the risk exposure of exploited vulnerabilities in terms of technical impact, your organization has to evaluate the business impact by itself, so it neither expects nor is concerned that the external security team submit a report with estimated risk exposure.

Risk Exposure

Risk exposure is commonly defined as the product of the uncertainty and effect of risk, as an expected value or expected exposure.

  1. Potential loss presented to an individual, project, or organization by a risk. (ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management)
  2. Function of the likelihood that the risk will occur and the magnitude of the consequences of its occurrence. (ISO/IEC 16085:2006 Systems and software engineering — Life cycle processes — Risk management)
  3. Product of probability times potential loss for a risk factor. (ISO/IEC/IEEE 24765:2017 Systems and software engineering — Vocabulary)
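The division of labour argued above, as an added example that is not part of the original post: the tester supplies a likelihood derived from the level of effort needed to exploit each finding, the organization alone supplies the loss magnitude per asset, and risk exposure is their product. The effort-to-likelihood scale, the findings and the loss figures are all constructed for illustration.

```python
"""Added example (not from the original post): combining a penetration
tester's likelihood estimate with the organization's own business-impact
figures to obtain risk exposure as an expected loss."""

# Constructed mapping from the tester's level of effort to a likelihood of
# compromise. The values are illustrative, not taken from NIST SP 800-53A.
EFFORT_TO_LIKELIHOOD = {"low": 0.9, "moderate": 0.5, "high": 0.1}


def risk_exposure(finding, business_impact):
    """Return the expected loss for one finding, or None when the organization
    has not supplied a business impact for the affected asset (an external
    tester cannot estimate that figure from the outside)."""
    likelihood = EFFORT_TO_LIKELIHOOD[finding["effort"]]
    loss = business_impact.get(finding["asset"])
    if loss is None:
        return None
    return likelihood * loss


def exposure_report(findings, business_impact):
    """Compute exposure per finding and list findings still awaiting the
    organization's business-impact input."""
    computed, pending = {}, []
    for finding in findings:
        value = risk_exposure(finding, business_impact)
        if value is None:
            pending.append(finding["id"])
        else:
            computed[finding["id"]] = value
    return computed, pending


# Constructed sample findings: only the technical data a tester can provide.
FINDINGS = [
    {"id": "F-1", "asset": "customer-db", "effort": "low"},
    {"id": "F-2", "asset": "intranet-wiki", "effort": "high"},
    {"id": "F-3", "asset": "payment-gateway", "effort": "moderate"},
]
# Constructed loss figures supplied by the organization itself; note that
# no figure exists yet for "intranet-wiki".
BUSINESS_IMPACT = {"customer-db": 500_000, "payment-gateway": 2_000_000}

if __name__ == "__main__":
    print(exposure_report(FINDINGS, BUSINESS_IMPACT))
```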

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your organization hired an external security team to conduct penetration testing to assess the security and privacy controls in organizational information systems. In terms of the penetration test, which of the following is your organization least concerned about?
A. Thoroughly document all activities performed during the test.
B. Produce results indicating the risk exposure of exploited and validated vulnerabilities.
C. Validate existing security and privacy controls.
D. Provide actionable results, together with information about possible remediation measures.
