CISSP PRACTICE QUESTIONS – 20210214

Effective CISSP Questions

As the head of research and development, you are classifying assets based on the corporate asset classification guideline. Which of the following is least likely to happen?
A. Identify the original purchase cost
B. Evaluate the impact of data compromises
C. Establish the classification scheme in terms of business value
D. Determine the security level to support mandatory access control

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Establish the classification scheme in terms of business value.

The classification scheme is applied organization-wide, so it is inappropriate for the R&D head to define one. Moreover, the fact that an asset classification guideline has already been released implies that the classification scheme has been established as an organizational standard.

  • There are many types of assets; data is just one of them. An asset purchased at a cost of one million dollars is evidently more valuable than a two-thousand-dollar one and warrants more protection measures.
  • An asset whose compromise may cause a loss of one million dollars requires more security controls than one whose compromise may cause a two-thousand-dollar loss.
  • Mandatory access control (MAC) is commonly implemented in government departments, and some private businesses implement it as well. In Windows Vista and later versions, Microsoft provides Mandatory Integrity Control (MIC), an implementation of MAC that enforces integrity, in which all subjects and objects are given MIC labels, as the following image shows.
Mandatory Integrity Control in Windows 10 (Credit: The Windows Club)

“Asset classification is the process of a systematic arrangement of assets by assigning an asset to a named class (group, category, tier, or level) based on criteria such as legal or regulatory requirements, sensitivity, criticality, impact, or business value to determine its protection requirements. A classification scheme refers to the named classes, criteria, and procedures used for classification.” (Wentz Wu, The Effective CISSP: Security and Risk Management) Executive Order 12356 is a good example of a classification scheme in terms of confidentiality.

Executive Order 12356

Section 1.1 Classification Levels.
(a) National security information (hereinafter “classified information”) shall be classified at one of the following three levels:
(1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
(2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
(3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
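As an added illustration (not from the original post or the book), the scheme above modelled in Python: the named classes and the EO 12356 damage criteria, a security label, and the dominance checks that a confidentiality MAC (option D) and Windows MIC enforce once a level has been assigned. The UNCLASSIFIED floor, the need-to-know compartments and the integer integrity levels are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Named classes of the scheme; a higher value dominates a lower one.
    The top three follow EO 12356 Section 1.1; UNCLASSIFIED is an assumed floor."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Criteria of the scheme: expected damage from unauthorized disclosure -> named class.
DAMAGE_CRITERIA = {
    "no damage": Level.UNCLASSIFIED,
    "damage": Level.CONFIDENTIAL,
    "serious damage": Level.SECRET,
    "exceptionally grave damage": Level.TOP_SECRET,
}

def classify(expected_damage: str) -> Level:
    """Apply the scheme's criteria to one asset. An impact the scheme does not
    name is an error, not a guess: the classifier goes back to the guideline."""
    key = " ".join(expected_damage.lower().split())
    if key not in DAMAGE_CRITERIA:
        raise ValueError(f"impact not covered by the scheme: {expected_damage!r}")
    return DAMAGE_CRITERIA[key]

@dataclass(frozen=True)
class Label:
    """Security label: classification level plus (assumed) need-to-know compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND a superset of the compartments.
        return self.level >= other.level and other.compartments <= self.compartments

def mac_read_allowed(subject: Label, obj: Label) -> bool:
    """Confidentiality MAC (Bell-LaPadula simple security property): no read up."""
    return subject.dominates(obj)

def mac_write_allowed(subject: Label, obj: Label) -> bool:
    """Confidentiality MAC (Bell-LaPadula *-property): no write down."""
    return obj.dominates(subject)

def mic_write_allowed(subject_integrity: int, object_integrity: int) -> bool:
    """Integrity MAC as in Windows MIC (Low < Medium < High < System, assumed 1..4):
    a subject may not modify an object that carries a higher integrity label."""
    return subject_integrity >= object_integrity
```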

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

As the head of the R&D department, you are classifying assets according to the company's asset classification guideline. Which of the following is least likely to happen?
A. Determine the original purchase cost
B. Evaluate the impact of data breaches
C. Establish a classification scheme based on business value
D. Determine the security level to support mandatory access control (MAC)
