Effective CISSP Questions

Your company charted a committee to evaluate an initiative to construct a data center in Taiwan located in the circum-Pacific seismic belt or ring of fire and subject to earthquakes. It will operate as a region of the global infrastructure for cloud services. The committee approved the investment despite the concern of frequent earthquakes. Which of the following is the best justification for the decision?
A. The reliability of the data center is assured.
B. The residual risk is higher than the risk appetite of the board.
C. The data center can be recovered within the recovery point objective.
D. The recovery time objective is less than the maximum tolerable downtime (MTD).

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. The reliability of the data center is assured.

What is Risk?
What is Risk?

Option B provides the best perspective, but the correct version should be “The residual risk is LOWER than the risk appetite of the board.”

The risk-based decision should be exercised in the evaluation process of the investment. Earthquakes may happen frequently and result in power and communication interruption, building destruction, business disruption, loss of property and human life, etc.

  • “The reliability of the data center is assured” implies some risk treatment is considered and evaluated so that the data center is resistant to an acceptable level of earthquakes. It mitigates the risk, or to be more specific, reduces the likelihood of disaster.
  • The investment is feasible only if disaster recovery won’t happen again and again. The board will not be happy about facilities or services are rebuilt or recovered this year, and the company will do it again in the coming year.
  • Moreover, every disaster recovery must meet objectives like RTO, RPO (if any), and SDO (service delivery objective); and the RTO “shall be” less than the MTD. In other words, option C and D are necessary but not sufficient. Disaster recovery reduces the loss or impact from the risk management perspective; it won’t deal with the likelihood or possibility.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

貴公司組建了一個委員會,以評估在台灣建立一個數據中心的計畫。該數據中心位於環太平洋地震帶(火圈)易遭受地震的影響,是全球雲服務基礎設施的一個區域(region)。 儘管地震頻繁,委員會仍批准了這項投資。 以下哪項是這個決定的最佳理由?
A. 數據中心的可靠性可以獲得確保(assured)。
B. 殘餘風險高於董事會的風險承受能力。
C. 可以在恢復點目標(RPO)內恢復數據中心。
D. 恢復時間目標(RTO)小於最大容許停擺時間(MTD)。

1 thought on “CISSP PRACTICE QUESTIONS – 20210215

  1. Pingback: 風險的決策應在投資評估過程中行使(The risk-based decision should be exercised in the evaluation process of the investment.) – Choson資安大小事

Leave a Reply