Effective CISSP Questions

Your organization suffered from data compromise. A local hacker group was identified during the incident response process and regarded responsible based on collected evidence. If your organization decides to prosecute the hacker group, which of the following is most critical?
A. Timely e-discovery
B. Sound information governance
C. Compliance with CPTED principles
D. Effective administrative investigation

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Sound information governance.

Electronic Discovery Reference Model
Electronic Discovery Reference Model

Witnesses and evidence determine the juridical result. Timely e-discovery actions collect evidence, while sound data governance determines if the evidence is admissible.

  • Administrative investigation means an internal investigation of alleged misconduct by an employee. (Law Insider) This incident may require many forms of investigation, such as civilian, criminal, and administrative investigation.
  • The hacker group may conduct site surveys, observation, dumpster diving, tailgating, etc. Compliance with CPTED (Crime prevention through environmental design) principles may contribute to the facility and physical security.


After many weeks or months of preparation, the prosecutor is ready for the most important part of his job: the trial. The trial is a structured process where the facts of a case are presented to a jury, and they decide if the defendant is guilty or not guilty of the charge offered.

During trial, the prosecutor uses witnesses and evidence to prove to the jury that the defendant committed the crime(s). The defendant, represented by an attorney, also tells his side of the story using witnesses and evidence.

In a trial, the judge — the impartial person in charge of the trial — decides what evidence can be shown to the jury. A judge is similar to a referee in a game, they are not there to play for one side or the other but to make sure the entire process is played fairly.



“Discovery” is a legal term that refers to the pre-trial means of finding and disclosing any information that might constitute evidence in litigation. Timely e-discovery refers to taking legal action to request the adversary for producing and submitting information stored in electronic format. Your adversary may also exercise e-discovery to ask for your submission of evidence.

“Failure to disclose evidence is a crime, even if done inadvertently, and the penalties are much higher if it can be demonstrated that the organization failed to disclose evidence on purpose.” (Malisow, Ben) The Electronic Discovery Reference Model helps organizations align with the e-discovery requirements.

The following are common discovery means:

  1. Requests for answers to interrogatories
  2. Requests for production of documents and things
  3. Requests for admissions
  4. Depositions

Discovery is the pre-trial phase in a lawsuit in which each party investigates the facts of a case, through the rules of civil procedure, by obtaining evidence from the opposing party and others by means of discovery devices including requests for answers to interrogatories, requests for production of documents and things, requests for admissions, and depositions.


To obtain information that is in the adversary’s possession, or that can be most easily obtained from the adversary even though it may be available elsewhere, a party can interview the other party under oath, called a deposition; submit written questions, called interrogatories; demand that documents or other physical evidence be produced; require the other party to submit to a physical examination; and ask the other party to admit the truth of facts relevant to the litigation.

Source: Feinman, Jay M.. Law 101 (p. 120). Oxford University Press. Kindle Edition.

Cease Destruction Notice, Warrant, and Subpoena

In the legal realm, the term “discovery” is the concept of finding and disclosing any information that might constitute evidence. Discovery can be used to gather evidence for either criminal or civil proceedings. For instance, when an organization receives a warrant or subpoena from a regulator/law enforcement entity to disclose any information pertaining to X, or when the organization receives notice from a plaintiff that the organization is being sued for X, the organization must, by law, go through all its data, locate material pertaining to X, and deliver it to the agency/plaintiff. Failure to disclose evidence is a crime, even if done inadvertently, and the penalties are much higher if it can be demonstrated that the organization failed to disclose evidence on purpose.

The process of ediscovery begins even before the investigation/lawsuit commences; as soon as the organization receives notice that an investigation or lawsuit is pending (that is, before receiving a warrant or subpoena), the organization must begin preparations for ediscovery. This notice is called many things: cease destruction notice, records retention notice, litigation hold notice, legal hold, and similar terms. When the organization is so notified, it must stop all data destruction activities throughout the organization. This includes all data destruction requirements stipulated by regulation, internal policy, or other laws. In the United States, for the duration of the prosecution/litigation, the federal rules of evidence, dictated by Congress, supersedes all other directives, and the organization can’t destroy any data. Destroying data that is or could be considered evidence is called spoliation, and is a crime as well.

Source: Malisow, Ben. How To Pass Your INFOSEC Exam: A Guide To Passing The SSCP, CISSP, CCSP, CISA, CISM, Security+, and CCSK (pp. 31-32). Maladjusted Works. Kindle Edition.

Electronic discovery

Electronic discovery or “e-discovery” refers to the discovery of information stored in electronic format (often referred to as Electronically Stored Information, or ESI).


The Concept of “Admissibility”

Admissible evidence shall be relevant, material, and competent.

Basically, if evidence is to be admitted at court, it must be relevant, material, and competent. To be considered relevant, it must have some reasonable tendency to help prove or disprove some fact. It need not make the fact certain, but at least it must tend to increase or decrease the likelihood of some fact.

Once admitted as relevant evidence, the finder of fact (judge or jury) will determine the appropriate weight to give a particular piece of evidence. A given piece of evidence is considered material if it is offered to prove a fact that is in dispute in a case. Evidence is considered “competent” if it complies with certain traditional notions of reliability. Courts are gradually diminishing the competency rules of evidence by making them issues related to the weight of evidence.

Source: Thomson Reuters

Burden of Proof

There are different standards of persuasiveness ranging from a preponderance of the evidence, where there is just enough evidence to tip the balance, to proof beyond a reasonable doubt, as in United States criminal courts.

Source: Wikipedia



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

您的組織發生數據外洩。 在事件回應過程中發現了一個本地駭客組織,並根據收集的證據認為是這個駭客組織所為。 如果您的組織決定控告他們,那麼以下哪項最關鍵?
A. 及時的電子發現 (e-discovery)
B. 健全的資訊治理 (information governance)
C. 符合 (compliance with) CPTED原則
D. 有效的行政調查 (administrative investigation)

Leave a Reply