Effective CISSP Questions

You are the head of a public company’s manufacturing department in Taiwan, an original equipment manufacturer (OEM) that accepts orders from around the globe. Your department has collected manufacturing parameters, accumulated rich experience to improve efficiency and optimize costs, and created sustainable competitive advantages. Which of the following is the most critical concern in protecting the manufacturing parameters from the perspective of intellectual property?
A. The ownership of the parameters
B. The secrecy of the parameters
C. The innovation of the parameters
D. The expression of the parameters



You are the head of the research and development (R&D) department. As the data owner of R&D data sets, you are responsible for classifying data and accountable for the results. Which of the following is the best criterion that justifies your classification decision?
A. The importance or meaning to stakeholders
B. The risk of the unauthorized disclosure of information
C. The risk of the unauthorized modification or destruction of information
D. The risk of the disruption of access to or use of information or an information system


Data Governance for Regulation

Regarding security within data governance, the European Union’s General Data Protection Regulation (GDPR) and Markets in Financial Instruments Directive II (MiFID II) are applicable, as is US 31 USC 310, a regulation addressing data in the context of financial crimes.

On a broader scale, the US Dodd-Frank Act addresses record-keeping transparency. The US Comprehensive Capital Analysis and Review (CCAR) framework addresses data quality and management. In Europe, MiFID II addresses data collection processes, while Basel III contains data governance provisions within the context of risk management and capital adequacy concerns.

In China, the Banking and Insurance Regulatory Commission (CBIRC) issued guidelines in May 2018 that include provisions for financial firms, assigning responsibility for setting up data governance systems, data quality control and related incentive and accountability systems.

Although MiFID II, Basel III and the BCBS 239 rules addressing risk data aggregation come from Europe, they do influence compliance throughout Asia and globally. In addition, the International Financial Reporting Standards (IFRS) created by the International Accounting Standards Board (IASB) set classification and accounting rules that can figure into data governance. Any firm forming its governance framework should be aware of these provisions.

With a good handle on data governance traits and rules, firms may also deploy enterprise data management (EDM) and master data management (MDM) systems as a means to carry out the provisions made in data governance. These systems scrub, enrich and curate data to standardize how data is defined, and produce metadata that helps implement data governance frameworks with integrity, accountability and security.

With knowledge of the elements of data governance, both as part of a firm’s native efforts and its compliance requirements, management will be better equipped to do business in the markets and lower their operational and regulatory risk.

Source: GoldenSource

CISSP Exam Experience – 陳昭名 (Jaumin Chen)

Image Source: Kaplan Finance

~ Wentz Wu

Thanks to everyone in the community for so generously guiding and sharing with me over these past days; I was fortunate to pass the CISSP exam last week (2/3). Here I have organized my journey as lessons learned to share with you all. Thank you!


You are evaluating and selecting software vendors to customize the transportation management system in a procurement project. Which of the following is least likely to be part of the evaluation criteria for the vendor qualification?
A. FOCI (Foreign Ownership, Control, and Influence)
B. Capability Maturity Model Integration (CMMI)
C. Software Assurance Maturity Model (SAMM)
D. Common Criteria (ISO 15408)


PI-shaped CISSP

CISSP is a PI journey that transforms a technical mindset into a business one, a wide plane supported by two pillars: technology and management.

Credit: Marian Sigler

T-shaped, M-shaped, PI-shaped, or Comb-shaped? No matter which shape you are, any of them is a good path for your professional career.

Source: People Centre
Source: Ben M Roberts


Based on the NIST Risk Management Framework (RMF), you are categorizing the Transportation Management System (TMS), which handles the information types Ground Transportation and Air Transportation. Which of the following is the most likely outcome of the system categorization?
A. Public
B. Moderate
C. Confidential
D. Catastrophic


Due Diligence (DD) and Due Care (DC)

Due Diligence (DD) is more specific than Due Care (DC) because DD has explicit “standards,” while DC is implicit and relies on a judge’s inner conviction per the prudent man rule.

Due Diligence (DD)

“Investigation” is a generally accepted “standard” of DD across industries. Some laws or regulations may define the standard of DD in certain subject domains. For example, the US regulation, 16 CFR § 682.3, defines the DD standard for the proper disposal of consumer information.

Generally speaking, DD emphasizes investigation as a preventive/proactive measure, establishing and maintaining the management system (policies, standards, procedures, controls, etc.) and ensuring its effectiveness.

Due Care (DC)

DC focuses on exercising best effort and reasonable care to conduct activities and take preventive, detective, corrective, or recovery actions. However, the degree of effort exercised under DC is not easy to measure. That’s why a defendant in court has to justify to the judge that he or she has exercised “due care.”

DD and DC

It’s common for CISSP aspirants to use the following mnemonics:

  • DD: Do Detect
  • DC: Do Correct


Sanitization methods address the data remanence problem with different levels of effectiveness. Which of the following is the best method that makes data recovery and media reuse infeasible using state-of-the-art laboratory techniques per NIST SP 800-88 R1?
A. Purge
B. Destroy
C. Degaussing
D. Physical destruction
