Effective CISSP Questions

An online bank relying solely on internet banking intends to increase customer’s confidence and plans to engage in security assurance. Which of the following is the least practical approach to assuring customers?
A. Provide the SOC 3 report attested by a certified public accountant (CPA)
B. Present a certificate of information security management system of ISO 27001
C. Conduct and demonstrate self-assessment against the NIST cybersecurity framework
D. Complete the CSA STAR assessment conducted by an independent certification body

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Complete the CSA STAR assessment conducted by an independent certification body.

The bank is not a cloud service provider and primarily provides banking services instead of cloud services, so there is no need to pursue CSA STAR Certification (Level 2), a rigorous third-party independent assessment of the security of a cloud service provider.

However, you can justify the bank’s seeking CSA STAR Certification because it builds a private cloud to serve internal customers. If so, the answer will be C. Conduct and demonstrate self-assessment against the NIST cybersecurity framework.

Image Credit: CSA

The Cloud Security Alliance (CSA) divides the Security, Trust & Assurance Registry (STAR) program into three levels:

  1. CSA STAR Level 1: Self-assessment
  2. CSA STAR Level 2: Third-Party Certification
    • CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix.
    • The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider.
  3. CSA STAR Level 3: Full Cloud Assurance and Transparency

The Cloud Security Alliance is a non-profit organization whose mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

The CSA’s Security, Trust & Assurance Registry Program (CSA STAR) is designed to help customers assess and select a Cloud Service Provider through a three-step program of self-assessment, third-party audit, and continuous monitoring.

Source: Google

System and Organization Controls (SOC)

According to the AICPA, “System and Organization Controls (SOC) is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations.” (AICPA)

SOC 3 refers to “system and organization controls (SOC) for service organizations: trust services criteria for general use report.” SOC 3 reports are designed to meet the needs of users who need assurance about the controls at a service organization relevant to security, availability, processing integrity confidentiality, or privacy, but do not have the need for or the knowledge necessary to make effective use of a SOC 2® Report. Because they are general use reports, SOC 3® reports can be freely distributed. (AICPA: SOC3)

Service Organization Control (SOC)
Service Organization Control (SOC)

ISO/IEC 27001:2013

“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.” (ISO)


Self-assessment and NIST CSF

Self-declaration based on self-assessment seems silly. However, it is a legitimate means and does provide some extent or low degree of assurance. Moreover, and it is a common practice. NIST Cybersecurity Framework (CSF) is a voluntary framework, initiated by Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. There is no certification program to assess the compliance of NIST CSF so far, so it’s reasonable to use self-assessment and self-declaration.

Assurance, Attestation, and Audit (Image Credit: CheggStudy)

What is Assurance?

For security engineering, “assurance” is defined as the degree of confidence that the security needs of a system are satisfied. … Confidence is realized by reviewing the assurance evidence gained through assessment processes and activities during development, deployment and operation and through experience gained in using the IT system. Any activities that can reduce uncertainty by producing evidence attesting to the correctness, effectiveness and quality of the IT system’s attributes are useful in determining security assurance.

Source: Haris Hamidovic

Assurance Services

The International Federation of Accountants (IFAC) definition of an assurance engagement:

An engagement in which a practitioner aims to obtain sufficient, appropriate evidence in
order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information.

Asurance Methods

Assurance methods produce specific types of assurance depending on their technical and life-cycle focus. Some of the more widely known assurance methods for a given focus include:

ISO/IEC 21827—Assurance focus on quality and development process
Developer’s pedigree—Assurance focus on branding; recognition that a company produces quality deliverables (based on historical relationship or data)
Warranty—Assurance focus on insurance, supported by a manufacturer’s promise to correct a flaw in a deliverable
Supplier’s declaration—Assurance focus on self-declaration
Professional certification and licensing—Assurance focus on personnel expertise and knowledge
ISO/IEC 14598-1 Information technology—Software product evaluation—Part 1: General overview—Assurance focus on direct assessment of deliverable
ISO/IEC 27001—Assurance focus on security management

Source: Haris Hamidovic



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

一家純網銀想要提升客戶的信心,因此正在規劃實施安全保證制度。 以下哪項是最不可行的客戶保證方法?
A. 提供經過註冊會計師(CPA)認證的SOC 3報告
B. 呈現ISO 27001資訊安全管理系統證書
C. 根據NIST網絡安全框架(CSF)進行自我評估並向客戶展現
D. 完成由獨立認證機構進行的CSA STAR評鑑

1 thought on “CISSP PRACTICE QUESTIONS – 20210323

  1. Pingback: 雲安全聯盟(CSA)-安全信任和保證註冊(STAR) – Choson資安大小事

Leave a Reply