Effective CISSP Questions

Your organization’s PBX has reached end-of-support. The Original Equipment Manufacturer (OEM) offered a costly newer model as a replacement. However, secondary market suppliers can provide the same model at lower prices. Which of the following is the greatest concern if the replacement from a secondary market supplier is selected? (Wentz QOTD)
A. The clause of End-of-Life (EOL)
B. The new clause of End-of-Support (EOS)
C. Product counterfeits
D. Non-compliance with Common Criteria (CC)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Product counterfeits.

ICT SCRM Pillars and Visibility (Source: NIST SP 800-161)

End-of-Life (EOL) and End-of-Support (EOS) are crucial concerns only if a genuine product is purchased, because the OEM or provider won’t support counterfeits. A product that complies with the Common Criteria (CC) is good to have, but CC certification is not mandatory in most organizations. Moreover, CC compliance is meaningless for a counterfeit, since the certified product is not what was delivered.

NIST lists the following common risks to the ICT supply chain:

  1. Insertion of counterfeits
  2. Unauthorized production
  3. Tampering
  4. Theft
  5. Insertion of malicious software and hardware
  6. Poor manufacturing and development practices

These ICT supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the ICT supply chain. These risks are associated with an organization’s decreased visibility into, and understanding of, how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services.

Source: NIST SP 800-161

Product Sales and Support

The policy for the end of product sales and support varies from vendor to vendor. The following diagram is an example of product EOL and EOS.

EOL and EOS: Product Sales and Support

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

Your organization’s PBX has reached end-of-support. The Original Equipment Manufacturer (OEM) offered a costly newer model as a replacement. However, secondary market suppliers can provide the same model at a lower price. If the replacement product from a secondary market supplier is selected, which of the following is the greatest concern? (Wentz QOTD)
A. The End-of-Life (EOL) clause
B. The new End-of-Support (EOS) clause
C. Product counterfeits
D. Non-compliance with Common Criteria (CC)

CISSP PRACTICE QUESTIONS – 20210414