Organizations have to ensure the alignment of the security function to business strategy, goals, mission, and objectives. Which of the following statements is least related to the security function? (Wentz QOTD)
A. Employ symmetric cryptographic algorithms to encrypt files.
B. Conduct internal audits to ensure the effectiveness of security controls.
C. Establish a security perimeter to partition nonsecurity functions in a computer system.
D. Assign a person to be in charge of information security and report to senior management.
Monthly Archives: May 2021
CISSP PRACTICE QUESTIONS – 20210522
Your company collects and processes consumer information for business purposes and shall comply with laws and regulations that require it to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. If a disposal company will be employed, which of the following least likely belongs to your company’s due diligence? (Wentz QOTD)
A. Review an independent audit of the disposal company’s operations.
B. Review and evaluate the disposal company’s information security policies.
C. Enter into and monitor compliance with a contract with the disposal company.
D. Require that the disposal company be certified by a recognized trade association.
CISSP PRACTICE QUESTIONS – 20210521
Committees established at the board level are also known as board or governance committees. Which of the following is least likely to be established at the board level? (Wentz QOTD)
A. Audit committee
B. Governance committee
C. Compensation committee
D. Business continuity steering committee
Introduction to Strategy Formulation
I introduce strategic management in this post. My book, The Effective CISSP: Security and Risk Management, has details.
CISSP PRACTICE QUESTIONS – 20210520
As a CISO, you are developing the information security strategy, which needs to be aligned with the corporate strategy and business objectives. Which of the following tasks should be done first? (Wentz QOTD)
A. Conduct the SWOT analysis
B. Develop a portfolio of initiatives
C. Issue information security policies
D. Determine the gap between the desired and current state
Security Control Frameworks
A security control framework is a collection of security controls and implementation and audit guidelines, well organized as a template or solution for organizations to mitigate risks.
CISSP PRACTICE QUESTIONS – 20210519
As part of e-discovery in a legal proceeding over a salary dispute, an unfriendly ex-employee submitted to your company a legal request for a printout of the audit trails in question stored on the SIEM server. Which of the following least affects the admissibility of the printout as evidence? (Wentz QOTD)
A. The best evidence rule
B. Exceptions to the rule against hearsay
C. The beyond a reasonable doubt standard
D. The preponderance of the evidence standard
Business Impact Analysis (BIA) and Risk Assessment
Many organizations have proposed business continuity methodologies, approaches, frameworks, or standards. One of the most well-known is the International Organization for Standardization (ISO), which defined ISO 22301:2019, the standard for a business continuity management system (BCMS). The following verbal forms are used in the ISO standard. Similar keywords used in RFCs to indicate requirement levels can be found in RFC 2119.
- “shall” indicates a requirement;
- “should” indicates a recommendation;
- “may” indicates a permission;
- “can” indicates a possibility or a capability.
CISSP PRACTICE QUESTIONS – 20210518
As part of e-discovery, an unfriendly ex-employee submitted to your company a legal request to produce certain files stored on the server. Which of the following investigations is most likely being conducted? (Wentz QOTD)
A. Administrative investigation
B. Criminal investigation
C. Civil investigation
D. Regulatory investigation
CISSP PRACTICE QUESTIONS – 20210517
Your company initiated a business continuity program (BCP) to implement the business continuity management system (BCMS) compliant with ISO 22301. The BCP team is planning for business continuity. Which of the following is the most feasible requirement? (Wentz QOTD)
A. The BCP team shall also consider the incident response.
B. Risk assessment shall be completed before business impact analysis.
C. Risk assessment shall be completed during business impact analysis.
D. The scope of BCP shall be enterprise-wide to cover the enterprise as a whole.