Effective CISSP Questions

An online book retailer accepts orders from their website that turn into SQL statements like INSERT Orders(BookTitle, Price, CustomerId) VALUES ('Effective CISSP Study Guide', 59.99, 1001). To enforce security, which of the following controls is impractical and least likely to be implemented? (Wentz QOTD)
A. Acceptable use policy
B. Transaction control
C. Polyinstantiation
D. Address space layout randomization (ASLR)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Polyinstantiation.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.



Polyinstantiation in computer science is the concept of type (class, database row or otherwise) being instantiated into multiple independent instances (objects, copies). It may also indicate, such as in the case of database polyinstantiation, that two different instances have the same name (identifier, primary key).

Source: Wikipedia

Strictly speaking, polyinstantiation is a database feature of mandatory access control (MAC) environments, which enforce security by comparing an object's label with a subject's security clearance. Because multilevel MAC databases are rarely deployed outside government and military settings, it is impractical to implement polyinstantiation in the private sector.
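The following is an added example, not code from the original post, that shows what the Wikipedia definition above means in practice: an Orders table whose primary key includes the row's security label, so two rows with the same OrderId can coexist at different labels. The level names (UNCLASSIFIED, SECRET), the two-level lattice, the helper names and the sample rows are all constructed for the illustration. The contrast function shows why a plain primary key is a problem in a MAC database: a low-clearance writer whose insert fails on a key collision learns that a higher-labelled row exists.

```python
"""Added example: polyinstantiation in a labelled SQLite Orders table.
Not part of the original post; level names, helpers and data are constructed."""
import sqlite3

# Hypothetical two-level MAC lattice (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1}


def open_db() -> sqlite3.Connection:
    """In-memory Orders table whose primary key includes the row label,
    so the same OrderId may exist once per security label."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE Orders (
            OrderId    INTEGER NOT NULL,
            Label      TEXT    NOT NULL,
            BookTitle  TEXT    NOT NULL,
            Price      REAL    NOT NULL,
            CustomerId INTEGER NOT NULL,
            PRIMARY KEY (OrderId, Label)
        )
        """
    )
    return conn


def insert_order(conn, subject_level, order_id, title, price, customer_id):
    """Insert a row labelled at the writing subject's level (MAC: the writer's
    level becomes the object label). A SECRET row with the same OrderId does
    not block an UNCLASSIFIED insert; a second, polyinstantiated row is
    created instead, so the low subject learns nothing about the high row."""
    if subject_level not in LEVELS:
        raise ValueError(f"unknown level {subject_level!r}")
    conn.execute(
        "INSERT INTO Orders(OrderId, Label, BookTitle, Price, CustomerId) "
        "VALUES (?, ?, ?, ?, ?)",
        (order_id, subject_level, title, price, customer_id),
    )
    conn.commit()


def read_order(conn, subject_level, order_id):
    """Return the one instance a subject may see: the highest-labelled row at
    or below the subject's clearance, or None. Rows above the clearance are
    filtered out entirely rather than reported as 'denied'."""
    allowed = [lbl for lbl, lvl in LEVELS.items() if lvl <= LEVELS[subject_level]]
    placeholders = ",".join("?" * len(allowed))
    rows = conn.execute(
        "SELECT Label, BookTitle, Price, CustomerId FROM Orders "
        f"WHERE OrderId = ? AND Label IN ({placeholders})",
        (order_id, *allowed),
    ).fetchall()
    if not rows:
        return None
    rows.sort(key=lambda r: LEVELS[r[0]], reverse=True)
    return rows[0]


def plain_key_leaks_existence() -> bool:
    """Contrast: with OrderId alone as the key, the low writer's insert fails
    with an integrity error, which reveals that a hidden SECRET row exists."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Orders (OrderId INTEGER PRIMARY KEY, Label TEXT)")
    conn.execute("INSERT INTO Orders VALUES (1, 'SECRET')")
    try:
        conn.execute("INSERT INTO Orders VALUES (1, 'UNCLASSIFIED')")
    except sqlite3.IntegrityError:
        return True
    return False


def demo():
    """Constructed sample data; returns what each clearance level observes."""
    conn = open_db()
    insert_order(conn, "SECRET", 1, "Effective CISSP Study Guide", 59.99, 1001)
    # An UNCLASSIFIED subject reuses OrderId 1: polyinstantiation, not an error.
    insert_order(conn, "UNCLASSIFIED", 1, "Effective CISSP Study Guide", 59.99, 2002)
    return {
        "rows": conn.execute("SELECT COUNT(*) FROM Orders").fetchone()[0],
        "low_view": read_order(conn, "UNCLASSIFIED", 1),
        "high_view": read_order(conn, "SECRET", 1),
    }


if __name__ == "__main__":
    print(demo())
    print("plain key leaks existence:", plain_key_leaks_existence())
```

Running `demo()` shows two rows stored under the same OrderId, with the UNCLASSIFIED reader seeing only its own instance and the SECRET reader seeing the SECRET one; the ordinary web shop in the question has no labels or clearances to compare, which is why this control does not fit it.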

Acceptable Use Policy (AUP)

An acceptable use policy (AUP), acceptable usage policy or fair use policy is a set of rules applied by the owner, creator or administrator of a computer network, website, or service that restricts the ways in which the network, website or system may be used and sets guidelines as to how it should be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers (ISPs), and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.

Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization; it should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should, as usual, be measured by regular audits.

Source: Wikipedia

Security controls are generally grouped into three categories: administrative, technical, and physical. An acceptable use policy (AUP) is one of the most commonly implemented administrative controls.


An online book retailer accepts orders from its website, and these orders turn into SQL statements such as INSERT Orders(BookTitle, Price, CustomerId) VALUES ('Effective CISSP Study Guide', 59.99, 1001). To enforce security, which of the following controls is impractical and least likely to be implemented? (Wentz QOTD)
A. Acceptable use policy
B. Transaction control
C. Polyinstantiation
D. Address space layout randomization (ASLR)
