Effective CISSP Questions

Which of the following best describes configuration baselines, procedures, vulnerabilities, and related security contents to streamline patch management processes? (Wentz QOTD)
A. Security Content Automation Protocol (SCAP)
B. Common Vulnerabilities and Exposures (CVE)
C. Open Vulnerability and Assessment Language (OVAL)
D. eXtensible Configuration Checklist Description Format (XCCDF)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Security Content Automation Protocol (SCAP).

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security, a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

Figure: Key SCAP Components (Credit: Rafał Karol Kasprzyk, et al.)

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA (Federal Information Security Management Act, 2002) compliance. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.

Source: Wikipedia

According to the MITRE Corp., the Security Content Automation Protocol (SCAP) is a super-standard that comprises 7 individually maintained standards as follows:

  1. CVE (Common Vulnerabilities and Exposures) – Enumeration of software vulnerabilities
  2. CCE (Common Configuration Enumeration) – Enumeration of configurable controls of software
  3. CPE (Common Platform Enumeration) – Enumeration of identities of software/hardware entities
  4. CVSS (Common Vulnerability Scoring System) – Metric used to assign a severity score to vulnerability entries
  5. XCCDF (eXtensible Configuration Checklist Description Format) – Language for encapsulating the structure and content of security guidance
  6. OVAL (Open Vulnerability and Assessment Language) – Language to describe tests against system state
  7. OCIL (Open Checklist Interactive Language) – Language for user questionnaires (coming in SCAP 1.1)
Figure: SCAP Interpreter (Credit: @hogehuga)

Figure: XCCDF interaction with the system (Credit: Gabriel Peterside et al.)
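To make the division of labour among the SCAP components concrete (the list of seven standards above, and the XCCDF-to-system interaction shown in the figure), here is an added, simplified evaluator written for this page; it is not code from the post, from MITRE or from any SCAP tool. An XCCDF benchmark selects rules and ties each rule to an OVAL definition via check-content-ref; the OVAL definition is a criteria tree of tests; CPE names decide whether a rule applies to the platform at all; the result is one of the XCCDF result values (pass, fail, notapplicable, notselected, error). The benchmark, the OVAL definitions, the org.example identifiers, the CPE names and the system state are all constructed for the example, and real OVAL tests (objects and states in the component schemas) are replaced by a small fact lookup table.

```python
"""Simplified SCAP-style evaluation: XCCDF rules -> OVAL definitions -> system state.
Added example for illustration; not the content of any real SCAP data stream."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed XCCDF benchmark (hypothetical org.example content). Rules reference
# OVAL definitions by id; platform applicability is expressed with CPE names.
XCCDF_BENCHMARK = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.example_benchmark_demo">
  <platform idref="cpe:2.3:o:example:demo_linux:1.0:*:*:*:*:*:*:*"/>
  <Rule id="xccdf_org.example_rule_ssh_root_login" selected="true" severity="high">
    <title>SSH root login must be disabled</title>
    <check system="{OVAL_NS}">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_openssl_patch" selected="true" severity="medium">
    <title>openssl must be at the patched version or later, if installed</title>
    <check system="{OVAL_NS}">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:2"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_other_platform" selected="true" severity="low">
    <platform idref="cpe:2.3:o:example:demo_windows:1.0:*:*:*:*:*:*:*"/>
    <title>Rule that applies only to a different platform</title>
    <check system="{OVAL_NS}">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
</Benchmark>"""

# Constructed OVAL definitions: each is a criteria tree over test references.
OVAL_DEFINITIONS = f"""<oval_definitions xmlns="{OVAL_NS}">
  <definitions>
    <definition id="oval:org.example:def:1" class="compliance">
      <criteria operator="AND">
        <criterion test_ref="oval:org.example:tst:1"/>
      </criteria>
    </definition>
    <definition id="oval:org.example:def:2" class="patch">
      <criteria operator="OR">
        <criterion test_ref="oval:org.example:tst:2"/>
        <criterion test_ref="oval:org.example:tst:3" negate="true"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>"""

# Simplified stand-in for OVAL tests/objects/states: test id -> (fact, operation, value).
OVAL_TESTS = {
    "oval:org.example:tst:1": ("sshd_PermitRootLogin", "equals", "no"),
    "oval:org.example:tst:2": ("openssl_version", "version_gte", "3.0.7"),
    "oval:org.example:tst:3": ("openssl_version", "exists", None),
}

# Constructed system state, as a collector would report it.
SYSTEM_STATE = {
    "cpe": "cpe:2.3:o:example:demo_linux:1.0:*:*:*:*:*:*:*",
    "sshd_PermitRootLogin": "yes",
    "openssl_version": "3.0.2",
}


def version_tuple(v):
    """Compare dotted numeric versions component-wise (enough for the demo)."""
    return tuple(int(p) for p in v.split("."))


def eval_test(test_id, state):
    """Evaluate one simplified OVAL test against the collected state."""
    fact, op, expected = OVAL_TESTS[test_id]
    actual = state.get(fact)
    if op == "exists":
        return actual is not None
    if actual is None:
        return False
    if op == "equals":
        return actual == expected
    if op == "version_gte":
        return version_tuple(actual) >= version_tuple(expected)
    raise ValueError(f"unknown operation {op}")


def eval_criteria(node, state):
    """Evaluate an OVAL criteria element (AND/OR, optional negate) recursively."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]
        if tag == "criterion":
            r = eval_test(child.get("test_ref"), state)
            results.append(not r if child.get("negate") == "true" else r)
        elif tag == "criteria":
            results.append(eval_criteria(child, state))
    combined = all(results) if node.get("operator", "AND") == "AND" else any(results)
    return not combined if node.get("negate") == "true" else combined


def load_oval_definitions(xml_text):
    root = ET.fromstring(xml_text)
    return {d.get("id"): d.find(f"{{{OVAL_NS}}}criteria")
            for d in root.iter(f"{{{OVAL_NS}}}definition")}


def evaluate_benchmark(xccdf_text, oval_text, state):
    """Return {rule id: XCCDF result} for every Rule in the benchmark."""
    bench = ET.fromstring(xccdf_text)
    defs = load_oval_definitions(oval_text)
    bench_platforms = {p.get("idref") for p in bench.findall(f"{{{XCCDF_NS}}}platform")}
    results = {}
    for rule in bench.iter(f"{{{XCCDF_NS}}}Rule"):
        rid = rule.get("id")
        if rule.get("selected") != "true":
            results[rid] = "notselected"
            continue
        # A Rule's own platform list overrides the Benchmark-level one.
        platforms = {p.get("idref") for p in rule.findall(f"{{{XCCDF_NS}}}platform")} or bench_platforms
        if state.get("cpe") not in platforms:
            results[rid] = "notapplicable"
            continue
        ref = rule.find(f"{{{XCCDF_NS}}}check/{{{XCCDF_NS}}}check-content-ref")
        criteria = defs.get(ref.get("name")) if ref is not None else None
        if criteria is None:
            results[rid] = "error"  # rule points at content we do not have
            continue
        results[rid] = "pass" if eval_criteria(criteria, state) else "fail"
    return results


if __name__ == "__main__":
    for rule_id, result in evaluate_benchmark(XCCDF_BENCHMARK, OVAL_DEFINITIONS, SYSTEM_STATE).items():
        print(f"{result:14s} {rule_id}")
```

Running it against the constructed state reports fail for the SSH rule (PermitRootLogin is "yes"), fail for the openssl rule (3.0.2 is below 3.0.7 and the package is present), and notapplicable for the rule scoped to the other CPE platform. Changing the state to the remediated values, or removing openssl entirely, turns the corresponding rules to pass, which is exactly the loop a patch-management process closes: XCCDF says what to check and how severe it is, OVAL says how to test it, CPE says where it applies.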


Which of the following best describes configuration baselines, procedures, vulnerabilities, and related security content used to streamline patch management processes? (Wentz QOTD)
A. Security Content Automation Protocol (SCAP)
B. Common Vulnerabilities and Exposures (CVE)
C. Open Vulnerability and Assessment Language (OVAL)
D. eXtensible Configuration Checklist Description Format (XCCDF)
