Effective CISSP Questions

You are conducting a security assessment. Which of the following is not an assessment object? (Wentz QOTD)
A. Specifications
B. Mechanisms
C. Activities
D. Depth and coverage

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Depth and coverage.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

The following is an excerpt from NIST SP 800-53A R5 (draft):
Assessment objects identify the specific items being assessed and include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, plans, system security and privacy requirements, functional specifications, architectural designs) associated with a system or common control. Mechanisms are the specific hardware, software, or firmware safeguards and countermeasures employed within a system or common control. Activities are the specific protection-related actions supporting a system or common control that involve people (e.g., conducting system backup operations, monitoring network traffic, exercising a contingency plan). Individuals or groups of individuals are people applying the specifications, mechanisms, or activities described above.
Assessment methods define the nature of the assessor actions and include examine, interview, and test.
• The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate assessor understanding, achieve clarification, or obtain evidence.
• The interview method is the process of holding discussions with individuals or groups of individuals within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence.
• The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare an actual and desired state or expected behavior.

In all three assessment methods, the results are used to make specific determinations called for in the determination statements and thereby achieve the objectives for the assessment procedure.

Assessment methods have a set of associated attributes – depth and coverage – which help define the level of effort for the assessment. The attributes are hierarchical in nature, providing the means to define the rigor and scope of the assessment for the increased assurances that may be needed for some systems.

You are conducting a security assessment. Which of the following is not an assessment object? (Wentz QOTD)
A. Specifications
B. Mechanisms
C. Activities
D. Depth and coverage