An offboarding sales representative downloaded customer profiles owned by the head of the sales department from the file server onto a USB dongle on the day he left and sold it online. This data breach occurred because of the miscommunication between the HR and IT departments. The HR department didn’t notify the IT department to disable the user accounts and revoke the privileges of the unhappy employee in time. Which of the following best contributes to the solution that can prevent the data breach?
A. LDAP
B. XACML
C. SAML
D. SPML

Continue reading →

You have been just officially endorsed as a CISSP and got promoted as the CISO. To meet legal and regulatory requirements, you issued a policy to direct and sponsor the data governance program. Which of the following should be conducted first?
A. Classify data
B. Scope and tailer security controls
C. Take inventory
D. Develop an information security strategy

Continue reading →

A bank is evaluating two models of one-time password tokens for multi-factor authentication. Both models have a button, an LCD, volatile memory, and a battery, but no keypad. Model A uses a non-replaceable battery, while the battery of Model B must be replaced in three minutes if the low battery. Which of the following token types is most likely implemented by Model B?
A. Static password token
B. Synchronous dynamic password token
C. Asynchronous password token
D. Challenge-response token

Continue reading →

A bank is evaluating two models of one-time password tokens for multi-factor authentication. Both models have a button, an LCD, volatile memory, and a battery, but no keypad. Model A uses a non-replaceable battery, while the battery of Model B must be replaced in three minutes if the low battery. Which of the following token types is most likely implemented by Model A?
A. Static password token
B. Synchronous dynamic password token
C. Asynchronous password token
D. Challenge-response token

Continue reading →

TEMPEST (Telecommunications Electronics Materials Protected from Emanating Spurious Transmissions) is about spying on information systems through leaking electromagnetic emanations, sounds, and mechanical vibrations and how to shield equipment against such spying. Which of the following is the most effective countermeasure against the concern of TEMPEST?
A. Captive portal
B. Awareness training
C. Air-gapped network
D. Wire-meshed space

Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR

Continue reading →

Which of the following least contributes to access control on the need-to-know basis?
A. An object with non-hierarchical label
B. A subject’s capability table
C. A subject’s security clearance
D. A compartmented object

Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR

Continue reading →

Your company decides to subscribe to SaaS from a well-known cloud service provider. As a security professional, you are tasked to prepare for a security plan. Which of the following should you do first?
A. Determine data types processed by the SaaS cloud services.
B. Categorize the system based on its impact level
C. Scope and tailor security controls
D. Identify stakeholders

Wentz’s Book, The Effective CISSP: Security and Risk Management https://www.amazon.com/dp/B087JL6BXR

Continue reading →