CISSP PRACTICE QUESTIONS – 20200530

Effective CISSP Questions

Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. The EC system accepts credit cards and processes personal data. Which of the following addresses those concerns and provides the best assurance?
A. PCI-DSS
B. Risk Assessment
C. Security Assessment
D. Third-party Audit

Financial Viability of Controls

Courtesy of Sven De Preter

This concise document is the courtesy of Sven De Preter (The Strategist of the new study group, Certification Stage) and shared with his permission.

Sven adds a new perspective, CAPEX, OPEX, and TCO, on top of the concept of ALE (Annual Loss Expectancy) introduced in most of the CISSP study guides.

  • CAPEX (Capital Expenditure) as initial costs
  • OPEX (Operational Expenditure) as ongoing costs
  • TCO (Total Cost of Ownership)

CISSP PRACTICE QUESTIONS – 20200529

Effective CISSP Questions

Your company sells toys online worldwide. A web-based E-Commerce system developed in-house and deployed to a public cloud supports the business. As a security professional, you suggest that penetration testing should be conducted. Which of the following is your greatest concern?
A. The decision of employment of internal or external penetration test team
B. The capability and experience of the penetration test team
C. The procedure that the penetration test team asks for permission to conduct penetration testing
D. The escalation path to the senior management if testing takes down the system

CISSP PRACTICE QUESTIONS – 20200528

Effective CISSP Questions

As a CISO, you issue a policy that mandates every employee shall be aware of social engineering attacks. A supporting standard is then developed that requires everyone to complete at least three hours of awareness training each year. Which of the following is the best activity to conduct next to enforce the policy?
A. Penetration testing
B. Security assessment
C. Vulnerability assessment
D. Risk assessment

Last Call for Promotion! The Effective CISSP: SRM

The Effective CISSP: Security and Risk Management

Hi everyone,

Last call for the promotion of my book.
It is ticking to the end, Day 3 of 3!

This book is nominally on Domain 1 only. The truth is, it weaves the core management concepts across the CISSP exam!

The Kindle version is now 50% off for US$4.99. 👍🎉
I hope you enjoy it! Please don’t hesitate to comment on my book on Amazon. Thank you for your attention!🙏😀

Amazon Reviews

J. Stapp

Mr Wu is going to help you pass your exam and understand the content!

This book should be part of your study plan for the CISSP. I recommend reading it before you begin with other texts on the subject. Mr. Wu is an expert in the field and is able to explain difficult concepts in a concise and easy to understand way.

Background on me: I hold the CISSP as well as other certifications in IT and management.

NING, EN-WEI

Excellent and effective CISSP

Wentz Wu is a very good scholar, the leader has the correct security concept, and maintains a high degree of enthusiasm and optimism. Purchasing Wentz Wu’s book is exactly the right way to get you to the security CISSP.

Amazon Customer

Highly recommended for every information security consultant!

Highly recommended for every information security consultant, especially if you are planning to pass the CISSP exam.
Excellent book that explains in detail all the security concepts.
My rate – 5 of 5 stars.

pascual del rosario

Superb book

There’s no better way to name this book other than “The Effective CISSP”. The author has a great outline of objectives for those looking to obtain the CISSP certification. It is spelled out that the official isc2 book should still be your main resource for studying for this exam. This book highlights all of the main objectives for the exam and really gives you a high level (managerial) way of thinking which is what’s ultimately needed for this exam. Strongly encourage anyone studying to read this book during and right before taking this exam.

jamie garcia

Worth The Wait!

I was so happy to hear Mr. Wu talk about this book he was writing and coming out soon. I waited for months for this book and I knew it would be worth the wait. It definitely is worth it and I’m so glad it’s now available during my CISSP studies!

Mohammad Usman

Excellent write up and highly recommended

The book is an excellent write-up by the author. It goes into great detail explaining the core concepts of risk management processes, which is one of the challenging domains of the CISSP exam. I highly recommend this book if you are weak in this domain.

Brad E.

A MUST-HAVE FOR THOSE THAT WANT TO PASS CISSP!!!!!!

Ohhhhhhh I wish I had this book when I was preparing for the CISSP exam last year!!! I bought my copy the day after it came out and the book instantly became a cherished favorite of mine!! Wentz knows how to write a well-polished, captivating showpiece. This is not your ordinary book that you read once and then put back on the shelf. This is something that you should treasure and keep as a prized collection!! As somebody who has taken the exam before, I can say that one of the CISSP exam’s MAIN focus is on the roles and responsibilities of risk management. So it’s no wonder why I’m stressing that everybody should get this book!! You will see various security models, straightforward breakdowns of CISSP concepts and vocabulary terms, review questions, well-written references for ISO/NIST standards, and MUCH MUCH MORE!!! Trust me, you will definitely love this book and won’t be disappointed in adding it to your CISSP study materials!! Put this as a priority!!!

P.S.: The image is a photo of The Effective CISSP book that I bought for my Amazon Kindle Fire.

Amazon Reviews, India

Sagar Bansal

Deep Dive Knowledge

I think Wentz has done a marvelous work with this book.

It’s not a CISSP cheat-sheet-like passing material.

I think this book is for serious people who actually want to study the subject in deep and want to gain expertise.

There are tons of mind maps and charts in the book which made reading and remembering stuff easier.

In short, Highly Recommended

Basant Kumar Sharma

It’s a good collection on multiple aspects

It has good and understandable content; it may help to gain more knowledge on Domain 1 in CISSP, and I hope it may help to gain more knowledge on R&A.

CISSP PRACTICE QUESTIONS – 20200525

Effective CISSP Questions

Your company decides to sell toys online worldwide, which will be supported by a three-tiered web-based E-Commerce system developed in-house. The web servers for the production environment have been implemented but not baselined and approved by the management. After the stress testing, the system engineer proposes that the memory size of the database server should be expanded to 64GB to meet the performance target. If the memory modules needed are available, which of the following should the system engineer do first?
A. Install the memory modules and conduct another run of stress testing
B. Submit a request for configuration change
C. Justify the change to the change control board (CCB)
D. Document security implications in the change request

System Security Mode of Operation

Information systems are certified and accredited by the authorizing official to operate under the approved security mode of operation, which determines the baseline controls. There are four security modes: dedicated, system high, compartmented, and multilevel.

Classification Levels and Categories

In the environment of mandatory access control (MAC), data can be classified into different hierarchical levels (Confidential, Secret, and Top Secret) and non-hierarchical categories in terms of sensitivity.

What is Formal Access Approval?

  • Users must have the clearance/authorization and need-to-know (per official duties) to get access to a certain level of classified data.
  • However, they must have formal access approval to access the categorized (compartmented) data.
  • A category is “a grouping of classified or sensitive (but) unclassified information to which an additional restrictive label is applied for signifying that personnel are granted access to the information only if they have formal access approval or other applicable authorization (e.g., proprietary information, for official use only, compartmented information).” (DODD 5200.28, March 21, 1988)
  • Sensitive compartmented information (SCI), special access program (SAP) information, or other compartmented information is a special category.
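The three conditions listed above (clearance that dominates the classification level, formal access approval for every category on the object, and need-to-know) can be combined into a single read-access decision. The following is an added example, not code from the original post; the subjects, objects and the modelling of need-to-know as a set of object names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Hierarchical levels named in the post; a higher number dominates a lower one.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    level: str                                  # hierarchical classification
    categories: FrozenSet[str] = frozenset()    # non-hierarchical compartments (SCI, SAP, ...)

@dataclass(frozen=True)
class Subject:
    clearance: str                                         # highest level the subject is cleared for
    formal_access_approvals: FrozenSet[str] = frozenset()  # compartments formally approved
    need_to_know: FrozenSet[str] = frozenset()             # object names the duties require (assumption)

def dominates(clearance: str, level: str) -> bool:
    """True if the clearance is at or above the object's classification level."""
    return LEVELS[clearance] >= LEVELS[level]

def can_read(subject: Subject, obj_name: str, label: Label) -> Tuple[bool, str]:
    """Return (decision, reason); the first failing condition explains a denial."""
    if not dominates(subject.clearance, label.level):
        return False, f"clearance {subject.clearance} does not dominate {label.level}"
    missing = label.categories - subject.formal_access_approvals   # categories lacking approval
    if missing:
        return False, f"no formal access approval for {sorted(missing)}"
    if obj_name not in subject.need_to_know:
        return False, "no need-to-know"
    return True, "granted"

# Constructed sample: a Top Secret-cleared analyst who has been read into SCI only.
ANALYST = Subject("Top Secret", frozenset({"SCI"}), frozenset({"intel-summary", "sap-plan"}))
OBJECTS = {
    "intel-summary": Label("Secret", frozenset({"SCI"})),       # level, SCI approval and NTK all satisfied
    "sap-plan": Label("Top Secret", frozenset({"SAP-ALPHA"})),  # cleared and NTK, but no SAP approval
    "budget-memo": Label("Confidential"),                       # collateral data, but no need-to-know
}

def decisions(subject: Subject = ANALYST) -> dict:
    """Evaluate the sample subject against every sample object."""
    return {name: can_read(subject, name, label) for name, label in OBJECTS.items()}

if __name__ == "__main__":
    for name, (ok, why) in decisions().items():
        print(f"{name:14s} {'ALLOW' if ok else 'DENY':5s} {why}")
```

A clearance alone never suffices: the SAP document is denied even to a Top Secret-cleared subject because formal access approval for that compartment is missing.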

Sensitive But Unclassified (SBU)

Sensitive But Unclassified (SBU) is a designation of information in the United States federal government that, though unclassified, often requires strict controls over its distribution. SBU is a broad category of information that includes material covered by such designations as:

  • For Official Use Only (FOUO),
  • Law Enforcement Sensitive (LES),
  • Sensitive Homeland Security Information,
  • Sensitive Security Information (SSI),
  • Critical Infrastructure Information (CII), etc.

It also includes Internal Revenue Service materials like individual tax records, systems information, and enforcement procedures. Some categories of SBU information have authority in statute or regulation (e.g. SSI, CII) while others, including FOUO, do not.

Source: Wikipedia

Sensitive Compartmented Information (SCI)

Sensitive compartmented information (SCI) is a type of United States classified information concerning or derived from sensitive intelligence sources, methods, or analytical processes. All SCI must be handled within formal access control systems established by the Director of National Intelligence.

SCI is not a classification. SCI clearance has sometimes been called “above Top Secret,” but information at any classification level may exist within an SCI control system. When “decompartmentalized” this information is treated the same as collateral information at the same classification level. 

Source: Wikipedia

Special Access Programs (SAPs)

Special Access Programs (SAPs) in the U.S. Federal Government are security protocols that provide highly classified information with safeguards and access restrictions that exceed those for regular (collateral) classified information. SAPs can range from black projects to routine but especially-sensitive operations, such as COMSEC maintenance or Presidential transportation support. In addition to collateral controls, a SAP may impose more stringent investigative or adjudicative requirements, specialized nondisclosure agreements, special terminology or markings, exclusion from standard contract investigations (carve-outs), and centralized billet systems. Within the Department of Defense, SAP is better known as “SAR” by the mandatory Special Access Required (SAR) markings.

Source: Wikipedia