Change Management

CISSP Practice Questions

I bumped into this question in Luke’s group today.

What is the primary purpose of change management?
A. To prevent unwanted reductions to security
B. To allow management to review all changes
C. To delay the release of mission-critical patches
D. To improve the productivity of end-users

Charlie Lindell’s comment encloses a screenshot as follows:

Sybex_ChangeManagement

The General Change Management Process

Any change request has to be documented, evaluated, approved, implemented, reported and communicated so that the risk of the change can be managed to prevent unwanted reductions to security. As changes are documented, they can be reviewed for lessons learned or continuous improvement.

Change Management

The “Correct” Answer

All the benefits stated above are critical factors in improving the productivity of end-users, which contributes to the ultimate goal of security: to deliver value. So, in terms of the primary “purpose”, I chose D because that is a step further, from avoiding loss to delivering value, but I have second thoughts.

I have to admit that we usually request changes passively, in response to certain security events or issues, so that we can keep our security objectives unharmed. We don’t do change management proactively to primarily improve the productivity of end-users.

To proactively deliver value, we can evaluate the change request from the perspectives of both threats and opportunities. The security objectives must be achieved first by handling the threats, and then the opportunities that contribute to the business objectives.

As all security efforts are directed by objectives, specifically CIA, I consider the option “To allow management to review all changes” a means, not an end or purpose.

In conclusion, I will choose “to prevent unwanted reductions to security” as the primary purpose of change management.

InformationSecurityDefinition

The real world is volatile and fuzzy

As a CISSP aspirant, learning information security is not about right or wrong answers. What matters is the concept, justification, logic, and reasoning process, because real-world situations are much more complicated. No single correct answer or solution will solve the question or problem.

Think about it!

So, how do we distinguish between the following concepts:

  • goal and purpose
  • overall and primary
  • threat and opportunity
  • security and risk

This is an interesting question that deserves your thinking.

CISSP PRACTICE QUESTIONS – 20190806

PRP

  1. Which of the following best describes the control requiring that access to data or resources be necessary for the performance of official duties?
    A. Separation of Duties
    B. Need-to-Know
    C. Least Privilege
    D. Job Rotation
  2. Which of the following best ensures that a person has been determined to be trustworthy?
    A. Security clearance
    B. Identification
    C. Need-to-Know
    D. Access Control
  3. Which of the following is of most concern when determining whether a HIDS or NIDS should be implemented as a safeguard?
    A. Analysis of the frequency of network attacks
    B. The effectiveness of the solution
    C. The risk exposure of being breached
    D. Identify, analyze, and evaluate the risks


Accounting, Auditing, and Accountability

I3A

The diagram and the following concepts are addressed in the official study guide, (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide:

  • Auditing: recording a log of the events and activities related to the system and subjects.
  • Accounting (aka accountability): reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.

But I don’t agree with it; I would address Accounting, Auditing, and Accountability as follows:

Accountability can be concluded through auditing, an independent and systematic security assessment. Accounting is the process of writing logs of the activities of subjects and objects. An audit trail is a collection of logs to conclude accountability. Log review is one of the most common security assessment techniques used in an information systems audit.

In summary,

  • Accountability is concluded by auditing.
  • Auditing is an independent and systematic security assessment; log review is one of the most common security assessment techniques.
  • Accounting produces logs as audit trails to support auditing.
  • Logs reflect the activities of the authenticated subject.
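An added illustration (not from the study guide or this post) of the flow just summarized: accounting writes the audit trail, and a log review checks it against policy to conclude accountability per authenticated subject. The log lines, the subjects, and the need-to-know policy table are constructed for this example; the policy scheme is hypothetical.

```python
"""Log review over a constructed audit trail.

Accounting writes the entries; review (one audit technique) checks each entry
against policy and attributes every violation to the authenticated subject.
"""
from collections import defaultdict

# Constructed sample audit trail (not real system output):
# timestamp | subject | action | object | outcome  ('-' = no authenticated subject)
AUDIT_TRAIL = [
    "2019-08-06T09:00:01 alice READ   payroll.db  success",
    "2019-08-06T09:02:10 bob   READ   payroll.db  success",
    "2019-08-06T09:05:33 bob   WRITE  payroll.db  denied",
    "2019-08-06T09:07:45 alice DELETE backup.tar  success",
    "2019-08-06T09:09:12 -     READ   payroll.db  success",
]

# Hypothetical need-to-know policy: actions each subject may perform on each object.
POLICY = {
    "alice": {"payroll.db": {"READ", "WRITE"}},
    "bob": {"payroll.db": {"READ"}},
}


def parse_entry(line):
    """Split one whitespace-separated audit record into its five fields."""
    ts, subject, action, obj, outcome = line.split()
    return {"ts": ts, "subject": subject, "action": action, "object": obj, "outcome": outcome}


def review(trail, policy):
    """Return findings keyed by subject.

    A finding is a *successful* action the policy does not grant. Denied
    attempts are not findings: the control worked, and nothing happened to
    hold the subject accountable for. An entry with no authenticated subject
    cannot be attributed to anyone and is reported under 'UNATTRIBUTED'.
    """
    findings = defaultdict(list)
    for line in trail:
        e = parse_entry(line)
        if e["subject"] == "-":
            findings["UNATTRIBUTED"].append(e)
            continue
        if e["outcome"] != "success":
            continue
        allowed = policy.get(e["subject"], {}).get(e["object"], set())
        if e["action"] not in allowed:
            findings[e["subject"]].append(e)
    return dict(findings)
```

Running `review(AUDIT_TRAIL, POLICY)` attributes the unauthorised DELETE to alice and flags the unattributed read separately; bob's denied write produces no finding.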

Your feedback and comment are always welcome!

Data Remanence Question


The following is my response to the post as above from Luke’s CISSP group:

According to NIST SP 800-88 R1, it depends on the data types the system was processing, or the system category. If the workstation in question was categorized as a High impact system, the media must be purged, while media from a Low or Medium impact system may be cleared (erase or delete).

Since this question does not provide a specific context, the BEST way to recycle and protect sensitive data from leaking is “purge”.

Data Sanitization

Is PPTP a Layer 2 or Layer 4 Protocol?

PPTP

The following is my response to the post as above from Luke’s CISSP group:

Definitions

  • A session is an interaction between two parties using a communication channel that can be set up and torn down by either party during a period of time.
  • A data link is a logical connection between two adjacent nodes for data transmission.

Justifications

  • PPTP is a protocol that sets up a VPN tunnel as a logical connection between the VPN client and the VPN server. PPTP works at the data link layer, or logical link control (LLC) layer specifically, in terms of its result, the tunnel.
  • The VPN client authenticates to the VPN server to set up the VPN tunnel as the communication channel that can be set up and torn down by either party during a period of time. From the perspective of the tunnel building process, it’s reasonable to argue that PPTP works at the session layer.

Personally, I consider PPTP a layer 2 (data link layer) protocol.

Reminders for CISSP Aspirants


Why is CISSP so challenging? Its comprehensiveness, which we all agree on, is just the exposed tip of the CISSP iceberg; the general management concepts, the hidden part under the sea, are the substantial stumbling block.

CISSP is an experience-based exam. It requires at least 5 years of security-related work experience for CISSP aspirants to sit for the exam. Why is the 5-year experience one of the prerequisites? One should develop the general management concepts and fundamental project management capabilities that are required in almost every business setting before or during one’s CISSP journey.

IMHO, the following are some of the key concepts or skills:

  • Focus on effectiveness and understand the difference between effectiveness and efficiency.
  • Understand leadership and management. Lead and/or follow people passionately and strategically; manage things or projects effectively and efficiently.
  • Management by objectives; Plan-Do-Check-Act.
  • Be curious and learn how the business works.
  • Think strategically and integrate projects, programs, and portfolios.

Security is a business issue and goes far beyond the scope of IT. CISSP aspirants have to be acquainted with specific technical and business areas, e.g., operations, governance, and risk management.

CISSP Perspectives


CISSP is one of the most challenging exams ever because of its comprehensive perspectives and its requirement of a solid conceptual-level understanding and in-depth insight into managerial and technical issues.

The following is my two cents for CISSP aspirants getting started on their CISSP journey:

https://wentzwu.com/cissp