Effective CISSP Questions

In the Kerberos network authentication system, clients, the KDC, and application servers are the three well-known architectural components (the "three heads" of Kerberos). Which of the following best describes the operations of Kerberos? (Source: Wentz QOTD)
A. The KDC manages all the keys and is resistant to denial-of-service attacks.
B. Clients on the network interact with the KDC and servers asynchronously.
C. Realms must be organized hierarchically to support cross-realm authentication.
D. Initial ticket requests from clients are handled by the authentication service (AS).

Digest of AICPA SSAE 18

Service Organization Control (SOC)

Statement on Standards for Attestation Engagements 18

In addition to complying with this section, a practitioner is required to comply with section 105, Concepts Common to All Attestation Engagements, and section 205, Examination Engagements.

  • 100 Common Concepts
    • 105 Concepts Common to All Attestation Engagements
  • 200 Level of Service
    • 205 Examination Engagements
    • 210 Review Engagements
    • 215 Agreed-Upon Procedures Engagements
  • 300 Subject Matter
    • 305 Prospective Financial Information
    • 310 Reporting on Pro Forma Financial Information
    • 315 Compliance Attestation
    • 320 Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting
    • 395 [Designated for AT Section 701, Management’s Discussion and Analysis (AICPA, Professional Standards)]

Effective CISSP Questions

You’re implementing IPsec to protect data in transit. Which of the following is the least feasible through IPsec? (Source: Wentz QOTD)
A. Build a virtual data link over frame relay to connect two remote offices
B. Secure TFTP traffic that updates the firmware of network devices
C. Protect traffic between browsers and the enterprise information portal over LAN
D. Authenticate security gateways that establish the tunnel between two remote offices

Effective CISSP Questions

You’re implementing an L2TP/IPsec VPN solution to support remote employees. Which of the following is not true? (Source: Wentz QOTD)
A. AH may not be available in IPsec
B. AH ensures integrity only, but not confidentiality through encryption
C. Implementation of ESP is a mandatory requirement of IPsec
D. ESP ensures both confidentiality and the same level of integrity as AH does

What is Assurance?

International Accreditation Forum

The diagram illustrates the ISO assurance system as it applies to management systems. The following are common management systems:

  • Quality Management System (QMS, ISO 9001)
  • Environmental Management System (EMS, ISO 14001)
  • Food Safety Management System (FSMS, ISO 22001)
  • Business Continuity Management System (BCMS, ISO 22301)
  • Information Security Management System (ISMS, ISO 27001)
  • Occupational Health and Safety Management System (OHSMS, ISO 45001)

I added more information about the confusing C&A process to the post, Jargons: V&V and C&A. The newly added material is included below.

Added on 2020/07/30:

There were various information system certification and accreditation processes across the US federal agencies, such as DITSCAP, DIACAP, NIACAP, NISCAP, and DCID 6/3. Those legacy C&A processes can be confusing because of their diversity and inconsistency across agencies. For example, the obsolete DITSCAP C&A process treated V&V as phases of its C&A process. The NIST RMF (SP 800-37 R2) now serves as the latest, unified successor to these C&A processes.

C&A Systems

The NIST RMF is integrated with the SDLC detailed in NIST SP 800-160 v1, which is aligned with the SDLC introduced in ISO 15288. Accordingly, the terms certification and accreditation are no longer used in the NIST RMF: C&A (Certification and Accreditation) is replaced by A&A (Assessment and Authorization) in the RMF and by V&V (Verification and Validation) in ISO 15288.

NIST SP 800-160 V1 and ISO 15288