the security policy and implementing it?Senior managementSecurity professionalCustodianAuditor
9 Control Objectives for Information and Related Technology (COBIT) is a documented set of best IT security practices crafted by the Information Systems Audit and Control Association (ISACA). It prescribes goals and requirements for security controls and encourages the mapping of IT security ideals to business objectives. COBIT is based on six key principles for governance and management of enterprise IT. Which of the following are among these key principles? (Choose all that apply.)Holistic ApproachEnd-to-End Governance SystemProvide Stakeholder ValueMaintaining Authenticity and AccountabilityDynamic Governance System
10 In today's business environment, prudence is mandatory. Showing due diligence and due care is the only way to disprove negligence in an occurrence of loss. Which of the following are true statements? (Choose all that apply.)Due diligence is establishing a plan, policy, and process to protect the interests of an organization.Due care is developing a formalized security structure containing a security policy, standards, baselines, guidelines, and procedures.Due diligence is the continued application of a security structure onto the IT infrastructure of an organization.Due care is practicing the individual activities that maintain the security effort.Due care is knowing what should be done and planning for it.Due diligence is doing the right action at the right time.
11 Security documentation is an essential element of a successful security program. Understanding the components is an early step in crafting the security documentation. Match the following components to their respective definitions.PolicyStandardProcedureGuidelineA detailed, step-by-step how-to document that describes the exact actions necessary to implement a specific security mechanism, control, or solution.A document that defines the scope of security needed by the organization and discusses the assets that require protection and the extent to which security solutions should go to provide the necessary protection.A minimum level of security that every system throughout the organization must meet.Offers recommendations on how security requirements are implemented and serves as an operational guide for both security professionals and users.Defines compulsory requirements for the homogenous use of hardware, software, technology, and security controls.1 – I; 2 – IV; 3 – II; 4 - V1 – II; 2 – V; 3 – I; 4 - IV1 – IV; 2 – II; 3 – V; 4 - I1 – V; 2 – I; 3 – IV; 4 - III
12 STRIDE is often used in relation to assessing threats against applications or operating systems. When confidential documents are exposed to unauthorized entities, which element of STRIDE is used to reference that violation?STRIDE
13 A development team is working on a new project. During the early stages of systems development, the team considers the vulnerabilities, threats, and risks of their solution and integrates protections against unwanted outcomes. What concept of threat modeling is this?Threat huntingProactive approachQualitative approachAdversarial approach
14 Supply chain risk management (SCRM) is a means to ensure that all the vendors or links in the supply chain are reliable, trustworthy, reputable organizations. Which of the following are true statements? (Choose all that apply.)Each link in the supply chain should be responsible and accountable to the next link in the chain.Commodity vendors are unlikely to have mined their own metals or processed the oil for plastics or etched the silicon of their chips.If the final product derived from a supply chain meets expectations and functional requirements, it is assured to not have unauthorized elements.Failing to properly secure a supply chain can result in flawed or less reliable products, or even embedded listing or remote control mechanisms.
15 Your organization has become concerned with risks associated with the supply chain of their retail products. Fortunately, all coding for their custom product is done in-house. However, a thorough audit of a recently completed product revealed that a listening mechanism was integrated into the solution somewhere along the supply chain. The identified risk is associated with what product component in this scenario?SoftwareServicesDataHardware
16 Cathy's employer has asked her to perform a documentation review of the policies and procedures of a third-party supplier. This supplier is just the final link in a software supply chain. Their components are being used as a key element of an online service operated for high-end customers. Cathy discovers several serious issues with the vendor, such as failing to require encryption for all communications and not requiring multifactor authentication on management interfaces. What should Cathy do in response to this finding?Write up a report and submit it to the CIO.Void the ATO of the vendor.Require that the vendor review their terms and conditions.Have the vendor sign an NDA.
17 Whenever an organization works with a third party, its supply chain risk management (SCRM) processes should be applied. One of the common requirements is the establishment of minimum security requirements of the third party. What should these requirements be based on?Existing security policyThird-party auditOn-site assessmentVulnerability scan results
18 It's common to pair threats with vulnerabilities to identify threats that can exploit assets and represent significant risks to the organization. An ultimate goal of threat modeling is to prioritize the potential threats against an organization's valuable assets. Which of the following is a risk-centric threat-modeling approach that aims at selecting or developing countermeasures in relation to the value of the assets to be protected?VASTSD3+CPASTASTRIDE
19 The next step after threat modeling is reduction analysis. Reduction analysis is also known as decomposing the application, system, or environment. The purpose of this task is to gain a greater understanding of the logic of the product, its internal components, as well as its interactions with external elements. Which of the following are key components to identify when performing decomposition? (Choose all that apply.)Patch or update versionsTrust boundariesDataflow pathsOpen vs. closed source code useInput pointsPrivileged operationsDetails about security stance and approach
20 Defense in depth is simply the use of multiple controls in a series. No one control can protect against all possible threats. Using a multilayered solution allows for numerous, different controls to guard against whatever threats come to pass. Which of the following are terms that relate to or are based on defense in depth? (Choose all that apply.)LayeringClassificationsZonesRealmsCompartmentsSilosSegmentationsLattice structureProtection rings
Chapter 2 Personnel Security and Risk Management Concepts
THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 1.0: Security and Risk Management1.9 Contribute to and enforce personnel security policies and procedures1.9.1 Candidate screening and hiring1.9.2 Employment agreements and policies1.9.3 Onboarding, transfers, and termination processes1.9.4 Vendor, consultant, and contractor agreements and controls1.9.5 Compliance policy requirements1.9.6 Privacy policy requirements1.10 Understand and apply risk management concepts1.10.1 Identify threats and vulnerabilities1.10.2 Risk assessment/analysis1.10.3 Risk response1.10.4 Countermeasure selection and implementation1.10.5 Applicable types of controls (e.g., preventive, detective, corrective)1.10.6 Control assessments (security and privacy)1.10.7 Monitoring and measurement1.10.8 Reporting1.10.9 Continuous improvement (e.g., Risk maturity modeling)1.10.10 Risk frameworks 1.13 Establish and maintain a security awareness, education, and training program1.13.1 Methods and techniques to present awareness and training (e.g., social engineering, phishing, security champions, gamification)1.13.2 Periodic content reviews1.13.3 Program effectiveness evaluation
The Security and Risk Management domain of the CISSP certification exam deals with many of the foundational elements of security solutions, such as design, implementation, and administration of security mechanisms. Additional elements of this domain are discussed in various chapters: Chapter 1, “Security Governance Through Principles and Policies”; Chapter 3, “Business Continuity Planning”; and Chapter 4, “Laws, Regulations, and Compliance.” Please be sure to