Pass the ISC ISC 2 Credentials CISSP Questions and answers with CertsForce

 When assigning ownership of an asset to a department, the most important factor is to ensure individual accountability for the asset. Individual accountability means that each person who has access to or uses the asset is responsible for its protection and proper handling. Individual accountability also implies that each person who causes or contributes to a security breach or incident involving the asset can be identified and held liable. Individual accountability can be achieved by implementing security controls such as authentication, authorization, auditing, and logging.

The other options are not as important as ensuring individual accountability, as they do not directly address the security risks associated with the asset. The department should report to the business owner is a management issue, not a security issue. Ownership of the asset should be periodically reviewed is a good practice, but it does not prevent misuse or abuse of the asset. All members should be trained on their responsibilities is a preventive measure, but it does not guarantee compliance or enforcement of the responsibilities.

The best description of the responsibilities of a data owner is determining the impact the information has on the mission of the organization. A data owner is a person or entity that has the authority and accountability for the creation, collection, processing, and disposal of a set of data. A data owner is also responsible for defining the purpose, value, and classification of the data, as well as the security requirements and controls for the data. A data owner should be able to determine the impact the information has on the mission of the organization, which means assessing the potential consequences of losing, compromising, or disclosing the data. The impact of the information on the mission of the organization is one of the main criteria for data classification, which helps to establish the appropriate level of protection and handling for the data.

The other options are not the best descriptions of the responsibilities of a data owner, but rather the responsibilities of other roles or functions related to data management. Ensuring quality and validation through periodic audits for ongoing data integrity is a responsibility of a data steward, who is a person or entity that oversees the quality, consistency, and usability of the data. Maintaining fundamental data availability, including data storage and archiving is a responsibility of a data custodian, who is a person or entity that implements and maintains the technical and physical security of the data. Ensuring accessibility to appropriate users, maintaining appropriate levels of data security is a responsibility of a data controller, who is a person or entity that determines the purposes and means of processing the data.

Asymmetric Card Authentication Key (CAK) challenge-response is an effective control in preventing electronic cloning of RFID based access cards. RFID based access cards are contactless cards that use radio frequency identification (RFID) technology to communicate with a reader and grant access to a physical or logical resource. RFID based access cards are vulnerable to electronic cloning, which is the process of copying the data and identity of a legitimate card to a counterfeit card, and using it to impersonate the original cardholder and gain unauthorized access. Asymmetric CAK challenge-response is a cryptographic technique that prevents electronic cloning by using public key cryptography and digital signatures to verify the authenticity and integrity of the card and the reader. Asymmetric CAK challenge-response works as follows:

The card and the reader each have a pair of public and private keys, and the public keys are exchanged and stored in advance.

When the card is presented to the reader, the reader generates a random number (nonce) and sends it to the card.

The card signs the nonce with its private key and sends the signature back to the reader.

The reader verifies the signature with the card’s public key and grants access if the verification is successful.

The card also verifies the reader’s identity by requesting its signature on the nonce and checking it with the reader’s public key.

Asymmetric CAK challenge-response prevents electronic cloning because the private keys of the card and the reader are never transmitted or exposed, and the signatures are unique and non-reusable for each transaction. Therefore, a cloned card cannot produce a valid signature without knowing the private key of the original card, and a rogue reader cannot impersonate a legitimate reader without knowing its private key.

The other options are not as effective as asymmetric CAK challenge-response in preventing electronic cloning of RFID based access cards. Personal Identity Verification (PIV) is a standard for federal employees and contractors to use smart cards for physical and logical access, but it does not specify the cryptographic technique for RFID based access cards. Cardholder Unique Identifier (CHUID) authentication is a technique that uses a unique number and a digital certificate to identify the card and the cardholder, but it does not prevent replay attacks or verify the reader’s identity. Physical Access Control System (PACS) repeated attempt detection is a technique that monitors and alerts on multiple failed or suspicious attempts to access a resource, but it does not prevent the cloning of the card or the impersonation of the reader.

 When implementing a data classification program, it is important to avoid too much granularity, because the process will require too many resources. Data classification is the process of assigning a level of sensitivity or criticality to data based on its value, impact, and legal requirements. Data classification helps to determine the appropriate security controls and handling procedures for the data. However, data classification is not a simple or straightforward process, as it involves many factors, such as the nature, context, and scope of the data, the stakeholders, the regulations, and the standards. If the data classification program has too many levels or categories of data, it will increase the complexity, cost, and time of the process, and reduce the efficiency and effectiveness of the data protection. Therefore, data classification should be done with a balance between granularity and simplicity, and follow the principle of proportionality, which means that the level of protection should be proportional to the level of risk.

The other options are not the main reasons to avoid too much granularity in data classification, but rather the potential challenges or benefits of data classification. It will be difficult to apply to both hardware and software is a challenge of data classification, as it requires consistent and compatible methods and tools for labeling and protecting data across different types of media and devices. It will be difficult to assign ownership to the data is a challenge of data classification, as it requires clear and accountable roles and responsibilities for the creation, collection, processing, and disposal of data. The process will be perceived as having value is a benefit of data classification, as it demonstrates the commitment and awareness of the organization to protect its data assets and comply with its obligations.

In a data classification scheme, the data is owned by the business managers. Business managers are the persons or entities that have the authority and accountability for the creation, collection, processing, and disposal of a set of data. Business managers are also responsible for defining the purpose, value, and classification of the data, as well as the security requirements and controls for the data. Business managers should be able to determine the impact the information has on the mission of the organization, which means assessing the potential consequences of losing, compromising, or disclosing the data. The impact of the information on the mission of the organization is one of the main criteria for data classification, which helps to establish the appropriate level of protection and handling for the data.

The other options are not the data owners in a data classification scheme, but rather the other roles or functions related to data management. System security managers are the persons or entities that oversee the security of the information systems and networks that store, process, and transmit the data. They are responsible for implementing and maintaining the technical and physical security of the data, as well as monitoring and auditing the security performance and incidents. Information Technology (IT) managers are the persons or entities that manage the IT resources and services that support the business processes and functions that use the data. They are responsible for ensuring the availability, reliability, and scalability of the IT infrastructure and applications, as well as providing technical support and guidance to the users and stakeholders. End users are the persons or entities that access and use the data for their legitimate purposes and needs. They are responsible for complying with the security policies and procedures for the data, as well as reporting any security issues or violations.

 According to the CISSP For Dummies3, the goal of a Business Impact Analysis (BIA) is to determine the resource priorities for recovery and Maximum Tolerable Downtime (MTD) for each business process and function. This means that the BIA should identify the criticality and dependencies of each business process and function, and the maximum amount of time that they can be disrupted without causing unacceptable consequences to the organization. The BIA should also determine the recovery point objectives (RPOs) and recovery time objectives (RTOs) for each business process and function, which are the acceptable levels of data loss and downtime respectively. The BIA should not focus on the cost effectiveness of business recovery or installing software security patches, as these are not the primary objectives of the BIA. The BIA should also not determine which security measures should be implemented, as this is the role of the risk assessment and risk management processes. References: 3

One way to mitigate the risk of security flaws in custom software is to include security assurance clauses in the Service Level Agreement (SLA) between the customer and the software developer. The SLA is a contract that defines the expectations and obligations of both parties, such as the scope, quality, performance, and security of the software. By including security assurance clauses, the customer can specify the security requirements and standards that the software must meet, and the developer can agree to provide evidence of compliance and remediation of any defects. The other options are not effective ways to mitigate the risk of security flaws in custom software. Including security language in the Earned Value Management (EVM) contract is not relevant, as EVM is a project management technique that measures the progress and performance of a project, not the security of the software. Purchasing only Commercial Off-The-Shelf (COTS) products or software with no open source Application Programming Interfaces (APIs) does not guarantee that the software is free of security flaws, as COTS and closed source software can also have vulnerabilities and may not meet the customer’s specific needs and expectations. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 21, p. 1119; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, p. 507.

The business case justification is crucial as it outlines the reasons for making the change, including the benefits, costs, and impacts on the organization. It helps stakeholders understand why the change is necessary and aids in gaining their support34 References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations, p. 457; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7: Security Operations, p. 868.

Discretionary Access Control (DAC) restricts access according to authorizations granted to the user. DAC is a type of access control that allows the owner or creator of a resource to decide who can access it and what level of access they can have. DAC uses access control lists (ACLs) to assign permissions to resources, and users can pass or change their permissions to other users

4 the main reason for using configuration management is to provide consistency in security controls. Configuration management is the process of identifying, documenting, controlling, and verifying the characteristics and settings of the hardware, software, data, and network components of a system. Configuration management helps to ensure that the system is configured and maintained according to the security policies, standards, and baselines, and that any changes to the system are authorized, recorded, and tracked. Configuration management also helps to prevent or detect unauthorized or unintended changes to the system, which may introduce vulnerabilities, errors, or inconsistencies. Configuration management does not necessarily provide centralized administration, although it may involve some centralized tools or processes to facilitate the configuration management activities. Configuration management does not aim to reduce the number of changes, although it may help to prioritize, schedule, and coordinate the changes to minimize the impact and disruption to the system. Configuration management does not aim to reduce errors during upgrades, although it may help to test, validate, and verify the upgrades before implementing them on the system. 

The policy that should be updated to address the problem of having only six days of audit logs from the last month available while investigating a malicious event is the retention policy. A retention policy is a policy that defines and specifies the duration and conditions for keeping or storing the records or data of an organization, such as audit logs, backups, or archives. A retention policy should be based on the legal, regulatory, operational, or business requirements of the organization, and should balance the costs and benefits of retaining or disposing the records or data. The problem of having only six days of audit logs from the last month available while investigating a malicious event indicates that the retention policy is inadequate or ineffective, as it does not ensure the availability or accessibility of the audit logs for the investigation purposes. The retention policy should be updated to address this problem by extending or adjusting the retention period or criteria for the audit logs, and by enforcing or monitoring the compliance with the retention policy. The other options are not the policies that should be updated to address this problem, but rather different or irrelevant policies. A reporting policy is a policy that defines and specifies the procedures and actions for communicating or disclosing the information or incidents of an organization, such as audit results, security breaches, or performance metrics. A reporting policy should be based on the legal, regulatory, operational, or business requirements of the organization, and should ensure the accuracy, timeliness, and completeness of the reporting. A recovery policy is a policy that defines and specifies the objectives and strategies for restoring the normal operations of an organization after a disaster or disruption, such as recovery time objective, recovery point objective, or recovery methods. A recovery policy should be based on the business impact analysis and risk assessment of the organization, and should ensure the continuity, resilience, and availability of the organization. A remediation policy is a policy that defines and specifies the procedures and actions for correcting or improving the security or performance of an organization, such as vulnerability remediation, incident response, or root cause analysis. A remediation policy should be based on the security assessment and audit findings of the organization, and should ensure the effectiveness, efficiency, and compliance of the organization. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, p. 376; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, p. 406.

A disaster recovery test plan is a document that describes the methods and procedures for testing the effectiveness and readiness of a disaster recovery plan (DRP), which is a subset of a BCP that focuses on restoring the organization’s IT systems and data after a disruption or disaster. A disaster recovery test plan can have different types and levels of testing, depending on the objectives, scope, and resources of the organization. A parallel test is a type of disaster recovery test plan that involves activating the backup site and running the critical systems and processes in parallel with the primary site, without disrupting the normal operations. A parallel test is the most effective type of disaster recovery test plan, as it simulates a realistic scenario of a disruption or disaster, and allows the organization to evaluate the performance and functionality of the backup site, as well as the communication and coordination between the primary and backup sites. A parallel test also provides minimal risk, as it does not affect the normal operations of the primary site, and does not require switching over to the backup site. A read-through test is a type of disaster recovery test plan that involves reviewing the DRP document and verifying its accuracy and completeness, without performing any actual actions. A read-through test is the least effective type of disaster recovery test plan, as it does not test the actual implementation and execution of the DRP, and does not identify any potential issues or gaps in the DRP. A full interruption test is a type of disaster recovery test plan that involves shutting down the primary site and switching over to the backup site, and performing the normal operations from the backup site. A full interruption test is the most realistic type of disaster recovery test plan, as it tests the actual implementation and execution of the DRP, and identifies any potential issues or gaps in the DRP. However, a full interruption test also provides the highest risk, as it affects the normal operations of the primary site, and may cause data loss, downtime, or customer dissatisfaction. A simulation test is a type of disaster recovery test plan that involves simulating a disruption or disaster scenario and performing the actions and procedures of the DRP, without activating the backup site or affecting the normal operations. A simulation test is a moderately effective type of disaster recovery test plan, as it tests the implementation and execution of the DRP, and identifies any potential issues or gaps in the DRP. However, a simulation test also provides moderate risk, as it does not test the performance and functionality of the backup site, and may not simulate a realistic scenario of a disruption or disaster. References: [Disaster Recovery Test Plan], [CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7: Security Operations]2

The security risk that the role-based access approach mitigates most effectively is excessive access rights to systems and data. Role-based access control (RBAC) is a model of access control that assigns permissions to roles rather than individual users, and then assigns users to those roles based on their job functions and responsibilities. This way, RBAC ensures that users have the minimum necessary access rights to perform their tasks and reduces the risk of unauthorized or inappropriate access.

B. Segregation of duties conflicts within business applications is not the security risk that the role-based access approach mitigates most effectively, but rather a security principle that RBAC supports by enforcing the separation of incompatible functions and preventing collusion or fraud.

C. Lack of system administrator activity monitoring is not the security risk that the role-based access approach mitigates most effectively, but rather a security requirement that RBAC facilitates by providing audit trails and logs of the access activities and events.

D. Inappropriate access requests is not the security risk that the role-based access approach mitigates most effectively, but rather a security challenge that RBAC addresses by simplifying the access management process and reducing the administrative overhead.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, page 133; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, page 109

According to the CISSP CBK Official Study Guide, a chosen plaintext attack is a type of cryptanalysis that allows the cryptanalyst to generate ciphertext from arbitrary text. A cryptanalysis is the process of breaking or analyzing a cryptographic system or algorithm, by finding the plaintext, the key, or the algorithm from the ciphertext, or by exploiting the weaknesses or vulnerabilities of the system or algorithm. A chosen plaintext attack is a scenario where the cryptanalyst has access to the encryption function or device, and can choose any plaintext and obtain the corresponding ciphertext. A chosen plaintext attack can help the cryptanalyst to deduce the key or the algorithm, or to create a codebook or a dictionary that maps the plaintext to the ciphertext. The cryptanalyst does not examine the communication being sent back and forth, as this would be a ciphertext-only attack, where the cryptanalyst only has access to the ciphertext, and tries to infer the plaintext, the key, or the algorithm from the statistical or linguistic analysis of the ciphertext. The cryptanalyst does not choose the key and algorithm to mount the attack, as this would be a known plaintext attack, where the cryptanalyst has access to some pairs of plaintext and ciphertext that are encrypted with the same key and algorithm, and tries to find the key or the algorithm from the correlation or pattern between the plaintext and the ciphertext. The cryptanalyst is not presented with the ciphertext from which the original message is determined, as this would be a decryption problem, where the cryptanalyst has access to the ciphertext and the key or the algorithm, and tries to recover the plaintext from the ciphertext.

The primary characteristic of a Distributed Denial of Service (DDoS) attack is that it looks like normal network activity. A DDoS attack is a type of attack or a threat that aims or intends to disrupt or to degrade the availability or the performance of a system or a service, by overwhelming or flooding the system or the service with a large amount or a high volume of traffic or requests, from multiple or distributed sources or locations, such as the compromised or infected computers, devices, or networks, that are controlled or coordinated by the attacker or the malicious actor. The primary characteristic of a DDoS attack is that it looks like normal network activity, which means that it is difficult or challenging to detect or to prevent the DDoS attack, as it is hard or impossible to distinguish or to differentiate the legitimate or the authentic traffic or requests from the illegitimate or the malicious traffic or requests, and as it is hard or impossible to block or to filter the illegitimate or the malicious traffic or requests, without affecting or impacting the legitimate or the authentic traffic or requests. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 115; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 172