CISSP Exam Dumps - ISC 2 Credentials Questions and Answers

Service Organization Control (SOC) 2 is a report that provides information about the security, availability, processing integrity, confidentiality, and privacy of a service organization’s system. It is intended for users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. A SOC 2 report can help an organization assess the business continuity/disaster recovery policy and procedures for an application that is outsourced to a third-party service provider.

 The primary objective for conducting an internal security audit is to verify that applicable security controls are implemented and effective. A security audit is a systematic and independent examination of the security posture and performance of an organization, system, or network, against a set of predefined criteria, standards, or regulations. A security audit can be conducted by internal or external parties, depending on the purpose, scope, and frequency of the audit. An internal security audit is a type of security audit that is conducted by the organization itself, or by a third party hired by the organization, to assess the compliance, effectiveness, and efficiency of the security controls and measures that are implemented on the organization, system, or network. An internal security audit can help to verify that applicable security controls are implemented and effective, by ensuring that the security controls and measures are aligned with the security policies and objectives of the organization, and that they are able to protect the organization, system, or network from various security threats and risks. An internal security audit can also help to identify and resolve any security issues or gaps, as well as to provide recommendations and solutions to improve the security posture and performance of the organization, system, or network. Verifying that all systems and Standard Operating Procedures (SOP) are properly documented, verifying that all personnel supporting a system are knowledgeable of their responsibilities, or verifying that security controls are established following best practices are not the primary objectives for conducting an internal security audit, as they are more related to the documentation, training, or design aspects of security.

 The role that the CIO has a primary obligation to work with in order to ensure proper protection of data during and after the cloud migration is the Chief Information Security Officer (CISO). The CISO is the senior executive who is responsible for establishing, implementing, and maintaining the information security strategy, policies, and programs of the organization, and for ensuring the alignment and integration of the information security objectives and activities with the business goals and operations of the organization. The CISO is the role that the CIO has a primary obligation to work with in order to ensure proper protection of data during and after the cloud migration, as the CISO can provide the leadership, guidance, and expertise for the information security aspects of the cloud migration, such as the risk assessment, the security controls, the compliance requirements, the incident response, and the security monitoring of the cloud services . References: [CISSP CBK, Fifth Edition, Chapter 1, page 28]; [100 CISSP Questions, Answers and Explanations, Question 20].

WPA2 is a security protocol that encrypts the data sent over wireless networks. It provides stronger protection than WEP or WPA, which are older and weaker protocols. WPA2 prevents unauthorized access to the wireless network and ensures the confidentiality of the information transmitted. Configuring the APs to use WPA2 is a logical control that can reduce the risk of wireless eavesdropping or interception outside the campus area. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Communication and Network Security, page 237. CISSP Practice Exam Questions and Answers in 2023, Question 14.

 The best way to protect an organization’s data assets is to encrypt data in transit and at rest using up-to-date cryptographic algorithms. Encryption is a process of transforming data into an unintelligible form using a secret key, so that only authorized parties can access or modify the data. Encryption can protect data in transit, which is data that is moving across a network or a communication channel, from eavesdropping, interception, or modification. Encryption can also protect data at rest, which is data that is stored on a device or a media, from unauthorized access, theft, or loss. Encryption should use up-to-date cryptographic algorithms, such as AES, RSA, or SHA, that are proven to be secure and resistant to attacks. Monitoring and enforcing adherence to security policies is a good practice, but it may not be sufficient to protect data assets from internal or external threats. Creating the DMZ with proxies, firewalls, and hardened bastion hosts is a way to isolate and protect the network perimeter, but it may not protect data assets that are inside or outside the network. Requiring MFA and SoD is a way to enhance the identity and access management, but it may not protect data assets from unauthorized disclosure or modification. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Cryptography and Symmetric Key Algorithms, page 331.

Federated identity is a mechanism that allows users to use a single identity across multiple systems or organizations, without requiring the creation or management of separate accounts for each system or organization. Federated identity relies on trust relationships between the identity providers (IdPs) and the service providers (SPs) that participate in the federation. The IdPs are responsible for authenticating the users and issuing security tokens that contain identity attributes or claims. The SPs are responsible for validating the security tokens and granting access to the users based on the identity attributes or claims. Federated identity enables users to have a seamless and consistent user experience, while reducing the administrative overhead and security risks associated with multiple accounts. Federated identity also supports the principle of data minimization, as the IdPs only share the necessary identity attributes or claims with the SPs, and the SPs do not store any user identity information. Federated identity is often implemented using standards such as Security Assertion Markup Language (SAML), OpenID Connect, or OAuth. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 295. Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 5: Identity and Access Management (IAM), page 609.

 Collection Limitation is the privacy principle that states that the collection of personal information should be limited, relevant, and lawful. It also implies that personal information should not be collected unless it is necessary for a specific purpose. This principle is aligned with the concept of data minimization, which means that only the minimum amount of data required to achieve a legitimate goal should be collected and processed. A mobile device application that restricts the storage of user information to just that which is needed to accomplish lawful business goals adheres to this principle by minimizing the amount of personal data it collects and stores. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 35; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 28

The Security Assessment and Authorization (SA&A) process is a framework that ensures that information systems meet the security requirements and standards of the organization and the applicable laws and regulations. The SA&A process consists of four phases: initiation, assessment, authorization, and monitoring. During the initiation phase, one of the primary purposes for conducting a hardware and software inventory is to define the boundaries of the information system, i.e., the scope and extent of the system components, interfaces, and data flows. Defining the boundaries of the information system helps to identify the security risks, controls, and responsibilities associated with the system, as well as to determine the level of effort and resources required for the assessment and authorization phases12. References:

• Security Assessment and Authorization - NIST, Section: 2.1 Initiation Phase
• Security Assessment and Authorization - NIST, Section: 2.1.1 Identify Information System Boundaries

According to the CISSP Official (ISC)2 Practice Tests, the property that is prioritized by a Mandatory Access Control (MAC) model for implementation is confidentiality. Confidentiality is the property that ensures that the data or information is only accessible or disclosed to the authorized parties, and is protected from unauthorized or unintended access or disclosure. A MAC model is a type of access control model that grants or denies access to an object based on the security labels of the subject and the object, and the security policy enforced by the system. A security label is a tag or a marker that indicates the classification, sensitivity, or clearance of the subject or the object, such as top secret, secret, or confidential. A security policy is a set of rules or criteria that defines how the access decisions are made based on the security labels, such as the Bell-LaPadula model or the Biba model. A MAC model prioritizes confidentiality, as it ensures that the data or information is only accessible or disclosed to the subjects that have the appropriate security labels and clearance, and that the data or information is not leaked or compromised by the subjects that have lower security labels or clearance. Integrity is not the property that is prioritized by a MAC model for implementation, although it may be a property that is supported or enhanced by a MAC model. Integrity is the property that ensures that the data or information is accurate, complete, and consistent, and is protected from unauthorized or unintended modification or corruption. A MAC model may support or enhance integrity, as it ensures that the data or information is only modified or corrupted by the subjects that have the appropriate security labels and clearance, and that the data or information is not altered or damaged by the subjects that have lower security labels or clearance. However, a MAC model does not prioritize integrity, as it does not prevent or detect the modification or corruption of the data or information by the subjects that have the same or higher security labels or clearance, or by the external factors or events, such as errors, failures, or accidents. Availability is not the property that is prioritized by a MAC model for implementation, although it may be a property that is supported or enhanced by a MAC model. Availability is the property that ensures that the data or information is accessible and usable by the authorized parties, and is protected from unauthorized or unintended denial or disruption of access or use. A MAC model may support or enhance availability, as it ensures that the data or information is accessible and usable by the subjects that have the appropriate security labels and clearance, and that the data or information is not denied or disrupted by the subjects that have lower security labels or clearance. However, a MAC model does not prioritize availability, as it does not prevent or detect the denial or disruption of access or use of the data or information by the subjects that have the same or higher security labels or clearance, or by the external factors or events, such as attacks, failures, or disasters. Accessibility is not the property that is prioritized by a MAC model for implementation, as it is not a security property, but a usability property. Accessibility is the property that ensures that the data or information is accessible and usable by the users with different abilities, needs, or preferences, such as the users with disabilities, impairments, or limitations. Accessibility is not a security property, as it does not protect the data or information from unauthorized or unintended access, disclosure, modification, corruption, denial, or disruption. Accessibility is a usability property, as it enhances the user experience and satisfaction of the data or information. 

Baseline configuration information is the set of data that describes the state of a computer system at a specific point in time. It is used to monitor and control changes to the system, as well as to assess its compliance with security standards and policies. Baseline configuration information must include the operating system and version, patch level, applications running, and versions, because these are the essential components that define the functionality and security of the system. These components can also affect the compatibility and interoperability of the system with other systems and networks. Therefore, it is important to maintain accurate and up-to-date records of these components for each computer system123. References:

• Create configuration baselines - Configuration Manager, Section: Configuration baselines
• About Configuration Baselines - Configuration Manager, Section: Configuration Baseline Rules
• About Configuration Baselines and Items - Configuration Manager, Section: Configuration Baselines

According to the CISSP All-in-One Exam Guide2, when designing a vulnerability test, mapping tools are likely to give the best indication of what components currently operate on the network. Mapping tools are software applications that scan and discover the network topology, devices, services, and protocols. They can provide a graphical representation of the network structure and components, as well as detailed information about each node and connection. Mapping tools can help identify potential vulnerabilities and weaknesses in the network configuration and architecture, as well as the exposure and attack surface of the network. Topology diagrams are not likely to give the best indication of what components currently operate on the network, as they may be outdated, inaccurate, or incomplete. Topology diagrams are static and abstract representations of the network layout and design, but they may not reflect the actual and dynamic state of the network. Asset register is not likely to give the best indication of what components currently operate on the network, as it may be outdated, inaccurate, or incomplete. Asset register is a document that lists and categorizes the assets owned by an organization, such as hardware, software, data, and personnel. However, it may not capture the current status, configuration, and interconnection of the assets, as well as the changes and updates that occur over time. Ping testing is not likely to give the best indication of what components currently operate on the network, as it is a simple and limited technique that only checks the availability and response time of a host. Ping testing is a network utility that sends an echo request packet to a target host and waits for an echo reply packet. It can measure the connectivity and latency of the host, but it cannot provide detailed information about the host’s characteristics, services, and vulnerabilities. References: 2

The most efficient way to secure a production program and its data is to harden the application and encrypt the data. Hardening the application means applying the security best practices and standards to the development, testing, deployment, and maintenance of the application, such as input validation, output encoding, error handling, logging, patching, and configuration. Encrypting the data means applying the cryptographic techniques and algorithms to the data at rest and in transit, such as symmetric encryption, asymmetric encryption, hashing, and digital signatures. These two measures can provide a comprehensive and effective protection for the application and its data against various threats and attacks.

• A. Disable default accounts and implement access control lists (ACL) is not the most efficient way to secure a production program and its data, because it only addresses one aspect of security, which is access control. Disabling default accounts and implementing ACLs can prevent unauthorized or inappropriate access to the application and its data, but it does not protect the application and its data from other vulnerabilities or risks, such as injection, cross-site scripting, denial-of-service, or data leakage.
• C. Disable unused services and implement tunneling is not the most efficient way to secure a production program and its data, because it only addresses one aspect of security, which is network security. Disabling unused services and implementing tunneling can reduce the attack surface and enhance the confidentiality and integrity of the data in transit, but it does not protect the application and its data from other vulnerabilities or risks, such as logic flaws, broken authentication, insecure storage, or data tampering.
• D. Harden the servers and backup the data is not the most efficient way to secure a production program and its data, because it only addresses one aspect of security, which is system security. Hardening the servers and backing up the data can improve the performance and availability of the application and its data, but it does not protect the application and its data from other vulnerabilities or risks, such as code injection, session hijacking, privilege escalation, or data disclosure.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 481; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, page 437

The role that has the obligation to ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization is the data owner. A data owner is a person or an entity that has the authority or the responsibility for the data or the information within an organization, and that determines or defines the classification, the usage, the protection, or the retention of the data or the information. A data owner has the obligation to ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization, as the data owner is ultimately accountable or liable for the security or the quality of the data or the information, regardless of who processes or handles the data or the information. A data owner can ensure that a third party provider is capable of processing and handling data in a secure manner and meeting the standards set by the organization, by performing the tasks or the functions such as conducting due diligence, establishing service level agreements, defining security requirements, monitoring performance, or auditing compliance. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2, page 61; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 2, page 67

 Incorporating business continuity concepts effectively into an organization requires developing training and awareness programs that involve all stakeholders. This ensures that everyone understands their roles, responsibilities, and actions required during a disruption or crisis. References: CISSP Official (ISC)2 Practice Tests, Chapter 9, page 249; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 9, page 440

According to the CISSP CBK Official Study Guide1, an information librarian is responsible for managing, maintaining, and protecting the organization’s knowledge resources, including ensuring that media (such as hard drives, USBs, CDs) are free from corruption or contamination to protect the enterprise’s data integrity. An information librarian is also responsible for cataloging, indexing, and classifying the media, as well as providing access and retrieval services to the authorized users. An information librarian may also perform backup, recovery, and disposal of the media, as well as monitor and audit the usage and security of the media. An information security practitioner is not the operations role that is responsible for protecting the enterprise from corrupt or contaminated media, although they may be involved in defining and enforcing the policies and standards for the media security. An information security practitioner is a general term for a person who performs various functions and tasks related to the information security of the organization, such as planning, designing, implementing, testing, operating, or auditing the information security systems and controls. An information security practitioner may also provide guidance, advice, and training to the other roles and stakeholders on the information security matters. A computer operator is not the operations role that is responsible for protecting the enterprise from corrupt or contaminated media, although they may be involved in using and handling the media. A computer operator is a person who operates and controls the computer systems and devices of the organization, such as the servers, workstations, printers, or scanners. A computer operator may also perform tasks such as loading and unloading the media, running and monitoring the programs and applications, troubleshooting and resolving the errors and problems, and reporting and documenting the activities and incidents. A network administrator is not the operations role that is responsible for protecting the enterprise from corrupt or contaminated media, although they may be involved in configuring and connecting the media. A network administrator is a person who administers and manages the network systems and devices of the organization, such as the routers, switches, firewalls, or wireless access points. A network administrator may also perform tasks such as installing and updating the network software and hardware, setting and maintaining the network parameters and security, optimizing and troubleshooting the network performance and availability, and supporting and assisting the network users and clients. References: 1