CISSP Exam Dumps - ISC 2 Credentials Questions and Answers

In a data classification scheme, the data is owned by the business managers. Business managers are the persons or entities that have the authority and accountability for the creation, collection, processing, and disposal of a set of data. Business managers are also responsible for defining the purpose, value, and classification of the data, as well as the security requirements and controls for the data. Business managers should be able to determine the impact the information has on the mission of the organization, which means assessing the potential consequences of losing, compromising, or disclosing the data. The impact of the information on the mission of the organization is one of the main criteria for data classification, which helps to establish the appropriate level of protection and handling for the data.

The other options are not the data owners in a data classification scheme, but rather the other roles or functions related to data management. System security managers are the persons or entities that oversee the security of the information systems and networks that store, process, and transmit the data. They are responsible for implementing and maintaining the technical and physical security of the data, as well as monitoring and auditing the security performance and incidents. Information Technology (IT) managers are the persons or entities that manage the IT resources and services that support the business processes and functions that use the data. They are responsible for ensuring the availability, reliability, and scalability of the IT infrastructure and applications, as well as providing technical support and guidance to the users and stakeholders. End users are the persons or entities that access and use the data for their legitimate purposes and needs. They are responsible for complying with the security policies and procedures for the data, as well as reporting any security issues or violations.

 When developing an information security management system (ISMS), an initial consideration is to understand the value of the information assets that the organization owns or processes. An information asset is any data, information, or knowledge that has value to the organization and supports its mission, objectives, and operations. Understanding the value of the information assets helps to determine the appropriate level of protection and investment for them, as well as the potential impact and consequences of losing, compromising, or disclosing them. Understanding the value of the information assets also helps to identify the stakeholders, owners, and custodians of the information assets, and their roles and responsibilities in the ISMS.

The other options are not initial considerations, but rather subsequent or concurrent considerations when developing an ISMS. Identifying the contractual security obligations that apply to the organizations is a consideration that depends on the nature, scope, and context of the information assets, as well as the relationships and agreements with the external parties. Identifying the level of residual risk that is tolerable to management is a consideration that depends on the risk appetite and tolerance of the organization, as well as the risk assessment and analysis of the information assets. Identifying relevant legislative and regulatory compliance requirements is a consideration that depends on the legal and ethical obligations and expectations of the organization, as well as the jurisdiction and industry of the information assets.

The best description of the responsibilities of a data owner is determining the impact the information has on the mission of the organization. A data owner is a person or entity that has the authority and accountability for the creation, collection, processing, and disposal of a set of data. A data owner is also responsible for defining the purpose, value, and classification of the data, as well as the security requirements and controls for the data. A data owner should be able to determine the impact the information has on the mission of the organization, which means assessing the potential consequences of losing, compromising, or disclosing the data. The impact of the information on the mission of the organization is one of the main criteria for data classification, which helps to establish the appropriate level of protection and handling for the data.

The other options are not the best descriptions of the responsibilities of a data owner, but rather the responsibilities of other roles or functions related to data management. Ensuring quality and validation through periodic audits for ongoing data integrity is a responsibility of a data steward, who is a person or entity that oversees the quality, consistency, and usability of the data. Maintaining fundamental data availability, including data storage and archiving is a responsibility of a data custodian, who is a person or entity that implements and maintains the technical and physical security of the data. Ensuring accessibility to appropriate users, maintaining appropriate levels of data security is a responsibility of a data controller, who is a person or entity that determines the purposes and means of processing the data.

 When assigning ownership of an asset to a department, the most important factor is to ensure individual accountability for the asset. Individual accountability means that each person who has access to or uses the asset is responsible for its protection and proper handling. Individual accountability also implies that each person who causes or contributes to a security breach or incident involving the asset can be identified and held liable. Individual accountability can be achieved by implementing security controls such as authentication, authorization, auditing, and logging.

The other options are not as important as ensuring individual accountability, as they do not directly address the security risks associated with the asset. The department should report to the business owner is a management issue, not a security issue. Ownership of the asset should be periodically reviewed is a good practice, but it does not prevent misuse or abuse of the asset. All members should be trained on their responsibilities is a preventive measure, but it does not guarantee compliance or enforcement of the responsibilities.

Asymmetric Card Authentication Key (CAK) challenge-response is an effective control in preventing electronic cloning of RFID based access cards. RFID based access cards are contactless cards that use radio frequency identification (RFID) technology to communicate with a reader and grant access to a physical or logical resource. RFID based access cards are vulnerable to electronic cloning, which is the process of copying the data and identity of a legitimate card to a counterfeit card, and using it to impersonate the original cardholder and gain unauthorized access. Asymmetric CAK challenge-response is a cryptographic technique that prevents electronic cloning by using public key cryptography and digital signatures to verify the authenticity and integrity of the card and the reader. Asymmetric CAK challenge-response works as follows:

• The card and the reader each have a pair of public and private keys, and the public keys are exchanged and stored in advance.
• When the card is presented to the reader, the reader generates a random number (nonce) and sends it to the card.
• The card signs the nonce with its private key and sends the signature back to the reader.
• The reader verifies the signature with the card’s public key and grants access if the verification is successful.
• The card also verifies the reader’s identity by requesting its signature on the nonce and checking it with the reader’s public key.

Asymmetric CAK challenge-response prevents electronic cloning because the private keys of the card and the reader are never transmitted or exposed, and the signatures are unique and non-reusable for each transaction. Therefore, a cloned card cannot produce a valid signature without knowing the private key of the original card, and a rogue reader cannot impersonate a legitimate reader without knowing its private key.

The other options are not as effective as asymmetric CAK challenge-response in preventing electronic cloning of RFID based access cards. Personal Identity Verification (PIV) is a standard for federal employees and contractors to use smart cards for physical and logical access, but it does not specify the cryptographic technique for RFID based access cards. Cardholder Unique Identifier (CHUID) authentication is a technique that uses a unique number and a digital certificate to identify the card and the cardholder, but it does not prevent replay attacks or verify the reader’s identity. Physical Access Control System (PACS) repeated attempt detection is a technique that monitors and alerts on multiple failed or suspicious attempts to access a resource, but it does not prevent the cloning of the card or the impersonation of the reader.

The passage of time is one of the factors that affects the classification of data. Data classification is the process of assigning a level of sensitivity or criticality to data based on its value, impact, and legal requirements. Data classification helps to determine the appropriate security controls and handling procedures for the data. However, data classification is not static, but dynamic, meaning that it can change over time depending on various factors. One of these factors is the passage of time, which can affect the relevance, usefulness, or sensitivity of the data. For example, data that is classified as confidential or secret at one point in time may become obsolete, outdated, or declassified at a later point in time, and thus require a lower level of protection. Conversely, data that is classified as public or unclassified at one point in time may become more valuable, sensitive, or regulated at a later point in time, and thus require a higher level of protection. Therefore, data classification should be reviewed and updated periodically to reflect the changes in the data over time.

The other options are not factors that affect the classification of data, but rather the outcomes or components of data classification. Assigned security label is the result of data classification, which indicates the level of sensitivity or criticality of the data. Multilevel Security (MLS) architecture is a system that supports data classification, which allows different levels of access to data based on the clearance and need-to-know of the users. Minimum query size is a parameter that can be used to enforce data classification, which limits the amount of data that can be retrieved or displayed at a time.

 When implementing a data classification program, it is important to avoid too much granularity, because the process will require too many resources. Data classification is the process of assigning a level of sensitivity or criticality to data based on its value, impact, and legal requirements. Data classification helps to determine the appropriate security controls and handling procedures for the data. However, data classification is not a simple or straightforward process, as it involves many factors, such as the nature, context, and scope of the data, the stakeholders, the regulations, and the standards. If the data classification program has too many levels or categories of data, it will increase the complexity, cost, and time of the process, and reduce the efficiency and effectiveness of the data protection. Therefore, data classification should be done with a balance between granularity and simplicity, and follow the principle of proportionality, which means that the level of protection should be proportional to the level of risk.

The other options are not the main reasons to avoid too much granularity in data classification, but rather the potential challenges or benefits of data classification. It will be difficult to apply to both hardware and software is a challenge of data classification, as it requires consistent and compatible methods and tools for labeling and protecting data across different types of media and devices. It will be difficult to assign ownership to the data is a challenge of data classification, as it requires clear and accountable roles and responsibilities for the creation, collection, processing, and disposal of data. The process will be perceived as having value is a benefit of data classification, as it demonstrates the commitment and awareness of the organization to protect its data assets and comply with its obligations.

According to the CISSP CBK Official Study Guide1, the type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test is blind. Security testing is the process of assessing or evaluating the security or the vulnerability of the system or the network, by performing or conducting various tests or methods, such as the scanning, the analysis, or the penetration of the system or the network. Security testing can be classified into four types, based on the level of knowledge or information that the tester or the ethical hacker has about the target system or the network, as well as the level of notification or consent that the testing target or the owner has about the test, which are:

• Reversal: Security testing that is performed or conducted when the tester or the ethical hacker has full or complete knowledge or information about the target system or the network, and the testing target or the owner has no or zero notification or consent about the test, such as the reverse engineering or the decompiling of the system or the network.
• Gray box: Security testing that is performed or conducted when the tester or the ethical hacker has partial or limited knowledge or information about the target system or the network, and the testing target or the owner has partial or limited notification or consent about the test, such as the vulnerability assessment or the code review of the system or the network.
• Blind: Security testing that is performed or conducted when the tester or the ethical hacker has no or zero knowledge or information about the target system or the network, and the testing target or the owner has full or complete notification or consent about the test, such as the black box testing or the penetration testing of the system or the network.
• White box: Security testing that is performed or conducted when the tester or the ethical hacker has full or complete knowledge or information about the target system or the network, and the testing target or the owner has full or complete notification or consent about the test, such as the white box testing or the auditing of the system or the network.

The type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test is blind, as it matches the definition or the description of the blind security testing, which is the security testing that is performed or conducted when the tester or the ethical hacker has no or zero knowledge or information about the target system or the network, and the testing target or the owner has full or complete notification or consent about the test. Reversal is not the type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test, as it does not match the definition or the description of the reversal security testing, which is the security testing that is performed or conducted when the tester or the ethical hacker has full or complete knowledge or information about the target system or the network, and the testing target or the owner has no or zero notification or consent about the test. Gray box is not the type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test, as it does not match the definition or the description of the gray box security testing, which is the security testing that is performed or conducted when the tester or the ethical hacker has partial or limited knowledge or information about the target system or the network, and the testing target or the owner has partial or limited notification or consent about the test. White box is not the type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test, as it does not match the definition or the description of the white box security testing, which is the security testing that is performed or conducted when the tester or the ethical hacker has full or complete knowledge or information about the target system or the network, and the testing target or the owner has full or complete notification or consent about the test. References: 1

 Revocation is the final phase of the identity and access provisioning lifecycle. The identity and access provisioning lifecycle is the set of activities and stages that govern the creation, modification, and deletion of user accounts and access privileges in an organization. The identity and access provisioning lifecycle consists of six phases: request, approval, provision, test, review, and audit. Revocation is the process of terminating or disabling the user accounts and access privileges when they are no longer needed, used, or authorized, such as when a user leaves the organization, changes roles, or violates the policies. Revocation can be done manually or automatically, depending on the triggers and the mechanisms used. Revocation ensures that the user accounts and access privileges are removed in a timely and secure manner, and that the principle of least privilege and the separation of duties are maintained. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 206. CISSP Testking ISC Exam Questions, Question 11.

Multiprotocol Label Switching (MPLS) is a WAN technology that requires the first router in the path to determine the full path the packet will travel, removing the need for other routers in the path to make independent determinations. MPLS works by adding a label to each packet at the ingress router, which indicates the forwarding equivalence class (FEC) of the packet. The FEC is a group of packets that share the same destination and quality of service (QoS) requirements. The label is then used by the intermediate routers to forward the packet along a predetermined label-switched path (LSP), without inspecting the packet header or performing routing lookups. The label is removed at the egress router, and the packet is delivered to the destination. MPLS can improve the performance, scalability, and efficiency of WAN networks, as well as support multiple protocols and services12. References: CISSP CBK, Fifth Edition, Chapter 4, page 343; CISSP Practice Exam – FREE 20 Questions and Answers, Question 15.

Runtime application self-protection (RASP) is a technology that can be used to monitor and dynamically respond to potential threats on web applications. RASP is a software component that is integrated into the web application or the runtime environment, and it analyzes the behavior and the context of the application and the requests. RASP can detect and prevent attacks such as SQL injection, cross-site scripting, or buffer overflow, by blocking or modifying the malicious requests or responses. RASP can also provide alerts and logs for the security team or the developers. The other options are not correct. Security Assertion Markup Language (SAML) is a standard that enables single sign-on (SSO) and federated identity management for web applications, but it does not monitor or respond to threats. Web application vulnerability scanners are tools that scan web applications for common vulnerabilities and misconfigurations, but they do not provide real-time protection or response. Field-level tokenization is a technique that replaces sensitive data fields with random tokens, and it can reduce the exposure or the impact of a data breach, but it does not monitor or respond to threats. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4: Security Architecture and Engineering, page 512. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4: Security Architecture and Engineering, page 513.

An access control list (ACL) is a security tool that will ensure authorized data is sent to the application when implementing a cloud-based application. An ACL is a list of rules or policies that specify which users, groups, roles, or processes are allowed or denied access to a resource, such as a file, folder, network, or application. An ACL can also define the type and level of access that is granted or denied, such as read, write, execute, or delete. An ACL can help to protect the confidentiality, integrity, and availability of the data and the application in the cloud environment, by preventing unauthorized access, modification, or deletion. An ACL can also help to enforce the principle of least privilege, by granting only the minimum access required for the legitimate purpose. A host-based intrusion prevention system (HIPS) is a security tool that monitors and blocks malicious or anomalous activities on a host, such as a server, workstation, or device. A HIPS can help to protect the host from attacks, such as malware, exploits, or unauthorized changes, but it does not ensure authorized data is sent to the application. A file integrity monitoring (FIM) tool is a security tool that monitors and detects changes to files or directories, such as creation, deletion, modification, or renaming. A FIM tool can help to protect the integrity and availability of the files or directories, by alerting or reporting on unauthorized or unexpected changes, but it does not ensure authorized data is sent to the application. A data loss prevention (DLP) tool is a security tool that monitors and prevents the leakage or exfiltration of sensitive or confidential data, such as personal information, intellectual property, or trade secrets. A DLP tool can help to protect the confidentiality and integrity of the data, by blocking or encrypting the data before it is transferred, copied, printed, or emailed, but it does not ensure authorized data is sent to the application. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 5, Identity and Access Management, page 513. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 470.

 The application type that is considered high risk and that provides a common way for malware and viruses to enter a network is peer-to-peer (P2P) file sharing applications. An application is a type of software or program that can be installed or run on a system or a network, and that can provide various functions or features for the user or the customer, such as communication, entertainment, or productivity. An application can also pose a security risk, as it can introduce or expose various threats or attacks to the system or the network, such as malware or viruses. Malware is a type of malicious or harmful software or code that can be installed or executed on a system or a network, and that can perform various actions or tasks that can cause harm or damage to the system or the network, or to the user or the customer, such as stealing, deleting, or encrypting the data or the information. A virus is a type of malware that can replicate or copy itself, and that can infect or spread to other systems or networks, or to other files or programs, using various methods, such as e-mail, USB, or network.

The most appropriate strategy for the log retention of a cloud service provider that requires its customer organizations to enable maximum audit logging for its data storage service and to retain the logs for the period of three months, given that the audit logging generates extremely high amount of logs, is to keep last week’s logs in an online storage and the rest in a near-line storage. Online storage is a type of storage that is directly accessible by the system or application, such as hard disk drives, solid state drives, or flash drives. Online storage is fast, convenient, and reliable, but it is also expensive and consumes more power. Near-line storage is a type of storage that is not directly accessible by the system or application, but can be made accessible within a short time, such as tape drives, optical disks, or removable media. Near-line storage is slower, less convenient, and less reliable than online storage, but it is also cheaper and consumes less power. By keeping last week’s logs in an online storage and the rest in a near-line storage, the cloud service provider can balance the trade-offs between performance, cost, and availability of the logs. The logs that are most likely to be accessed or analyzed are kept in the online storage, while the logs that are less likely to be accessed or analyzed are kept in the near-line storage. This way, the cloud service provider can meet the log retention requirement without wasting too much resources or compromising the security of the logs. Keeping all logs in an online storage, keeping all logs in an offline storage, or keeping last week’s logs in an online storage and the rest in an offline storage are not appropriate strategies for the log retention of the cloud service provider. Keeping all logs in an online storage would be too costly and inefficient, as it would consume too much disk space and power for logs that are rarely accessed or analyzed. Keeping all logs in an offline storage or keeping last week’s logs in an online storage and the rest in an offline storage would be too risky and inconvenient, as it would make the logs inaccessible or difficult to access in case of an audit, investigation, or incident response. Offline storage is a type of storage that is not accessible by the system or application, and requires manual intervention to access, such as archived tapes, disks, or media. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 7, Security Operations, page 697. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 660.

The first step required in establishing a records retention program is to draft a records retention policy. A records retention policy is a document that defines the objectives, scope, roles, and responsibilities of the records retention program. A records retention policy also specifies the criteria and procedures for identifying, classifying, storing, preserving, retrieving, and disposing of records, as well as the legal, regulatory, and business requirements for records retention. A records retention policy provides the foundation and guidance for the records retention program, and helps to ensure the compliance, security, and availability of the records. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2: Asset Security, page 66; [Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 2: Asset Security, page 128]