CISSP Premium Exam Questions

An organization should request a SOC 2 Type 2 report if they require a period of time report covering security and availability for a particular system. A SOC 2 report is a type of System and Organization Controls (SOC) report that evaluates the controls of a service organization based on the Trust Services Criteria (TSC), which are security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report can be either Type 1 or Type 2. A SOC 2 Type 1 report describes the design and implementation of the controls at a point in time, while a SOC 2 Type 2 report tests the operating effectiveness of the controls over a period of time, usually six or twelve months. A SOC 2 Type 2 report provides more assurance and credibility than a SOC 2 Type 1 report, as it demonstrates how well the controls performed over time. A SOC 2 report can be customized to include only the relevant TSC for a particular system or service. If an organization requires a report covering security and availability, they should request a SOC 2 report that includes only those two TSC. References:

• SOC 2 Compliance: What It Is, And Why You Need It
• SOC 2 Type 1 vs. Type 2: Here Is What You Need To Know
• SOC 2 Reports: What Are They and Why Do They Matter?

Role-Based Access Control (RBAC) is an access control method that assigns permissions to users based on their roles or functions within an organization. RBAC requires a consistent set of rules for controlling and limiting access, as each role is defined by a set of access rights that correspond to the level of authority and responsibility of the role. RBAC can simplify access management, enforce the principle of least privilege, improve security and compliance, and reduce administrative overhead. References:

• Access Control Models and Methods
• What Are the Different Types of Access Control?
• 3 Types of Access Control: IT Security Models Explained

The second phase of public key infrastructure (PKI) key/certificate life-cycle management is the issued phase, where the certificate authority (CA) issues a digital certificate to the requester after verifying their identity and public key. The certificate contains the public key, the identity of the owner, the validity period, the serial number, and the digital signature of the CA. The certificate is then published in a repository or directory for others to access and validate. References: CISSP Study Guide: Key Management Life Cycle, Key Management - OWASP Cheat Sheet Series, CISSP 2021: Software Development Lifecycles & Ecosystems

A site-to-site VPN is a type of VPN that connects two or more remote networks securely over an untrustworthy network, such as the Internet. A site-to-site VPN uses a VPN gateway at each site to establish an encrypted tunnel between the networks, allowing the devices at each site to access the network resources at the other site. A site-to-site VPN is the best option to provide the functionality of connecting two remote offices securely over an untrustworthy MAN and allowing each office to access network shares at the other site. The other options are not types of VPN that can provide the same functionality, as they either do not connect networks, do not use VPN gateways, or do not separate the Internet and corporate traffic. References: CISSP - Certified Information Systems Security Professional, Domain 4. Communication and Network Security, 4.2 Secure network components, 4.2.1 Establish secure communication channels, 4.2.1.2 Transmission methods; CISSP Exam Outline, Domain 4. Communication and Network Security, 4.2 Secure network components, 4.2.1 Establish secure communication channels, 4.2.1.2 Transmission methods