ISC 2 Credentials CISSP Book

 Threat modeling is a technique that evaluates the security risks and vulnerabilities of a network or software architecture, by identifying the potential threats, their likelihood, and their impact. Threat modeling can help design secure systems by applying the appropriate countermeasures and controls. Risk modeling is a similar technique, but it focuses on the overall business risks and their mitigation strategies, rather than the specific security threats. Fuzzing is a technique that tests the robustness and security of software by sending random or malformed inputs to trigger errors or crashes. Waterfall method is a software development methodology that follows a sequential and linear process, but it does not evaluate the security design principles of the architecture. References: 1, 2, 4

Role-Based Access Control (RBAC) is the type of access control that determines the authorization to resources based on predefined job titles within an organization. RBAC is a model of access control that assigns roles to users based on their functions, responsibilities, or qualifications, and grants permissions to resources based on the roles. RBAC simplifies the management and administration of access control, as it reduces the complexity and redundancy of assigning permissions to individual users or groups. RBAC also enhances the security and compliance of access control, as it enforces the principle of least privilege and the separation of duties. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 203. Free daily CISSP practice questions, Question 4.

Service Organization Control (SOC) 2 is a report that provides information about the security, availability, processing integrity, confidentiality, and privacy of a service organization’s system. It is intended for users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. A SOC 2 report can help an organization assess the business continuity/disaster recovery policy and procedures for an application that is outsourced to a third-party service provider.

 The primary objective for conducting an internal security audit is to verify that applicable security controls are implemented and effective. A security audit is a systematic and independent examination of the security posture and performance of an organization, system, or network, against a set of predefined criteria, standards, or regulations. A security audit can be conducted by internal or external parties, depending on the purpose, scope, and frequency of the audit. An internal security audit is a type of security audit that is conducted by the organization itself, or by a third party hired by the organization, to assess the compliance, effectiveness, and efficiency of the security controls and measures that are implemented on the organization, system, or network. An internal security audit can help to verify that applicable security controls are implemented and effective, by ensuring that the security controls and measures are aligned with the security policies and objectives of the organization, and that they are able to protect the organization, system, or network from various security threats and risks. An internal security audit can also help to identify and resolve any security issues or gaps, as well as to provide recommendations and solutions to improve the security posture and performance of the organization, system, or network. Verifying that all systems and Standard Operating Procedures (SOP) are properly documented, verifying that all personnel supporting a system are knowledgeable of their responsibilities, or verifying that security controls are established following best practices are not the primary objectives for conducting an internal security audit, as they are more related to the documentation, training, or design aspects of security.