ISC CISSP Online Access

 Revocation is the final phase of the identity and access provisioning lifecycle. The identity and access provisioning lifecycle is the set of activities and stages that govern the creation, modification, and deletion of user accounts and access privileges in an organization. The identity and access provisioning lifecycle consists of six phases: request, approval, provision, test, review, and audit. Revocation is the process of terminating or disabling the user accounts and access privileges when they are no longer needed, used, or authorized, such as when a user leaves the organization, changes roles, or violates the policies. Revocation can be done manually or automatically, depending on the triggers and the mechanisms used. Revocation ensures that the user accounts and access privileges are removed in a timely and secure manner, and that the principle of least privilege and the separation of duties are maintained. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 206. CISSP Testking ISC Exam Questions, Question 11.

According to the CISSP CBK Official Study Guide1, the type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test is blind. Security testing is the process of assessing or evaluating the security or the vulnerability of the system or the network, by performing or conducting various tests or methods, such as the scanning, the analysis, or the penetration of the system or the network. Security testing can be classified into four types, based on the level of knowledge or information that the tester or the ethical hacker has about the target system or the network, as well as the level of notification or consent that the testing target or the owner has about the test, which are:

• Reversal: Security testing that is performed or conducted when the tester or the ethical hacker has full or complete knowledge or information about the target system or the network, and the testing target or the owner has no or zero notification or consent about the test, such as the reverse engineering or the decompiling of the system or the network.
• Gray box: Security testing that is performed or conducted when the tester or the ethical hacker has partial or limited knowledge or information about the target system or the network, and the testing target or the owner has partial or limited notification or consent about the test, such as the vulnerability assessment or the code review of the system or the network.
• Blind: Security testing that is performed or conducted when the tester or the ethical hacker has no or zero knowledge or information about the target system or the network, and the testing target or the owner has full or complete notification or consent about the test, such as the black box testing or the penetration testing of the system or the network.
• White box: Security testing that is performed or conducted when the tester or the ethical hacker has full or complete knowledge or information about the target system or the network, and the testing target or the owner has full or complete notification or consent about the test, such as the white box testing or the auditing of the system or the network.

The type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test is blind, as it matches the definition or the description of the blind security testing, which is the security testing that is performed or conducted when the tester or the ethical hacker has no or zero knowledge or information about the target system or the network, and the testing target or the owner has full or complete notification or consent about the test. Reversal is not the type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test, as it does not match the definition or the description of the reversal security testing, which is the security testing that is performed or conducted when the tester or the ethical hacker has full or complete knowledge or information about the target system or the network, and the testing target or the owner has no or zero notification or consent about the test. Gray box is not the type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test, as it does not match the definition or the description of the gray box security testing, which is the security testing that is performed or conducted when the tester or the ethical hacker has partial or limited knowledge or information about the target system or the network, and the testing target or the owner has partial or limited notification or consent about the test. White box is not the type of security testing that is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test, as it does not match the definition or the description of the white box security testing, which is the security testing that is performed or conducted when the tester or the ethical hacker has full or complete knowledge or information about the target system or the network, and the testing target or the owner has full or complete notification or consent about the test. References: 1

 Collection Limitation is the privacy principle that states that the collection of personal information should be limited, relevant, and lawful. It also implies that personal information should not be collected unless it is necessary for a specific purpose. This principle is aligned with the concept of data minimization, which means that only the minimum amount of data required to achieve a legitimate goal should be collected and processed. A mobile device application that restricts the storage of user information to just that which is needed to accomplish lawful business goals adheres to this principle by minimizing the amount of personal data it collects and stores. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 35; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 28

The Security Assessment and Authorization (SA&A) process is a framework that ensures that information systems meet the security requirements and standards of the organization and the applicable laws and regulations. The SA&A process consists of four phases: initiation, assessment, authorization, and monitoring. During the initiation phase, one of the primary purposes for conducting a hardware and software inventory is to define the boundaries of the information system, i.e., the scope and extent of the system components, interfaces, and data flows. Defining the boundaries of the information system helps to identify the security risks, controls, and responsibilities associated with the system, as well as to determine the level of effort and resources required for the assessment and authorization phases12. References:

• Security Assessment and Authorization - NIST, Section: 2.1 Initiation Phase
• Security Assessment and Authorization - NIST, Section: 2.1.1 Identify Information System Boundaries