New Release CISSP ISC 2 Credentials Questions

WS-Authorization

The first step in protecting privacy in an information system is data minimization. Data minimization is the principle and practice of collecting and processing only the minimum amount and type of data that is necessary and relevant for the intended purpose, and retaining the data only for the required duration. Data minimization reduces the risk and impact of data breaches, as well as the cost and complexity of data protection.

• A. Data Redaction is not the first step in protecting privacy in an information system, but rather a technique or tool that can be used to protect privacy in an information system. Data redaction is the process of removing or obscuring sensitive or personal data from a document or a record, while preserving the rest of the data. Data redaction can be used to protect the privacy of the data subjects when the data is shared or disclosed to unauthorized or untrusted parties.
• C. Data Encryption is not the first step in protecting privacy in an information system, but rather a technique or tool that can be used to protect privacy in an information system. Data encryption is the process of transforming or encoding data into an unreadable or unintelligible form, using a secret key or algorithm. Data encryption can be used to protect the confidentiality and integrity of the data when the data is stored or transmitted over a network.
• D. Data Storage is not the first step in protecting privacy in an information system, but rather a component or function that is involved in an information system. Data storage is the process of saving or retaining data in a physical or logical medium, such as a disk, a tape, a cloud, or a database. Data storage can affect the privacy of the data, depending on the location, format, and security of the storage medium.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 2, page 83; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 2, page 79

According to the CISSP Official (ISC)2 Practice Tests3, the most suitable approach that the administrator should take when a user requests read-only access to files that are not considered sensitive in a Discretionary Access Control (DAC) methodology is to request data owner approval to the user access. DAC is a type of access control that grants or denies access to an object based on the identity and permissions of the subject, and the discretion of the owner of the object. The owner of the object has the authority and responsibility to determine who can access the object and what level of access they can have, such as read, write, execute, or delete. The owner can also delegate the access rights to other subjects or groups, or revoke them as needed. The administrator is the person who manages and maintains the system and the access control mechanisms, but does not have the authority to grant or deny access to the objects without the owner’s consent. Therefore, the administrator should request data owner approval to the user access, regardless of the sensitivity of the files, to ensure that the access is authorized and compliant with the DAC methodology. Requesting manager approval for the user access is not the most suitable approach, as the manager may not be the owner of the files, and may not have the authority or knowledge to grant or deny access to the files. Directly granting the access to the non-sensitive files is not the most suitable approach, as it may violate the DAC methodology and the owner’s discretion, and may introduce unauthorized or excessive access to the files. Assessing the user access need and either granting or denying the access is not the most suitable approach, as it may violate the DAC methodology and the owner’s discretion, and may introduce unauthorized or excessive access to the files. References: 3

According to the CISSP For Dummies4, the activity that would present a significant security risk to organizations when employing a VPN solution is simultaneous connection to other networks. A VPN is a technology that creates a secure and encrypted tunnel over a public or untrusted network, such as the internet, to connect remote users or sites to the organization’s private network, such as the intranet. A VPN provides security and privacy for the data and communication that are transmitted over the tunnel, as well as access to the network resources and services that are available on the private network. However, a VPN also introduces some security risks and challenges, such as configuration errors, authentication issues, malware infections, or data leakage. One of the security risks of a VPN is simultaneous connection to other networks, which occurs when a VPN user connects to the organization’s private network and another network at the same time, such as a home network, a public Wi-Fi network, or a malicious network. This creates a potential vulnerability or backdoor for the attackers to access or compromise the organization’s private network, by exploiting the weaker security or lower trust of the other network. Therefore, the organization should implement and enforce policies and controls to prevent or restrict the simultaneous connection to other networks when using a VPN solution. VPN bandwidth is not an activity that would present a significant security risk to organizations when employing a VPN solution, although it may be a factor that affects the performance and availability of the VPN solution. VPN bandwidth is the amount of data that can be transmitted or received over the VPN tunnel per unit of time, which depends on the speed and capacity of the network connection, the encryption and compression methods, the traffic load, and the network congestion. VPN bandwidth may limit the quality and efficiency of the data and communication that are transmitted over the VPN tunnel, but it does not directly pose a significant security risk to the organization’s private network. Users with IP addressing conflicts is not an activity that would present a significant security risk to organizations when employing a VPN solution, although it may be a factor that causes errors and disruptions in the VPN solution. IP addressing conflicts occur when two or more devices or hosts on the same network have the same IP address, which is a unique identifier that is assigned to each device or host to communicate over the network.