Domain 1 CISSP Exam:Security and Risk Management

Explanation: An asset-centric threat model first identifies the assets of value to an organization and then evaluates means by which these assets are managed, manipulated, used, and stored to identify how an attacker might compromise them. This approach is particularly useful when protecting other high-value assets such as intellectual property and security credentials.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 147 in PDF)

Explanation: The attacker-centric approach starts with profiling potential attackers, including their characteristics, skillset, and motivation, and then uses that profile to identify attackers who would be most likely to execute specific types of attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 146 in PDF)

Explanation: Legal, regulatory, and compliance requirements are a key aspect of DOMAIN 1: Security and Risk Management. Domain 1 focuses on the establishment and maintenance of a comprehensive information security management program that incorporates the legal, regulatory, and compliance requirements, as well as understanding the impact of related ethics and theories on privacy, confidentiality, and data handling practices.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 162 in PDF)

Explanation: Due care is related to taking reasonable care to protect the interests of an organization. On the other hand, due diligence refers to the ongoing execution and monitoring of due care to ensure organizational assets are reasonably protected.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 61 in PDF)

Explanation: The primary objective of a Disaster Recovery Plan (DRP) is to minimize business downtime and reclaim normal operations as soon as possible. DR is the subset of BC (Business Continuity) whose primary objective is to minimize business downtime and reclaim normal operations as soon as possible.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 110 in PDF)

Explanation: As the plaintiff, your organization is seeking restitution for the harm caused by the defendant. Thus, your main objective in overseeing the collection of evidence is to gather proof that the defendant caused harm to the organization, which is necessary to support your claim for damages.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 101 in PDF)

Explanation: ISO 28000:2007 relies heavily on the continuous process improvement model of plan, do, check, act (PDCA) to improve the security management system and to assure organizational conformance to the security practice. This approach facilitates the integration of supply chain risk with broader organizational risk management activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 157 in PDF)

Explanation: ARO is the estimated annual frequency of occurrence for a given adverse event. In other words, ARO is the number of times that you expect a particular risk event to occur every year.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 129 in PDF)

Explanation: When merging with or acquiring another organization, you are absorbing its entire IT infrastructure — good or bad. This means that you are acquiring systems that are likely managed differently from your own, and there may be significant differences in the security controls and processes in place. Differences in security processes may result in operational challenges and inconsistent procedures during and after integration of the two businesses. Therefore, it is important to review the companys information security policies and procedures to determine how thorough they are and take note of any missing security policies/procedures that may indicate a low level of security maturity.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 48 in PDF)

Explanation: Business continuity (BC) and disaster recovery (DR) are closely related concepts that help an organization continue essential operations during a security incident and recovery from a disaster (or major disruptive event) as quickly and securely as possible.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 110 in PDF)

Explanation: The purpose of PCI DSS is to mandate security best practices for organizations that handle payment card data. PCI DSS establishes technical and operational requirements for merchants and service providers that accept or process cardholder data and/or sensitive authentication data, as well as for software developers and manufacturers of the applications and devices used in payment card transactions. The requirements are generally aligned with industry best practices to maintain the confidentiality, integrity, and availability of payment card information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 67 in PDF)

Explanation: Under the HITECH Act, maximum financial penalties for HIPAA compliance violations were raised to $1.5 million per violation category, per year.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 90 in PDF)

Explanation: The Homeland Security Act created a new cabinet-level position, Secretary of Homeland Security.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 78 in PDF)

Explanation: Risk mitigation involves the selection and implementation of one or more countermeasures with the goal of reducing the likelihood of an adverse event or the impact of that event occurring. Countermeasures generally fall into three categories: Personnel-related, Process-related, and Technology-related. While budget and software can play a role, they are not considered among the most common countermeasure categories in risk mitigation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 131 in PDF)

Explanation: During an employee orientation program, one of the items that should be addressed is information security expectations and requirements. This includes reminding employees of their obligations to protect information, current threats to the organizations information assets, and the processes for reporting security incidents. They should also be made aware of the existence of controls that monitor their use of the organizations assets. The goal is to set the expectation for work behavior and provide assurance that the organization takes action to protect its information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 120 in PDF)

Explanation: Section 815 of the USA PATRIOT Act of 2001 absolves an organization from civil penalties associated with violations of the ECPA if the organization is responding to a request of a governmental entity. The provision helps organizations avoid being held liable for violating privacy laws when sharing private user data with the government in response to legitimate national security requests. This provision is relevant to the CISSP exam as it is a key component of the legal framework governing data protection in the United States.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 78 in PDF)

Explanation: The first step of the NIST RMF involves categorizing all information systems based on the potential impact to the organization due to the loss of confidentiality, integrity, or availability.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 142 in PDF)

Explanation: Section 1030(a)(5) describes the felony act associated with altering, damaging, or destroying a protected computer or its information, or preventing authorized use of the computer or information, such that it results in an aggregate loss of $1,000 or more during a one-year period. Although this provision was later rewritten and now more generally describes a misdemeanor act associated with knowingly and intentionally causing damage to a computer or information, it can still upgrade the crime to a felony if the damage results in losses of $5,000 or more during one year, modifies medical care of a person, causes physical injury, threatens public health or safety, damages systems used for administration of justice or national security, or if the damage affects 10 or more protected computers within 1 year.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 74 in PDF)

Explanation: The General Data Protection Regulation (GDPR) requires organizations to collect and process the minimum amount of data necessary to provide the agreed-upon services. This principle is known as data minimization and is intended to limit the amount of personal data that is collected and processed, thereby reducing the risk of data breaches and unauthorized disclosures. By collecting only the necessary data, organizations can also manage data more effectively and minimize storage costs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

Explanation: The SUNBURST attack is a vulnerability within the SolarWinds Orion Platform that allows an attacker to compromise the server on which the Orion product is running. This widespread attack is particularly concerning because it impacted a SolarWinds product that is used for IT monitoring and management. With the SolarWinds Orion product being used by companies around the globe, large and small, this is a devasting example of how important supply chain management is.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 154 in PDF)

Explanation: The General Data Protection Regulation (EU) requires personal data to be kept accurate and up-to-date. This helps promote transparency and ensures that individuals have control over their personal data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

Explanation: The Safe Harbor agreement was established to reconcile differences between U.S. and EU privacy laws. It allowed a US company to self-certify that it met data privacy requirements agreed upon by the US and EU. This agreement was important to ensure that U.S. companies can transfer data across the Atlantic by complying with the EUs strict privacy guidelines.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 91 in PDF)

Explanation: SOC 3 is a “lite” version of a SOC 2 report and abstracts or removes all sensitive details. A SOC 3 report generally indicates whether an organization has demonstrated each of the five Trust Services principles without disclosing specifics (like exactly what they do or dont do).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

Explanation: The method of introducing malware through COTS vendors has become increasingly popular because the updates are from a trusted source.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 153 in PDF)

Explanation: The RiskIT framework was developed by ISACA to provide a structure for the identification, evaluation, and monitoring of information technology risk. It simplifies the integration of IT risk into the larger organization enterprise risk management (ERM) activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 144 in PDF)

Explanation: A security champions role is to raise security awareness within an organization and advocate for security best practices for employees who do not work on security as their primary job. Their role is to be a liaison between an organizations security team and the rest of the company. They also work with nonsecurity teams to ensure security practices are being followed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 159 in PDF)

Explanation: According to the Federal Trade Commission (FTC), civil penalties of up to $43,280 may be levied for each violation of COPPA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 89 in PDF)

Explanation: Procedures are detailed instructions for how to implement a control or perform an action. Policies provide high-level guidance and direction, standards establish specific requirements and constraints, and guidelines offer suggestions and best practices. Procedures are critical because they ensure that policies, standards, and guidelines are followed in a consistent manner.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 106 in PDF)

Explanation: Section 209 of the USA PATRIOT Act of 2001 authorizes investigators to seize voicemail messages with a search warrant. Prior to the Patriot Act, voicemail was only authorized for seizure with a harder-to-obtain wiretap order.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 76 in PDF)

Explanation: The Identity Theft and Assumption Deterrence Act of 1998 formally established identity theft as a criminal act under U.S. federal law. Prior to the act, identity theft was not regulated or investigated as a crime, making it difficult to prosecute cases. Now, identity theft is a federal crime that can be prosecuted, as well as a felony in some states.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 75 in PDF)

Explanation: Transborder data flow refers to the process of restricting certain data to or from specific geographic locations or jurisdictions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 85 in PDF)

Explanation: The Data Protection Act 1998 was established to give UK citizens the legal right to control their personal information stored on computing systems and was designed to enforce privacy of personal data. It aimed to regulate the processing of personal data, including obtaining, holding, use and disclosure of the data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 91 in PDF)

Explanation: Healthcare providers that transmit health information are considered covered entities under HIPAA. Covered entities are required to comply with HIPAA Privacy and Security Rules and must take measures to protect patient health information. Any company or organization that does not fall under the three categories of covered entities is not required to comply with HIPAA rules.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 88 in PDF)

Explanation: The Information Technology Act was passed by the Indian Parliament in 2000 and amended in 2008. The act established legal recognition of electronic documents and digital signatures, while it also established definitions and penalties for cybercrimes such as data theft, identity theft, child pornography, and cyber terrorism.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 80 in PDF)

Explanation: Maximum tolerable downtime (MTD), or maximum acceptable outage (MAO), expresses the total length of time a critical business function can be unavailable without causing significant, long-term harm to the business; it is the longest time a CBF can remain disabled before it threatens the organizations long-term survival. Exceeding the MTD is an expression of unacceptable risk by the business owner.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 112 in PDF)

Explanation: ITAR is a regulation that controls the export of defense articles and defense services to keep those sensitive materials out of the hands of foreign nationals in the United States. It applies to both government agencies and contractors or subcontractors who handle regulated materials outlined in the United States Munitions List (USML). Sending an email containing ITAR-controlled data is considered an export under ITAR.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 84 in PDF)

Explanation: The text specifically mentions STRIDE, PASTA, NIST 800-154, and DREAD as important threat modeling methodologies. Cisco is not mentioned and is therefore not a valid answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 147 in PDF)

Explanation: According to the text, security awareness, education, and training program content should be reviewed and updated annually, at a minimum, to ensure that it remains relevant.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 159 in PDF)

Explanation: Confidentiality is the concept of limiting access to data to authorized users and systems and restricting access from unauthorized parties. In other words, confidentiality guarantees that only intended people are able to access information and resources.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 38 in PDF)

Explanation: Analyzing training completion rates is a simple metric that is a great place to start when evaluating the effectiveness of your security awareness program. These types of metrics can tell you whether your training resources are reaching a sufficient percentage of your employees and may alert you if alternate delivery methods are necessary. It is an effective method for measuring program effectiveness through knowledge retention.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 161 in PDF)

Explanation: Risk is defined as the potential for negative impact on the organization, its goals or objectives, or its assets (including people, systems, and data) due to a threat exploiting a vulnerability.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 124 in PDF)

Explanation: According to GDPR, the maximum fine for GDPR infringement for controllers and processors under Articles 8, 11, 25–39, 42, 43 is up to €10 million, or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 95 in PDF)

Explanation: When an organization is considering a merger or acquisition, its important to review the acquired companys information security policies and procedures to determine how thorough they are. By doing so, the organization can identify any missing security policies/procedures that may indicate a low level of security maturity. This is important because if the acquired company has a low level of security maturity, it may pose a risk to the acquiring companys security posture. Therefore, its important for the acquiring company to address any security gaps in the acquired companys policies and procedures before connecting the two companys networks and systems.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 47 in PDF)

Explanation: ISO 31000:2018 is intended to be applicable to any organization, regardless of the governance structure or industry, and encourages the integration of risk management activities across organizational lines and levels to provide the organization with a consistent approach to management of operational and strategic risks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 139 in PDF)

Explanation: A data breach is a specific cybercrime where information is accessed or stolen by a cybercriminal without authorization. The target of a data breach is the information system and the data stored within it. It poses a significant threat to individuals, companies, or entire nations causing huge financial losses and reputational damage. Organizations must take preventative measures to ensure the best possible protection of sensitive data and must develop a proactive response plan in case of its breach.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

Explanation: Trike is an open-source threat modeling approach and tool that focuses on using threat models as a risk management tool. It is a collaborative project between a number of security professionals and enthusiasts. Trike provides a novel way of conducting threat modeling exercises that is both simple and precise, requiring little in the way of technical knowledge or specialized tools. Trike is available free of charge, under the GPL open source license.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 151 in PDF)

Explanation: A security analyst is someone with technical expertise in one or more security domains who executes the day-to-day security work, such as data analysis, firewall rule management, incident handling, and other operational activities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 52 in PDF)

Explanation: The CIS Critical Security Controls is a publication of 18 best-practice guidelines for information security, created by the Center for Internet Security (CIS).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 60 in PDF)

Explanation: Gamification in security awareness refers to the use of game techniques in nongame applications to engage and educate an audience. It provides a fun and engaging way to educate employees and promote strong security practices.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 159 in PDF)

Explanation: The Data Protection Directive aimed at regulating the processing of the personal data of European citizens.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 90 in PDF)

Explanation: According to NIST 800-154, the first step in data-centric system threat modeling is to identify and characterize the system and data of interest. This is crucial because different types of data may require different security controls and protections.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 150 in PDF)

Explanation: The correct answer is B. The Budapest Convention, also known as the Convention on Cybercrime, is the first international treaty established to address cybercrime. The treaty was first signed in 2001 and became effective in 2004, with the aim of increasing cooperation among nations and establishing more consistent national laws related to preventing and prosecuting cybercrime.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 79 in PDF)

Explanation: A Business Continuity Plan (BCP) is a methodology and set of protocols that deals with allowing an organization to keep their key business functions running in the event of a crisis; this is sometimes referred to as continuity of operations (COOP). This plan ensures that essential business operations continue during and after a disaster, minimizing financial and reputational damages.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 110 in PDF)

Explanation: Healthcare providers like hospitals are one of the three categories of covered entities under HIPAA requirements, and must comply with both the HIPAA Privacy Rule and Security Rule. They are responsible for protecting the confidentiality, integrity, and availability of patient health information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 88 in PDF)

Explanation: ISO/IEC 27037:2012 provides guidelines for handling digital evidence, covering a four-step process of identification, collection, acquisition, and preservation, across many types of media and scenarios. This publication also covers chain of custody procedures and how to properly exchange evidence between jurisdictions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 103 in PDF)

Explanation: Security governance is the set of all organizational processes involved in defining and managing information security policies and procedures, including the oversight to ensure that those policies and procedures follow the direction of the organizations strategy and mission.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 46 in PDF)

Explanation: According to the text, Quizzes are the most effective methods of measuring program effectiveness through knowledge retention. Analysis of quiz results should be conducted to identify trends that reveal necessary modifications to your training materials; if a substantial number of your employees get the same question wrong, it likely means you need to provide further (or clearer) information about that topic.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 160 in PDF)

Explanation: Minimum Security Requirements (MSRs) define the lowest level of security that an organization is willing to accept from a third party.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 155 in PDF)

Explanation: In civil investigations, when your organization is the defendant, you may have to oversee the collection of evidence and prevent the destruction of potential evidence upon request by courts or attorneys. It is important to cooperate with the plaintiff and their attorney to collect and preserve evidence, as failing to do so may result in legal consequences for the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 101 in PDF)

Explanation: According to the text, maximum tolerable downtime (MTD) or maximum acceptable outage (MAO) expresses the total length of time a critical business function can be unavailable without causing significant, long-term harm to the business; it is the longest time a CBF can remain disabled before it threatens the organizations long-term survival. Exceeding the MTD is an expression of unacceptable risk by the business owner.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 111 in PDF)

Explanation: Continual improvement in risk management allows for the adaptation of risk management strategies based on learning and experience. This helps to ensure that the risk management process is constantly evolving and improving to address new and emerging risks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 141 in PDF)

Explanation: As a CISSP, one should be aware of the legal and regulatory requirements that pertain to information security. It is important to have a strong understanding of legal and regulatory issues in order to be familiar with the security threats that face information systems as well as the national, state, and local regulations that govern an organizations handling of sensitive data and systems. Knowledge of these laws and regulations enables one to better comply with them.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 70 in PDF)

Explanation: The U.S. Computer Security Act of 1987 established the National Institute for Standards and Technology (NIST) as the organization responsible for setting computer security standards for unclassified, nonmilitary government computer systems. The National Security Agency (NSA) is responsible for setting security guidance for classified government and military systems and applications.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 64 in PDF)

Explanation: As the senior-level executive within an organization, the Chief Information Security Officer (CISO) is responsible for the overall management and supervision of the information security program. The CISO drives the organizations security strategy and vision and is ultimately responsible for the security of the companys systems and information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 52 in PDF)

Explanation: Property assets include tangible things like servers and equipment, as well as intangible things like software code and other intellectual property.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 126 in PDF)

Explanation: The U.S. Sarbanes-Oxley Act of 2002 (SOX) is a federal law that requires public companies to establish internal controls and procedures to ensure that financial reports are accurate and reliable. It was enacted in response to financial scandals that occurred in the early 2000s.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 65 in PDF)

Explanation: NDAs and other employment agreement policies play a big part in establishing expectations with third parties and can lead to additional compliance burden on the organization who must enforce them. The text states that information security policies should be in place to ensure that these relationships do not expose sensitive information to an unreasonable amount of risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 123 in PDF)

Explanation: Risk acceptance is the way to go if avoiding, mitigating, or transferring the risk would cost more than the expected losses of the realized threat. Therefore, when mitigating the risk would be too costly, risk acceptance is the appropriate risk response.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 131 in PDF)

Explanation: As more and more personal data moves online, privacy has become one of the biggest security-related concerns for regulators, organizations, and users. Personal information such as your name, address, and Social Security number is considered personally identifiable information, which must be kept confidential.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 69 in PDF)

Explanation: SOC 1 is an audit and compliance report that focuses strictly on a companys financial statements and controls that can impact a customers financial statements, particularly companies that perform credit card processing.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

Explanation: Compliance audits are not part of a standard security awareness program. A security awareness program should include new user orientation, lectures or computer-based trainings (CBTs), and printed materials like posters and handouts that share security tips.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 158 in PDF)

Explanation: Intellectual property (IP) theft is an example of a cybercrime against property. Cybercrimes against property refer to crimes committed against information stored within a computer or the computer itself. These types of crimes include hacking, distribution of computer viruses, computer vandalism, and copyright infringement. IP theft involves the stealing of copyrighted materials such as music, videos, and software. It is considered a significant threat and can result in significant financial loss for the owner of the intellectual property.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

Explanation: Section 814 of the USA PATRIOT Act of 2001 aims to deter and prevent cyberterrorism by strengthening the penalties associated with violations in the Computer Fraud and Abuse Act (CFAA). It doubles the maximum prison sentence from 10 to 20 years for persons convicted of cyberterrorism.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 78 in PDF)

Explanation: Developing key performance indicators (KPIs) allows an organization to quantify and measure the long-term performance of its controls. KPIs help to assess the effectiveness of the security program and support risk management decisions. By tracking these measurements over time, organizations can determine whether their security controls are improving, deteriorating or remaining constant.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 136 in PDF)

Explanation: Spoofing involves a malicious party assuming the identity of another party by falsifying information. A common example of identity spoofing occurs when email spammers modify the “From:” field to depict the name of a sender that the target recipient is more likely to trust. Within applications, spoofing can occur if an attacker steals and uses a victims authentication information (like username and password) to impersonate them within the application.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 148 in PDF)

Explanation: Quizzes are one of the most effective methods of measuring program effectiveness through knowledge retention in security awareness program evaluation. Analysis of quiz results can help identify trends and necessary modifications to training materials. Quizzes are most reliable when measuring the effectiveness of security policies and related information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 160 in PDF)

Explanation: Corrective controls are designed to minimize and repair damages following an adverse security event; they are typically put in place after a detective control identifies a problem.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

Explanation: The purpose of measuring the security-effectiveness of a security control during the selection and implementation process is to ensure that every risk identified in the risk analysis is addressed. This helps to ensure that the specific policy, technology, or operational control selected is able to directly address a risk identified during the risk analysis process.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 132 in PDF)

Explanation: Healthcare clearinghouses are public and private organizations, like billing services, that process or facilitate the processing of nonstandard health information and convert it into standard data types. A healthcare clearinghouse is usually the intermediary between a healthcare provider and a health plan or payer of health services. Therefore, billing services are classified as healthcare clearinghouses under HIPAA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 88 in PDF)

Explanation: According to the text, copyrights created by an individual are protected for the life of the author plus 70 years.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 83 in PDF)

Explanation: The use of unlicensed software increases the risk of software vulnerabilities, as the users are unable to get patches and updates. This leaves the users of bootleg software at risk when compromises are found in the software.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 81 in PDF)

Explanation: For (ISC)2 purposes, the term administrative refers to actions constrained to those conducted within a single organization, such as an internal investigation. The organization can task staff and employees within the organization or specialized contractors hired by the organization to conduct an administrative investigation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 98 in PDF)

Explanation: The ECPA complements the CFAA by prohibiting eavesdropping, interception, and unauthorized monitoring of all electronic communications, including those sent over computer networks. It was enacted by the U.S. Congress in 1986 to extend restrictions on government wire taps to include computer and network-based communications.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 75 in PDF)

Explanation: The main purpose of control assessments via interview is to gain additional clarity on what security controls are in place and how they work, after reviewing any evidence provided during the examine phase.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 136 in PDF)

Explanation: The biggest security concern in a divestiture is maintaining confidentiality as the company gets rid of assets that may contain sensitive or proprietary information. Information usually accompanies the physical assets and interests that a company divests, so creating a complete inventory of all impacted assets is a critical first step to ensuring a secure divestiture.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 49 in PDF)

Explanation: Timeliness refers to the time expectation for availability of information and resources and is the measure of the time between when information is expected and when it is available for use.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 40 in PDF)

Explanation: Section 816 of the USA PATRIOT Act of 2001 requires the U.S. Attorney General to establish regional computer forensic laboratories to support forensic examinations on seized or intercepted computer evidence. These laboratories are also required to provide forensic analysis training and education to law enforcement personnel and prosecutors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 78 in PDF)

Explanation: Implementing data anonymization techniques is necessary to protect customer identities and ensure their confidentiality. Anonymization involves removing identifiable information from personal data so that individuals cannot be identified. This is required by the General Data Protection Regulation (GDPR) to ensure appropriate security of personal data and protect against unauthorized access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

Explanation: According to (ISC)2, compliance is the adherence to a mandate, including applicable laws, regulatory requirements, industry standards, and contractual agreements, to ensure that organizations understand and satisfy these requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 63 in PDF)

Explanation: ISO 31000 principles promote a structured and comprehensive approach to risk management, which helps organizations to identify, assess, and manage risks more effectively. It provides a generic framework for risk management that can be applied to any organization, regardless of its size, sector, or nature of operations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 140 in PDF)

Explanation: Recovery controls include measures designed to help a system return to normal as quickly as possible after an incident. Examples of recovery controls include data backups and disaster recovery sites.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

Explanation: Cost-effectiveness of a countermeasure can be calculated by comparing the cost of a countermeasure to the costs that would be realized by a compromise of the risks that the countermeasures are intended to mitigate. A countermeasure can be considered cost-effective if the annual loss expectancy (ALE) with the countermeasure plus the cost of countermeasure is less than ALE without the countermeasure.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 133 in PDF)

Explanation: Identifying the classification or sensitivity of a role based on the level of damage that can be done by a person in that role helps to inform the types of authorizations an employee will receive once they are hired. The thoroughness of a candidate screening process should match the security of the position being filled. By doing so, an organization can mitigate the risks associated with granting access to sensitive information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 117 in PDF)

Explanation: NIST 800-53 is a security control framework that defines hundreds of security controls across 18 control families.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 57 in PDF)

Explanation: The scope of a typical BCP should include critical business functions, threats, vulnerabilities, and risks, data backup and recovery plan, BCP personnel, communications plan, and BCP testing requirements. Therefore, option A is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 113 in PDF)

Explanation: Mergers and acquisitions involve integrating systems and platforms from different organizations, which can create new attack vectors for cybercriminals. This can be particularly risky if the merging companies have vastly different IT infrastructures that need to be securely integrated. The other choices (A, B, and D) are incorrect because they do not address the potential impact on resources.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 48 in PDF)

Explanation: The (ISC)2 Code of Ethics Preamble states that it is required that every CISSP certified member not only follows the Code of Ethics but must be visibly seen as following the Code of Ethics. Therefore, strict adherence to this Code of Ethics is a condition of certification. The purpose of the Preamble is to ensure that every CISSP certified member adheres to the highest ethical standards of behavior and is visibly seen as doing so.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 34 in PDF)

Explanation: According to ISO 31000, the appropriate and timely involvement of stakeholders is necessary for effective risk management. This principle emphasizes the importance of taking into account the perspectives and expertise of all relevant stakeholders in the risk management process. By doing so, organizations can make more informed decisions that better protect against potential risks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 140 in PDF)

Explanation: The text specifically states that risk management provides a structured method for making security decisions such as purchasing and implementing security tools and hiring people. Therefore, option C is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 124 in PDF)

Explanation: Accessibility refers to the ability and ease of a user to use a resource or access data when needed. It involves removing barriers for authorized users to access these resources and data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 40 in PDF)

Explanation: Section 202 amends the CFAA to authorize investigators to obtain a wiretap for felony violations relating to computer fraud and abuse, not for any computer-related crime or for search warrants.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 76 in PDF)

Explanation: The framework should be customized and proportionate to the organization and the level of risk. A framework that is not customized could create excessive administrative overhead and unnecessary expenses. Organizations must balance the costs associated with applying a framework across their practice while delivering the requisite value. By customizing the framework, organizations can ensure that it is proportionate to their needs and level of risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 140 in PDF)

Explanation: The software- or system-centric model represents the system as a set of interconnected processes and facilitates the identification of potential attacks against each component. Threat analysts can then evaluate the diagrams to determine whether a security control is necessary, exists, and achieves the control effect.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 147 in PDF)

Explanation: A security control framework is defined as a notional construct outlining the organizations approach to security, including a list of specific security processes, procedures, and solutions used by the organization. It is a collection of security controls and processes that are designed to help organizations meet specific security requirements and objectives.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 53 in PDF)

Explanation: A vulnerability is a weakness or gap that exists within a system that may be exploited (by a threat actor) to compromise an assets security or trigger a risk event.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 126 in PDF)

Explanation: The main role of security governance principles is to align security practices with an organizations business objectives, strategy, and goals. This aligns security goals with overall business goals so that the organization can achieve its mission. A security professional must fully understand these business concepts and make sure that their security practices align with them.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 162 in PDF)

Explanation: The passage states that any organization doing business with third parties should establish a third-party risk management policy to assess, monitor, and control risks associated with outsourcing. This includes assessing new third parties, documenting gaps, and continuously monitoring all third parties. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 154 in PDF)

Explanation: A firewall is an example of a preventative control because it is designed to stop unauthorized access to a network before it can occur.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

Explanation: The question asks for the true statement regarding the evaluation of security education activities. The given text states that a formal evaluation targeting the deficiencies within the awareness program itself should be conducted to evaluate the effectiveness of the security education activities. Therefore, option D is correct.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 160 in PDF)

Explanation: Risk avoidance involves eliminating a risk by stopping or removing the activity or technology that causes the risk in the first place. For example, if there is a risk associated with using removable media, a policy that bans their use would be considered an avoidance step since it eliminates the risk completely. However, complete avoidance can be difficult to achieve without business disruption, and thus other risk treatment options may need to be considered.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 130 in PDF)

Explanation: The passage states that system and data backups are the most tried-and-true way that organizations address the risk of technology failure. Organizations must have a comprehensive backup process to ensure important systems and data are captured, stored, and available for recovery when necessary.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 115 in PDF)

Explanation: The first step in a typical risk assessment process in the context of Security and Risk Management is to identify assets and determine their value. This includes identifying and classifying sensitive data based on its value or sensitivity to the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 127 in PDF)

Explanation: Threat modeling is a technique by which you can identify potential threats to your systems and applications, as well as identify suitable countermeasures against those threats, and is most often used during the application development phase. However, it can also be used to help reduce risk in existing applications and environments. Threats may be related to overall system vulnerabilities or an absence of necessary security controls.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 146 in PDF)

Explanation: A noncompete agreement is an agreement that restricts an employee from directly competing with the organization during their employment and, in most cases, for a fixed time after employment. Noncompetes are one-way agreements that are designed to protect organizations from unfair competition by former employees or contractors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 119 in PDF)

Explanation: The correct answer is B. Resource-centric. The three general approaches to threat modeling are attacker-centric, asset-centric, and software-centric. Resource-centric is not a valid approach to threat modeling.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 146 in PDF)

Explanation: Hacking into a government server is considered a cybercrime against government as it is an attack on that countrys sovereignty. It may also involve theft of confidential information or cyber terrorism, making it a serious offense.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

Explanation: It is true that several frameworks explicitly address supply chain risks. The complexities of managing the information systems supply chain have been evident for many years, making supply chain risk management an essential aspect of security and risk management.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 155 in PDF)

Explanation: During risk evaluation, you compare the results of your risk analysis to your organizations established risk profile or risk tolerance (i.e., how much risk your organization is willing to take on). This means that risk response would be determined based on your organizations level of risk tolerance, as dictated by its risk appetite or risk management strategy.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 130 in PDF)

Explanation: As stated in the text, any(ISC)2 member who knowingly violates the (ISC)2 Code of Ethics will be subject to peer review and potential penalties, which may include revocation of the members (ISC)2 certification(s). Therefore, the correct answer is B.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 34 in PDF)

Explanation: Baselines are related to but distinct from standards, and establish a minimum level of security for a system, network, or device. They identify what specific settings, applications, and configurations must be in place to meet a companys security standards and policies. While standards establish specific behavior and actions that must be followed and enforced to satisfy policies, baselines serve as a minimum level of security necessary to achieve those standards.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 107 in PDF)

Explanation: Privacy regulations like HIPAA, COPPA, and GDPR are designed to protect personal data by establishing privacy and data protection requirements across multiple jurisdictions. Privacy is effectively the security principle of confidentiality applied to personal data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 86 in PDF)

Explanation: The Economic Espionage Act (EEA) was enacted to define and establish strict penalties for theft or unauthorized use of trade secrets. The EEA makes it a criminal offense to copy, download, upload, alter, steal, or transfer trade secrets for the benefit of a foreign entity. Therefore, stealing or transferring trade secrets for a foreign entity is criminalized by EEA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 75 in PDF)

Explanation: The GDPR requires organizations to protect the privacy of EU citizens, and is considered the worlds strongest data privacy law. It was established in 2016 and replaced the EUs 1995 Data Protection Directive.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

Explanation: By adding new systems and platforms, organizations are potentially creating new routes for attackers to exploit. Acquiring a company that uses different operating systems or platforms creates additional complexity for IT teams to manage and secure. This is particularly problematic if the new systems are not properly integrated and secured before being connected to the acquiring companys network. By creating these new attack vectors, organizations are increasing their overall risk profile.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 48 in PDF)

Explanation: Management controls are implemented by people and related to administrative methods. Examples include policies, procedures, and guidelines.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

Explanation: Dynamic risk management using ISO 31000 principles requires the identification of risks, analyzing them, and evaluating the risks and their potential effect on the organization. Risk management should anticipate, detect, acknowledge, and respond to changes in a timely fashion.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 141 in PDF)

Explanation: ISO/IEC 27002 provides guidelines for organizations to select, implement, and manage security controls based on their own security risk profile. It is more prescriptive than ISO 27001, as it provides best-practice recommendations for organizations to build and maintain their ISMSs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 57 in PDF)

Explanation: Usability refers to the ability of a user to meet their needs with available data. It is possible for data to be available, but lack sufficient usability. An example of this is when a user has only read-only permissions for a file they need to edit.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 40 in PDF)

Explanation: The examine method is used in security and risk management as a process of reviewing, inspecting, observing, studying or analyzing assessment objects to facilitate assessor understanding, achieve clarification, or obtain evidence.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 135 in PDF)

Explanation: The first goal of any BCP must be to ensure the safety of your people during and after an emergency.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 114 in PDF)

Explanation: The correct answer is IDS, which is an example of a detective control. IDS stands for Intrusion Detection System and helps identify a negative security event while it is in progress or soon after it occurs. Much like a human detective, this type of control is intended to gather information and help security teams determine what happened, how bad the damage is, and what caused it to happen.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 134 in PDF)

Explanation: Recovery Time Objective (RTO) is the planned time necessary to restore a system to the point where it meets the minimum service expectations of the system owner. In other words, RTO is the maximum period of time within which a CBF must be restored after a disruption to avoid unacceptable business consequences.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 112 in PDF)

Explanation: Statutes and regulations are both legally enforceable, but statutes are written and adopted by the jurisdictions legislative body, while regulations are more detailed rules on how the execution of a statute will be performed. Although both statutes and regulations are legally enforceable, regulations are subordinate to statutes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 63 in PDF)

Explanation: Removing access that will no longer be needed during an employees transfer helps to enforce the principle of least privilege. This principle requires that users only have access to the information they need to do their job and nothing more. Removing unnecessary access is an important part of maintaining the security and confidentiality of sensitive information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 121 in PDF)

Explanation: The text states that the primary objective of a governance committee is to provide oversight for the companys security function, while ensuring that the security function continues to meet the needs of the organization and its stakeholders.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 47 in PDF)

Explanation: A CISO is the senior-level executive within an organization who is responsible for the overall management and supervision of the information security program. The CISO drives the organizations security strategy and vision and is ultimately responsible for the security of the companys systems and information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 52 in PDF)

Explanation: The U.S. Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, also known as the CAN-SPAM Act, was enacted to protect email users from unsolicited commercial emails and regulate the content of commercial messages. The Act requires companies to allow email recipients to opt out of future emails and establish several requirements around email content and sending behavior.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 79 in PDF)

Explanation: As a CISSP, it is your job to protect all forms of IP. The correct answer is B because CISSPs must work with organizations such as the WTO, WCO, and WIPO to establish and protect IP rights. CISSPs should have the knowledge and skills to help create and enforce policies, procedures, and technology solutions for protecting IP rights.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 80 in PDF)

Explanation: Before adopting any new hardware, software, or services, it is important to assess how this may impact the organizations security posture. This includes a security evaluation of any potential new risks that may arise as a result and how they can be mitigated.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 152 in PDF)

Explanation: The National Counterterrorism Center (NCTC) was established by the Intelligence Reform and Terrorism Prevention Act of 2004 to help prevent terrorist acts against the United States.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 79 in PDF)

Explanation: Encryption is a common example of a technology-related countermeasure that aims to reduce the likelihood of an adverse event or the impact of that event. It involves modifying the technology or software to prevent unauthorized access to sensitive data. It is important to consider factors such as security-effectiveness, cost-effectiveness, and operational impact when selecting technology-related countermeasures.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 132 in PDF)

Explanation: Control assessments (test) is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. This stage is used to confirm that security controls are implemented as they are documented and that they are operating effectively and as intended.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 136 in PDF)

Explanation: Confidentiality, integrity, and availability are the pillars of information security known as the CIA Triad. Confidentiality ensures that only authorized users have access to certain information. Integrity ensures that the information is correct and has not been tampered with. Availability ensures that the information is accessible to authorized users when needed. Assurance is not one of the pillars of the CIA Triad, although it is an important security concept that ensures the trustworthiness and quality of information systems.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 37 in PDF)

Explanation: ISO 27001 is an industry-standard certification that provides a framework for information security management systems. It demonstrates that an organization has implemented a comprehensive and systematic approach to managing and protecting its information assets, including personal data. Therefore, it can be pursued to demonstrate accountability and commitment to security and privacy.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 93 in PDF)

Explanation: The EU-US Privacy Shield was the second attempt by the European Union and United States to agree upon principles to mutually regulate the exchange of personal data between the two jurisdictions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 91 in PDF)

Explanation: The primary purpose of developing processes for the use of alternate sites during a disaster is to assure that critical data processing facilities and capabilities remain operational. This ensures that the organization is able to continue critical business functions and maintain operations during a disaster.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 115 in PDF)

Explanation: While the USPTO issues patents, patent law in the United States is not enforced by the USPTO; it is enforced by the U.S. legal system. The USPTO is simply responsible for granting patents. The correct answer is therefore D.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 82 in PDF)

Explanation: Single loss expectancy (SLE) is a measure of the monetary loss (calculated in dollars) you would expect from a single adverse event. It estimates how much you would lose from one occurrence of a particular realized threat by multiplying an assets value (AV) by its exposure factor (EF).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 129 in PDF)

Explanation: The General Data Protection Regulation (EU) requires organizations to obtain and process personal data in accordance with applicable laws and to fully inform the customer of how their data will be used. This includes ensuring that the processing of personal data is lawful, fair, and transparent.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

Explanation: Process-related countermeasures are policy, procedure, and other workflow-based mitigations. Separation of duties on invoice approval and payment falls into this category, as it is a process-related mitigation against cyber fraud.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 132 in PDF)

Explanation: Candidate screening and background investigations are critical in ensuring that the employees who handle sensitive information are trustworthy. A robust personnel security program can aid in identifying risks such as criminal records, history of drug or alcohol abuse, and any other red flags that indicate they may not be fit to handle the organizations data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 162 in PDF)

Explanation: Recovery Point Objective (RPO) represents the maximum period of time that a business can tolerate data loss. This must be defined by the business and is responsible for resourcing the controls to achieve the RPO.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 112 in PDF)

Explanation: When employees are dissatisfied with a merger or acquisition, they may become disgruntled and pose a severe threat as insiders with access to sensitive information. Insider threat is commonly considered a top security concern that organizations need to address.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 48 in PDF)

Explanation: Annualized loss expectancy (ALE) is a metric used in quantitative risk analysis that helps quantify the impact of a realized threat on an organizations assets. It is measured in dollars and is the product of single loss expectancy (SLE) and annual rate of occurrence (ARO). SLE estimates the monetary loss you would expect from one occurrence of a particular realized threat, while ARO estimates the number of times that you expect a particular risk event to occur every year. Therefore, ALE represents the annual cost of a particular risk to an organization, which is an important measure of the effectiveness of risk management strategies.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 129 in PDF)

Explanation: According to DOMAIN 1: Security and Risk Management, an organizations privacy policy should be an explanation of their personal data collection and use practices. It should explain what kind of personal data is collected, how it will be used or not used, and how it will be stored, maintained, and secured.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 123 in PDF)

Explanation: Patch management procedures are an example of a security procedure as they are used to identify and remediate vulnerabilities in software applications and operating systems. Employee onboarding, marketing campaign planning, and performance evaluation procedures are examples of non-security procedures that may also need to be reviewed for security purposes, but they do not relate specifically to information security.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 108 in PDF)

Explanation: Intellectual property theft is an example of a cybercrime against property, which falls under the category of crimes against property in which property may include information stored within a computer, or the computer itself.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

Explanation: The first stage in the U.K. National Cyber Security Centres 12 principles for establishing and maintaining effective control of the supply chain is to understand the risks. This stage involves identifying your vendors in your supply chain and establishing what needs to be protected in that supply chain (and why).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 157 in PDF)

Explanation: The main responsibility of a security professional during onboarding, transfer, and termination processes is to actively engage with the business to ensure that these processes are clearly documented and set behavior expectations during all stages of employment. This ensures that employees understand their obligations to respect the protection of the organizations intellectual property and data security as they join, move within, or leave the company.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 120 in PDF)

Explanation: DREAD is a quantitative risk rating technique originally used by Microsoft to prioritize security threats. DREAD stands for Damage, Reproducibility, Exploitability, Affected users, and Discoverability.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 150 in PDF)

Explanation: When an employee is involuntarily terminated, the organization must assume that the former employee is a threat and take appropriate action to protect organizational assets. The organization should have specific processes to notify the information security organization to disable access to electronic and physical systems, and attempt to recover any company property the terminated employee used. The recovered material should be tracked as evidence and retained for subsequent forensic analysis. Finally, remaining staff should be informed that the terminated individual is no longer allowed access and any attempts to access resources or property should be reported. (Source: CISSP Study Guide, Chapter 1)

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 121 in PDF)

Explanation: The purpose of risk maturity modeling is to assess the strength of an organizations security program and create a plan for continuous improvement based on the results. The focus is on improving the security posture, not solely on individual security gaps, or purchasing more security tools, or avoiding implementing redundant security protocols.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 137 in PDF)

Explanation: Purpose limitation requires data controllers to identify specific, explicit, and legitimate purposes for data collection and inform data subjects of such purpose.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 92 in PDF)

Explanation: The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior. This method seeks to confirm that security controls are implemented as they are documented and that they are operating effectively and as intended.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 135 in PDF)

Explanation: Personnel-related countermeasures involve people and their behavior. Hiring (or firing), organization restructuring, and awareness training are some common personnel-related countermeasures to reduce the likelihood of an adverse event or the impact of that event occurring.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 131 in PDF)

Explanation: The main purpose of the U.S. Sarbanes–Oxley Act (SOX) of 2002 was to establish a nonprofit organization, the Public Company Accounting Oversight Board (PCAOB), responsible for maintaining public trust in publicly traded companies and public accounting firms through the implementation of a wide range of controls, providing investors with appropriate risk information, placing civil and criminal penalties on executives for providing false financial disclosures, and providing protections for whistleblowers. Thus, option B is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

Explanation: Timeliness refers to the time expectation for availability of information and resources and is the measure of the time between when information is expected and when it is available for use. This means that information needs to be available to authorized users within an acceptable period of time to ensure timeliness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 41 in PDF)

Explanation: SOC 1 audits focus strictly on a companys financial statements and controls that can impact a customers financial statements, while SOC 2 audits evaluate an organization based on AICPAs five Trust Services principles: privacy, security, availability, processing integrity, and confidentiality.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

Explanation: A SOC 1 audit and compliance report focuses specifically on an organizations controls that can impact a customers financial statements. The report ensures that financial information is accurate and trustworthy, particularly for customers initiating transactions or other interactions with the organization. Examples of companies that perform credit card processing that are likely to require a SOC 1 audit include banks and financial institutions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 66 in PDF)

Explanation: According to the text, healthcare clearinghouses are private or public organizations that process or facilitate the processing of nonstandard health information and convert it into standard data types. They are covered entities under HIPAA.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 88 in PDF)

Explanation: Risk transference involves shifting the responsibility and potential loss associated with a risk onto a third party through mechanisms such as insurance. The most common form of risk transference is insurance, which enables a company to transfer financial risk to their insurer. This is useful when unforeseen events occur, such as cyber breaches, that may expose the organization to significant financial risk. However, its important to note that the company still retains some level of reputational risk as well as a degree of responsibility for managing the overall risk.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 131 in PDF)

Explanation: The official definition of terrorism, as stated in Section 808 of the USA PATRIOT Act of 2001, includes destruction of communication lines, stations, or systems as a federal crime of terrorism.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 77 in PDF)

Explanation: FISMA mandates that all U.S. federal government agencies and nongovernment organizations that provide information services to these agencies conduct risk-based security assessments that align with the NIST Risk Management Framework.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 65 in PDF)

Explanation: The purpose of the Child Pornography Prevention Act (CPPA) of 1996 was to restrict and punish the production and distribution of child pornography on the internet. This is done to protect minors from exploitation and abuse. The act makes it illegal to produce, distribute, or possess child pornography.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 75 in PDF)

Explanation: The Chief security officer (CSO) is a senior-level executive within an organization who is generally responsible for all physical security and personnel security matters.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 52 in PDF)

Explanation: Jurisdiction refers to the legal authority of a governmental body over a specific matter, often based on geography. It determines which law enforcement agency has the right to prosecute a criminal case.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 98 in PDF)

Explanation: A trademark is a word, phrase, symbol, and/or design that identifies and distinguishes the source of the goods of one party from those of others according to the USPTO.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 82 in PDF)

Explanation: According to GDPR, the maximum fine for infringements of the basic principles for processing and consent, data subjects rights, transfer of personal data to a third country, member state law obligations or noncompliance with supervisory authority orders is up to €20 million, or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 95 in PDF)

Explanation: The PASTA methodology integrates business objectives with technical requirements, which makes it more easily understood by upper management. This is beneficial for organizations because it ensures that security measures and requirements are aligned with business objectives and not just technical factors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 149 in PDF)

Explanation: The primary goal of data integrity is to ensure that all data remains intact, correct, and reliable. This helps prevent personnel from making improper decisions or potentially harmful actions due to having incorrect information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 39 in PDF)

Explanation: A nondisclosure agreement (NDA) is an agreement that restricts an employee or contractor (or anyone else with access to sensitive information) from disclosing sensitive information they obtain through the course of their employment or relationship with an organization. An NDA is designed to protect the confidentiality of the organizations data (such as trade secrets or customer information) and is often a lifetime agreement (even after the employee leaves the company).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 119 in PDF)

Explanation: A compensating control is a safeguard used in addition to or in place of a primary control. It is often implemented if a primary control cannot be fully implemented for some reason. While the compensating control may not fully mitigate the risk, it provides some level of security that wouldnt exist without any control being implemented.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 136 in PDF)

Explanation: According to the text, significant changes to the organizations risk posture, significant changes to security or privacy controls, internal audits, external audits, suspected or confirmed security breaches, and other incidents are all included in a well-managed risk-based security programs reporting requirements. However, system outage reporting is not mentioned anywhere in the text.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 137 in PDF)

Explanation: Analysis of quiz results is one of the most effective methods of measuring program effectiveness through knowledge retention. This helps to identify the areas where employees might need further information or clarification.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 160 in PDF)

Explanation: As mentioned in the text, the Chief information security officer (CISO) is the senior-level executive within an organization who is responsible for the overall management and supervision of the information security program. The CISO drives the organizations security strategy and vision and is ultimately responsible for the security of the companys systems and information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 51 in PDF)

Explanation: Identity theft is an example of a cybercrime that falls under the category of crimes against people. Other crimes against people include cyberstalking, online harassment, and credit card fraud.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 71 in PDF)

Explanation: Security governance is a business issue that requires a high level of planning and oversight by people throughout the entire organization, not just the IT department. As such, security governance is typically led by executive management at a company, usually including the board of directors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 44 in PDF)

Explanation: Evaluating the potential operational impact of a countermeasure is important to ensure it is not too difficult to implement or use, as a countermeasure that is too difficult can actually increase risk because it is not used properly or at all. It is important to carefully consider the organizations culture and strategy when selecting countermeasures to avoid negative operational impacts.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 133 in PDF)

Explanation: The five offenses introduced by The Computer Misuse Act 1990 (U.K.) are Unauthorized access to computer material, Unauthorized access with intent to commit or facilitate commission of further offenses, Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc., Unauthorized acts causing, or creating risk of, serious damage, and Making, supplying, or obtaining articles for use in other offenses.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 80 in PDF)

Explanation: Risk management is essential in information security as it helps identify potential security risks and vulnerabilities, and assists in devising a plan to implement appropriate security measures to reduce risk. By evaluating security risks, one can identity the right security controls needed to implement in their environment.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 162 in PDF)

Explanation: As per the GDPR, the 10 criteria to determine the amount of the fine on a noncompliant firm include the nature of infringement, intention, mitigation, and other factors such as the number of people affected, damage suffered, duration of infringement, purpose of processing, past relevant infringements, cooperation with supervisory authority, data type, notification, certification or adherence to approved codes of conduct, and financial impact of the infringement (83.1).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 94 in PDF)

Explanation: When an organization assesses the risks it faces, there are four common responses: avoid the risk, mitigate the risk, transfer the risk and accept the risk. Each of these responses requires different actions within the organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 130 in PDF)

Explanation: ISO 31000 principles for risk management explicitly consider any limitations of available information. It emphasizes the importance of using the best available and reliable information, and understanding the limitations of that information. It also includes a requirement to continuously review and update risk assessments as new information becomes available.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 141 in PDF)

Explanation: The purpose of conducting a threat analysis in risk analysis is to evaluate the likelihood of identified threats exploiting weaknesses (i.e., vulnerabilities) in your environment and determining the impact to your assets if that happens. This stage of risk assessment is focused on examining how disastrous the event would be if it were to happen, and assessing the probability that the threats might actually exploit a vulnerability, or weakness.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 127 in PDF)

Explanation: As stated in the text, an effective security function must be in alignment with the companys business strategy, goals, mission, and business objectives. Each of these elements should be considered during the creation and management of the organizations information security program and policies. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 44 in PDF)

Explanation: A guideline is a recommendation and is not a mandatory requirement while a standard is a mandatory requirement for an organization to follow. Standards are typically set by external regulatory bodies or organizations, while guidelines provide flexible suggestions for meeting the intent of policies or implementing the requirements in standards and baselines.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 109 in PDF)

Explanation: A noncompete agreement is an agreement that restricts an employee from directly competing with the organization during their employment and, in most cases, for a fixed time after employment. Noncompetes are designed to protect organizations from unfair competition by former employees or contractors

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 119 in PDF)