Pass the ISC 2 Credentials CISSP Questions and answers with ExamsMirror

The best reason to review audit logs periodically is to identify anomalies in use patterns that may indicate unauthorized or malicious activities, such as intrusion attempts, data breaches, policy violations, or system errors. Audit logs record the events and actions that occur on a system or network, and can provide valuable information for security analysis, investigation, and response. The other options are not as good as identifying anomalies, as they either do not relate to security (B), or are not the primary purpose of audit logs (A and D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 405; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, page 465.

The attribute of the data that has been compromised, if it is discovered that large quantities of information have been copied by the unauthorized individual, is the confidentiality. The confidentiality is the property or the characteristic of the data that ensures that the data is only accessible or disclosed to the authorized individuals or entities, and that the data is protected from the unauthorized or the malicious access or disclosure. The confidentiality of the data can be compromised when the data is copied, stolen, leaked, or exposed by an unauthorized individual or a malicious actor, such as the one who accessed the system hosting the database. The compromise of the confidentiality of the data can violate the privacy, the rights, or the interests of the data owners, subjects, or users, and can cause damage or harm to the organization’s operations, reputation, or objectives. Availability, integrity, and accountability are not the attributes of the data that have been compromised, if it is discovered that large quantities of information have been copied by the unauthorized individual, as they are related to the accessibility, the accuracy, or the responsibility of the data, not the secrecy or the protection of the data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, Security Architecture and Engineering, page 263. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, Security Architecture and Engineering, page 279.

The most likely security issue with degaussing is that the degausser products may not be properly maintained and operated. Degaussing is a method of sanitizing magnetic media, such as hard disk drives, by applying a strong magnetic field that erases the data stored on the media. Degaussing can be effective in destroying the data, but it requires that the degausser products are calibrated, tested, and used according to the manufacturer’s specifications and instructions. If the degausser products are not properly maintained and operated, they may not generate a sufficient magnetic force to erase the data completely, or they may damage the media or the device. Commercial products often have serious weaknesses of the magnetic force available in the degausser product, the inability to turn the drive around in the chamber for the second pass due to human error, and inadequate record keeping when sanitizing media are not the most likely security issues with degaussing, as they are related to the quality, the technique, or the documentation of the degaussing process, not the maintenance or the operation of the degausser products. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 888. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 904.

A data retention policy is a document that specifies the rules and guidelines for how long and under what conditions an organization should retain its data. The main goal of a data retention policy is to ensure the integrity and confidentiality of data for a predetermined amount of time. Integrity means that the data is accurate, complete, and consistent, and that it has not been modified or corrupted by unauthorized parties. Confidentiality means that the data is protected from unauthorized access or disclosure, and that it respects the privacy and security of the data owners or subjects. A data retention policy can help an organization to comply with the legal or regulatory requirements, to support the business or operational needs, and to reduce the storage or management costs of the data. Ensuring that data is destroyed properly, ensuring that data recovery can be done on the data, and ensuring the availability of data for a predetermined amount of time are not the main goals of a data retention policy, as they are related to the disposal, restoration, or accessibility of the data, not the integrity or confidentiality of the data. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 49. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 64.

The most beneficial item to review when performing an IT audit is the security log. The security log is a record of the events and activities that occur on a system or network, such as logins, logouts, file accesses, policy changes, or security incidents. The security log can provide valuable information for the auditor to assess the security posture, performance, and compliance of the system or network, and to identify any anomalies, vulnerabilities, or breaches that need to be addressed. The other options are not as beneficial as the security log, as they either do not provide enough information for the audit (A and C), or do not reflect the actual state of the system or network (D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, page 405; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, page 465.

The access control logs must contain the time of the access, in addition to the identifier. Access control logs are the records or the files that capture and store the information or the data related to the access control events or activities, such as the authentication, the authorization, the audit, or the accountability. Access control logs can help to monitor and analyze the access control performance and effectiveness, to detect and investigate any security incidents or breaches, and to provide evidence or proof for any legal or regulatory actions. The access control logs must contain the time of the access, as it can help to identify and verify when the access control event or activity occurred, and to correlate and compare it with other events or activities, such as the network traffic, the system activity, or the user behavior. The time of the access can also help to determine the duration and the frequency of the access control event or activity, and to measure and evaluate the access control efficiency and quality. The security classification, the denied access attempts, and the associated clearance are not the information that must be contained in the access control logs, as they are related to the level of sensitivity or protection of the data or the resource, the unsuccessful or rejected access control requests, or the level of authorization or permission of the user or the device, not the time of the access control event or activity. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 671. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 687.

The best place to specify the permitted access for each department and job classification combination is the security standards. Security standards are the documents that define the specific and measurable requirements or rules for the implementation and maintenance of the security policies and procedures. Security standards can help to ensure the consistency and the compliance of the security controls and measures across the organization, and to support the security objectives and principles, such as the least privilege and the separation of duties. Specifying the permitted access for each department and job classification combination in the security standards can help to enforce the role-based access control (RBAC) methodology, which assigns the permissions and privileges to the users or the devices based on their roles or functions in the organization. Security procedures, human resource policy, and human resource standards are not the best places to specify the permitted access for each department and job classification combination, as they are related to the steps or actions for the execution or operation of the security controls or measures, the general and strategic guidelines or objectives for the management or administration of the human resources, or the specific and measurable requirements or rules for the implementation and maintenance of the human resource policy, not the role-based access control methodology. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 46. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 61.

The best factor that supports the recommendation of upgrading all perimeter firewalls to mitigate a particular finding is that the expected loss from the risk exceeds mitigation costs. The expected loss from the risk is the product of the probability of occurrence and the impact of the risk, which can be measured by the Annualized Loss Expectancy (ALE). The mitigation costs are the expenses associated with implementing the security controls or countermeasures to reduce the risk. If the expected loss from the risk exceeds the mitigation costs, then it is economically justified to invest in the mitigation strategy, such as upgrading the firewalls. The inherent risk is greater than the residual risk, the ALE approaches zero, and the infrastructure budget can easily cover the upgrade costs are not the best factors that support the recommendation, as they do not indicate the cost-benefit analysis or the return on investment of the mitigation strategy. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 47. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 62.

 The action that provides effective management assurance for a WLAN is establishing a VPN tunnel between the WLAN client device and a VPN concentrator. A VPN is a secure and encrypted connection that enables remote access to a private network over a public network, such as the internet. A VPN concentrator is a device that manages and authenticates the VPN connections, and provides encryption and decryption services. By establishing a VPN tunnel, the organization can protect the confidentiality, integrity, and availability of the data transmitted over the WLAN, and prevent unauthorized or malicious access to the network. The other options are not as effective as establishing a VPN tunnel, as they either do not provide sufficient security for the WLAN (A and B), or do not address the management assurance aspect (D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, page 167; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, page 177.

 The most likely cause of the inconsistent application of server security controls resulting in vulnerabilities on critical systems is a lack of baseline standards. Baseline standards are the minimum level of security controls and measures that must be applied to the servers or other assets to ensure their protection and compliance. Baseline standards help to establish a consistent and uniform security posture across the organization, and to prevent or reduce the exposure to threats and risks. If there is a lack of baseline standards, the server security controls may vary in quality, effectiveness, or completeness, resulting in vulnerabilities on critical systems. Improper documentation of security guidelines, a poorly designed security policy communication program, and ineffective Host-based Intrusion Prevention System (HIPS) policies are not the most likely causes of this issue, as they do not directly affect the application of server security controls or the existence of baseline standards. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 35. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 48.

Encrypting the entire disk and deleting the contents after a set number of failed access attempts provides the most protection against data theft of sensitive information when a laptop is stolen. This method ensures that the data is unreadable without the correct decryption key, and that the data is erased if someone tries to guess the key or bypass the encryption. Setting up a BIOS and operating system password, encrypting the virtual drive, or implementing a policy are less effective methods, as they can be circumvented by physical access, booting from another device, or copying the data to another location. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, p. 269; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 5: Identity and Access Management (IAM), p. 521.

 The action that provides the greatest protection against the same attack occurring again is to implement server-side filtering. Server-side filtering is the process of validating and sanitizing the user input on the server side, before passing it to the database or application. Server-side filtering can prevent SQL injection attacks, which are the attacks that exploit the vulnerability of the database or application to execute malicious SQL commands or queries. SQL injection attacks can result in data theft, corruption, or deletion, as well as unauthorized access or privilege escalation. The other options are not as effective as server-side filtering, as they either do not prevent SQL injection attacks (A and B), or do not address the root cause of the vulnerability (D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 481; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, page 581.

A Host-Based Intrusion Protection (HIPS) system is a software that monitors and blocks malicious activities on a single host, such as a computer or a server. A HIPS system can also prevent unauthorized changes to the system configuration, files, or registry12

During the initial implementation, a HIPS system is often deployed in monitoring or learning mode, which means that it observes the normal behavior of the system and the applications running on it, without blocking or alerting on any events. The objective of starting in this mode is to automatically create exceptions for specific actions or files that are legitimate and safe, but may otherwise trigger false alarms or unwanted blocks by the HIPS system34

By creating exceptions, the HIPS system can reduce the number of false positives and improve its accuracy and efficiency. However, the monitoring or learning mode should not last too long, as it may also expose the system to potential attacks that are not detected or prevented by the HIPS system. Therefore, after a sufficient baseline of normal behavior is established, the HIPS system should be switched to a more proactive mode, such as alerting or blocking mode, which can actively respond to suspicious or malicious events

The most likely factor that will influence the selection of top initiatives is the severity of risk. The severity of risk is a measure of the impact or the consequence of a threat exploiting a vulnerability, and the likelihood or the probability of that occurrence. The severity of risk can help to prioritize the security initiatives, as it can indicate the level of urgency or importance of addressing or mitigating the risk, and the potential benefit or value of implementing the initiative. The security initiatives that have the highest severity of risk should be selected as the top initiatives, as they can provide the most protection or improvement for the security program. Complexity of strategy, frequency of incidents, and ongoing awareness are not the most likely factors that will influence the selection of top initiatives, as they are related to the difficulty, the occurrence, or the education of the security program, not the prioritization or the justification of the security initiatives. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 25. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 40.

The component that assures that rules are followed in an identity management architecture is the policy enforcement point. A policy enforcement point is a device or software that implements and enforces the security policies and rules defined by the policy decision point. A policy decision point is a device or software that evaluates and makes decisions about the access requests and privileges of the users or devices based on the security policies and rules. A policy enforcement point can be a firewall, a router, a switch, a proxy, or an application that controls the access to the network or system resources. A policy database, a digital signature, and a policy decision point are not the components that assure that rules are followed in an identity management architecture, as they are related to the storage, verification, or definition of the security policies and rules, not the implementation or enforcement of them. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 664. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 680.