---

@denbesten wrote:
Without a label, how would one know if the message requires encryption.

---

Or if you just encrypt all email, you don't have to worry about labels 😉

Again, I think it is a flawed question. What might make a better scenario is to put Johny in charge of a file server. A will provide at least the same level of confidentiality, integrity, and availability as B, C, D without the extra overhead of having to create some labeling system that would seem difficult to implement across the heterogeneity of email. By the same token, to implement B, C, and D requires you to the encryption work of A and then create an additional taxonomy. Again, I think a file server scenario might more get what the answer was trying to test.

Okay sharing the answer from the source.

Answer given is B.  Somewhere you are.

Do you agree with this answer?  Your answer and explanation is appreciated.  Thanks

Land lines are located in a physical location and its a location based item. It is not something you have because it is not tied to you as an individual. Its not something you know, because its a physical device external to your brain. So the answer will be somewhere you are. Also multi factor authentication is slightly changing in the market to use other ways to authenticate. 

Thank you @funkychicken, for the explanation.

"Land lines are located in a physical location and its a location based item. It is not something you have because it is not tied to you as an individual. Its not something you know, because its a physical device external to your brain. So the answer will be somewhere you are. Also multi factor authentication is slightly changing in the market to use other ways to authenticate."

What through me off is that I never heard this "somewhere you are" mentioned anywhere else. I thought this could be mad-up thing. Well, I know now. Thanks.

@funkychicken Big congrats in passing the exam. 

Sounds like lot of ambiguous questions on the exam 🙂 Thanks for the advice, re - best answer

Thanks for your explanation for the question below. However, these keywords "minimum security requirements' could be interpreted different way by some. Some may think the minimum requirement /effort could be just encrypt all mail rather than go through the extensive process in classifying emails appropriately and then label them, and then apply appropriate polices. And we know email and data classification is challenging and takes time and efforts. Not disagreeing with the answer but just my 2 cents... 

"Question 1. 

Johny needs to provide a set of minimum security requirements for email. What steps should he recommend for his organization to ensure that the email remains secure?

Lets break this down. 

Johny needs to provide a set of MINIMUM security requirements for EMAIL. So the standards are going to be minimum and not necessarily for all email. Infact most times in an organisation especially when doing ISO27001 and PCI-DSS, all email does not require to be encrypted only the sensitive items need to be. We must also consider encryption as a technology that puts lots of processing power on CPU resources and also will slow down the system if being used for all email so in reality this really isn't a viable options because in an email scenario, receiving an email if it is not sensitive is more important than encrypting it. 

What steps should he recommend for his organization to ensure that the email remains secure?

OK so he needs to take some steps, and he should recommend these steps for the org to make sure THE EMAIL remains secure. 

So, the email relates to the type of email that is being encrypted. This does not relate to all email, it relates to the type of email which means that it has been broken down in to categories. So here you will have email that is non secure and is OK to be sent to users and then you have email that is sensitive and needs to be secured and send using something like PGP encryption. 

Remember the CISSP training and the core skills of a CISSP representative. The Security Dept is there to facilitate the business to achieve the business goals. There are also many elements of the CISSP training which you need to consider for every answer to a question. Remember that most of the answers are correct but it is the best answer which you need to know in the situation. I know all these are confusing but you will need to consider every situation in every part of the CISSP and adopt the knowledge to answer the question. 

So the answers:

A.   All email should be encrypted - not necessarily. In most companies all email does not need to be encrypted but only the category of email that is required to be encrypted. 

B.   All email should be encrypted and labelled - same as above. In certain companies or government operations it should be but if this was a standard then Office 365 would adopt this or yahoo.com and everyone would have to use PGP and everything would need to be labelled which is impractical at the moment. 

C.  Sensitive email should be encrypted and labelled - Yes there is always a time where there are certain emails which need to be shared with a key. They also need to be labelled and considered inbound and outbound. So something that may not be considered sensitive inside but when released outside of the company this may be considered sensitive and therefore should be labelled as such. 

D.  Only highly sensitive email should be encrypted - This is incorrect because some email which is classified as non sensitive may be sensitive if the data was released outside. 

I recently passed my CISSP I had to review all of the documentation for these areas. It became more and more obvious that its not just the specific question that is the concern but every element from the training, what the current state of the technology is that is mentioned in the question, wow the technology works, the CIA triad, the principles of a CISSP, the roles and objectives of a CISSP in a business and a variety of other aspects that could affect the answer to a question. 

When I sat my exam there were many questions that were like this, and the thought process is not just the question at stake as all of the answers could be correct but its what is the best answer in this scenario given the situation. "

---

@Rooks wrote:

Callback to a landline phone number is an example of what type of factor?

...

Answer given is B.  Somewhere you are.

 

Do you agree with this answer?  

---

I do not.  "Somewhere you are" is not a generally recognized factor. There are three generally recognized factors:  

• something you have (e.g. a phone/PC hopefully with a TPM)
• something you are  (e.g. biometrics)
• something you know (e.g. a password)

The best (well, least bad) answer would be "something you have".  

Incidentally, a "landline" phone does not really demonstrate physical location.  My phone number is a "landline" based on the telco allocation tables, but it is actually rings on my mobile phone. Phone calls/texts are also not a very good choice for MFA due to known attack methods (porting numbers, forwarding, sim swap).  Given a choice between a password or password+SMS, chose the latter, but if any other MFA mechanism is available, avoid SMS.