Hi All, I have got another question that I would like to get some feedback / insight from you. Thank you.

I am debating the answer given, so reaching out to you if you can shed some insight, please. 

I've copied/mentioned some folks here that I encountered with or saw their feedback in other communities. Thank you all in advance.

 @rslade @dcontesti @denbesten  @funkychicken @Vigenere @Shannon @gidyn @alekos

Question 9. 

Which data role is tasked with applying rights that provide appropriate access to staff members?

A.  Data processors

B.  Business owners

C.  Custodians

D.  Administrators 

Answer: Given answer is Administrators

But Administrators is not a data specific role. I know that a Data Custodian could be an Administrator, but it is said so in this question. So is D.  Administrators, the correct answer here? I think it would be C.  Custodians who will engage an administrator to do the job.

Your feedback is appreciated. Thank you.

---

@tim73 wrote:

The answer for securing email is C. "Sensitive email should be encrypted and labelled" seems appropriate as it aligns with the principle of protecting information based on its classification. Encrypting and labelling only sensitive emails is often a more practical approach, especially if classification details are provided. However, if there’s no classification context, a broader recommendation like A, that all email should be encrypted, could be a good default approach to ensure comprehensive security.

 Actually I studied this question at CertsLab's sample questions. I also recommend others, if you are looking further into their CISSP exam preparation, might find CertsLab’s sample questions and practice materials helpful. They provide a range of questions to test your knowledge and refine your understanding. Check them out here: CertsLab CISSP Practice Questions. Good luck with your studies!”

 

---

Thank you, @tim73 , for your feedback and advice - much appreciated. 

Hi All,

I'm trying to get some solid information (steps) on as to how a client validates PKI certificate that it gets from a server using the CA's digital signature on the certificate. I found some information on the net, but nothing explains properly. What are the steps that a client (requestor) goes thru to confirm the PKI certificate from the CA?

I understand the rest of the PKI process clearly except what I outlined above.  Thank you.

Hi sorry I have been away and been a little busy. 

In answer to this question. Information Security in the business stops with the top most decision maker. It is specified in the official training that decisions about security are pushed from the top down because they need to encompass senior management support to distribute to the rest of the business. This means that the CIO and CISO are ruled out because the CEO is effectively in charge of everything. 

In the C-Suite, even if the CIO wanted to make a decision about a security policy, it would need to be signed off by the CEO even before it was deployed. Sometimes a business does not have a CIO due to the size and rarely will have a CISO if a CIO already exists. Ideally a Security manager will need to report to a CIO or a CISO who will then feed back to the CEO. This is not the case in all businesses though because of the size and type of the business. 

In terms of Directors or the Board of Directors. These representatives are at the top of the business and may sit above the CEO or with the CEO. They will all have the responsibility of providing due care and diligence making the right decisions about security and leading the business. 

So with this and taking into account a legal change that come from law that needs to be implemented in the business it would be the Board of Directors to ensure this would be implemented in the business which may or may not include the CEO.

I have not seen this question appear with these answers before. Usually there is only 1 choice for the owners of the business who are ultimately responsible for decisions made about security. 

---

@funkychicken wrote:

Hi sorry I have been away and been a little busy. 

 

In answer to this question. Information Security in the business stops with the top most decision maker. It is specified in the official training that decisions about security are pushed from the top down because they need to encompass senior management support to distribute to the rest of the business. This means that the CIO and CISO are ruled out because the CEO is effectively in charge of everything. 

 

In the C-Suite, even if the CIO wanted to make a decision about a security policy, it would need to be signed off by the CEO even before it was deployed. Sometimes a business does not have a CIO due to the size and rarely will have a CISO if a CIO already exists. Ideally a Security manager will need to report to a CIO or a CISO who will then feed back to the CEO. This is not the case in all businesses though because of the size and type of the business. 

 

In terms of Directors or the Board of Directors. These representatives are at the top of the business and may sit above the CEO or with the CEO. They will all have the responsibility of providing due care and diligence making the right decisions about security and leading the business. 

 

So with this and taking into account a legal change that come from law that needs to be implemented in the business it would be the Board of Directors to ensure this would be implemented in the business which may or may not include the CEO.

 

I have not seen this question appear with these answers before. Usually there is only 1 choice for the owners of the business who are ultimately responsible for decisions made about security. 

 

---

Thank you for chiming in, @funkychicken.

Interestingly, ISC2 does not reference to Board of Directors, at least I haven't seen any. Other organizations like ISC2 say it clearly it is the Board of Directors.