Rooks
Newcomer III

CISSP Review Questions

Hello All,

 

I'm reviewing some questions for CISSP exam preparation. I found the answers to some of the questions questionable and would like to hear your take on this. Your feedback is very much appreciated.

 

I've copied/mentioned some folks here whom I encountered or whose feedback I saw in other communities. Thank you all in advance.

 @rslade @dcontesti @denbesten  @funkychicken @Vigenere @Shannon @gidyn @alekos

 

 

Question 1. 

 

Johny needs to provide a set of minimum security requirements for email. What steps should he recommend for his organization to ensure that the email remains secure?

 

A.   All email should be encrypted

B.   All email should be encrypted and labelled

C.  Sensitive email should be encrypted and labelled

D.  Only highly sensitive email should be encrypted

 

 

Answer: Given answer is C. 

 

However, I think it should be A because the question is not mentioning anything to do with classification.

What do you think? 

 

36 Replies
Rooks
Newcomer III

Hi All, I have the following inquiry/question that I would like to get some feedback / insight on from you. Thank you.

 

I'm primarily asking since I haven't found much reference or information about the role of the Board of Directors for the organization in ISC2 materials. But we know the Board of Directors provides the ultimate vision / advice for the company. In ISC2 materials it says the CEO or Senior Management.

 

I've copied/mentioned some folks here whom I encountered or whose feedback I saw in other communities. Thank you all in advance.

 @rslade @dcontesti @denbesten  @funkychicken @Vigenere @Shannon @gidyn @alekos

 

 

Question 8. 

 

Who is ultimately responsible for the organization's Information Security?

 

A.  Board of Directors

B.  CEO

C.  CIO

D.  CISO

 

 

Answer: I would love to hear your feedback/Answer. Thank you. 

Rooks
Newcomer III

Hi All, I have another question that I would like to get some feedback / insight on from you. Thank you.

 

I am debating the answer given, so reaching out to you if you can shed some insight, please. 

 

I've copied/mentioned some folks here whom I encountered or whose feedback I saw in other communities. Thank you all in advance.

 @rslade @dcontesti @denbesten  @funkychicken @Vigenere @Shannon @gidyn @alekos

 

 

Question 9. 

 

Which data role is tasked with applying rights that provide appropriate access to staff members?

 

A.  Data processors

B.  Business owners

C.  Custodians

D.  Administrators 

 

 

Answer: Given answer is Administrators

 

But Administrator is not a data-specific role. I know that a Data Custodian could be an Administrator, but it is said so in this question. So is D. Administrators the correct answer here? I think it would be C. Custodians, who will engage an administrator to do the job.

 

Your feedback is appreciated. Thank you.

tim73
Viewer II

The answer for securing email is C. "Sensitive email should be encrypted and labelled" seems appropriate as it aligns with the principle of protecting information based on its classification. Encrypting and labelling only sensitive emails is often a more practical approach, especially if classification details are provided. However, if there’s no classification context, a broader recommendation like A, that all email should be encrypted, could be a good default approach to ensure comprehensive security.

Actually I studied this question in CertsLab's sample questions. I also recommend to others: if you are looking further into CISSP exam preparation, you might find CertsLab's sample questions and practice materials helpful. They provide a range of questions to test your knowledge and refine your understanding. Check them out here: CertsLab CISSP Practice Questions. Good luck with your studies!

 

Rooks
Newcomer III


@tim73 wrote:

The answer for securing email is C. "Sensitive email should be encrypted and labelled" seems appropriate as it aligns with the principle of protecting information based on its classification. Encrypting and labelling only sensitive emails is often a more practical approach, especially if classification details are provided. However, if there’s no classification context, a broader recommendation like A, that all email should be encrypted, could be a good default approach to ensure comprehensive security.

Actually I studied this question in CertsLab's sample questions. I also recommend to others: if you are looking further into CISSP exam preparation, you might find CertsLab's sample questions and practice materials helpful. They provide a range of questions to test your knowledge and refine your understanding. Check them out here: CertsLab CISSP Practice Questions. Good luck with your studies!

 


Thank you, @tim73 , for your feedback and advice - much appreciated. 

Rooks
Newcomer III

Hi All,

 

I'm trying to get some solid information (steps) on how a client validates a PKI certificate that it gets from a server using the CA's digital signature on the certificate. I found some information on the net, but nothing explains it properly. What are the steps that a client (requestor) goes through to confirm the PKI certificate from the CA?

 

I understand the rest of the PKI process clearly except what I outlined above.  Thank you.

 

funkychicken
Contributor I

Hi, sorry, I have been away and been a little busy.

 

In answer to this question: Information Security in the business stops with the topmost decision maker. It is specified in the official training that decisions about security are pushed from the top down because they need to encompass senior management support to distribute to the rest of the business. This means that the CIO and CISO are ruled out because the CEO is effectively in charge of everything.

 

In the C-Suite, even if the CIO wanted to make a decision about a security policy, it would need to be signed off by the CEO even before it was deployed. Sometimes a business does not have a CIO due to the size and rarely will have a CISO if a CIO already exists. Ideally a Security manager will need to report to a CIO or a CISO who will then feed back to the CEO. This is not the case in all businesses though because of the size and type of the business. 

 

In terms of Directors or the Board of Directors, these representatives are at the top of the business and may sit above the CEO or with the CEO. They will all have the responsibility of providing due care and diligence, making the right decisions about security and leading the business.

 

So with this, and taking into account a legal change that comes from law and needs to be implemented in the business, it would be the Board of Directors that ensures this is implemented in the business, which may or may not include the CEO.

 

I have not seen this question appear with these answers before. Usually there is only 1 choice for the owners of the business who are ultimately responsible for decisions made about security. 

 

Rooks
Newcomer III


@funkychicken wrote:

Hi, sorry, I have been away and been a little busy.

 

In answer to this question: Information Security in the business stops with the topmost decision maker. It is specified in the official training that decisions about security are pushed from the top down because they need to encompass senior management support to distribute to the rest of the business. This means that the CIO and CISO are ruled out because the CEO is effectively in charge of everything.

 

In the C-Suite, even if the CIO wanted to make a decision about a security policy, it would need to be signed off by the CEO even before it was deployed. Sometimes a business does not have a CIO due to the size and rarely will have a CISO if a CIO already exists. Ideally a Security manager will need to report to a CIO or a CISO who will then feed back to the CEO. This is not the case in all businesses though because of the size and type of the business. 

 

In terms of Directors or the Board of Directors, these representatives are at the top of the business and may sit above the CEO or with the CEO. They will all have the responsibility of providing due care and diligence, making the right decisions about security and leading the business.

 

So with this, and taking into account a legal change that comes from law and needs to be implemented in the business, it would be the Board of Directors that ensures this is implemented in the business, which may or may not include the CEO.

 

I have not seen this question appear with these answers before. Usually there is only 1 choice for the owners of the business who are ultimately responsible for decisions made about security. 

 


Thank you for chiming in, @funkychicken.

 

Interestingly, ISC2 does not reference the Board of Directors, at least I haven't seen any such reference. Other organizations like ISC2 say clearly that it is the Board of Directors.