Newcomer I

Re: CISSP questions

D - Although requirement development is a bit further down the lifecycle (Initiation - Functional requirements - Design - Development - implementation - testing - Deployment), it’s still the best answer option compared to the others.
Community Champion

Re: CISSP questions

> aphelps52 (Viewer) posted a new reply in Exams on 08-12-2020 12:42 AM in the

> Would an RSA token be an example of this?

and

> That reply was to the one-time password question where the answer was
> "something you have"

Yes, generally a password "generating" token would be considered "something you
have." Sometimes a one-time-password is on the basis of a pre-established list,
and then it *might* be argued that it might be "something you know" (although
most of the time, even then, you would "have" the list, rather than memorizing
it).

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
Hard work is simply the refuge of people who have nothing
whatever to do. - Oscar Wilde
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Community Champion

Re: CISSP questions

And, given that you posted to the topic, as promised:

System Development Controls are based on

a. a detailed set of business objectives.
b. a logical design for security testing.
c. an auditor designated review process.
d. a standard methodology for project performance.

Answer: d.

(Reference: Caelli, Longley, and Shain, Information Security Handbook, Stockton
Press, 1991, pg 244)

Newcomer I

Re: CISSP questions

Your comments are gems.

Especially where you say "if you don't know something, it doesn't mean it is correct".

I was getting so wound up in the terms I had never heard of.

Newcomer I

Re: CISSP questions

Hi Shanon:

C was chosen because pen testing doesn't really care about or focus on the probability of a threat exploiting the vulnerability they found, or they may not be experts in making such judgments. And risk analysis basically means that.

They may have some ideas about risk but won't really be an authoritative voice on it.

Would my understanding be correct?
Community Champion

Re: CISSP questions

When verifying the key control objectives of a system design, the security
specialist should ensure that the

a. Final system design has security administrator approval
b. Auditing procedures have been defined
c. Vulnerability assessment has been completed
d. Impact assessment has been approved

Answer: c.

Reference: HISM, edited by Ruthberg & Tipton; Auerbach; 1993, pg 309.

Discussion:

Answer a is a fabricated distractor. (The security admin probably doesn't do design
approval.)
Answer b is a necessary step in the security administration process, but isn't a
primary part of system control design.
Answer c - correct - a key step in the System Design process.
Answer d is possibly important, particularly in risk assessment or business
continuity planning, but, again, isn't vital to system control design.

Community Champion

Re: CISSP questions


@rajus wrote:

Especially where you say "if you don't know something, it doesn't mean it is correct".

I was getting so wound up in the terms I had never heard of.


Quite common.  It's part of the design of exam questions to account for people who are good at guessing which answer "sounds good," even if they don't know the field.


Newcomer III

Re: CISSP "sample" questions

@rslade This question looks incomplete to me.
"Prior to implementation <of what?>, a complete description of an operational security issue should specify threat, vulnerability, and"
"I have no special talent. I am only passionately curious."
Community Champion

Re: CISSP questions


@Vigenere wrote:

This question looks incomplete to me.
"Prior to implementation <of what?>, a complete description of an operational security issue should specify threat, vulnerability, and"


There are two types of people in this world: those who can tolerate ambiguity.

Viewer III

Re: CISSP "sample" questions
@Vigenere  Are you referring to this question:
At what stage of the applications development process should the security department become involved?
a. Prior to the implementation (of the application(s))
b. Prior to systems testing (of the application(s))
c. During unit testing (of the application(s))
d. During requirements development (of the application(s))

If so, what's incomplete? The question clearly states "applications development process," so we know we're talking about an...application or applications, right? Then, by default, each of the answer choices points back to the same; it's simply that "of the application(s)" is not tacked on to the end of each choice, but I added that phrase and perhaps this makes the answer choices more clear. Does this help?

And further to the point, if you've just started studying for the CISSP exam or have not reached Domain 8 yet, you may not know that this question is referring to aspects of the SDLC. Good luck as you forge ahead.