Friday, 17 April 2015

CISSP Exam Preparation (Question 292)

(292) Which one of the following is the MAIN goal of a security awareness program when addressing senior management?

A. Provide a vehicle for communicating security procedures.
B. Provide a clear understanding of potential risk and exposure.
C. Provide a forum for disclosing exposure and risk analysis.
D. Provide a forum to communicate user responsibilities.

Correct Answer: B


When the Security Officer addresses Senior Management, the focus is not on user responsibilities; it is on making sure Senior Management has a clear understanding of the risk and potential liability. The answer is not D: item D would be correct in a situation where Senior Management is addressing organizational staff.

- Idham Azhari

Friday, 10 April 2015

CISSP Exam Preparation (Question 291)

(291) Which of the following is most relevant to determining the maximum effective cost of access control?

A. the value of information that is protected
B. management's perceptions regarding data importance
C. budget planning related to base versus incremental spending
D. the cost to replace lost data

Correct Answer: A


- Idham Azhari

Friday, 03 April 2015

CISSP Exam Preparation (Question 290)

(290) What is the MAIN purpose of a change control/management system?

A. Notify all interested parties of the completion of the change.
B. Ensure that the change meets user specifications.
C. Document the change for audit and management review.
D. Ensure the orderly processing of a change request.

Correct Answer: C


- Idham Azhari

Friday, 27 March 2015

CISSP Exam Preparation (Question 289)

(289) Within the organizational environment, the security function should report to an organizational level that

A. Has information technology oversight.
B. Has autonomy from other levels.
C. Is an external operation.
D. Provides the internal audit function.

Correct Answer: B


- Idham Azhari

Friday, 20 March 2015

CISSP Exam Preparation (Question 288)

(288) Organizations develop change control procedures to ensure that

A. All changes are authorized, tested, and recorded.
B. Changes are controlled by the Policy Control Board (PCB).
C. All changes are requested, scheduled, and completed on time.
D. Management is advised of changes made to systems.

Correct Answer: A


"Change Control: Changes must be authorized, tested, and recorded. Changed systems may require recertification and re-accreditation." (Shon Harris, All-in-One CISSP Certification, p. 699)

- Idham Azhari

Sunday, 15 March 2015

CHAP 1: Information Security Governance and Risk Management - Introduction

CHAPTER 1: Information Security Governance and Risk Management

Exam Objectives in this Chapter

  • Risk analysis
  • Information security governance


Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate them. We work in various roles as firewall engineers, penetration testers, auditors, management, and the like. The common thread is risk: It is part of our job description.

The Information Security Governance and Risk Management domain focuses on risk analysis and mitigation. It also details security governance, or the organizational structure required for a successful information security program. The difference between organizations that are successful and those that fail in this realm is usually not tied to dollars or staff size: It is tied to the right people in the right roles. Knowledgeable and experienced information security staff and supportive and vested leadership are the keys to success.

Speaking of leadership, learning to speak the language of leaders is another key to personal success in this industry. The ability to effectively communicate information security concepts with C-level executives is a rare and needed skill. This domain also helps you speak this language by discussing risk in terms such as Total Cost of Ownership (TCO) and Return on Investment (ROI).

- Quoted by Idham Azhari from Eleventh Hour CISSP - Study Guide

Friday, 13 March 2015

CISSP Exam Preparation (Question 287)

(287) Information security is the protection of data. Information will be protected mainly based on:

A. Its sensitivity to the company.
B. Its confidentiality.
C. Its value.
D. All of the choices.

Correct Answer: D


Information security is the protection of data against accidental or malicious disclosure, modification, or destruction. Information will be protected based on its value, confidentiality, and/or sensitivity to the company, and the risk of loss or compromise. At a minimum, information will be update-protected so that only authorized individuals can modify or erase the information.

- Idham Azhari