Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
All right, let's get started. Hey y'all, Sean Gerber with CISSP Cyber Training, and today is CISSP Question Thursday. But before we get started, we're going to talk about just a quick article I was reading in Infosec Industry. It was brought up on Forbes and it's related to the changes that are happening within Gmail.
Gmail is recommending that you put in place multi-factor if you don't already have it, and the reason they're doing that is they've been seeing a lot of different challenges that have been happening to their various platforms, and one of the things they said is if you really have these three items, you need to consider putting in place your multi-factor. One is creating, editing or importing a filter.
Two is adding or forwarding addresses from a Post Office Protocol, which is your POP, right, your email POP or your IMAP protocols as well. So if you have an email that you forward to, they'll want that in there. And then also, if you're enabling IMAP access from your settings. Bottom line is they want you to add this multi-factor capability now.
One interesting part of that is it already has much of this built into it. If you don't have it enabled, it's going to prompt you toward enabling that.
Obviously, what they're running into is some issues with malicious actors that are trying to game the overall situation, and they recommend that you get that done as soon as you possibly can. So if you have a Gmail account, that might be something to consider.
Also, as a security person working on your CISSP understanding, some of these articles are really important, especially for some of your senior leaders, because what's going to happen is your senior leaders may have questions for you and require this of you, saying, hey, I don't know what to do.
If you already come with some level of knowledge around this and maybe even put out a recommendation to them, that would be a great first step in helping them. So just kind of keep that in mind.
But Gmail is recommending your multi-factor is enabled, and again I come back to the fact that you will have users that are going to ask you questions specifically around this topic. Okay, let's get started on the CISSP questions and let's see what we've got today.
Okay, question one: which of the following best describes the fundamental purpose of an organization's security governance program? A, implementing security technologies. B, compliance with legal regulations. C, ensuring a secure organizational culture. Or D, aligning security with business objectives?
So again, which best describes the fundamental purpose of an organization's security governance program? And the answer is D, aligning security with your business objectives.
That is something you will deal with a lot as a CISSP, and your security governance is a framework that will help align with the overall strategy of what your business is looking to accomplish. And so, again, that's really an important factor: it always comes back to the business objectives.
Question two: which framework emphasizes continuous monitoring and risk management? So now they gave you some acronyms, so the key around this is you're going to have to know these acronyms to be able to understand what they are. So which framework emphasizes continuous monitoring and risk management? COBIT, ITIL, COSO, that's C-O-S-O.
And then D is RMF, Romeo Mike Foxtrot, and the answer is RMF, Risk Management Framework. This emphasizes continuous monitoring and risk management, and integrating these processes into your various development life cycles. Now the key question is, if you get this question, what do I do?
So if you're dealing with COBIT, obviously that is a framework out there, but it doesn't deal with risk. It's more in the IT space. It does have a little bit of risk, but it's not totally around that. ITIL and COSO are something you may or may not be aware of, but RMF you can just kind of make the assumption it would deal with risk.
So that's gonna be a tough one for you. Question three: ISO 27001 is primarily concerned with what aspect of information security management? A, risk management. B, compliance monitoring. C, software development. Or D, physical security.
Question again: ISO 27001 is primarily concerned with what aspect of information security management? A, risk management, B, compliance monitoring, C, software development or D, physical security. When you're dealing with ISO 27001, always think of risk management. That's the purpose behind it.
It is designed specifically around risk management and information security management, and its overall business risk is what it's focused on. So you could possibly come down to compliance monitoring and maybe bite off on that, but risk management's a key factor when it comes to 27001.
How does the application of a balanced scorecard benefit an organization's security governance program? So the question is how does the application, so basically putting in place, of a balanced scorecard benefit an organization's security governance program? So the scorecard is basically: what do you do, right? How is your patching doing?
How is your mobile program going, so on and so forth. So it's just giving you a grade, right? Well, A, it ensures total regulatory compliance. B, it measures your financial performance only. C, it balances security controls with business goals. Or D, it focuses exclusively on technology improvements.
So if you don't know how to answer this, when you start getting into "exclusively", "ensures total" or "financial performance only", those are key indicators that that might not be the right answer. The actual answer is C, it balances security controls with your business goals.
The ultimate goal, aligning your security controls with your business goals, is an important factor in any sort of security governance program. So again, you wanna make sure that you key in on some of those key words.
Question five: which principle of security governance focuses on ensuring that decisions are made by individuals with the appropriate authority and responsibility? The principle of security governance focuses on ensuring that decisions are made by individuals with appropriate authority and responsibility. The answers: one of the answers is protection. Okay, what's that?
We're talking about principles here. The protection principle, responsibility, accountability or transparency. So again, it focuses on ensuring decisions are made by individuals with the appropriate authority and their responsibility, and the answer is C, accountability. This ensures that those that have the appropriate authority and responsibility can make those decisions. Very tricky.
Those are kinda tough ones because you get real quick. If you roll through this too fast you could just start picking ones that are not correct. Question six: in the context of the NIST Cybersecurity Framework, what does the Protect function primarily emphasize? So you're gonna focus on the Protect aspect.
You have A, monitoring, B, penetration testing, C, disaster recovery or D, access control. And the answer is D. The Protect function of the Cybersecurity Framework primarily emphasizes the implementation of appropriate safeguards to deliver critical infrastructure services, and it's based on access control.
Question seven: what is the primary goal of a security control framework such as NIST Special Publication 800-53? The primary goal of the security control framework: A, identify potential threats. B, ensure compliance with laws and regulations. C, establishing security controls and the associated guidelines. Or D, developing security technologies.
So what is the primary goal of this? And that is C, establishing security controls and guidelines. 800-53 focuses on providing the guidelines and standards for implementing these security controls, especially within federal information systems. That's the key point also to keep in mind: NIST focuses on US-based federal systems.
However, many use NIST because of the fact that it can be used with any organization. Question eight: which international standard focuses on the implementation of risk management processes that are integrated with the overall business risk? Again, "international" is a focus keyword and "implementation of risk management processes" is a keyword.
And then it's integrated with overall business risk. So you have ISO 27002, ISO 27005, ISO 27001 and NIST 800-53. Again, which one is it? Which international standard focuses on this? So it would be ISO 27001, which focuses on risk management with the organization's overall risks.
Okay, question nine: what does the Sherwood Applied Business Security Architecture, SABSA, primarily aim to provide? Now, when I first took the CISSP, I had no idea what this would be and honestly, even on my job, I'm not totally connected with SABSA. But one thing, I started doing some digging into this and I figured, you know what?
Let's throw this out there as a question and then see what you think. Well, we'll go through some of the responses. A, detailed technical controls. B, business-driven approach to security. C, compliance with GDPR. Or D, network security protocols. If you don't know what this is, focus on the name: Sherwood Applied Business Security Architecture.
So "business" is a keyword, and it's a security architecture. So if it's an architecture, it's not going to be designed specifically on detailed technical controls. Most architecture is not in detail; it's more of a larger abstract environment.
Compliance with GDPR, answer C: no, it's not focused on that, because it really doesn't get into it. It could, potentially, because it's business related, but I wouldn't glob onto that one. And then network security protocols: it doesn't have anything to do with network security protocols.
So if you had to narrow it down, you potentially could go with B and C, but the actual answer is B, the business-driven approach to security. It's a framework and a methodology for delivering a cohesive information security solution that aligns with your business, thus providing a business-driven approach.
Okay, so which of the following is not an underlying principle of COBIT? So we talked about this before. What is COBIT? That's one of the frameworks that deals specifically around IT. So if you know that going into it, then the answers would be: meeting stakeholders' needs is one answer, that's A. Applying a single integrated framework, that would be B. Or C, enabling a holistic approach. Or D, ensuring technological advancement. Okay, so which of the following is not an underlying principle of COBIT? Okay, so it's easy to glob onto the wrong one on this. But meeting the stakeholders' needs, that would be a principle that you would want it to do.
Applying a single integrated framework: COBIT is an integrated framework. You'd want that to be the case. C, enabling a holistic approach. It's all about, it's a full-up, again, basically around the whole situation. Or D, ensuring technological advancement.
Now, even though COBIT focuses on IT and it focuses on that aspect of it, it's not an underlying principle of COBIT. Okay, COBIT focuses on the stakeholders' needs, your integrated framework, and enabling a holistic approach. So again, think about the question: which is not an underlying principle of COBIT?
Again, it's highly focused on IT and the technological aspects, but it's not ensuring that technological advancement is occurring. Okay, what is the primary focus of the COSO framework? Okay, so COSO is the Committee of Sponsoring Organizations of the Treadway Commission. Okay, so that's really hard, right, but basically that's the purpose of COSO.
Now the focus of it, since it is the Committee of Sponsoring Organizations of the Treadway Commission, okay, this focuses on internal controls within an organization, especially related to financial reporting. So, as you're going down this path, you may not have heard of COSO before; it is focused on internal financial reporting.
So, when we look at the questions, what is the primary focus of COSO? A, network security: no. B, internal controls within an organization: possibly. C, disaster recovery: not really. D, incident response: not really. So the answer would have to be B. So again, you've got to understand the COSO framework, even if you didn't know the COSO framework.
If you understand it's probably not dealing with disaster recovery or incident response, because both of them would probably fall within a very similar area, you could throw those out. Network security, it doesn't. I've never talked about that too much in our podcast, so it probably isn't one that would fall into that.
So you then break it down to internal controls within an organization. Next question: which stage of the RMF process includes the formal acceptance of a system? A, categorize, B, implement, C, authorize or D, monitor. So we're talking about the risk matrix framework, right, the Risk Management Framework. So that's the RMF.
The Risk Management Framework: what includes the formal acceptance of the system? A, categorize, B, implement, C, authorize or D, monitor. And the answer is C, authorize. Authorize is the stage in the RMF process that involves the formal acceptance of the system and understanding the security controls that are in place.
In the context of security control frameworks, what does the term "baseline" refer to? Okay, so in the context of security control frameworks, what does the term baseline refer to? A, a set of minimum security controls. B, the first phase in a risk assessment. C, the security incident response plan. Or D, the network monitoring tool.
So you're looking at a baseline. Again, that sets the beginning, the minimum security standards. What would that be? A, a set of minimum security controls or standards that you have in place. That is your baseline. This is the starting point for your system hardening and your overall risk management strategy.
Okay, I'm going to give you a couple of scenario questions real quick here. The CEO of a large financial organization is pushing for a quicker adoption of new technologies to stay competitive. As the CISO, you decide to follow a risk management framework to ensure a balance between rapid technology development and security.
Which of the following is not generally used for this purpose? So you're looking for a risk management framework, okay, to help balance between rapid technology and security. And you're also looking for a quick adoption. So the following frameworks: NIST 800-53. So again, look at the negatives. This is not generally used for this purpose.
NIST 800-53, ISO 27001, COBIT or Agile. So, as we've talked about in the podcast, those top three are frameworks. Agile is not a framework. Well, it is a framework, but it's a software development framework. It is not specifically around the overall risk management process that you would typically be tied to with 800-53 or ISO 27001 or COBIT.
Sorry, can't speak, but again, Agile is a framework focused on software development, so it is not used for this specific purpose. Okay, so next question: your organization is evaluating the financial impact of a potential data breach. The asset value is $500,000. So the one asset you're looking at, the value of it.
Okay, when we talk about this whole plan of figuring out your single loss expectancy, this is your SLE. The asset value, AV, is $500,000. The exposure factor is 60%, which basically means 60% when you were exposed. What is the single loss expectancy that you could attribute to this potential data breach? You have $30,000. You have $60,000.
You have $300,000, or you have $500,000. Again, so the overall single loss expectancy with an exposure factor of 60% is $300,000. So you basically take $600,000, or not $600,000, you take $500,000 times 60% and that will give you your single loss expectancy of $300,000. Okay, thank you so much for today. You're all done. I hope you have a wonderful day.
Go out to cisspcybertraining.com and you can check out what I've got there. It's available to you at any time and there's a lot of great stuff, from the blueprints to the videos, to questions you can ask me directly. I answer those. I really do.
So please head on out to cisspcybertraining.com and go sign up for my free 30 days of CISSP questions, if you want that, or just go out there and see what other products we have available. I guarantee you, you will not be disappointed. All right, have a wonderful day and we'll catch you on the flip side. See you.