ISC Updated CISSP Exam Questions and Answers by matthias

The most important priority for the information security officer is to obtain the formal acceptance of the security strategy. The security strategy is a document that defines the vision, mission, goals, and objectives of the security program, and that aligns the security activities and initiatives with the business needs and requirements. The formal acceptance of the security strategy means that the security strategy is approved and supported by the senior management and the key stakeholders of the organization, and that it is communicated and understood by the employees and the users. The formal acceptance of the security strategy can help to ensure the success and the effectiveness of the security program, as it can provide the authority, the resources, the guidance, and the accountability for the security officer and the security department. Disciplinary actions taken against unethical behavior, development of an awareness program for new employees, and audit of all organization system configurations for faults are not the most important priorities for the information security officer, as they are related to the enforcement, the education, or the evaluation of the security policies and procedures, not the definition or the approval of the security strategy. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 32. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 47.

Configuration control procedures are critical for establishing an initial baseline for software components in the operation and maintenance of applications. Configuration control procedures are the processes and activities that ensure the integrity, consistency, and traceability of the software components throughout the SDLC. Configuration control procedures include identifying, documenting, storing, reviewing, approving, and updating the software components, as well as managing the changes and versions of the components. By establishing an initial baseline, the organization can have a reference point for measuring and evaluating the performance, quality, and security of the software components, and for applying and tracking the changes and updates to the components. The other options are not as critical as configuration control procedures, as they either do not establish an initial baseline (A and C), or do not apply to all software components (D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, page 468; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, page 568.

Encrypting the entire disk and deleting the contents after a set number of failed access attempts provides the most protection against data theft of sensitive information when a laptop is stolen. This method ensures that the data is unreadable without the correct decryption key, and that the data is erased if someone tries to guess the key or bypass the encryption. Setting up a BIOS and operating system password, encrypting the virtual drive, or implementing a policy are less effective methods, as they can be circumvented by physical access, booting from another device, or copying the data to another location. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, p. 269; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 5: Identity and Access Management (IAM), p. 521.

The most likely factor that will influence the selection of top initiatives is the severity of risk. The severity of risk is a measure of the impact or the consequence of a threat exploiting a vulnerability, and the likelihood or the probability of that occurrence. The severity of risk can help to prioritize the security initiatives, as it can indicate the level of urgency or importance of addressing or mitigating the risk, and the potential benefit or value of implementing the initiative. The security initiatives that have the highest severity of risk should be selected as the top initiatives, as they can provide the most protection or improvement for the security program. Complexity of strategy, frequency of incidents, and ongoing awareness are not the most likely factors that will influence the selection of top initiatives, as they are related to the difficulty, the occurrence, or the education of the security program, not the prioritization or the justification of the security initiatives. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 25. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 40.