ISC Updated CISSP Exam Questions and Answers by miruna

According to the CISSP CBK Official Study Guide1, the identity management process in which the subject’s identity is established is enrollment. Enrollment is the process of registering or enrolling a subject into an identity management system, such as a user into an authentication system, or a device into a network. Enrollment is the process in which the subject’s identity is established, as it involves verifying and validating the subject’s identity, as well as collecting and storing the subject’s identity attributes, such as the name, email, or biometrics of the subject. Enrollment also involves issuing and assigning the subject’s identity credentials, such as the username, password, or certificate of the subject. Enrollment helps to create and maintain the subject’s identity record or profile, as well as to enable and facilitate the subject’s access and use of the system or network. Trust is not the identity management process in which the subject’s identity is established, although it may be a factor that influences the enrollment process. Trust is the degree of confidence or assurance that a subject or an entity has in another subject or entity, such as a user in a system, or a system in a network. Trust may influence the enrollment process, as it may determine the level or extent of the identity verification and validation, as well as the identity attributes and credentials that are required or provided for the enrollment process. Provisioning is not the identity management process in which the subject’s identity is established, although it may be a process that follows or depends on the enrollment process. Provisioning is the process of creating, assigning, and configuring a subject’s account or resource with the necessary access rights and permissions to perform the tasks and functions that are required by the subject’s role and responsibilities, as well as the security policies and standards of the system or network. Provisioning is not the process in which the subject’s identity is established, as it does not involve verifying and validating the subject’s identity, or collecting and storing the subject’s identity attributes or credentials. Authorization is not the identity management process in which the subject’s identity is established, although it may be a process that follows or depends on the enrollment process. Authorization is the process of granting or denying a subject’s access or use of an object or a resource, based on the subject’s identity, role, or credentials, as well as the security policies and rules of the system or network. Authorization is not the process in which the subject’s identity is established, as it does not involve verifying and validating the subject’s identity, or collecting and storing the subject’s identity attributes or credentials. References: 1

Changes to a Trusted Computing Base (TCB) system that could impact the security posture of that system and trigger a recertification activity are documented in the security impact analysis. A TCB system is a system that consists of the hardware, software, and firmware components that enforce the security policy and protect the security-relevant information of the system. A TCB system is usually certified or accredited to meet certain security standards or criteria, such as the Common Criteria or the Trusted Computer System Evaluation Criteria (TCSEC). A security impact analysis is a document that describes the changes made to a TCB system, such as adding, modifying, or removing components or functions, and analyzes the potential effects of the changes on the security of the system, such as introducing new vulnerabilities, risks, or threats. A security impact analysis can help to determine whether the changes require a recertification or reaccreditation of the TCB system, or whether the changes can be accepted without affecting the security level or assurance of the system. The other options are not the documents that document the changes to a TCB system, but rather different types of documents. A structured code review is a document that records the results of a systematic and rigorous examination of the source code of a software component or system, such as a TCB system, to detect errors, bugs, or vulnerabilities. A structured code review can help to improve the quality, reliability, and security of the software, but it does not document the changes made to the software. A routine self assessment is a document that reports the findings and recommendations of a periodic and voluntary evaluation of the security controls and measures of a system or organization, such as a TCB system, to measure the effectiveness, efficiency, and compliance of the security. A routine self assessment can help to identify and address the security gaps, weaknesses, or issues, but it does not document the changes made to the system. A cost benefit analysis is a document that compares the costs and benefits of different security solutions or alternatives for a system or organization, such as a TCB system, to justify the investment in security. A cost benefit analysis can help to evaluate the trade-offs between the security costs and the security benefits, but it does not document the changes made to the system. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, p. 416; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, p. 149.

After acquiring the latest security updates, the best practice is to install the patches on a test system before deploying them to the production systems. This is to ensure that the patches are compatible with the system configuration and do not cause any adverse effects or conflicts with the existing applications or services. The test system should be isolated from the production environment and should have the same or similar specifications and settings as the production system.

• A. Use tools to detect missing system patches is not something that must be done after acquiring the latest security updates, but rather something that must be done before acquiring the security updates. This is to identify the current patch level and the patch requirements of the system.
• C. Subscribe to notifications for vulnerabilities is not something that must be done after acquiring the latest security updates, but rather something that must be done as part of the ongoing patch management process. This is to stay informed of the latest security threats and vulnerabilities and the corresponding patches or mitigations.
• D. Assess the severity of the situation is not something that must be done after acquiring the latest security updates, but rather something that must be done before acquiring the security updates. This is to prioritize the patching activities based on the risk and impact of the vulnerabilities.

References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6, page 336; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 6, page 297

 For an organization considering two-factor authentication for secure network access, the most secure option is smart card and biometrics. A smart card is a physical device that contains a microchip or a magnetic stripe that stores information, such as a digital certificate, a private key, or a personal identification number (PIN). A biometric is a physical or behavioral characteristic of a user that can be measured and compared, such as a fingerprint, a retina scan, a voice print, or a facial recognition. Smart card and biometrics are two different types of factors that can provide strong and reliable authentication for network access. A smart card can prove that the user has a valid credential or key, while a biometric can prove that the user is who they claim to be. Smart card and biometrics can prevent unauthorized or fraudulent access, as they are difficult to forge, copy, or share56 References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, pp. 322-323; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, pp. 450-451.