ISC Updated CISSP Exam Questions and Answers by caden

When developing a business case for updating a security program, the security program owner must identify relevant metrics that can help to measure and evaluate the performance and the effectiveness of the security program, as well as to justify and support the investment and the return of the security program. A business case is a document or a presentation that provides the rationale or the argument for initiating or continuing a project or a program, such as a security program, by analyzing and comparing the costs and the benefits, the risks and the opportunities, and the alternatives and the recommendations of the project or the program. A business case can provide some benefits for security, such as enhancing the visibility and the accountability of the security program, preventing or detecting any unauthorized or improper activities or changes, and supporting the audit and the compliance activities. A business case can involve various elements and steps, such as:

• Problem statement, which is the description or the definition of the problem or the issue that the project or the program aims to solve or address, such as a security gap, a security threat, or a security requirement.
• Solution proposal, which is the explanation or the demonstration of the solution or the approach that the project or the program offers or adopts to solve or address the problem or the issue, such as a security tool, a security process, or a security standard.
• Cost-benefit analysis, which is the calculation or the estimation of the costs and the benefits of the project or the program, both in quantitative and qualitative terms, such as the financial, operational, or strategic costs and benefits, and the comparison or the evaluation of the costs and the benefits, to determine the feasibility and the viability of the project or the program.
• Risk assessment, which is the identification and the analysis of the risks or the uncertainties that may affect the project or the program, both in positive and negative terms, such as the threats, vulnerabilities, or opportunities, and the estimation or the evaluation of the likelihood and the impact of the risks, to determine the severity and the priority of the risks, and to develop or implement the risk mitigation or the risk management strategies or actions.
• Alternative analysis, which is the identification and the analysis of the alternative or the comparable solutions or approaches that may solve or address the problem or the issue, other than the proposed solution or approach, such as the existing or the available solutions or approaches, or the do-nothing or the status-quo option, and the comparison or the evaluation of the alternative solutions or approaches, to determine the advantages and the disadvantages, the strengths and the weaknesses, and the pros and the cons of each alternative solution or approach.
• Recommendation, which is the suggestion or the endorsement of the best or the preferred solution or approach that can solve or address the problem or the issue, based on the results or the outcomes of the previous elements or steps, such as the cost-benefit analysis, the risk assessment, or the alternative analysis, and the justification or the support of the recommendation, by providing the evidence or the data that can validate or verify the recommendation.

Identifying relevant metrics is a key element or step of developing a business case for updating a security program, as it can help to measure and evaluate the performance and the effectiveness of the security program, as well as to justify and support the investment and the return of the security program. Metrics are measures or indicators that can quantify or qualify the attributes or the outcomes of a process or an activity, such as the security program, and that can provide the information or the feedback that can facilitate the decision making or the improvement of the process or the activity. Metrics can provide some benefits for security, such as enhancing the accuracy and the reliability of the security program, preventing or detecting fraud or errors, and supporting the audit and the compliance activities. Identifying relevant metrics can involve various tasks or duties, such as:

• Defining and documenting the objectives, scope, criteria, and methodology of the metrics, and ensuring that they are consistent and aligned with the business case and the security program.
• Selecting and collecting the data or the evidence that are related to the metrics, using various tools and techniques, such as surveys, interviews, tests, or audits.
• Analyzing and interpreting the data or the evidence that are related to the metrics, using various methods and models, such as statistical, mathematical, or graphical methods or models.
• Reporting and communicating the results or the findings of the metrics, using various formats and channels, such as reports, dashboards, or presentations.

Preparing performance test reports, obtaining resources for the security program, and interviewing executive management are not the tasks or duties that the security program owner must do when developing a business case for updating a security program, although they may be related or possible tasks or duties. Preparing performance test reports is a task or a technique that can be used by the security program owner, the security program team, or the security program auditor, to verify or validate the functionality and the quality of the security program, according to the standards and the criteria of the security program, and to detect and report any errors, bugs, or vulnerabilities in the security program. Obtaining resources for the security program is a task or a technique that can be used by the security program owner, the security program sponsor, or the security program manager, to acquire or allocate the necessary or the sufficient resources for the security program, such as the financial, human, or technical resources, and to manage or optimize the use or the distribution of the resources for the security program. Interviewing executive management is a task or a technique that can be used by the security program owner, the security program team, or the security program auditor, to collect and analyze the information and the feedback about the security program, from the executive management, who are the primary users or recipients of the security program, and who have the authority and the accountability to implement or execute the security program. 

The main purpose of a change management policy is to ensure that all changes made to the IT infrastructure are approved, documented, and communicated effectively across the organization. This helps to minimize the risks associated with unauthorized or poorly planned changes, such as security breaches, system failures, or compliance issues. A change management policy does not assure management that changes are necessary, identify the changes that may be made, or determine the necessity for implementing modifications, although these may be part of the change management process. References: CISSP CBK Reference

 The technique that an organization should use to assure application integrity is digital signing. Digital signing is a technique that uses cryptography to generate a digital signature for a message or a document, such as an application. The digital signature is a value that is derived from the message and the sender’s private key, and it can be verified by the receiver using the sender’s public key. Digital signing can help to assure application integrity, which means that the application has not been altered or tampered with during the transmission or storage. Digital signing can also help to assure application authenticity, which means that the application originates from the legitimate source. Application authentication, input validation, and device encryption are not techniques that can assure application integrity, but they can help to assure application security, usability, or confidentiality, respectively. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Security Engineering, page 607; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 3: Security Architecture and Engineering, page 388.

Monitoring of a control should occur at a rate concurrent with the volatility of the security control when implementing Information Security Continuous Monitoring (ISCM) solutions. ISCM is a process that involves maintaining the ongoing awareness of the security status, events, and activities of a system or network, by collecting, analyzing, and reporting the security data and information, using various methods and tools. ISCM can provide several benefits, such as:

• Improving the security and risk management of the system or network by identifying and addressing the security weaknesses and gaps
• Enhancing the security and decision making of the system or network by providing the evidence and information for the security analysis, evaluation, and reporting
• Increasing the security and improvement of the system or network by providing the feedback and input for the security response, remediation, and optimization
• Facilitating the compliance and alignment of the system or network with the internal or external requirements and standards

A security control is a measure or mechanism that is implemented to protect the system or network from the security threats or risks, by preventing, detecting, or correcting the security incidents or impacts. A security control can have various types, such as administrative, technical, or physical, and various attributes, such as preventive, detective, or corrective. A security control can also have different levels of volatility, which is the degree or frequency of change or variation of the security control, due to various factors, such as the security requirements, the threat landscape, or the system or network environment.

Monitoring of a control should occur at a rate concurrent with the volatility of the security control when implementing ISCM solutions, because it can ensure that the ISCM solutions can capture and reflect the current and accurate state and performance of the security control, and can identify and report any issues or risks that might affect the security control. Monitoring of a control at a rate concurrent with the volatility of the security control can also help to optimize the ISCM resources and efforts, by allocating them according to the priority and urgency of the security control.

The other options are not the correct frequencies for monitoring of a control when implementing ISCM solutions, but rather incorrect or unrealistic frequencies that might cause problems or inefficiencies for the ISCM solutions. Continuously without exception for all security controls is an incorrect frequency for monitoring of a control when implementing ISCM solutions, because it is not feasible or necessary to monitor all security controls at the same and constant rate, regardless of their volatility or importance. Continuously monitoring all security controls without exception might cause the ISCM solutions to consume excessive or wasteful resources and efforts, and might overwhelm or overload the ISCM solutions with too much or irrelevant data and information. Before and after each change of the control is an incorrect frequency for monitoring of a control when implementing ISCM solutions, because it is not sufficient or timely to monitor the security control only when there is a change of the security control, and not during the normal operation of the security control. Monitoring the security control only before and after each change might cause the ISCM solutions to miss or ignore the security status, events, and activities that occur between the changes of the security control, and might delay or hinder the ISCM solutions from detecting and responding to the security issues or incidents that affect the security control. Only during system implementation and decommissioning is an incorrect frequency for monitoring of a control when implementing ISCM solutions, because it is not appropriate or effective to monitor the security control only during the initial or final stages of the system or network lifecycle, and not during the operational or maintenance stages of the system or network lifecycle. Monitoring the security control only during system implementation and decommissioning might cause the ISCM solutions to neglect or overlook the security status, events, and activities that occur during the regular or ongoing operation of the system or network, and might prevent or limit the ISCM solutions from improving and optimizing the security control.