ISC Updated CISSP Exam Questions and Answers by bobbie

Additional padding may be added to the Encapsulating Security Protocol (ESP) trailer to provide partial traffic flow confidentiality. ESP is a protocol that provides confidentiality, integrity, and authentication for IP packets. ESP uses encryption to protect the payload of the IP packets, and optionally the IP header as well. ESP also adds a trailer at the end of the IP packet, which contains a padding field, a pad length field, and a next header field. The padding field is used to align the encrypted data to the block size of the encryption algorithm, and to provide partial traffic flow confidentiality by obscuring the actual length of the data. The pad length field indicates the number of bytes in the padding field. The next header field indicates the type of the payload that follows the ESP trailer. Data origin authentication, protection against replay attack, and access control are not provided by the ESP trailer, but by other components of ESP, such as the ESP header, the ESP authentication data, and the security association. References:

• Encapsulating Security Payload
• IPsec
• IPsec: ESP Trailer

The data custodian is the role that is responsible for ensuring that important datasets are developed, maintained, and are accessible within their defined specifications. The data custodian is the person or entity that implements the security controls and procedures for the data, as defined by the data owner. The data custodian is also responsible for performing the technical tasks related to the data, such as backup, recovery, archiving, encryption, deletion, and auditing. The data custodian should ensure that the data is available, reliable, and secure, and that the data quality and integrity are preserved. The data reviewer, the data user, and the data owner are not the roles that are responsible for ensuring that important datasets are developed, maintained, and are accessible within their defined specifications. The data reviewer is the person or entity that verifies the accuracy, completeness, and validity of the data, and provides feedback or recommendations for improvement. The data user is the person or entity that accesses, uses, or benefits from the data, and may have different levels of permissions or restrictions depending on their role or function. The data owner is the person or entity that has the ultimate authority and responsibility over the data, and defines the security requirements and policies for the data. References:

• 1 (Domain 1: Security and Risk Management, Objective 1.5: Understand and apply concepts of data governance)
• 2 (Chapter 1: Security and Risk Management, Section 1.5.3: Data Governance)

 Software defined networking (SDN) is a network architecture that decouples the control plane from the data plane, allowing for more flexibility and programmability of network functions. The SDN controller is the architectural component that acts as the brain of the SDN network, communicating with both the SDN applications and the SDN data paths. The SDN controller is responsible for translating the network requirements from the SDN applications, such as security policies, routing rules, or load balancing, into instructions for the SDN data paths, such as switches, routers, or firewalls, to implement them. The SDN controller also monitors the network state and provides feedback to the SDN applications. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 9: Communication and Network Security, page 573. Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, page 663.

An access control list (ACL) is a security tool that will ensure authorized data is sent to the application when implementing a cloud-based application. An ACL is a list of rules or policies that specify which users, groups, roles, or processes are allowed or denied access to a resource, such as a file, folder, network, or application. An ACL can also define the type and level of access that is granted or denied, such as read, write, execute, or delete. An ACL can help to protect the confidentiality, integrity, and availability of the data and the application in the cloud environment, by preventing unauthorized access, modification, or deletion. An ACL can also help to enforce the principle of least privilege, by granting only the minimum access required for the legitimate purpose. A host-based intrusion prevention system (HIPS) is a security tool that monitors and blocks malicious or anomalous activities on a host, such as a server, workstation, or device. A HIPS can help to protect the host from attacks, such as malware, exploits, or unauthorized changes, but it does not ensure authorized data is sent to the application. A file integrity monitoring (FIM) tool is a security tool that monitors and detects changes to files or directories, such as creation, deletion, modification, or renaming. A FIM tool can help to protect the integrity and availability of the files or directories, by alerting or reporting on unauthorized or unexpected changes, but it does not ensure authorized data is sent to the application. A data loss prevention (DLP) tool is a security tool that monitors and prevents the leakage or exfiltration of sensitive or confidential data, such as personal information, intellectual property, or trade secrets. A DLP tool can help to protect the confidentiality and integrity of the data, by blocking or encrypting the data before it is transferred, copied, printed, or emailed, but it does not ensure authorized data is sent to the application. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 5, Identity and Access Management, page 513. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 470.