ISC Updated CISSP Exam Questions and Answers by elise

The required components for implementing software configuration management systems are audit control and signoff, rollback and recovery processes, and regression testing and evaluation. Software configuration management systems are tools and techniques that enable the identification, control, tracking, and verification of the changes and versions of software products throughout the software development life cycle. Audit control and signoff are the mechanisms that ensure that the changes and versions of the software products are authorized, documented, reviewed, and approved by the appropriate stakeholders. Rollback and recovery processes are the procedures that enable the restoration of the previous state or version of the software products in case of a failure or error. Regression testing and evaluation are the methods that verify that the changes and versions of the software products do not introduce new defects or affect the existing functionality or performance. User training and acceptance are not required components for implementing software configuration management systems, as they are related to the deployment and operation of the software products, not the configuration management. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1037. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1063.

According to the star property (*property) of the Bell-LaPadula model, a subject with a given security clearance may write data to an object if and only if the object’s security level is greater than or equal to the subject’s security level. In other words, a subject can write data to an object with the same or higher sensitivity label, but not to an object with a lower sensitivity label. This rule is also known as the no write-down rule, as it prevents the leakage of information from a higher level to a lower level. In this question, User A has a Restricted clearance, and File 1 has a Restricted security class. Therefore, User A can write to File 1, as they have the same security level. User B, User C, and User D cannot write to File 1, as they have higher clearances than the security class of File 1, and they would violate the star property by writing down information to a lower level. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 4, Communication and Network Security, page 498. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 4, Communication and Network Security, page 514.

Capability Maturity Models (CMM) are frameworks that describe the key elements of effective processes for various domains, such as software engineering, project management, or information security. CMM serve as a benchmark for an organization to assess its current level of maturity and identify the areas for improvement. CMM can help an organization to establish, standardize, measure, control, and optimize its procedures in systems development, which is the process of creating, maintaining, and enhancing information systems. Experience in the industry, definition of security profiles, and human resource planning efforts are not the main focus of CMM, although they may be influenced by the maturity level of the organization. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1034. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1060.

The plan must include employee education in order to reduce client-side exploitation. Employee education is a process of providing the employees with the necessary knowledge, skills, and awareness to follow the security policies and procedures, and to prevent or avoid the common security threats or risks, such as client-side exploitation. Client-side exploitation is a type of attack that targets the vulnerabilities or weaknesses of the client applications or systems, such as web browsers, email clients, or media players, and that can compromise the client data or functionality, or allow the attacker to gain access to the network or the server. Employee education can help to reduce client-side exploitation by teaching the employees how to recognize and avoid the malicious or suspicious links, attachments, or downloads, how to update and patch their client applications or systems, how to use the security tools or features, such as antivirus or firewall, and how to report or respond to any security incidents or breaches. Approved web browsers, network firewall procedures, and proxy configuration are not the plan components that must be included in order to reduce client-side exploitation, as they are related to the technical or administrative controls or measures, not the human or behavioral factors, that can affect the client-side security. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 47. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 62.