ISC Updated CISSP Exam Questions and Answers by miran

 When assigning ownership of an asset to a department, the most important factor is to ensure individual accountability for the asset. Individual accountability means that each person who has access to or uses the asset is responsible for its protection and proper handling. Individual accountability also implies that each person who causes or contributes to a security breach or incident involving the asset can be identified and held liable. Individual accountability can be achieved by implementing security controls such as authentication, authorization, auditing, and logging.

The other options are not as important as ensuring individual accountability, as they do not directly address the security risks associated with the asset. The department should report to the business owner is a management issue, not a security issue. Ownership of the asset should be periodically reviewed is a good practice, but it does not prevent misuse or abuse of the asset. All members should be trained on their responsibilities is a preventive measure, but it does not guarantee compliance or enforcement of the responsibilities.

ISIsOC 1 is the most useful Service Organization Control (SOC) report for reviewing the financial reporting risks of a third-party application, because it focuses on the internal controls over financial reporting (ICFR) of the service organization. ISIsOC 1 reports are based on the Statement on Standards for Attestation Engagements (SSAE) No. 18, and can be either Type 1 or Type 2, depending on whether they provide a point-in-time or a period-of-time evaluation of the controls. SOC 2, SOC 3, and SOC for cybersecurity reports are based on the Trust Services Criteria, and cover different aspects of the service organization’s security, availability, confidentiality, processing integrity, and privacy. They are not specifically designed for financial reporting risks. References: CISSP Official Study Guide, 9th Edition, page 1016; CISSP All-in-One Exam Guide, 8th Edition, page 1095

If traveling abroad and a customs official demands to examine a personal computer, the most reasonable assumption is that the hard drive has been copied. The hard drive is the component of the computer that stores the data and the operating system, and it can be easily copied or cloned by using a device or a software. The customs official may copy the hard drive to inspect its contents, to search for illegal or suspicious data, or to obtain sensitive or valuable data. The hard drive may not be stolen, as the customs official may return the computer to the owner after the examination. The Internet Protocol (IP) address may not be copied, as the IP address is not a fixed or permanent attribute of the computer, but rather a dynamic and temporary identifier that is assigned by the network. The Media Access Control (MAC) address may not be stolen, as the MAC address is a unique and permanent identifier that is embedded in the network interface card (NIC) of the computer, and it cannot be easily changed or modified. 

SAML is an XML-based standard for exchanging authentication and authorization data between different parties, such as a service provider and an identity provider. SAML enables single sign-on (SSO) for web applications, which means that users can access multiple services with one set of credentials. SAML also improves security by not passing the users’ password during authentication, but instead using assertions that contain information about the user’s identity and attributes. SAML assertions are digitally signed and encrypted to ensure their integrity and confidentiality. SAML does not use TLS to address confidentiality, although it can be used as an additional layer of protection. SAML does not limit unnecessary data entry on web forms, although it can reduce the need for users to enter their credentials repeatedly. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management, page 291. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 5: Identity and Access Management (IAM), page 609.