ISC Updated CISSP Exam Questions and Answers by henley

The type of solution that would suit the needs of a large corporation that wants to automate access based on where the request is coming from, who the user is, what device they are connecting with, and what time of day they are attempting this access is Network Access Control (NAC). NAC is a solution that enables the enforcement of security policies and rules on the network level, by controlling the access of devices and users to the network resources. NAC can automate access based on various factors, such as the location, identity, role, device type, device health, or time of the request. NAC can also perform functions such as authentication, authorization, auditing, remediation, or quarantine of the devices and users that attempt to access the network. Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC) are not types of solutions, but types of access control models that define how the access rights or permissions are granted or denied to the subjects or objects. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, page 737; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 4: Communication and Network Security, page 517.

An organization that has achieved a Capability Maturity Model Integration (CMMI) level of 4 has done the following: achieved predictable process performance. CMMI is a framework that provides a set of best practices and guidelines for improving the capability and maturity of the processes of an organization, such as software development, service delivery, or project management. CMMI consists of five levels, each of which represents a different stage or degree of process improvement, from initial to optimized. The five levels of CMMI are:

• Level 1: Initial. This level indicates that the processes of the organization are ad hoc, chaotic, or inconsistent, and that the outcomes of the processes are unpredictable, unreliable, or unrepeatable.
• Level 2: Managed. This level indicates that the processes of the organization are planned, performed, measured, and controlled, and that the outcomes of the processes are manageable, stable, or repeatable.
• Level 3: Defined. This level indicates that the processes of the organization are well-defined, documented, standardized, and integrated, and that the outcomes of the processes are aligned with the goals and objectives of the organization.
• Level 4: Quantitatively Managed. This level indicates that the processes of the organization are quantitatively measured, analyzed, and optimized, and that the outcomes of the processes are predictable, consistent, or high-quality.
• Level 5: Optimizing. This level indicates that the processes of the organization are continuously monitored, evaluated, and improved, and that the outcomes of the processes are innovative, adaptive, or excellent.

An organization that has achieved a CMMI level of 4 has done the following: achieved predictable process performance, meaning that the organization has established quantitative objectives and metrics for the processes, and has used statistical and analytical techniques to monitor and control the variation and performance of the processes, and to ensure that the processes meet the expected or desired outcomes. An organization that has achieved a CMMI level of 4 has not done the following: addressed continuous innovative process improvement, addressed the causes of common process variance, or achieved optimized process performance, as these are the characteristics or achievements of a CMMI level of 5, which is the highest and most mature level of CMMI. References:

• CMMI
• CMMI Levels
• CMMI Level 4

A pre-action system is a type of fire suppression system that minimizes damage to IT equipment stored in a data center when a false fire alarm event occurs. A pre-action system consists of sprinkler heads, pipes filled with pressurized air or nitrogen, and a separate water supply. The system is activated only when two conditions are met: a fire detection device (such as a smoke detector or a heat sensor) triggers an alarm, and the sprinkler heads detect a rise in temperature. When both conditions are met, the system releases the air or nitrogen from the pipes, and then fills them with water. The water is then discharged through the sprinkler heads that have been activated by the heat. A pre-action system prevents accidental water damage to IT equipment caused by false alarms, pipe leaks, or mechanical failures, as the pipes are normally dry and the water is released only when a fire is confirmed. A pre-action system also allows time for manual intervention or verification before the water is released, which can further reduce the risk of unnecessary water damage. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 9: Communication and Network Security, page 600. Official (ISC)² CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, page 713.

A security professional has been requested by the Board of Directors and Chief Information Security Officer (CISO) to perform an internal and external penetration test. A penetration test is a type of security assessment that simulates a real-world attack on a system or a network, to identify and exploit the vulnerabilities or weaknesses that may compromise the security. An internal penetration test is performed from within the system or the network, to assess the security from the perspective of an authorized user or an insider. An external penetration test is performed from outside the system or the network, to assess the security from the perspective of an unauthorized user or an outsider. The best course of action for the security professional is to review corporate security policies and procedures, before performing the penetration test. The corporate security policies and procedures are the documents that define the security goals, objectives, standards, and guidelines of the organization, and that specify the roles, responsibilities, and expectations of the security personnel and the stakeholders. The review of the corporate security policies and procedures will help the security professional to understand the scope, objectives, and methodology of the penetration test, and to ensure that the penetration test is aligned with the organization’s security requirements and compliance. The review of the corporate security policies and procedures will also help the security professional to obtain the necessary authorization, approval, and consent from the organization and the stakeholders, to perform the penetration test legally and ethically. Reviewing data localization requirements and regulations is not the best course of action for the security professional, as it is the process of identifying and complying with the laws and regulations that govern the collection, storage, and processing of the data in different jurisdictions. Reviewing data localization requirements and regulations is important for the security professional, but it is not the first step before performing the penetration test. Reviewing data localization requirements and regulations is more relevant for the data protection and privacy aspects of the security, not for the penetration testing aspects of the security. With notice to the Configuring a Wireless Access Point (WAP) with the same Service Set Identifier external test is not a valid option, as it is not a coherent or meaningful sentence. Configuring a Wireless Access Point (WAP) with the same Service Set Identifier (SSID) is a process of setting up a wireless network device with a network name, to allow wireless devices to connect to the network. This has nothing to do with performing a penetration test, or with giving notice to the organization or the stakeholders. With notice to the organization, perform an external penetration test first, then an internal test is not the best course of action for the security professional, as it is not the first step before performing the penetration test. Giving notice to the organization is important for the security professional, as it informs the organization and the stakeholders about the purpose, scope, and timing of the penetration test, and it also helps to avoid any confusion, disruption, or conflict with the normal operations of the system or the network. However, giving notice to the organization is not the first step before performing the penetration test, as the security professional should first review the corporate security policies and procedures, and obtain the necessary authorization, approval, and consent from the organization and the stakeholders. Performing an external penetration test first, then an internal test is not the best course of action for the security professional, as it is not the first step before performing the penetration test. Performing an external penetration test first, then an internal test is a possible way of conducting the penetration test, but it is not the only way. The order and the method of performing the penetration test may vary depending on the objectives, scope, and methodology of the penetration test, and the security professional should follow the corporate security policies and procedures, and the best practices and standards of the penetration testing industry. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 6: Security Assessment and Testing, page 291. CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Security Assessment and Testing, page 353.