ISC Updated CISSP Exam Questions and Answers by malakai

Service Organization Control (SOC) 2 is a report that provides information about the security, availability, processing integrity, confidentiality, and privacy of a service organization’s system. It is intended for users who need assurance about the controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. A SOC 2 report can help an organization assess the business continuity/disaster recovery policy and procedures for an application that is outsourced to a third-party service provider.

The option that should be included in a good defense-in-depth strategy provided by object-oriented programming for software deployment is encapsulation. Encapsulation is a technique that provides the protection and the abstraction of the data or the information and the methods or the functions that are associated with an object or a class, by hiding or restricting the access or the visibility of the data or the information and the methods or the functions from the other objects or classes, and exposing or allowing only the relevant or necessary data or information and the methods or the functions to the other objects or classes. Encapsulation can provide a good defense-in-depth strategy for software deployment, because it can:

• Prevent or reduce the unauthorized or unintended access or modification of the data or the information and the methods or the functions that are associated with an object or a class, and ensure the integrity and the confidentiality of the data or the information and the methods or the functions.
• Simplify or modularize the design and the development of the software, by separating or isolating the data or the information and the methods or the functions that are associated with an object or a class, and reducing the complexity or the dependency of the data or the information and the methods or the functions.
• Enhance or improve the maintainability and the reusability of the software, by facilitating the changes or the updates of the data or the information and the methods or the functions that are associated with an object or a class, and enabling the reuse or the sharing of the data or the information and the methods or the functions.

The other options are not the options that should be included in a good defense-in-depth strategy provided by object-oriented programming for software deployment. Polyinstantiation is not a technique that provides the protection and the abstraction of the data or the information and the methods or the functions that are associated with an object or a class, but rather a technique that allows multiple versions or instances of the same data or the information to exist in a database, at different levels of security or classification, and for different users or groups. Polyinstantiation can provide a good defense-in-depth strategy for database security, but not for software deployment. Polymorphism is not a technique that provides the protection and the abstraction of the data or the information and the methods or the functions that are associated with an object or a class, but rather a technique that allows an object or a class to have different forms or behaviors, depending on the context or the situation, and to respond differently to the same message or the same method. Polymorphism can provide a good defense-in-depth strategy for software flexibility, but not for software deployment. Inheritance is not a technique that provides the protection and the abstraction of the data or the information and the methods or the functions that are associated with an object or a class, but rather a technique that allows an object or a class to acquire or inherit the data or the information and the methods or the functions that are associated with another object or class, and to extend or override the data or the information and the methods or the functions. Inheritance can provide a good defense-in-depth strategy for software consistency, but not for software deployment. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, page 1025. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8: Software Development Security, page 1026.

 Vendor accounts that are used for emergency maintenance should be disabled when not in use, and enabled only when authorized and necessary. This can prevent unauthorized or malicious access by vendors or attackers who compromise vendor credentials. Vendor access should also be subject to the principle of least privilege, meaning that vendors should only have the minimum level of access required to perform their tasks. Additionally, vendor access should be monitored and audited to ensure compliance and accountability34. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, page 355; 100 CISSP Questions, Answers and Explanations, Question 14.

 As a design principle, the cloud consumer is the actor that is responsible for identifying and approving data security requirements in a cloud ecosystem. A cloud ecosystem is a complex system of interrelated and interdependent components that provide cloud services and solutions to the users and customers. A cloud ecosystem consists of different actors, such as cloud provider, cloud consumer, cloud broker, or cloud auditor, that have different roles and responsibilities in the cloud ecosystem. The cloud consumer is the actor that uses the cloud services or solutions provided by the cloud provider or the cloud broker. The cloud consumer is responsible for identifying and approving data security requirements in a cloud ecosystem, because:

• The cloud consumer owns and controls the data that is stored, processed, or transmitted in the cloud ecosystem, and therefore, the cloud consumer has the authority and accountability for the data security requirements.
• The cloud consumer knows and understands the data classification, sensitivity, and value of the data that is stored, processed, or transmitted in the cloud ecosystem, and therefore, the cloud consumer can determine the appropriate data security requirements.
• The cloud consumer has the obligation and liability to comply with the data security regulations, standards, and best practices that apply to the data that is stored, processed, or transmitted in the cloud ecosystem, and therefore, the cloud consumer can define the relevant data security requirements. References: CISSP All-in-One Exam Guide, Chapter 3: Security Architecture and Engineering, Section: Cloud Computing, pp. 147-148.