CISSP Exam Dumps - Certified Information Systems Security Professional (CISSP)

• Degaussing
• Overwriting
• Destruction
• Deleting

Comprehensive Explanation: Degaussing is the process of decreasing or eliminating a remnant magnetic field to reduce the risk of data remanence on magnetic media, making it the best method among the options provided. Overwriting involves replacing old data with new data, which can also be effective but not as thorough as degaussing. Destruction refers to physically destroying the media, which is effective but not always practical or environmentally friendly. Deleting is simply removing data pointers and does not actually erase the data from the media, making it the worst option.

References:

• CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10, p. 518.
• CISSP practice exam questions and answers, Question 7.

 Encapsulating Security Payload (ESP) in transport mode affects the Internet Protocol (IP) by encrypting and optionally authenticating the IP payload, but not the IP header. ESP is a protocol that provides confidentiality, integrity, and authentication for data transmitted over a network. ESP can operate in two modes: transport mode and tunnel mode. In transport mode, ESP only protects the data or payload of the IP packet, while leaving the IP header intact and visible. This mode is suitable for end-to-end communication between two hosts. In tunnel mode, ESP protects the entire IP packet, including the header and the payload, by encapsulating it within another IP packet. This mode is suitable for gateway-to-gateway or host-to-gateway communication34 References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, p. 345; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 464.

The functional testing techniques and the input parameter selection criteria are based on the following definitions and examples:

• State-Based Analysis: A technique that tests the system’s behavior and response based on its current state or mode, which can be affected by the previous inputs or events. For example, testing how a system reacts when it is in normal mode, maintenance mode, or error mode. The input parameter selection should include one input that does not belong to any of the identified partitions or states, to test how the system handles an invalid or unexpected input.
• Equivalence Class Analysis: A technique that divides the input domain into classes or groups of inputs that have the same or similar expected output or behavior, and tests one input from each class or group. For example, testing how a system validates an email address by using valid inputs (e.g., name@example.com), invalid inputs (e.g., name@.com), and boundary inputs (e.g., name@example.c). The input parameter selection should include inputs that are at the external limits of the domain of valid values, to test how the system handles the boundary cases.
• Decision Table Analysis: A technique that tests the system’s logic and decision making based on the combinations of input values and conditions that affect the output or the action. For example, testing how a system grants access based on the input values of username, password, and role. The input parameter selection should include invalid combinations of input values, to test how the system handles the error or exception cases.
• Boundary Value Analysis: A technique that tests the system’s robustness and reliability based on the inputs that are at or near the boundaries or the extremes of the input domain. For example, testing how a system handles a file size that is zero, maximum, or slightly above or below the maximum. The input parameter selection should include unexpected inputs corresponding to each known condition, to test how the system handles the abnormal or unusual cases.

References: CISSP Official (ISC)2 Practice Tests, Chapter 8, page 220; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, page 389

WS-Trust

WS-Trust is a Web Services Security (WS-Security) specification that negotiates how security tokens will be issued, renewed and validated. WS-Trust defines a framework for establishing trust relationships between different parties, and a protocol for requesting and issuing security tokens that can be used to authenticate and authorize the parties. WS-Trust also supports different types of security tokens, such as Kerberos tickets, X.509 certificates, SAML assertions, etc56 References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, p. 346; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 465.

According to the CISSP Official (ISC)2 Practice Tests3, the most suitable approach that the administrator should take when a user requests read-only access to files that are not considered sensitive in a Discretionary Access Control (DAC) methodology is to request data owner approval to the user access. DAC is a type of access control that grants or denies access to an object based on the identity and permissions of the subject, and the discretion of the owner of the object. The owner of the object has the authority and responsibility to determine who can access the object and what level of access they can have, such as read, write, execute, or delete. The owner can also delegate the access rights to other subjects or groups, or revoke them as needed. The administrator is the person who manages and maintains the system and the access control mechanisms, but does not have the authority to grant or deny access to the objects without the owner’s consent. Therefore, the administrator should request data owner approval to the user access, regardless of the sensitivity of the files, to ensure that the access is authorized and compliant with the DAC methodology. Requesting manager approval for the user access is not the most suitable approach, as the manager may not be the owner of the files, and may not have the authority or knowledge to grant or deny access to the files. Directly granting the access to the non-sensitive files is not the most suitable approach, as it may violate the DAC methodology and the owner’s discretion, and may introduce unauthorized or excessive access to the files. Assessing the user access need and either granting or denying the access is not the most suitable approach, as it may violate the DAC methodology and the owner’s discretion, and may introduce unauthorized or excessive access to the files. References: 3

The common phases to creating a Business Continuity/Disaster Recovery (BC/DR) plan are as follows:

• Risk Assessment: This is the phase of identifying and quantifying the potential impacts of disruptive events on the organization’s critical business functions and processes. This phase involves determining the recovery objectives, such as the recovery time objective (RTO) and the recovery point objective (RPO), as well as the recovery priorities, dependencies, and resources.
• Business Impact Analysis: This is the phase of selecting and implementing the appropriate recovery methods and solutions for the organization’s critical business functions and processes. This phase involves evaluating the costs and benefits of different recovery options, such as backup, redundancy, alternate sites, or outsourcing, and choosing the ones that meet the recovery objectives and budget.
• Mitigation Strategy Development: This is the phase of documenting and communicating the procedures and actions to be taken before, during, and after a disaster to restore the normal operations of the organization. This phase involves defining the roles and responsibilities of the staff and stakeholders, establishing the communication and escalation channels, and outlining the steps for activation, execution, and termination of the plan.
• BCDR Plan Development: This is the phase of verifying and updating the effectiveness and efficiency of the BC/DR plan. This phase involves conducting regular tests and exercises to validate the functionality, usability, and reliability of the plan, and performing periodic reviews and audits to identify and address any gaps, weaknesses, or changes in the plan.
• Training, Testing & Auditing: This is the phase of ensuring the awareness and readiness of the staff and stakeholders for the BC/DR plan. This phase involves providing the training and education on the BC/DR plan, conducting the testing and auditing of the BC/DR plan, and collecting the feedback and lessons learned from the BC/DR plan.
• Plan Maintenance: This is the phase of maintaining and improving the BC/DR plan. This phase involves updating and revising the BC/DR plan according to the changes in the organization, environment, or technology, and ensuring the compliance and alignment of the BC/DR plan with the legal, regulatory, operational, or business requirements.

The image that you sent shows a flowchart or process diagram with five empty boxes connected by arrows, indicating a sequence of steps. The boxes are placeholders for the phases of the BC/DR plan. Below the image, there is a list of the phases of the BC/DR plan. To complete the image, you need to drag the phases from the list to the appropriate boxes in the diagram. The correct order of the phases is as follows:

• Box 1: Risk Assessment
• Box 2: Business Impact Analysis
• Box 3: Mitigation Strategy Development
• Box 4: BCDR Plan Development
• Box 5: Training, Testing & Auditing

The phase of Plan Maintenance is not shown in the image, but it is an ongoing and continuous phase that should be performed after the completion of the other phases.

The primary security concern for an organization that publishes and periodically updates its employee policies in a file on their intranet is integrity. Integrity is the property that ensures that the data or the information is accurate, complete, consistent, and authentic, and that it has not been modified, altered, or corrupted by unauthorized or malicious parties. Integrity is a primary security concern for the employee policies file on the intranet, as it can affect the compliance, trust, and reputation of the organization, and the rights and responsibilities of the employees. The employee policies file must reflect the current and valid policies of the organization, and must not be changed or tampered with by anyone who is not authorized or qualified to do so. Availability, confidentiality, and ownership are not the primary security concerns for the employee policies file on the intranet, as they are related to the accessibility, protection, or attribution of the data or the information, not the accuracy or the authenticity of the data or the information. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 20. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 33.

The use of Network Access Control (NAC) on switches is a major consideration in implementing a Voice over IP (VoIP) network. NAC is a mechanism that enforces security policies on the network devices, such as switches, routers, firewalls, and servers. NAC can prevent unauthorized or compromised devices from accessing the network, or limit their access to specific segments or resources. NAC can also monitor and remediate the devices for compliance with the security policies, such as patch level, antivirus status, or configuration settings. NAC can enhance the security and performance of a VoIP network, as well as reduce the operational costs and risks. References: Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 4: Communication and Network Security, p. 473; CISSP All-in-One Exam Guide, Eighth Edition, Chapter 6: Communication and Network Security, p. 353.