When auditing the Software Development Life Cycle (SDLC) which of the following is one of the high-level audit phases?
Answer : D
The high-level audit phase represented by option D is planning. An audit is a systematic and independent examination and evaluation of the evidence, records, or activities of an entity (such as a process, a system, or an organization) to determine its compliance, effectiveness, or efficiency, and to provide assurance, recommendations, or improvements for that entity. The audit process consists of several phases, such as planning, execution, reporting, and follow-up. Planning is the first and most important phase, as it defines the objectives, scope, and criteria of the audit and determines the roles, responsibilities, and resources of the audit team. The planning phase also involves conducting the preliminary risk assessment, background research, and stakeholder analysis of the audit entity, and developing the audit plan, audit checklist, and audit schedule. Reference: [CISSP CBK, Fifth Edition, Chapter 6, page 572]; [100 CISSP Questions, Answers and Explanations, Question 19].
What is the correct order of execution for security architecture?
Answer : A
Security architecture is the design and implementation of the security controls, mechanisms, and processes that protect the confidentiality, integrity, and availability of the information and systems of an organization. Security architecture is aligned with the business goals, objectives, and requirements of the organization, and supports the security policies, standards, and guidelines of the organization. Security architecture follows a systematic and structured approach, which consists of the following phases or steps:
Governance: Establish the security vision, mission, principles, and policies of the organization, and define the roles, responsibilities, and authorities of the security stakeholders and functions.
Strategy and program management: Develop the security strategy and objectives of the organization, and plan, coordinate, and manage the security projects and initiatives that support the security strategy and objectives.
Project delivery: Design, implement, and integrate the security solutions and components that meet the security requirements and specifications of the organization, and deliver the expected security outcomes and benefits.
Refer to the information below to answer the question.
During the investigation of a security incident, it is determined that an unauthorized individual accessed a system which hosts a database containing financial information.
Aside from the potential records which may have been viewed, which of the following should be the PRIMARY concern regarding the database information?
Which of the following is the BEST reason for the use of security metrics?
Answer : D
The best reason for the use of security metrics is to quantify the effectiveness of security processes. Security metrics are measurable indicators that provide information about the performance, efficiency, and quality of security activities, controls, and outcomes. Security metrics can help to evaluate the current state of security, identify strengths and weaknesses, monitor progress and trends, and support decision-making and improvement. Security metrics can also help to demonstrate the value and return on investment of security to the stakeholders, and to communicate the security objectives and expectations to the users. Security metrics can be based on various criteria, such as compliance, risk, cost, time, or customer satisfaction. Security metrics can be classified into different types, such as implementation metrics, effectiveness/efficiency metrics, and impact metrics. Security metrics can be collected, analyzed, and reported using various methods and tools, such as surveys, audits, logs, dashboards, or scorecards.

Ensuring that the organization meets its security objectives, providing an appropriate framework for IT governance, and speeding up the process of quantitative risk assessment are all possible benefits or uses of security metrics, but they are not the best reason for their use. Security metrics are not the only means to ensure that the organization meets its security objectives, as security objectives can also be influenced by other factors, such as policies, standards, procedures, or culture. Security metrics are not the only component of IT governance, as IT governance also involves other elements, such as leadership, strategy, structure, processes, or roles. Security metrics are not the only factor that can speed up the process of quantitative risk assessment, as quantitative risk assessment also depends on other inputs, such as asset value, threat frequency, vulnerability severity, or control effectiveness.
Which of the following is the MOST important element of change management documentation?
Including a Trusted Platform Module (TPM) in the design of a computer system is an example of a technique to what?