The first step in developing an Information Security Continuous Monitoring (ISCM) strategy and implementing an ISCM program is to define a strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts. An ISCM strategy is a document that outlines the goals, objectives, scope, and approach of the ISCM program, which is a program that involves collecting, analyzing, and reporting data on the performance and security of the information systems and networks. An ISCM strategy should be aligned with the risk tolerance of the organization, which is the level of risk that the organization is willing to accept or mitigate. An ISCM strategy should also maintain clear visibility into the assets, which are the resources that support the organization’s mission and business processes, such as hardware, software, data, or personnel. An ISCM strategy should also maintain awareness of the vulnerabilities, which are the weaknesses or flaws that can be exploited by threats, as well as the up-to-date threat information, which is the data or intelligence that indicates the sources, methods, and intentions of the adversaries. An ISCM strategy should also consider the mission/business impacts, which are the consequences or effects of the security events or incidents on the organization’s operations, objectives, or reputation. The other steps in developing an ISCM strategy and implementing an ISCM program are conducting a vulnerability assessment, analyzing the data collected and reporting findings, and responding to findings with appropriate actions, but these are not the first step.

The best measure for protecting data on devices when traveling to high-risk countries is to review the applicable destination country laws, forensically clean the devices prior to travel, and only download sensitive data over a VPN upon arriving at the destination. This will minimize the risk of data loss, theft, or compromise due to border inspections, device confiscation, malware infection, or network interception. Keeping devices in the hotel room, using SSL or VPN connections, or using MFA or biometric access controls may not be sufficient or effective in protecting data in high-risk countries, as they may still be subject to physical or logical attacks by adversaries.  References :  CISSP - Certified Information Systems Security Professional , Domain 3. Security Architecture and Engineering, 3.8 Implement and manage engineering processes using secure design principles, 3.8.4 Secure design principles and processes;  CISSP Exam Outline , Domain 3. Security Architecture and Engineering, 3.8 Implement and manage engineering processes using secure design principles, 3.8.4 Secure design principles and processes

Additional padding may be added to the Encapsulating Security Protocol (ESP) trailer to provide partial traffic flow confidentiality. ESP is a protocol that provides confidentiality, integrity, and authentication for IP packets. ESP uses encryption to protect the payload of the IP packets, and optionally the IP header as well. ESP also adds a trailer at the end of the IP packet, which contains a padding field, a pad length field, and a next header field. The padding field is used to align the encrypted data to the block size of the encryption algorithm, and to provide partial traffic flow confidentiality by obscuring the actual length of the data. The pad length field indicates the number of bytes in the padding field. The next header field indicates the type of the payload that follows the ESP trailer. Data origin authentication, protection against replay attack, and access control are not provided by the ESP trailer, but by other components of ESP, such as the ESP header, the ESP authentication data, and the security association. References:

Encapsulating Security Payload

IPsec

IPsec: ESP Trailer

According to the CISSP For Dummies, the role that is directly responsible for data within an organization is the information owner. The information owner is the person or role that has the authority and accountability for the data or information that the organization owns, creates, uses, or maintains, such as data, documents, records, or intellectual property. The information owner is responsible for defining the classification, value, and sensitivity of the data or information, as well as the security requirements, policies, and standards for the data or information. The information owner is also responsible for granting or revoking the access rights and permissions to the data or information, as well as for monitoring and auditing the compliance and effectiveness of the security controls and mechanisms for the data or information. The data custodian is not the role that is directly responsible for data within an organization, although it may be a role that supports or assists the information owner. The data custodian is the person or role that has the responsibility for implementing and maintaining the security controls and mechanisms for the data or information, as defined by the information owner. The data custodian is responsible for performing the technical and operational tasks and activities for the data or information, such as backup, recovery, encryption, or disposal. The database administrator is not the role that is directly responsible for data within an organization, although it may be a role that supports or assists the information owner or the data custodian. The database administrator is the person or role that has the responsibility for managing and administering the database system that stores and processes the data or information. The database administrator is responsible for performing the technical and operational tasks and activities for the database system, such as installation, configuration, optimization, or troubleshooting.

According to the CISSP All-in-One Exam Guide 2 , a weakness of Wired Equivalent Privacy (WEP) is the length of the Initialization Vector (IV). WEP is a security protocol that was designed to provide confidentiality and integrity for wireless networks, by using the RC4 stream cipher to encrypt the data and the CRC-32 checksum to verify the data. However, WEP has several flaws that make it vulnerable to various attacks, such as the IV attack, the key recovery attack, the bit-flipping attack, and the replay attack. One of the flaws of WEP is the length of the IV, which is only 24 bits long. This means that the IV space is very small, and the IVs are likely to repeat after a short period of time, especially in a busy network. This allows an attacker to capture enough IVs and ciphertexts to perform a statistical analysis and recover the encryption key.  WEP does not provide protection against message replay, detection of message tampering, or built-in provision to rotate keys, but these are not weaknesses of WEP, but rather limitations or features that WEP lacks.  References :  2

According to the CISSP All-in-One Exam Guide 2 , the things that are required to assure authenticity are authentication and non-repudiation. Authenticity is the property that ensures that the data, information, system, network, or entity is genuine, original, and trustworthy, and is not counterfeit, altered, or impersonated. Authentication is the process of verifying and confirming the identity or the validity of a subject or an entity, such as a user, a device, or a message. Authentication helps to assure authenticity, as it ensures that the subject or the entity is who or what it claims to be, and is not an impostor, a fraud, or a forgery. Non-repudiation is the process of preventing or denying the denial or the dispute of an action or an event, such as the sending, receiving, or signing of a message. Non-repudiation helps to assure authenticity, as it ensures that the subject or the entity cannot deny or reject the authenticity or the validity of the action or the event, and is held accountable and responsible for it. Confidentiality is not the thing that is required to assure authenticity, although it may be a thing that is supported or enhanced by authenticity. Confidentiality is the property that ensures that the data or information is only accessible or disclosed to the authorized parties, and is protected from unauthorized or unintended access or disclosure. Confidentiality may be supported or enhanced by authenticity, as it ensures that the data or information is not accessed or disclosed by the impostors, frauds, or forgeries, and that the data or information is not counterfeit, altered, or impersonated. However, confidentiality is not the thing that is required to assure authenticity, as it does not verify or confirm the identity or the validity of the subject or the entity, or prevent or deny the denial or the dispute of the action or the event. Integrity is not the thing that is required to assure authenticity, although it may be a thing that is supported or enhanced by authenticity. Integrity is the property that ensures that the data or information is accurate, complete, and consistent, and is protected from unauthorized or unintended modification or corruption. Integrity may be supported or enhanced by authenticity, as it ensures that the data or information is not modified or corrupted by the impostors, frauds, or forgeries, and that the data or information is genuine, original, and trustworthy.  However, integrity is not the thing that is required to assure authenticity, as it does not verify or confirm the identity or the validity of the subject or the entity, or prevent or deny the denial or the dispute of the action or the event.

Logging and audit trail controls are designed to record and monitor the activities and events that occur on a system or network. They can provide valuable information for forensic analysis, such as the source, destination, time, and type of an event, the user or process involved, the data or resources accessed or modified, and the outcome or status of the event. Logging and audit trail controls can help identify the cause, scope, impact, and timeline of an attack, as well as the evidence and artifacts left by the attacker. They can also help determine the effectiveness and gaps of the preventive and detective controls, and support the incident response and recovery processes. Logging and audit trail controls should be configured, protected, and reviewed according to the organizational policies and standards, and comply with the legal and regulatory requirements.

OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf. The end user must provide an access token to the service provider, which is issued by an authorization server after the user grants permission to the third-party application. The access token represents the user’s identity and the scope of access granted by the user. The service provider can then use the access token to authenticate the user and provide the requested service. A username and password are not required by OAuth 2.0, as they are only used to authenticate the user to the authorization server, not the service provider. A username or a password alone are not sufficient to authenticate the user to the service provider, as they do not indicate the scope of access granted by the user.  References :  OAuth 2.0 ,  CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Identity and Access Management (IAM)

The correct procedure for handling the unlabeled, disconnected, and powered off devices that are found while inventorying storage equipment is that they should be inspected and sanitized following the organizational policy. The unlabeled, disconnected, and powered off devices are the devices or the systems that are not identified, not connected, or not turned on, and that are used or intended for storing or holding the data or the information, such as the hard disks, the flash drives, or the memory cards. The correct procedure for handling the unlabeled, disconnected, and powered off devices is that they should be inspected and sanitized following the organizational policy, which means that they should be examined or checked and cleaned or erased according to the rules or the guidelines that are established or defined by the organization, and that are based on the classification, the sensitivity, or the value of the data or the information that are stored or held on the devices or the systems. The inspection and the sanitization of the unlabeled, disconnected, and powered off devices can ensure or maintain the security or the privacy of the data or the information, as they can prevent or reduce the risk of unauthorized or inappropriate access or disclosure of the data or the information by the third parties or the attackers who access or compromise the devices or the systems.

A. They should be recycled to save energy is not the correct procedure for handling the unlabeled, disconnected, and powered off devices that are found while inventorying storage equipment, but rather a procedure that is performed or applied after the inspection and the sanitization of the devices or the systems, and that is intended or aimed to conserve or to preserve the energy or the resources, by reusing or repurposing the devices or the systems, or by disposing or discarding them in an environmentally friendly or responsible manner.

B. They should be recycled according to NIST SP 800-88 is not the correct procedure for handling the unlabeled, disconnected, and powered off devices that are found while inventorying storage equipment, but rather a procedure that is performed or applied after the inspection and the sanitization of the devices or the systems, and that is based or derived on the NIST SP 800-88, which is a special publication or a document that provides or offers the guidance or the recommendations for the media sanitization or the media disposal, and that is published or issued by the National Institute of Standards and Technology (NIST), which is a federal agency or an organization that develops or establishes the standards or the best practices for the science, the technology, or the engineering.

D. They should be inspected and categorized properly to sell them for reuse is not the correct procedure for handling the unlabeled, disconnected, and powered off devices that are found while inventorying storage equipment, but rather a procedure that is performed or applied after the inspection and the sanitization of the devices or the systems, and that is intended or aimed to generate or to produce the revenue or the income, by selling or transferring the devices or the systems to the other parties or the entities, who can use or utilize the devices or the systems for their own purposes or needs.

Changes to a Trusted Computing Base (TCB) system that could impact the security posture of that system and trigger a recertification activity are documented in the security impact analysis. A TCB system is a system that consists of the hardware, software, and firmware components that enforce the security policy and protect the security-relevant information of the system. A TCB system is usually certified or accredited to meet certain security standards or criteria, such as the Common Criteria or the Trusted Computer System Evaluation Criteria (TCSEC). A security impact analysis is a document that describes the changes made to a TCB system, such as adding, modifying, or removing components or functions, and analyzes the potential effects of the changes on the security of the system, such as introducing new vulnerabilities, risks, or threats. A security impact analysis can help to determine whether the changes require a recertification or reaccreditation of the TCB system, or whether the changes can be accepted without affecting the security level or assurance of the system. The other options are not the documents that document the changes to a TCB system, but rather different types of documents. A structured code review is a document that records the results of a systematic and rigorous examination of the source code of a software component or system, such as a TCB system, to detect errors, bugs, or vulnerabilities. A structured code review can help to improve the quality, reliability, and security of the software, but it does not document the changes made to the software. A routine self assessment is a document that reports the findings and recommendations of a periodic and voluntary evaluation of the security controls and measures of a system or organization, such as a TCB system, to measure the effectiveness, efficiency, and compliance of the security. A routine self assessment can help to identify and address the security gaps, weaknesses, or issues, but it does not document the changes made to the system. A cost benefit analysis is a document that compares the costs and benefits of different security solutions or alternatives for a system or organization, such as a TCB system, to justify the investment in security. A cost benefit analysis can help to evaluate the trade-offs between the security costs and the security benefits, but it does not document the changes made to the system.  References :  CISSP All-in-One Exam Guide, Eighth Edition , Chapter 8, p. 416;  Official (ISC)2 CISSP CBK Reference, Fifth Edition , Chapter 3, p. 149.

A third-party vulnerability assessment provides an unbiased evaluation of the organization’s security posture, identifying existing vulnerabilities and offering recommendations for mitigation. It is more comprehensive and objective compared to internal reviews or automated scans.  References :  CISSP Official (ISC)2 Practice Tests, Chapter 5, page 137

The policy that should be updated to address the problem of having only six days of audit logs from the last month available while investigating a malicious event is the retention policy. A retention policy is a policy that defines and specifies the duration and conditions for keeping or storing the records or data of an organization, such as audit logs, backups, or archives. A retention policy should be based on the legal, regulatory, operational, or business requirements of the organization, and should balance the costs and benefits of retaining or disposing the records or data. The problem of having only six days of audit logs from the last month available while investigating a malicious event indicates that the retention policy is inadequate or ineffective, as it does not ensure the availability or accessibility of the audit logs for the investigation purposes. The retention policy should be updated to address this problem by extending or adjusting the retention period or criteria for the audit logs, and by enforcing or monitoring the compliance with the retention policy. The other options are not the policies that should be updated to address this problem, but rather different or irrelevant policies. A reporting policy is a policy that defines and specifies the procedures and actions for communicating or disclosing the information or incidents of an organization, such as audit results, security breaches, or performance metrics. A reporting policy should be based on the legal, regulatory, operational, or business requirements of the organization, and should ensure the accuracy, timeliness, and completeness of the reporting. A recovery policy is a policy that defines and specifies the objectives and strategies for restoring the normal operations of an organization after a disaster or disruption, such as recovery time objective, recovery point objective, or recovery methods. A recovery policy should be based on the business impact analysis and risk assessment of the organization, and should ensure the continuity, resilience, and availability of the organization. A remediation policy is a policy that defines and specifies the procedures and actions for correcting or improving the security or performance of an organization, such as vulnerability remediation, incident response, or root cause analysis. A remediation policy should be based on the security assessment and audit findings of the organization, and should ensure the effectiveness, efficiency, and compliance of the organization.  References :  CISSP All-in-One Exam Guide, Eighth Edition , Chapter 7, p. 376;  Official (ISC)2 CISSP CBK Reference, Fifth Edition , Chapter 7, p. 406.

 According to the CISSP CBK Official Study Guide, a vulnerability in hardware would be the most difficult to detect. A vulnerability is a weakness or exposure in a system, network, or application, which may be exploited by threats and cause harm to the organization or its assets. A vulnerability can exist in various components of a system, network, or application, such as the kernel, the shared libraries, the hardware, or the system application. A vulnerability in hardware would be the most difficult to detect, as it may require physical access, specialized tools, or advanced skills to identify and measure the vulnerability. Hardware is the physical or tangible component of a system, network, or application that provides the basic functionality, performance, and support for the system, network, or application, such as the processor, memory, disk, or network card. Hardware may have vulnerabilities due to design flaws, manufacturing defects, configuration errors, or physical damage. A vulnerability in hardware may affect the security, reliability, or availability of the system, network, or application, such as causing data leakage, performance degradation, or system failure. A vulnerability in the kernel would not be the most difficult to detect, although it may be a difficult to detect. The kernel is the core or central component of a system, network, or application that provides the basic functionality, performance, and control for the system, network, or application, such as the operating system, the hypervisor, or the firmware. The kernel may have vulnerabilities due to design flaws, coding errors, configuration errors, or malicious modifications. A vulnerability in the kernel may affect the security, reliability, or availability of the system, network, or application, such as causing privilege escalation, system compromise, or system crash. A vulnerability in the kernel may be detected by using various tools, techniques, or methods, such as code analysis, vulnerability scanning, or penetration testing. A vulnerability in the shared libraries would not be the most difficult to detect, although it may be a difficult to detect. The shared libraries are the reusable or common components of a system, network, or application, that provide the functionality, performance, and compatibility for the system, network, or application, such as the dynamic link libraries, the application programming interfaces, or the frameworks. 

The organization will provide the limits and scope of the testing to the security services firm that will conduct a penetration test. The limits and scope of the testing define the boundaries, objectives, and rules of engagement for the penetration test, such as the target systems, the testing methods, the testing duration, the testing schedule, the testing team, the testing tools, the testing reporting, and the testing authorization. The limits and scope of the testing are essential for ensuring the legality, the ethics, and the effectiveness of the penetration test.

B. Physical location of server room and wiring closet is not something that the organization will provide to the security services firm that will conduct a penetration test, as it could compromise the security and the integrity of the network infrastructure and the testing results.

C. Logical location of filters and concentrators is not something that the organization will provide to the security services firm that will conduct a penetration test, as it could reveal the network architecture and the security controls and affect the testing accuracy and validity.

D. Employee directory and organizational chart is not something that the organization will provide to the security services firm that will conduct a penetration test, as it could violate the privacy and the confidentiality of the employees and the organization.

A data sensitivity assessment is a process of identifying and classifying the data that is involved in a system or application, based on the level of confidentiality, integrity, and availability that is required for the data. A data sensitivity assessment can help to determine the security requirements, controls, and measures that are needed to protect the data from unauthorized access, use, disclosure, modification, or destruction. The phase of the System Development Life Cycle (SDLC) where it will be most beneficial to conduct a data sensitivity assessment is the initiation phase. The initiation phase is the first phase of the SDLC, where the scope, objectives, and feasibility of the system or application are defined and approved. The initiation phase is the best time to conduct a data sensitivity assessment, as it can help to identify the data that is essential for the system or application, and the potential risks and impacts that may affect the data. The data sensitivity assessment can also help to align the security goals and strategies of the system or application with the business goals and strategies of the organization and the stakeholders. The data sensitivity assessment can also help to avoid or reduce the costs and efforts of implementing or changing the security controls and measures in the later phases of the SDLC. Development / Acquisition, Enumeration, or Operation / Maintenance are not the phases of the SDLC where it will be most beneficial to conduct a data sensitivity assessment, as they are either too late or irrelevant for the data sensitivity assessment.  References :  CISSP All-in-One Exam Guide, Eighth Edition , Chapter 21: Software Development Security, page 1149;  CISSP Official (ISC)2 Practice Tests, Third Edition , Domain 8: Software Development Security, Question 8.2, page 302.