CCSP Domain 5: Maintenance

Question 1

How often should CMB meet?

Answer 1

often enough to address organizational needs and reduce frustration with delay; frustrated employees and managers can increase risk to the organization by implementing their own, unapproved modifications to the environment

Question 2

What should the update procedure include?

Answer 2

1. document how, when and why the update was initiated by the vendor
2. move the update through the CM process

Question 3

What is the update procedure?

Answer 3

1. put the systems and devices into maintenance mode
2. apply the updates to the necessary systems and devices; annotate the asset inventory to reflect the changes
3. verify the update; run tests on the production environment to ensure all necessary systems and devices have received the update - if missed, repeat the installation until complete
4. validate the modifications; ensure intended results of the update have taken effect and interactions with the rest of the environment work appropriately
5. return to normal operations

Question 4

What document should cover patching?

Answer 4

patching, like any other form of maintenacne should be covered in SLAs

Question 5

Agreed upon schedule and patching threshold should be covered by what document?

Answer 5

contract

Question 6

What does configuration management entail?

Answer 6

documenting the approved settings for systems and software, which helps establish baselines within the organization

Question 7

What is CM?

Answer 7

change and configuration management

Question 8

What does CM begins with?

Answer 8

baselining

Question 9

What is baselining?

Answer 9

a way of taking an accurante account of the desired standard state

Question 10

What is important to incorporate in baselines?

Answer 10

security controls with a thorough description of each one’s purpose, dependencies and supporting rationale

Question 11

Why is it essential to include security controls in baselines?

Answer 11

so that business is informed about risk management as changes are considered to be implemented through the CM process; need to know if changes introduce any new risks for which compensatory controls would need to be implemented

Question 12

What stakeholders should provide input for creating baselines?

Answer 12

IT, security office, management, users

Question 13

Baseline should be a reflection of what?

Answer 13

risk appetite of the organization; provides optimum balance between security and operational functionality

Question 14

When baseline provides the gratest value?

Answer 14

when it’s applied to the greatest amount of covered systems

Question 15

Are baselines the be-all and end-all of system security?

Answer 15

no, it just serves as a standard against which to compare and validate all systems in the organization

Question 16

Why is it important to continually test the baselines?

Answer 16

to continually test the baselines to determine that all assets are accounted for and to detect antrhing that differes from the baseline

Question 17

What needs to be done with baseline deviations?

Answer 17

need to be documented and reviewed, whether they are intentional or unintentional, as they pose a risk to the organization

Question 18

What needs to be assured in order for a baseline to be successful?

Answer 18

needs to be flexible, so that exception request process is timely and responsive to the needs of the organization and its users

Question 19

Why is it important to have flexible and timely modifications to the baselines?

Answer 19

to avoid frustrated users, who then may circumvent the security controls and introduce significant risks

Question 20

Why is it important to track exceptions and deviations to the baselines?

Answer 20

ensuring regulatory compliance and security control coverage as well as allow meaningful modifications to the baselines, if a considerable amount of users report the same issue caused by the baseline controls

Question 21

How many baselines shuld be created?

Answer 21

depending on how many systems organization uses - baseline shuld be created for each type of system in the environment

Question 22

What is the CM process in the normal operational mode of the organization?

Answer 22

1. CMB meetings; CMB meets to analyze and review change and exception requests - authorize, reject or ask for additional effort
2. CM testing; if authorized, change needs to be tested before deployed
3. Deployment; change implemented and then reported to CMB
4. Documentation; modifications to the environment are documented and reflected in the asset inventory

Question 23

What is the initial CMB process?

Answer 23

1. full asset inventory; crucial to know what assets are used - can be aided by BIA
2. codification of the baseline; formal action that includes all members of CMB
3. secure baseline build; version of baseline is constructed and stored for later use
4. deployment of new assets; when new assets are deployed, relevant baseline has to be installed

Question 24

Who should be CMB composed of?

Answer 24

IT, security, legal, management, finance and acquisition, HR, general users, anyone who would be useful in this process

Question 25

What are commonly maintenance-related orchestrated tasks?

Answer 25

patch management and VM reboots

Question 26

What is the difference between change management and change control?

Answer 26

• change management: policy that details how changes will be processed in an organization; guidance on the process
• change control: process of evaluation a change request to decide, if it should be implemented; process in action

Question 27

What approach helps with automating change managment?

Answer 27

CI/CD and IaaC

Question 28

What is a credentialed scan?

Answer 28

powerful vulnerability scan that has higher privileges than a non-credentialed scan

Question 29

What are non-intrusive scans?

Answer 29

passive scans that merely report vulnerabilities; do not cause damage to a system

Question 30

What are intrusive scans?

Answer 30

cause damage as they try to exploit the vulnerabilty and should be used in a sandbox and not on a live production system

Question 31

What is the name of components or services that are managed as part of a configuration management effort?

Answer 31

CIs (configuration items)

Question 32

What are configuration models used for?

Answer 32

used to evaluate changes and causes of incidents

Question 33

What are configuration records?

Answer 33

records that describe configuration item relationships and settings