The CISSP Mindset Flashcards

1
Q

My Role in the Exam

A

My role is risk advisor; I do not fix problems myself.

Ex. John is scheduled to be terminated on Friday and the separation will be contentious. What should you do on Friday morning?

  • the technical answer would be to disable the account
  • the risk advisor's answer is to call the responsible party and understand the existing termination process

The risk advisor does not remove accounts, disable access to URLs, block ports, or patch systems.

FOCUS ON FIXING THE PROCESS

Long-term mindset: not just running around putting out fires or handling the day-to-day. We shift to strategic planning and think about how we will be affected 3 years from now.

2
Q

Who is accountable for security?

A

Accountable = the buck stops here, AKA senior management

Employees have responsibilities (follow policies, etc.), but responsibility is not accountability.

Ultimate accountability and responsibility rest with senior management:

  • decisions
  • fines, penalties
3
Q

How much security is enough?

A

Wrong answer: you can never have enough / you can't have too much

Right answer: sometimes the cost of a control is not justified by the requirement it serves

  • cost is more than money: dollars, time, backwards compatibility, UX, performance
  • the cost can be too high even when the control itself is cheap to buy

"How much security is enough?" is answered by risk management: identify and analyze assets and asset value.

Security exists to support the business, so it needs to be cost-effective.

4
Q

All decisions start with risk management. Risk management starts with identifying and valuing your assets.

A

Then look at the threats, the vulnerabilities, and the potential for loss.

This lets you make good risk-based decisions: security spending that is actually worth it.

5
Q

Think “End Game”

A

Sometimes an exam question has multiple answers that look 'correct'.

Look for the one that best satisfies the question as asked.
- ex:

Q: why do we classify information?

a. to indicate its value
b. to indicate the harm done if a threat materializes
c. to indicate the sensitivity of the data
d. to dictate the security controls

Correct answer: d, to dictate the security controls. The other answers are true statements, but they do not answer the WHY component.

6
Q

Security Transcends Technology

A

Security has to be built on a foundation of good principles:

  • good strategy
  • good programs

The exam is much less technical than we would think; it's more about good, sound security fundamentals.

7
Q

Not too Technical, Not too Managerial

A

Questions and answers are not too deep in the technical weeds, and not too deep in the weeds of managerial experience either.

8
Q

Best Practices in the Best Environment

A

Answer the questions based on best practices in the best environment.

  • don't worry about whether an answer would still be correct in 3 months
9
Q

‘Security should be baked in, not sprayed on’

A

Integrate security early, not later.

"Does it work securely?" vs. "does it work at all?"
- focus on security from the feasibility study of a project all the way through its retirement

10
Q

Layered Defense

A

No single device or mechanism is going to keep you safe. Have several of them in place.

Example: locks can be picked; burglar alarms only fire during or after a burglary.

Layers: security policies, physical security, logical security

11
Q

What to focus on

A

Risk Management + Business Continuity

There are technical questions, but it's heavily a business exam.

Know the significance of the BIA, business processes and flows, RPO, RTO, and service agreements.
