Download Full Version CISSP ISC Exam

Service Organization Control (SOC) reports are audit reports that provide information about the internal controls and processes of a service organization, such as a cloud provider, a data center, or a payroll service. There are three types of SOC reports: SOC 1, SOC 2, and SOC 3. SOC 1 reports focus on the controls that affect the financial reporting of the user entities (the clients of the service organization). SOC 2 reports focus on the controls that affect the security, availability, confidentiality, and privacy of the user entities’ data and systems, as well as the processing integrity of the service organization. SOC 3 reports are similar to SOC 2 reports, but they are less detailed and more accessible to the general public. Each SOC report can be either Type 1 or Type 2. Type 1 reports describe the design and implementation of the controls at a specific point in time. Type 2 reports describe the operating effectiveness of the controls over a period of time, usually six to twelve months. When conducting a third-party risk assessment of a new supplier, the best report to review to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles is the SOC 2, Type 2 report. This report provides assurance that the service organization has implemented and maintained the controls that are relevant to the protection of the user entities’ data and systems, and that the controls have been tested and verified by an independent auditor. International Organization for Standardization (ISO) 27001 and ISO 27002 are not audit reports, but rather standards for information security management systems (ISMS). ISO 27001 specifies the requirements for establishing, implementing, maintaining, and improving an ISMS. ISO 27002 provides guidelines and best practices for implementing the controls of the ISMS. While these standards can be used as a reference for evaluating the security posture of a service organization, they do not provide the same level of assurance and evidence as a SOC 2, Type 2 report. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, p. 66-67. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 1: Security and Risk Management, p. 103-104.

Risk analysis is the process of identifying, assessing, and prioritizing the risks that could affect an organization’s assets, operations, or objectives. Risk analysis is an essential component of Disaster Recovery (DR) planning, as it helps to determine the likelihood and impact of various disaster scenarios, and to develop appropriate mitigation and recovery strategies. The main objective of risk analysis in DR planning is to identify potential threats to business availability, which is the ability of an organization to continue its critical business functions and processes in the event of a disaster. Business availability depends on the availability of the information systems (IS) that support the business functions and processes, such as hardware, software, data, network, and personnel. Risk analysis helps to identify the vulnerabilities and threats that could compromise the availability of the IS, and to estimate the potential losses and damages that could result from a disaster. Risk analysis also helps to establish the recovery point objective (RPO), which is the maximum acceptable amount of data loss after a disaster, and the recovery time objective (RTO), which is the maximum acceptable time to restore the normal operations after a disaster. References: Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 7: Security Operations, page 330. [CISSP All-in-One Exam Guide, Eighth Edition], Chapter 8: Business Continuity and Disaster Recovery Planning, page 461.

The (ISC)* Code of Ethics is a set of principles and guidelines that govern the professional and ethical conduct of (ISC)* certified members and associates. The Code of Ethics consists of four mandatory canons, which are: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession. The other two options are not mandatory canons, but rather examples of how to apply the canons in practice. Develop comprehensive security strategies for the organization is an example of how to protect society, the common good, necessary public trust and confidence, and the infrastructure. Create secure data protection policies for principals is an example of how to provide diligent and competent service to principals. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, p. 24-25. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Domain 1: Security and Risk Management, p. 19-20.

 Security control testing is a common term for various methods of assessing the effectiveness and compliance of security controls in an information system. Log reviews, synthetic transactions, and code reviews are examples of security control testing techniques that can be used to verify the functionality, performance, and security of an application or system. Log reviews involve analyzing the records of events and activities that occurred in an information system, such as user actions, system errors, or security incidents. Synthetic transactions are simulated user interactions with an application or system that are designed to test its functionality and performance under different scenarios and conditions. Code reviews are inspections of the source code of an application or system that are performed to identify errors, vulnerabilities, or deviations from best practices. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 10: Security Assessment and Testing, pp. 1015-1016; [Official (ISC)2 CISSP CBK Reference, Fifth Edition], Domain 6: Security Assessment and Testing, pp. 1019-1020.