ISC CISSP Actual Questions

The required components for implementing software configuration management systems are audit control and signoff, rollback and recovery processes, and regression testing and evaluation. Software configuration management systems are tools and techniques that enable the identification, control, tracking, and verification of the changes and versions of software products throughout the software development life cycle. Audit control and signoff are the mechanisms that ensure that the changes and versions of the software products are authorized, documented, reviewed, and approved by the appropriate stakeholders. Rollback and recovery processes are the procedures that enable the restoration of the previous state or version of the software products in case of a failure or error. Regression testing and evaluation are the methods that verify that the changes and versions of the software products do not introduce new defects or affect the existing functionality or performance. User training and acceptance are not required components for implementing software configuration management systems, as they are related to the deployment and operation of the software products, not the configuration management. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8, Software Development Security, page 1037. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, Software Development Security, page 1063.

The capabilities of the system that allow its business users to perform business functions but not user administration functions, and its application administrators to perform administration functions but not user business functions, are best described as separation of duties. Separation of duties is a security principle that divides the roles and responsibilities of different tasks or functions among different individuals or groups, so that no one person or group has complete control or authority over a critical process or asset. Separation of duties can help to prevent fraud, collusion, abuse, or errors, and to ensure accountability, oversight, and checks and balances. Least privilege, rule based access controls, and Mandatory Access Control (MAC) are not the best descriptions of the capabilities of the system, as they do not reflect the division of roles and responsibilities among different users or groups. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, Security and Risk Management, page 32. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, Security and Risk Management, page 45.

The most appropriate action to take when the auditor finds evidence of potentially illegal activity is to work with the client to report the activity to the appropriate authority. The auditor is a professional who performs an independent and objective examination of the system, the process, or the activity, to provide assurance, evaluation, or improvement. The auditor has a duty and a responsibility to report any evidence of potentially illegal activity that they find during the audit, as it can affect the security, the compliance, or the integrity of the system, the process, or the activity. The auditor should work with the client to report the activity to the appropriate authority, such as the law enforcement, the regulatory body, or the senior management, as it can ensure the cooperation, the communication, or the transparency between the auditor and the client, and it can follow the legal, the contractual, or the ethical obligations of the auditor and the client. The auditor should not immediately call the police, work with the client to resolve the issue internally, or advise the person performing the illegal activity to cease and desist, as they are not the most appropriate actions to take when the auditor finds evidence of potentially illegal activity, as they can bypass, undermine, or interfere with the cooperation, the communication, or the transparency between the auditor and the client, and they can violate the legal, the contractual, or the ethical obligations of the auditor and the client. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 7, Security Operations, page 894. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 7, Security Operations, page 910.

The primary reason for ethics awareness and related policy implementation is to affect the reputation of an organization positively, by demonstrating its commitment to ethical principles, values, and standards in its business practices, services, and products. Ethics awareness and policy implementation can also help the organization avoid legal liabilities, fines, or sanctions for unethical conduct, and foster trust and loyalty among its customers, partners, and employees. The other options are not as important as affecting the reputation, as they either do not directly relate to ethics (A), or are secondary outcomes of ethics (C and D). References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 19; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 28.