CISSP Exam Question 531
Risk analysis is MOST useful when applied during which phase of the system development process?
Correct Answer: A
In most projects the conditions for failure are established at the beginning of the project. Thus risk management should be established at the commencement of the project with a risk assessment during project initiation.
As it is clearly stated in the ISC2 book: Security should be included at the first phase of development and throughout all of the phases of the system development life cycle. This is a key concept to understand for the purpose for the exam.
The most useful time is to undertake it at project initiation, although it is often valuable to update the current risk analysis at later stages.
Attempting to retrofit security after the SDLC is completed would cost a lot more money and might be impossible in some cases. Look at the family of browsers we use today: for the past 8 years each release has been claimed to be the most secure version yet, and within days vulnerabilities are found.
Risks should be monitored throughout the SDLC of the project and reassessed when appropriate.
The phases of the SDLC can vary from one source to another. It could be as simple as Concept, Design, and Implementation. It could also be expanded to include more phases, such as this list proposed in the ISC2 Official Study book:
Project Initiation and Planning
Functional Requirements Definition
System Design Specification
Development and Implementation
Documentations and Common Program Controls
Testing and Evaluation Control, certification and accreditation (C&A)
Transition to production (Implementation)
There are also two phases that extend beyond the SDLC:
Operation and Maintenance Support (O&M)
Revisions and System Replacement (Disposal)
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 291), and The Official ISC2 Guide to the CISSP CBK, Second Edition, pages 182-185.
CISSP Exam Question 532
When is the disaster considered to be officially over?
Correct Answer: B
The correct answer is: when all of the elements of the business have returned to normal functioning at the original site. It is important to remember that a threat to continuity still exists while processing is being returned to the original site after salvage and cleanup have been done.
CISSP Exam Question 533
In the network design below, where is the MOST secure Local Area Network (LAN) segment to deploy a Wireless Access Point (WAP) that provides contractors access to the Internet and authorized enterprise services?
Correct Answer:
Explanation
LAN 4
CISSP Exam Question 534
John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by the IS auditor. Which of the following techniques is John using to treat the risk identified by the IS auditor?
Correct Answer: A
Risk mitigation is the practice of the elimination of, or the significant decrease in the level of risk presented.
For your exam you should know the following information about risk assessment and treatment: A risk assessment, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
Identify assets and their value to the organization.
Identify vulnerabilities and threats.
Quantify the probability and business impact of these potential threats.
Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Treating Risk
Risk Mitigation
Risk mitigation is the practice of the elimination of, or the significant decrease in, the level of risk presented. Examples of risk mitigation can be seen in everyday life and are readily apparent in the information technology world. Risk mitigation involves applying appropriate controls to reduce risk. For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information. In the underage driver example, risk mitigation could take the form of driver education for the youth, establishing a policy not allowing the young driver to use a cell phone while driving, or not letting youth of a certain age have more than one friend in the car as a passenger at any given time.
Risk Transfer
Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company. Let us look at one of the examples that were presented above in a different way. The family is evaluating whether to permit an underage driver to use the family car. The family decides that it is important for the youth to be mobile, so it transfers the financial risk of a youth being in an accident to the insurance company, which provides the family with auto insurance. It is important to note that the transfer of risk may be accompanied by a cost. This is certainly true for the insurance example presented earlier, and can be seen in other insurance instances, such as liability insurance for a vendor or the insurance taken out by companies to protect against hardware and software theft or destruction. This may also be true if an organization must purchase and implement security controls in order to make their organization less desirable to attack. It is important to remember that not all risk can be transferred. While financial risk is simple to transfer through insurance, reputational risk may almost never be fully transferred.
Risk Avoidance
Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized. For example, have you ever heard a friend, or parents of a friend, complain about the costs of insuring an underage driver? How about the risks that many of these children face as they become mobile? Some of these families will decide that the child in question will not be allowed to drive the family car, but will rather wait until he or she is of legal age (i.e., 18 years of age) before committing to owning, insuring, and driving a motor vehicle. In this case, the family has chosen to avoid the risks (and any associated benefits) associated with an underage driver, such as poor driving performance or the cost of insurance for the child. Although this choice may be available for some situations, it is not available for all. Imagine a global retailer who, knowing the risks associated with doing business on the Internet, decides to avoid the practice. This decision will likely cost the company a significant amount of its revenue (if, indeed, the company has products or services that consumers wish to purchase). In addition, the decision may require the company to build or lease a site in each of the locations, globally, for which it wishes to continue business. This could have a catastrophic effect on the company's ability to continue business operations.
Risk Acceptance
In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios. Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
For example, an executive may be confronted with risks identified during the course of a risk assessment for their organization. These risks have been prioritized by high, medium, and low impact to the organization. The executive notes that in order to mitigate or transfer the low-level risks, significant costs could be involved. Mitigation might involve the hiring of additional highly skilled personnel and the purchase of new hardware, software, and office equipment, while transference of the risk to an insurance company would require premium payments. The executive then further notes that minimal impact to the organization would occur if any of the reported low-level threats were realized. Therefore, he or she (rightly) concludes that it is wiser for the organization to forgo the costs and accept the risk. In the young driver example, risk acceptance could be based on the observation that the youngster has demonstrated the responsibility and maturity to warrant the parent's trust in his or her judgment.
The following answers are incorrect:
Risk Transfer - Risk transfer is the practice of passing on the risk in question to another entity, such as an insurance company.
Risk Avoidance - Risk avoidance is the practice of coming up with alternatives so that the risk in question is not realized.
Risk Acceptance - Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
The following references were used to create this question:
CISA Review Manual 2014, page 51
Official ISC2 Guide to the CISSP CBK, 3rd edition, pages 383, 384 and 385
CISSP Exam Question 535
Which of the following statements is true about data encryption as a method of protecting data?
Correct Answer: D
In cryptography, you always assume the "bad guy" has the encryption algorithm (indeed, many algorithms such as DES, Triple DES, AES, etc. are public). What the bad guy lacks is the key used with that algorithm to encrypt/decrypt information. Therefore, protection of the key, controlled distribution, scheduled key change, timely destruction, and several other factors require careful consideration. All of these factors are covered under the umbrella term "key management".
Another significant consideration is the case of "data encryption as a method of protecting data" as the question states. If that data is to be stored over a long period of time (such as on backup), you must ensure that your key management scheme stores old keys for as long as they will be needed to decrypt the information they encrypted.
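The key-retention point above, as an added example that is not from the referenced books or the question source: a Python key ring (all class and function names are assumptions) that tags every ciphertext with the ID of the key that produced it, keeps retired keys until each ciphertext depending on them has been re-encrypted under the active key, and refuses to destroy a key that stored data still needs. The cipher itself is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for a real AEAD such as AES-GCM so that the example runs with the standard library alone; the key-management logic is the point, not the cipher.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the cited references). The stream cipher below is a
# stand-in for a real AEAD such as AES-GCM; only the key-management logic matters.
KEY_ID_LEN = 4
NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (stand-in stream cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", offset // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyDestroyedError(Exception):
    """Ciphertext references a key that no longer exists: the data is unrecoverable."""


class KeyRing:
    def __init__(self):
        self._keys = {}    # key_id -> 32-byte key
        self._refs = {}    # key_id -> number of stored ciphertexts still depending on it
        self.active = None

    def rotate(self):
        """Generate a new active key; older keys stay available for decryption."""
        key_id = len(self._keys) + 1
        self._keys[key_id] = os.urandom(32)
        self._refs[key_id] = 0
        self.active = key_id
        return key_id

    def encrypt(self, plaintext):
        kid, key = self.active, self._keys[self.active]
        nonce = os.urandom(NONCE_LEN)
        ct = _keystream_xor(key, nonce, plaintext)
        tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
        self._refs[kid] += 1
        return struct.pack(">I", kid) + nonce + ct + tag   # key ID travels with the data

    def decrypt(self, blob):
        kid = struct.unpack(">I", blob[:KEY_ID_LEN])[0]
        if kid not in self._keys:
            raise KeyDestroyedError(f"key {kid} was destroyed; ciphertext unrecoverable")
        key = self._keys[kid]
        nonce = blob[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
        ct, tag = blob[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return _keystream_xor(key, nonce, ct)

    def rewrap(self, blob):
        """Re-encrypt old ciphertext under the active key and release the old key's reference."""
        old_kid = struct.unpack(">I", blob[:KEY_ID_LEN])[0]
        plaintext = self.decrypt(blob)
        self._refs[old_kid] -= 1
        return self.encrypt(plaintext)

    def destroy(self, key_id, force=False):
        """Destroy a retired key; refused while ciphertext depends on it unless forced."""
        if key_id == self.active:
            raise ValueError("cannot destroy the active key")
        if self._refs[key_id] > 0 and not force:
            raise ValueError(f"key {key_id} still protects {self._refs[key_id]} ciphertext(s)")
        del self._keys[key_id]
        del self._refs[key_id]


def managed_rotation():
    """Rotation with retention: returns (old data readable, premature destroy refused, rewrapped readable)."""
    ring = KeyRing()
    ring.rotate()                                          # key 1 active
    backup = ring.encrypt(b"constructed backup record")    # long-lived data under key 1
    ring.rotate()                                          # key 2 active; key 1 retired but kept
    still_readable = ring.decrypt(backup) == b"constructed backup record"
    try:
        ring.destroy(1)
        destroy_refused = False
    except ValueError:
        destroy_refused = True                             # backup still needs key 1
    backup = ring.rewrap(backup)                           # now under key 2
    ring.destroy(1)                                        # safe: nothing references key 1
    return still_readable, destroy_refused, ring.decrypt(backup) == b"constructed backup record"


def unmanaged_destroy_outcome():
    """Failure mode: a key destroyed while archived ciphertext still depends on it."""
    ring = KeyRing()
    ring.rotate()
    archived = ring.encrypt(b"constructed archived record")
    ring.rotate()
    ring.destroy(1, force=True)                            # skips the reference check
    try:
        ring.decrypt(archived)
        return "recovered"
    except KeyDestroyedError:
        return "unrecoverable"


if __name__ == "__main__":
    print(managed_rotation(), unmanaged_destroy_outcome())
```

The reference count stands in for whatever inventory a real scheme keeps of which backups, archives or database rows were written under which key version; the useful property is that destruction of a key is gated on that inventory being empty, and that a ciphertext always carries enough metadata to find the key that produced it.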
The other answers are not correct because:
"It should sometimes be used for password files." - Encryption is often used to protect the passwords stored within password files, but it is not typically effective for the password file itself. On most systems, if the system cannot read the contents of the password file, users cannot authenticate. Encrypting the entire file prevents that access.
"It is usually easily administered." - Developments over the last several years have made cryptography significantly easier to manage and administer. But it remains a significant challenge. This is not a good answer.
"It makes few demands on system resources." - Cryptography is, essentially, a large complex mathematical algorithm. In order to encrypt and decrypt information, the system must perform this algorithm hundreds, thousands, or even millions/billions/trillions of times. This becomes system resource intensive, making this a very bad answer.
Reference:
Official ISC2 Guide page: 266 (poor explanation)
All in One Third Edition page: 657 (excellent explanation)
Key Management - Page 732, All in One Fourth Edition