The best Identity-as-a-Service (IDaaS) solution for validating users is Security Assertion Markup Language (SAML). IDaaS is a cloud-based service that provides identity and access management functions, such as authentication, authorization, and provisioning, to the customers. SAML is a standard protocol that enables the exchange of authentication and authorization information between different parties, such as the identity provider, the service provider, and the user. SAML can help to validate users in an IDaaS solution, as it can allow the users to access multiple cloud services with a single sign-on, and provide the service providers with the necessary identity and attribute assertions about the users. Single Sign-On (SSO), Lightweight Directory Access Protocol (LDAP), and Open Authentication (OAuth) are not IDaaS solutions, but technologies or protocols that can be used or supported by IDaaS solutions, respectively. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5: Security Engineering, page 654; Official (ISC)2 Guide to the CISSP CBK, Fifth Edition, Chapter 3: Security Architecture and Engineering, page 437.

White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the appropriate outputs. This is analogous to testing nodes in a circuit, e.g. in-circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white-box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system-level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements.
For your exam you should know the information below: Alpha and Beta Testing - An alpha version is early version is an early version of the application system submitted to the internal user for testing. The alpha version may not contain all the features planned for the final version. Typically software goes to two stages testing before it consider finished.The first stage is called alpha testing is often performed only by the user within the organization developing the software. The second stage is called beta testing, a form of user acceptance testing, generally involves a limited number of external users. Beta testing is the last stage of testing, and normally involves real world exposure, sending the beta version of the product to independent beta test sites or offering it free to interested user.
Pilot Testing - A preliminary test that focuses on specific and predefined aspect of a system. It is
not meant to replace other testing methods, but rather to provide a limited evaluation of the
system. Proof of concept are early pilot tests - usually over interim platform and with only basic
functionalities.
White box testing - Assess the effectiveness of a software program logic. Specifically, test data are
used in determining procedural accuracy or conditions of a program's specific logic path. However
testing all possible logical path in large information system is not feasible and would be cost
prohibitive, and therefore is used on selective basis only.
Black Box Testing - An integrity based form of testing associated with testing components of an
information system's "functional" operating effectiveness without regards to any specific internal
program structure. Applicable to integration and user acceptance testing.
Function/validation testing - It is similar to system testing but it is often used to test the
functionality of the system against the detailed requirements to ensure that the software that has
been built is traceable to customer requirements.
Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure
that changes or corrections have not introduced new errors. The data used in regression testing
should be same as original data.
Parallel Testing - This is the process of feeding test data into two systems - the modified system
and an alternative system and comparing the result.
Sociability Testing - The purpose of these tests is to confirm that new or modified system can
operate in its target environment without adversely impacting existing system. This should cover
not only platform that will perform primary application processing and interface with other system
but , in a client server and web development, changes to the desktop environment. Multiple
application may run on the users desktop, potentially simultaneously , so it is important to test the
impact of installing new dynamic link libraries (DLLs), making operating system registry or
configuration file modification, and possibly extra memory utilization.
The following answers are incorrect:
Parallel Testing - This is the process of feeding test data into two systems - the modified system
and an alternative system and comparing the result.
Regression Testing - The process of rerunning a portion of a test scenario or test plan to ensure
that changes or corrections have not introduced new errors. The data used in regression testing
should be same as original data.
Pilot Testing - A preliminary test that focuses on specific and predefined aspect of a system. It is not meant to replace other testing methods, but rather to provide a limited evaluation of the system. Proof of concept are early pilot tests - usually over interim platform and with only basic functionalities
The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 167 Official ISC2 guide to CISSP CBK 3rd Edition Page number 176
Topic 2, Telecommunication and Network Security

The information security practitioner should work with the information owner (IO) to ensure that the information is properly categorized. The information owner is the person or the entity that has the authority and the responsibility for the information, such as the creation, classification, maintenance, use, and disposal of the information. The information owner is also accountable for the security and the protection of the information, such as the confidentiality, integrity, and availability of the information. The information security practitioner is the person or the entity that provides the expertise and the guidance for the implementation and the enforcement of the security policies and the controls for the information. The information security practitioner should work with the information owner to ensure that the information is properly categorized, as the information owner knows the value, the sensitivity, and the criticality of the information, and the information security practitioner knows the security requirements, the standards, and the best practices for the information. The information categorization is the process of assigning labels or tags to the information based on the predefined criteria, such as the impact level, the risk level, or the regulatory compliance. The information categorization can help determine the appropriate security measures and the access controls for the information, and facilitate the information management and the information sharing. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security and Risk Management, page 9. CISSP Practice Exam | Boson, Question 10.

Explanation/Reference:
Explanation:
Static passwords are passwords that can be reused, but may or may not expire. They can, therefore, be used for each log-on session if password expiration has not been configured.
Incorrect Answers:
A: A one-time password is no longer valid and, if obtained by a hacker, cannot be reused after it has been used.
B: A two-time password is not a valid password type.
D: A dynamic password is no longer valid and, if obtained by a hacker, cannot be reused after it has been used.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 195, 196 Conrad, Eric, Seth Misenar, Joshua Feldman, CISSP Study Guide, 2nd Edition, Syngress, Waltham, 2012, p. 30