CISSP Cyber Training Podcast - CISSP Training Program

CCT 257: Practice CISSP Questions - Understanding, Adhering To, and Promoting Professional Ethics (Domain 1.1)

Shon Gerber, vCISO, CISSP, Cybersecurity Consultant and Entrepreneur Season 3 Episode 257


Check us out at: https://www.cisspcybertraining.com/

Ethical dilemmas lurk around every corner in cybersecurity, ready to challenge even the most technically competent professionals. Sean Gerber tackles these moral minefields head-on in this thought-provoking episode focused on CISSP Domain 1.1, presenting fifteen real-world ethical scenarios that will test your professional judgment.

The episode opens with crucial context about the New York Department of Financial Services (NYDFS) and its significant influence on cybersecurity standards in the financial sector. Sean explains how their recent bulletin addressing Iranian threats emphasizes essential security controls including multi-factor authentication and third-party risk management - requirements that extend well beyond the financial industry.

Diving into the ethical scenarios, listeners will confront challenging questions: What would you do upon discovering a concealed data breach orchestrated by previous leadership? How should you handle a zero-day vulnerability when the vendor is notorious for slow responses? Is it ever appropriate to modify security logging standards when employees resist what they perceive as surveillance?

Through each scenario, Sean walks through multiple possible responses, highlighting the correct ethical choice while acknowledging the complex organizational dynamics at play. The discussions reveal that ethical practice isn't just about knowing the right answer—it's about effectively implementing ethical decisions through proper channels, documentation, and constructive solutions.

The episode offers invaluable guidance for anyone preparing for the CISSP exam or working in cybersecurity, demonstrating that while technical competence opens doors in this field, ethical judgment keeps those doors from slamming shut. As cyber threats evolve in complexity, the moral compass of security professionals becomes an increasingly critical asset in protecting organizations and their stakeholders.

Ready to test your ethical judgment against CISSP standards? Visit CISSPcybertraining.com for 360 free practice questions and additional resources to strengthen both your technical knowledge and ethical reasoning.


Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Speaker 1:

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. Alright, let's get started. Let's go.

Speaker 2:

Hey all, Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday and we are going to be going over CISSP questions related to Domain 1.1, and the training that was done prior was done on Monday. So if you're new to CISSP Cyber Training, we do training over the products on Monday, or I should say over the domains, on Monday, followed by the CISSP questions on Thursday, and so that's where we're at today. So before we get started, this is going to be a quick article around NYDFS issuing some guidance around cybersecurity, as it relates to how you should think about this from a banking standpoint. Now, to set a little context, what is this? What is the article? What is NYDFS?

Speaker 2:

If you're not connected with NYDFS, they are a regulating body within New York and within the United States. New York houses the majority of our financial institutions, so the majority are within the state of New York, and therefore much of the US will follow whatever New York does as it relates to the banking industry. And it's not typically just banking. It's a lot of different aspects where they're a little bit more liberal when it comes to, or I should say conservative with, some aspects of how you want to use privacy and how you do cybersecurity. So many companies will use New York or California as the litmus test of how they should deploy their cybersecurity and privacy type aspects within their company. And so NYDFS has a lot of clout and it has a lot of pull within the rest of the financial industry, especially within the United States. So they're just basically coming out and saying that, hey, knock, knock. If you didn't have a good cybersecurity program before, you should have one now. You never know if you're going to be a target of hackers around the globe. Again, anybody listening to this podcast knows that can happen at any point, any time. It doesn't need NYDFS to come tap you on the shoulder. However, awareness is key. It's very important and so, therefore, that's why they're coming out and doing awareness.

Speaker 2:

Now, if you're not familiar with NYDFS, I'm just going to quickly highlight some different aspects of why it's important and why people are focused on it. So there are some various requirements that it does come out and enforce you to do. One, you must have a program in place. You must define it. Now, in the United States, there's NYDFS, there's GLBA, there's various other entities that require this. But because it's in New York State, New York said, hey, beyond what GLBA does, and that's a US-based law, we're going to focus a little bit more of a targeted approach on the New York State environment. So you've got to have a program, you've got to have a policy.

Speaker 2:

You have to have a CISO appointed, and this means an individual that is going to be your CISO within your organization. Now, if you go to a lot of banks, they don't have CISOs, especially small and medium-sized banks. They may have that as a dual-hatted role. However, in New York, you have to have one appointed, which means that person has to have signature authority. That person potentially needs to be part of the board.

Speaker 2:

There's a lot of different aspects that go along with being a CISO at a bank, a very large bank within the New York state environment. You need to have risk assessments done, you need to have access controls, and then you need to do pen tests on a routine basis. And then one of the key factors, the last two, was that they have multi-factor, and then third-party risk management, as key aspects of it. Now, multi-factor is an important part because of the fact that we stress that multi-factor should be used within any organization. Well, this document calls out multi-factor as well. I should say this bulletin calls out multi-factor and said, hey, if you haven't had it in place yet, you need to truly consider it to help protect your organization against these Iranian challenges. So, again, a very interesting part. I forgot to mention there's also encryption, audit, incident response reporting, annual certifications and so forth. That's all part of NYDFS.

Speaker 2:

But the point comes down to is that if you are a bank within the New York environment, you need to follow those regulations that are there. You also need to pay attention to potential Iranian hackers. Now, if you're not in the New York financial services environment, oh, you don't need to worry about it. No big deal. No, we all know that's not the case. You should probably take onus of whatever New York is doing and maybe even implement that within your company as well. I firmly believe that the more consistent that you can stay with all of these different security mechanisms, the better off you will be and the better off your customers will be. So, again, I just want to bring that up: NYDFS issues a bulletin as it relates to the Iranian threat, talking about what are some different aspects you should put in place to ensure that your company, especially your bank, your financial institution, is protected from these potential challenges on a global scale.

Speaker 2:

Okay, so let's get into some of the questions we're going to talk about today. Okay, so before we do, I wanted to just put out a quick shout out to head on over to CISSP Cyber Training and get access to all the content that's available to you there. It's great, just go check it out. There's a lot of great stuff available. There's a lot of free stuff. I'm making some changes to the site, but there's going to be a lot of free stuff out there as well as some paid stuff to help you get what you need. But head on over to cisspcybertraining.com, okay. So question one, let's roll into this. This is again tied to Domain 1.1 around ethics, so a lot of these are going to be scenario-based questions focused on ethics and how would you handle it. Okay, question one: a CISO discovers irrefutable evidence that her organization suffered a significant data breach six months ago.

Speaker 2:

This was intentionally concealed by the previous CISO and a former executive to avoid public and regulatory fallout. Not good. The breach exposed sensitive customer PII, and the current CISO's organization's code of ethics emphasizes that protecting the reputation is everything. It's above all else. So what is the most ethically sound course of action for the current CISO according to (ISC)²'s code of ethics? Okay, so A: quietly remediate the breach and ensure future incidents are reported without disclosing the past concealment, to protect the company's current reputation. Probably not the best choice.

Speaker 2:

B: disclose the breach immediately to affected customers and regulators, understanding this may cause significant reputational and financial harm to the organization. C: inform the board of directors and legal counsel, recommending a strategy to address the past concealment while minimizing additional damage. Or D: resign from the position to avoid complicity in the past concealment and protect personal and professional integrity. I guess it's a tough spot to be in, right, for your CISO. What would you do in this situation? So I would say it's going to be a combination. One you might bite off on is D, inform the board and legal counsel, which is definitely something you would do. You wouldn't just come out and arbitrarily say, hey, we did this, we were bad. You would want to make sure legal counsel and everybody's on board before you even do any of this aspect. But the right answer would be B: disclose the breach immediately to affected customers and regulators, understanding this may cause significant reputational and financial harm to the organization. It could cause a lot of financial or reputational harm to you, especially. Why? Because you walked into the dumpster fire and now you have to deal with it. Obviously, you would talk to legal and you would get with compliance and you would make sure that everybody is aligned with your approach. You'd have an approach defined and you would have a plan laid out. You, as a CISO, would be responsible to ensure that this plan is taken care of and that you have articulated it well to the entire organization before you actually come out. Again, this is going to be a huge deal. You wouldn't just come out and say it, but you'd want to come out effectively and quickly with what the situation is, to just tell your customers what's actually happened, and it would go badly, but you have to do it.

Speaker 2:

Question two: a security architect identifies a critical zero-day vulnerability in a widely used third-party component that his company relies on, which could expose millions of users across various organizations, millions and billions. The third-party vendor is notoriously slow, oh my goodness, to respond to security reports. Not good. The architect's organizational policy requires that all vulnerability disclosures go through the vendor first. What is the architect's most ethical priority in this situation, considering the potential for widespread harm? Okay, there's a vendor and it's a third party. They don't do things very quickly and it could expose millions and millions of users across many organizations. So what should you do? A: adhere strictly to the organizational policy by reporting only to the vendor and awaiting their response. B: immediately disclose the vulnerability publicly to warn the affected organizations and users. C: develop and implement internal mitigations and then wait for the vendor to patch before external disclosure. And then D: report the vulnerability to a reputable vulnerability coordination center or a CERT to facilitate responsible disclosure. Okay, so lots of stuff going on here.

Speaker 2:

What would you do as an architect? Well, as an architect, first off, you wouldn't just go and do this. You would actually go talk to your legal counsel around this. You'd talk to your CISO and many of the other organizations or people within your company. But if it was you and it was your responsibility to report it, then you probably would pick D, right: report the vulnerability to a reputable vulnerability coordination center to facilitate responsible disclosure. So again, you would first coordinate with the vendor. You'd work with them, trying to figure out what you're going to do. But if the vendor doesn't respond and the vendor is very slow to action, you would need to coordinate with your legal team to say, okay, after X amount of days, we are going to the reputable vulnerability coordination center, and then you'd have that plan defined. And you'd also define that plan with the vendor, saying, hey, we're coming out with this thing, whether you like it or not. So, unless you get your act together, we're going to come out and you're going to be named. And again, you're not going to say this. Your legal counsel will, but it's going to be an important part that you will want to make sure that they're aware of.

Speaker 2:

Question three: a security analyst is tasked with deploying an employee monitoring solution that records all internal communications, including personal messages, under the guise of data loss prevention. The analyst knows that this violates the spirit of the company's privacy policy and potentially local privacy laws. Although the legal department has provided a vague sign-off (that's what the plan is), her manager insists that a rapid deployment is necessary. So what is the analyst's most ethical responsibility here? So they're recording everything they are doing, they're being the NSA, and they're calling it data loss prevention. Again, now you look at the words, look at the terms, look at the question: the guise of data loss prevention. It gives you the hint that there's something nefarious going on here. Maybe there is, maybe there isn't. Again, this is important: when you are doing any sort of DLP, you need to make sure everybody's aligned with what's going on and it's full transparency, not with all employees, but with senior leadership, that they know what you're doing.

Speaker 2:

A: deploy the solution as instructed by her manager, as legal has provided sign-off, implying it is permissible. B: deploy the solution but configure it to minimize the collection of personal communications without informing management. C: express her concerns to her manager, citing potential privacy policy and legal risks, and request a clear legal review or policy amendment. And then D: report her manager's request to the internal ethics hotline or a regulatory body. Okay, so D, you would not want to do that. I mean, obviously you would do that if you got nothing, you thought this was absolutely stupid and everybody's being negligent. You would do that, but that's not where you would go to immediately. C is the correct answer: express your concerns to your manager, citing potential privacy violations and legal risks, and request a clear legal review or policy amendment.

Speaker 2:

So something to consider with this is that I've had numerous times where a policy has been set up, we set up the program, and then what ends up happening is I talk to legal and I go, this is what's actually occurring within this product, and they go, oh no, we don't want to do that. So legal will give you advice based on what they know, and sometimes it takes a little bit more clear understanding, both by you as the person that's bringing this forward and also by legal, and so that may change the approach. So if you do have analysts that come to you, or if you are an analyst and you're saying, hey, this is BS, this is not good, there's a way to provide criticism in a polite and effective manner. This would be one of those where you'd want to be very careful, not in a way that, be careful, you lose your job, but be careful on how you come across. Coming across saying you are violating policies, you should not do this, that's a bit abrasive and that will not get you where you want. But bringing forward something that needs clarity, because maybe you're just a little confused about it and you see some potential risks to the organization, that is a much better approach and you'll get a lot better listening from your legal counsel. So, again, it's all about the approach.

Speaker 2:

Question four: a CISSP-certified security consultant has been hired by a small tech startup (thank you very much) to develop an entire cybersecurity strategy. Yay. During the initial assessment, the consultant realizes that her existing knowledge base, while strong in enterprise security, has significant gaps in specific cloud-native and serverless technologies that the startup predominantly uses. That should have been figured out in the SOW. What is the most ethical course of action for this consultant? Okay, so this person does not know what they're doing on the specific topic. A: inform the startup of her knowledge gaps and propose bringing in a specialist, or recommend another consultant potentially better suited to oversee the strategy. B: proceed with the engagement, learning on the job to fill in the knowledge gaps, because the startup needs immediate help. C: decline the engagement entirely to avoid providing incompetent service. Or D: focus on areas of her expertise and deprioritize cloud-native aspects, as some security is better than none.

Speaker 2:

Okay, the most ethical course of action. Again, you could decline it. That would be good to avoid your incompetence, but the most ethical plan would be A: inform the startup of her knowledge gaps and propose bringing in a specialist, or recommend another consultant better suited to oversee the strategy. Obviously, this needs to come out during the SOW, your statement of work, but this does happen from time to time where you might get in and go, oh, this is not what they told me it is, and this is definitely not in my wheelhouse, so you may want to go, ah, let's talk about this, boys and girls. Because again, you want to do the most ethical thing and give them the product they need, again the service they want, for the price they've asked for. And you need to be able to provide the skills for it. And if you can't, you need to own it and figure out what to do to fix it. But again, coming together with solutions is a much better solution than just going, tap, I'm out, tap out. That does not help anybody and it actually hurts your overall street cred. Your street cred will be hurt already because of the fact that you're trying to do something you can't do, but at the end of the day, you need to make sure that you provide them the service they paid you for.

Speaker 2:

Question five: a security leader holding a CISSP discovers a critical vulnerability in a popular social media platform. Oh, yay. The platform has published a responsible disclosure policy, but it offers no bug bounty program. The researcher's rent is due. Oh, you see where this is going, and he knows selling this vulnerability on the black market could solve his immediate financial problems. Yeah, baby. What is the most ethical decision according to the (ISC)² code of ethics? Okay, so, yes, he could sell it. Could he sell it? Is that a good idea? A: sell the vulnerability on the black market to address his personal financial needs, as the platform offers no reward. B: follow the platform's responsible disclosure policy even without financial incentive, for the safety of users. C: disclose the vulnerability publicly immediately to force the platform to patch, as they offer no incentives. Or D: contact the platform privately, offer to fix the vulnerability for direct payment, and threaten public disclosure if refused. Okay, so all the threatening stuff? That's just bad. Right, it's just really bad. And then also putting it on the black market, that's really bad too. Bottom line is, if you're not getting paid, you still need to do the right thing and disclose it responsibly. The other thing you've got to understand is, even if you just said, you know what, I'm just going to release it in the wild, let it go, let's see what happens, you will be legally liable for doing that. And so you think you're doing the right thing in your mind, whatever that is, you will pay for it for quite some time. So, I highly recommend, follow the responsible disclosure policy, no matter what. That's the right call to do, because it's just the right call to do.

Speaker 2:

Question six: a CISO is reviewing a security budget proposal. This is a key project strongly recommended by the team as essential, right? It's essential, air quotes, for mitigating a significant threat, but it is deemed potentially too expensive by senior management, who are proposing that they defer it. They push it down, they kick the can down the road. The CISO believes that a deferral would put the organization at unacceptable risk, potentially violating the organization's stated risk tolerance. What is the most ethical action for the CISO? So now you get risk. Stated risk tolerance is an important factor, especially in the financial industry. So what should this CISO do? There's unacceptable risk. A: accept management's decision, document the deferral, and focus on budgetary items.

Speaker 2:

B: clearly articulate the risk implications of the deferral and make sure they understand that, including potential regulatory and financial impacts, ensuring that the risk acceptance is formally documented and approved by the appropriate levels of authority. Yes, B. Or C: implement the project secretly by reallocating funds from other areas without explicit approval. Or D: resign in protest, as the organization is clearly not prioritizing security. Okay, well, the last one is just, I'm going to throw a fit and take my ball and go home. That's not right. But B, clearly articulate the risk implications.

Speaker 2:

Defer to senior management, including potential regulatory and financial impacts, is an important part of all this, and you want to make sure it's documented. Again, it comes down to education. The board, in many of these cases, senior management, is going to find the money. If it's that big of a deal, you just have to do a really good job of articulating why it is a big deal. And again, you may also have to come to the table saying, because of this, we are going to defer X, Y and Z. But, guys and gals, we really need this, and this is why. They'll find the money. They will, most organizations will, because if they don't, they're legally being held liable as well if it ever comes out that the board or senior leadership didn't want to spend the money on security and something bad happens. Yeah, they're all fired. So everybody's aware. Again, it's CYA, cover your hiney. They will do it.

Speaker 2:

Question seven: a cybersecurity firm uses a proprietary scanning tool for its clients. A new employee, a CISSP, discovers a critical flaw in this tool that could allow an attacker to gain unauthorized access to client data if exploited during a scan. Reporting this internally would delay project timelines and could reflect poorly on the firm's reputation. What is the most ethical thing for this person to do? A: fix the flaw quietly without reporting it formally, to avoid delays and reputational damage. B: continue using the tool for current projects, but stop using it for new clients until the fix is available. C: inform clients immediately about the potential flaw in the scanning tool. Or D: report the flaw internally through the formal bug reporting process, emphasizing potential client impact. Okay, the most ethical action for this would be D: report the flaw internally through your formal bug process, emphasizing potential client impact. Again, you're going to have to get legal, compliance, all these boys and girls involved in this, so you really want to make sure that it is well documented and you've gone through your overall process. Again, that's the first step in doing this. Fixing it quietly, continuing to use it, those are not the best idea. You may have to, but you have to figure that one out. And then informing clients immediately, again, that's not good if you don't have legal and compliance on board.

Speaker 2:

Question eight: a financial institution's organizational code of ethics explicitly forbids employees from engaging in any outside consulting work that could create a conflict of interest. Yes, that is what I ran into when I was with my company. A CISSP-certified employee is offered a lucrative part-time consulting role for a non-profit. Yeah. What is unknown to him is that this non-profit is a minority investor in one of his financial institution's critical third-party vendors. What is the employee's most ethical decision? Again, you're getting offered a lucrative part-time consulting role for a non-profit which, unknown to him, is a minority investor in one of his financial institution's critical third-party vendors. So again, basically, what it comes right down to is he's going to go work for a non-profit. This non-profit has some aspects to a third party that is tied to his company. He doesn't know this, but what's that going to do? A: investigate the non-profit's affiliations and, if a potential conflict exists, disclose it to his employer before accepting. B: accept the role; the non-profit is unrelated to his direct work and the conflict is unknown. C: accept the role but implement a personal... Okay. So this is really squishy. It gets super tough and super interesting. So again, when it comes right down to it, the Code of Ethics forbids employees from engaging in any outside consulting work. So investigating the non-profit is an important part, understanding who they all are and what's going on. If a potential conflict exists, disclose it to the employer before accepting. That is A. I would highly recommend that.

Speaker 2:

When I had this situation occur to me, I was very upfront and transparent with my employer on what I was doing. Part of it was my podcast, right. I came out with my podcast, was running that, and with my employers, I wanted to let them know what I was doing because I'm talking about stuff. Their aspect was, hey, we're fine with it, just don't mention us. That's the end of it. They didn't really, they didn't want to be called out, or not necessarily even not mention them, just don't bring up any sort of vulnerabilities that could be tied to my previous organization, and that went without saying, right. So again, bring it up to people before you go and do it.

Speaker 2:

During an incident response, a security professional discovers evidence that a senior executive's account was compromised due to extremely weak, non-compliant password usage. The organizational policy states that all incidents must be fully documented, but the CISO requests that details of the executive's password weakness be omitted from the final report to avoid embarrassing this executive. Shame on you. What is the security professional's most ethical obligation? Okay, we don't want to do public shaming.

Speaker 2:

A: omit the details as requested by the CSO or CISO, as it is a direct order from superior management. B: document the full details of the password weakness in the report, citing the organizational policy for full documentation. C: document the full details but provide a separate redacted version to the CISO for external distribution. Or D: discuss with the CISO how omitting the details would hinder lessons learned and proper remediation. Okay, so there's a right way, and there's also the correct way and the right way. So the correct way would be B: document the full details of the weakness, citing the organizational policy for full documentation. That's right, no question about it. However, you're going to want to do this, and this is the nuance and the experience that you really need to get, is that you would work with the CISO, going, hey boss, we really need to deploy that, we really need to have this cited, we need to do it.

Speaker 2:

However, here are some options about how we could do this in a way that doesn't make our executive look like a fool. Maybe, and the reason it probably looks like a fool is, I mean, I'll give you an example. The executive's password, let's just say this guy's name or gal's name is Super Executive, that's their name, right? They put in their password "super executive rocks". Okay, well, you know who Super Executive is, right? It's this guy or gal. So you wouldn't put that in as a password. You would probably highlight the fact, maybe blur out part of it, and say, hey, this is a person's name, they put this in there, we're protecting this person, this individual. Come up with solutions around it. The executive would understand, they would see it and go, ooh, they would squirm a little bit in their chair, but it wouldn't call out the executive in front of all of their friends. So, again, there's ways to do this that are more professional, that you wouldn't just go, hey, it sucks to be you, I'm going to do this. Don't do that. Bad idea.

Speaker 2:

Question 10: a CISSP-certified individual is working on a new AI-driven product for his company. He discovers that the training data sourced from a third party contains personally identifiable information that was clearly not consented for AI model training (aha, AIs, baby), violating the company's privacy policy and GDPR. The team lead dismisses his concerns, stating that everyone does it and it's essential for model performance. Yeah, everybody does it. What's the problem? What is the most ethical course of action for this individual? A: continue working on the product, as the team lead has dismissed the concern and model performance is imperative. B: anonymize the PII in the training data oneself, even if it might degrade the model's performance slightly, without informing the team lead.

Speaker 2:

C: escalate the concern to the company's data protection officer, or DPO, or the legal compliance department. If you don't have a DPO, maybe you have a chief risk officer, somebody like that you would bring it up to. Or D: resign in protest. Right, that's always one. Resign in protest from the project to avoid ethical conflicts. I mean, that's obviously the draconian approach, but it's not the right approach. The answer would be C: escalate it to your DPO, risk officer, legal compliance, one of those folks, and just say, hey, we need to talk about this. Again, education, and I wouldn't throw your buddy under the bus. Just say, hey, we have some concerns, we need to talk about this. Don't throw your boss under the bus, but you also need to let your boss know, hey, I'm going up here, I'm gonna go talk to these people. You're awesome, but yeah, you suck.

Speaker 2:

Question 11. A security analyst, part of a global team, identifies a critical vulnerability in a system used primarily by employees in a country with strict cyber sovereignty laws. This makes it legally ambiguous to fully disclose all collected security log data to the central SOC located in another country. So, basically, they have sovereignty laws that say you've got to keep the data local, and then sending it to another SOC in a different country makes it challenging. Dealt with this. Yes, it's very challenging. The organizational policy mandates full log centralization. What is the most ethical approach for this analyst? So you need to get the logs out of this place where the logs need to stay: the cyber sovereignty laws of the country say no, but your policy says yes, you must. So what is the most ethical approach for this analyst? A. Prioritize the global organizational policy and centralize all logs; this offers better security, just do it. B. Prioritize the local country's cyber sovereignty laws and limit log collection or centralization from that region.

Speaker 2:

C. Document the conflict, raise it to legal and compliance, and propose a solution (haha, that sounds very good) that balances security and legal requirements, such as anonymization, pseudonymization, local processing before transfer, X, Y and Z. Come up with solutions. D. Request a transfer to a different team to avoid personal legal liability. That's not my thing; it's a hot potato, it's your problem. So the answer is C: document the conflict, raise it to legal and compliance and propose a solution. That's always the best option. Well, not always, but probably in most cases the best option.

Speaker 2:

Question 12. A security operations manager has discovered that one of his direct reports has been consistently violating the company's acceptable use policy by regularly browsing prohibited websites on company devices during work hours. I ran into this a lot. Yeah, especially in Europe. They would go on porn, because they could. They can't do it in the United States, but they could do it there. So you had to deal with acceptable use. In this case, these guys and gals are going to places they shouldn't be going. So this is an administrative policy violation, not a criminal act, but it could expose the company to malware because they're going to potentially risky sites.

Speaker 2:

What is the most ethical first step for the manager? A. Immediately terminate the employee for policy violations. I like that one, but that's not correct. Just terminate everybody. B. Issue a formal written warning and document the violation. C. Block the websites at the network level without informing the employee of the monitoring. Or D. Discreetly discuss the issue with the employee, explain the risks and remind them of the policy. So there's a couple things here, right? So the answer is D, and I agree with that. You discreetly talk to the employee and say, hey, let us not do this, but you need to document all this, and you need to document with their manager and you need to talk to their manager about it, but it would be discreetly doing this, not highlighting it, if you can avoid it. Again, the ultimate point is talk to the person, explain the situation. In many cases it can be resolved just by a conversation and it goes away. But you need to document everything that you did, because you never know when it could come back to bite you and they come back and say, well, hey, Shon said I could do it. Yeah, no, that's not the case.

Speaker 2:

Question 13. During a routine internal audit, you, a CISSP, identify that there's a critical legacy system vital for daily operations (okay, you've got your ops) which does not meet the organization's current minimum security baselines. Okay, it has outdated operating systems and unpatched software. Oh, not good. End of the world, it's Armageddon. Remediation would require a significant investment and downtime.

Speaker 2:

The operations department argues against immediate remediation due to the cost and service disruption. They don't want to affect ops. What is the most ethical course of action for this person? A. Approve a temporary waiver for the system, acknowledging operational constraints. B. Insist on immediate remediation, threatening to report the system as high risk to external auditors if not fixed. Again, draconian approach. C. Clearly document the deviation from the security baselines, conduct a formal risk assessment detailing the potential impact and likelihood, and present the remediation options as well as alternatives to the folks in, basically, risk management, to understand what to do. And then D. Advise operations to implement workarounds and accept the risk without formal documentation, given the system's criticality. So there's a lot going on here, and the correct answer is C, right? You want to do a risk assessment, look at where it's at from the baselines, including providing alternatives. Right, that's the best approach, but you're going to have to work through that with operations and make sure they understand it. You may actually even have a workaround in the short term until the risk assessment is complete. You probably need to do that, but you need to document it. That's where D falls flat: you have to document this and make sure everybody's aligned, including legal and compliance and your senior leaders. Again, I can't stress this enough: do not, I repeat, do not go alone on this. If you do, you will end up without a chair when the music stops, and we do not want that.

Speaker 2:

Question 14. A CISSP certified lead is tasked with implementing a new security logging standard across the organization. The standard requires logging specific user actions that some employees perceive as intrusive and unnecessary surveillance (yes, Big Brother), leading to internal resistance. The lead knows that these logs are critical for incident detection and forensic analysis. What is the most ethical action to address this resistance? A. Engage with employees, clearly communicate the necessity of the logs, basically explain the privacy standards or safeguards in place, and offer channels for their feedback. Again, listening and providing feedback. B. Implement the logging standard fully, ignoring the employee complaints, and just go, don't worry about it. C. Limit the scope of logging to avoid employee backlash, even if it compromises security visibility. Or D. Seek a mandatory directive from a senior leader to force compliance without further explanation to employees.

Speaker 2:

Now, if you all read these, you're probably going to figure out the right one, but the goal around this is to go, you know what, clearly communicate the necessity for the logs and the feedback. Make sure they're aware of what's going on and make sure that they're aligned with it. And even if they're not aligned with it, you still have to do it. But you need to make sure everybody understands the risk and why you're doing what you're doing. Okay, you are employed by a software vendor. You discover that a critical security patch released by the company for a widely used product inadvertently introduces a new and even more severe vulnerability. Oh no. The executive team decides to delay public announcement of the new vulnerability until the second patch is ready. So they're going to hold the public announcement until the second patch is ready, fearing potential immediate stock market impact. Okay, so they're publicly traded, so that tells you something, but they're going to delay on the public announcement until the second patch is ready.

Speaker 2:

The executive team's decision conflicts with the company's policy stating that customer safety is always first. What is the most ethical thing you should be doing? A. Remain silent, continue working on the second patch as per the executive's instructions. B. Publicly disclose the new vulnerability immediately to alert customers. C. Inform the board of directors and legal counsel about the executive team's decision and its potential ethical or legal implications. Or D. Inform the direct manager of the ethical conflict and suggest a compromise solution, basically a private notification to high-risk customers.

Speaker 2:

Okay, again, there's lots of nuances in which way this could go. The answer is C, informing the board of directors and legal counsel. That is what you should do, but there would be a lot of things leading up to that, and you might be a security analyst and that's not your role to do that. Your role is that you're doing whatever, but let's just say you are somebody that is in a senior leadership position. This is something that you would want to highlight to the board of directors if you're not getting it resolved.

Speaker 2:

That being said, if you're willing to take it to the board of directors, it is highly, highly likely that your senior leaders will not be bucking you, and they'll go, okay, let's do this. What do we need to do? Because they're not going to want to take this to the board or legal counsel. They're going to want it to be resolved internally and quietly, to get it taken care of and be done the right way. But, yeah, you're going to want to make sure that you bring this out and you get it resolved as fast as you possibly can without having to go and jump through a bunch of hoops. But the correct answer is C: inform the board of directors and legal counsel about the executive team's decision and its potential ethical and legal implications.

Speaker 2:

Okay, that is all I have for you today. Again, this is CISSP Cyber Training, and you can head on over here and get all kinds of free stuff. It's amazing, you'll love it. It's going to be incredible. But head over to CISSPcybertraining.com. Expect some changes coming to the site. Got a lot of great stuff coming. A lot of great stuff happening on YouTube as well, so you are going to love it.

Speaker 2:

If you're studying for your CISSP, it's going to be really good for you. All right, hope you have a wonderful, wonderful day and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.