Anyone taking the CISSP needs to answer the questions in the context of what the test is looking for.

  • Your Role is a Risk Advisor – Do NOT fix problems

    • DON’T FIX PROBLEMS

    • Engage the processes and controls to handle problems
    • Fix the Process, and the problems will take care of themselves
    • Focus on strategic planning, and think 5 years out
  • Who is accountable for Security?

    • Sr Management is accountable for the Security of the Organization (ultimate responsibility).
    • Employees have the responsibility to follow the standards set by Management.
    • Decisions escalate to Sr Management.
  • How much Security is enough?

    • You can have too much security.
      • do you have a retina scan to enter your house?

    • Security always has a cost (and not only in money).
    • Security needs to be worth the benefit. Just enough Security is enough.
      • Risk Management & Risk Analysis
      • Implement a control which protects the assets.
    • Security must support the Organization.
  • All decisions start with Risk Management.

    • Risk Management starts with identifying and valuing the assets.
  • Think of the End Game

    • For questions where all of the answers seem “pretty good”, the WHY leads back to protecting the assets.
    • Find the answer which best satisfies the question being asked and results in secure practices.
    • Pick the answer which goes far enough to satisfy the required result of the project.

  • Security Transcends Technology

    • Security is not the technology or tools. It’s processes, controls, and good sound foundational principles.
    • It doesn’t matter how much you spend on a firewall if it isn’t configured correctly.
  • Physical safety is always the first choice

  • Technical Questions are for Managers. Management questions are for Technicians.

    • The exam questions run down the middle between MBA and Technical. Answers are in the middle.
    • Answer the question, and only the question they give you. Answer with best practices, in the best circumstances. Don’t overthink.
  • Incorporate Security into the design, as opposed to adding it on later.

    • Security should be baked in, not sprayed on.

    • Integrate security into all that we do.
    • Security has to be considered at every step of the application’s lifecycle. From start to termination.
  • Layered Defence!

    • No one device or tool will be complete protection.

    • Defense is built upon layers of Due Care and Due Diligence.