CCT 051: CISSP Exam Questions (Domain 1)

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started, let's go. Hey, all this, sean Gerber, with CISSP Cyber Training, and today is exam question Thursday. So we are gonna be talking about some great exam questions for the CISSP that fall in line with supply chain risk And, if you all haven't been aware, the supply chain is a big challenge that we all struggle with. Every company out there does. It doesn't matter how big or how small you might be, you will struggle with supply chain. So this is gonna be an area that you'll be able to see in my CISSP Cyber Training environment. That is going to be one of the test questions, and one of the things I thought of, rather than just kind of having test questions for you that you couldn't have, is that be able to pull the questions out of my actual site and then you guys can video these. These will hit YouTube at some point, but you can also get them at my, at CISSP Cyber Training, and have access to them as well. But we're gonna kind of go over these questions and then from there we can talk about what the plan is. Okay, so question number this is 16, because there's actually about 25 questions, but we're only gonna be able to get to about 10 today. So which of the following is not a key principle of supply chain risk management? Okay, so, when you're dealing with supply chain risk management, what are some key things you need to keep, principles you need to be aware of? So this is one that is not a key principle. First one is transparency. Is it or isn't it? Agility is that a supply chain risk management issue? Or trustworthiness? And then, finally, isolation. So which one of these is not a key principle of supply chain risk management? And the answer is isolation. So the key principles of supply chain risk management do include transparency, which basically is clear visibility into the overall supply chain. Do you know what it is? from soup to nuts? What part of the entire chain do you understand? Agility is the ability to adapt to a changing situation And, as we know, this world is very changing and very dynamic. So you have to have agility to be able to do that. And then, finally, trustworthiness, or the reliability or integrity of these suppliers. One of the pieces that I deal with routinely is working with and trying to understand the suppliers for organizations. And what are they? a reliable or trustworthy organization and company? So that's things that you'll have to do as a security professional. You'll have to figure that part out, and the isolation is not a principle associated with supply chain, and in most cases you don't wanna have a supply chain that's totally isolated, because that will actually end up probably causing you more issues in the long run. Okay, so then what is the primary goal of supply chain risk management? A, to eliminate all risks from supply chains Okay, we all know that you can't eliminate all risks. B to minimize risks and maintain a continuity of operations Now, that would make sense. Or C maximize profits by taking on higher risks Now, that could be the case, potentially, but you'd have to really weigh out your supply chain. And then, two transfer risks to third party vendors. Well, we always wanna transfer some level of risk to third party vendors, but you may not wanna do all of that, dependent upon your business, right? So the real answer, or the correct answer is B to minimize risks and maintain continuity of operations. Okay, the main thing is you want to make sure that you have the ability to identify, assess and mitigate any risks that are in order of you in your organization, to make sure that you have a good plan to deal with the impact and how you can have your supply chain uninterrupted. So to minimize risks that's a key factor, but you're never gonna get rid of them and to maintain some level of operations and maintain that continuity of operations. That is the overall primary goal of supply chain risk management. Next question is which of the following is an example of supply chain risk mitigation strategy? So now we're gonna talk about supply chain risk mitigation. How are you going to minimize or mitigate the risks that are appropriated to the supply chain? So, a is outsourcing critical operations to a single vendor probably not a good idea. Single vendor no. Multiple vendors yeah, that probably makes sense. Relying solely on internal resources for all supply chain activities probably not, again, solely, and all those are key words. You probably want to avoid Implementing redundant suppliers for critical components. That would make sense, right? You want to have same thing we do with disaster recovery and business continuity is you want to have some sort of redundant systems And then D, minimizing supplier audits and evaluations. You wouldn't want to minimize those Now. You don't want to maximize those either. You want to find that sweet balance. So, when it really comes right down to it is you want to implement redundant suppliers, also known as what they call dual sourcing, and then you make sure that's in your supply chain mitigation strategy. Now, there might be some situations where you can't do that, and if you can't do that, then you need to at least discuss it, understand the risk and what you're willing to accept, and so that's the main thing. A lot of these is that you do understand, you go into these aspects with eyes wide open and you understand the risk the best that you possibly can. Next question what is the purpose of conducting a supply chain risk assessment? A to identify and evaluate potential risks in the supply chain, okay. B to select the most cost effective suppliers? Not really, probably, because you're looking at risk right. That may or may not be the right thing. Negotiate better contract with suppliers, maybe. Or to establish a strict control over supplier activities. It really wouldn't establish a strict control. It may help you put in place some controls, but it wouldn't help. You have a strict control around that. So the real answer or the correct answer is but A the purpose of conducting a supply chain risk assessment is to identify, assess and prioritize your risks, right, we talked about earlier and you want to make sure you have these potential risk mitigation strategies built in and you have to identify them, but that you do that through the use of a risk assessment. Next question what are the following is an example of a supply chain risk. So what could be a supply chain issue? A employee turnover in the finance department? That's probably not it. B a natural disaster causing disruption to the transportation routes Yeah, that would be a potential supply chain risk. Regulatory changes impacting product design That's not, doesn't deal with supply chain, it's more of a compliance and regulatory aspect. And then D changes in the market demand for the product Again, that doesn't really affect your supply chain. So the bottom line of it is is you want A a natural disaster causing disruption to transportation routes. These are important to understand that, because what can happen is is these risks could include natural disasters, geopolitical events you mean Russia, ukraine supplier bankruptcies, other external factors as well And all of those things can have dramatic impacts on your entire supply chain. So when you become a security professional for an organization, you're going to need to understand what those are for your company. What is the purpose? next question what is the purpose of a supplier code of conduct? A to impose strict regulations on suppliers. Well, that doesn't really regulations is not done by you. To ensure compliance with governmental regulations No, you can't really force them to do that. B to communicate the organization's expectations to the suppliers. That sounds probably more like it. Or D a transfer all supply chain risks to suppliers. Again, all got to avoid that. All. Now it can say again, sometimes all might be right, but in many cases, when they say all or never, those usually are key words that will keep you out of trouble. So the real answer, the correct answer is I don't know why I keep saying real, but the correct answer is C right, you want to communicate the organization's expectations to suppliers and this helps define your ethical, your social, your environmental. All these different security practices are then passed on to them, which is part of your code of conduct, and then therefore, they understand where your expectations are. Ideally, you would see the same code of conduct from them, so you can understand what their expectations are. Next question what's the following as an example of supply chain vulnerabilities? Okay, what could be a vulnerability in the supply chain? A implementing strong access controls for supplier systems Well, you're implementing something, so that wouldn't be a vulnerability. B regularly reviewing and updating supplier contracts Okay, that wouldn't necessarily be a vulnerability. Relying on a single supplier for a critical component Yeah, ding, ding, ding, ding. Yep, that's one right there. Or then conducting background checks on supplier employees. So the first, you know the A, b and D. You pretty much can figure that out right. If you rely on a single supplier, that would be a potential vulnerability in the supply chain and could have dramatic impacts upon you and your company. What is the purpose of supply chain continuity planning? A to identify and address potential disruptions in the supply chain. Kind of goes with the terms continuity. We talk about business continuity and disaster recovery Kind of sounds similar. B minimize costs by consolidating suppliers Okay, maybe that would be it. You wouldn't necessarily be looking for minimizing your costs, but maybe consolidating your suppliers. B maximize profits by increasing speed of delivery That's really not continuity planning. Or D outsource critical supply chain functions to third-party vendors Now, that could be close right. So you gotta decide. Maybe you will outsource some of your critical supply functions to a third-party vendor. But the answer is A to identify and address potential disruptions in the supply chain. That's the purpose of supply chain continuity planning. You wanna look for these areas that potentially could cause some impact from disruption. What is the impact to you? And then you develop a strategy to work around it. Next question what is the role of supply chain risk manager? A to solely focus on risk management within the supply chain Solely usually not a good word. To identify and mitigate risk throughout the supply chain, maybe sounds pretty close. C to manage only physical security risks within the supply chain. And that's only, and not in only physical security. That's not right. Or D transfer all risk to third-party vendors. Again, all yeah. So the real answer is B the correct answer, not real. Why do I keep saying that? The correct answer is B. A supply chain risk manager is responsible for identifying, assessing and developing risk mitigation strategies, as well as implementing measures to mitigate those risks across the supply chain. Last question what is the purpose of supply chain monitoring and surveillance? A to track suppliers financial performance, you know. B to identify potential opportunities for cost reduction. No, it's not really doesn't sound right. C to detect and respond to supply chain security incidents. Maybe monitoring surveillance may yeah, that might sound about right. Or D enforce compliance with regulatory requirements. You could play with that D a little bit, but that would not be the right one. The actual correct answer is C to detect and respond supply chain security incidents. Again, they wanna have things that are actively monitoring the supply chain for security incidents which could be unauthorized access, tampering or theft. Obviously you wanna have these measures and play mitigation strategies and measures to ensure that that is minimized. But you have to have some level of monitoring and surveillance. But don't bite off on D right To enforce compliance and regulatory requirements. Enforce is kind of a big word. Watch that word. Okay, that is all I have for today with these questions the CISSP cybertrainingcom questions And you can go out to the CISSPcybertrainingcom and you can go and check out the site. I got a lot. My blueprint is amazing. People keep talking about it And also the fact is is that business continues to grow because there's lots of people that wanna be get their CISSP done. Go out there, check it out. You can see these questions out there on CISSP cybertraining and they will eventually be on YouTube as well, so check that out as well. All right, that's all I got for today. Have a wonderful day, and we'll catch you on the flip side, see ya.