CCT 285: CISSP Questions – Governance Principles

Oct 23, 2025

The fastest way to lose trust is to let AI adoption outrun your governance. We open with a blunt look at AI sprawl and shadow AI: how unsanctioned tools slip past weak policies, create data exposure, and strain legacy controls. Then we lay out a practical path for teams that don't have a big-tech budget: continuous discovery via proxy logs or CASB-like tools, real-time monitoring through a trusted partner, and risk assessments that focus on business impact, not buzzwords. The goal isn't to slow innovation; it's to make it safe and repeatable.

From there, we bring CISSP Domain 1.3 to life with five scenario‑based questions that mirror real leadership decisions. You’ll hear why federated governance outperforms heavy central mandates in multinationals, how defining risk appetite is the first step before any framework, and which metrics actually prove value to a board. We draw a clear line between due care (policies, accountability, legal alignment) and due diligence (testing, verification, audits), and we show why insurance can transfer residual risk but can never replace sound governance.

We also get specific about executive communication. A new CEO wants alignment, accountability, and outcomes—not weekly patch timelines. Learn how to map security objectives to corporate strategy, prioritize by business risk, and present measurable progress that earns budget and buy‑in. If you’re preparing for the CISSP or leading a program under pressure, these principles help you think like a strategist and act with confidence.

Want more? Explore the free resources and growing library at CISSP Cyber Training, and grab the 360 free CISSP practice questions. If this episode helps you think clearer about governance and AI, subscribe, share it with a teammate, and leave a quick review to help others find the show.

TRANSCRIPT

SPEAKER_00:  

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber. I'm your host for this action-packed informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started.

SPEAKER_01:  

Good morning, everybody. It's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is, yes, CISSP Question Thursday, and we are going to be going into some deep-dive questions related to Domain 1.3. Again, the questions we talk about on Thursday are typically related to the topic we talk about on Monday, which was Domain 1.3 of the CISSP exam. So we're going to get into some deep-dive questions related to it. The purpose of this is that there are tons of questions at CISSP Cyber Training, but I wanted to focus specifically on some deeper questions versus running through a long list of questions that you should be paying attention to. When it comes right down to the CISSP, as we all know, there are lots of different ways for you to learn and grow and get prepared for the exam, and one of the typical comments out there is that you have to go through a lot of questions to make this happen. I do agree you need to go through a lot of questions to help understand the mindset. However, it can be daunting if you're told you have to go through two or three thousand questions. So the point of this is to delve a little deeper into some of these questions, why the thought process is the way it is, and then reinforce that with the training you get at CISSP Cyber Training, because the ultimate point is that you want something that helps you pass the exam the first time.

Before we do that, though, I wanted to go over an article I saw in the news. It's related to AI, which is a path I've been going down a little more as of late, for two reasons. One is that the company I work with, Next Peak, has a really good AI security assessment program for companies.
Two, I do not feel there's a lot of knowledge around AI; it is growing very quickly, and there's limited knowledge around it specifically. I know that in a large enterprise you probably have plenty of people who understand it well enough that they can add security controls. My biggest concern is the mid-size and small businesses that are trying to use AI in a way that can help them. I don't know if they truly understand some of the risks they're taking on. This article is partly the vendor trying to sell its products, talking about how they can help secure the world with their plans, but they bring up some good points that I wanted to highlight as they relate to AI security. One of the things they talk about in the article is AI sprawl. If you are a company that has some level of artificial intelligence or LLMs incorporated within your network, you will start to see more and more of this, especially if you do not have good policies on how to manage the data and the technology within your company. A lot of people see this as a way to maximize the capability of their people and what they can do. It's also a way to limit employees, right? If there are employees doing more mundane tasks, why do I want to have them on the payroll when I could use them for more important things than basic data entry? That's part of why AI has grown so much. So there are some key risks you're seeing out there: data sprawl is one, supply chain vulnerability is another, data exposure risk is another; these are all big factors that can potentially affect companies. But the one thing I keep coming back to is shadow AI.
This is where unsanctioned employee use of AI is happening. If you don't have a good policy in your environment, like I mentioned earlier, limiting the amount of AI that can be used at work, folks are going to find ways around it. Just like they did with websites, the filters you have in place to limit AI are going to miss things and are going to allow employees to use these tools. So, one, you have to have a really good policy; two, you have to have tools in place to minimize the effort; and three, you have to have some really good training to help your employees understand they shouldn't do these things, and that if they do, there are consequences that go with that. Obviously there are complex AI supply chain dependencies, there's data leakage to external AI services, and legacy controls just don't understand and fail against many of these fast-moving AI capabilities. So there are some really big risks for organizations if they're not paying attention.

What are some things you need to keep aware of if you are going to be deploying AI within your environment? One is continuous discovery of any new AI tools. Do you have software in place that is looking for employees using AI tools? A proxy is a good example of that. Is your proxy aware enough to know if employees are using AI, and will it flag or alert on that? Two is real-time monitoring and analytics. If you're a small to medium company, you may not be doing that in-house, which I actually don't recommend doing in-house unless you are a software company and may already have that capability built in. I would outsource it to somebody for whom it's their comparative advantage to be successful at that.
They have adaptive, context-aware risk assessment. Do you have some sort of risk assessment that you've done to understand the risks associated with it? Again, you need to really understand what problem you're trying to solve here. And then the big one, which I feel is a big aspect, is governance controls to enforce compliance and safe use. If you don't have this governance in place, and that comes down to policies and to having some sort of procedures, if you don't have these in place related to AI, you're really asking your employees to just figure it out on their own. That's not a good place to be, especially if you are in a regulated environment where you can't get away with that. If something bad happens, they're coming after you. Even if you're not in a regulated environment, if something does occur within your organization, you are now set up for litigation from a civil standpoint; the people whose data you've got can come after you as well. So it's just imperative that you have some level of governance around AI within your organization. You really have to think about this pretty hard. So again: safe innovation, where employees can adopt AI tools with confidence, that's a good thing you want them to do; reduced exposure, obviously, to AI or LLMs; regulatory readiness, where you have a strong governance plan in place; and then they talk about enterprise trust, strengthening the relationship between customers, partners, and regulators. Again, being transparent, dealing with all of that out front, and explaining where you're at with it will go a long way toward helping your program. So it's a good article.
It's really pretty quick, about three and a half minutes of reading, but the ultimate point is that if you are utilizing AI within your enterprise, whether you're big or small, you truly need some level of risk assessment done to understand your overall risks around the AI infrastructure and AI capabilities. If you don't, it's really hard to protect something you don't even truly understand yourself. Again, you may have this all under control, and good on you if you've got it. But this is for the companies that maybe aren't quite there yet. It's an important part that you need to consider. So go check it out. Again, the article is "Evolving Enterprise Defense to Secure Modern AI Supply Chain," and it's on The Hacker News.

Okay, let's get started on what we're going to talk about today. This is Domain 1 deep-dive questions; we're going to be talking about Domain 1.3. You can go to CISSP Cyber Training and get access to all of my questions, these included, as well as my 10-day boot camp that I'm building and the overall questions that are going to be tied to that. So there's a lot of great stuff coming to CISSP Cyber Training, even more than what I currently have. One of my mentors made a comment to me and said, "You have so much content out here; how in the world is it so reasonable?" And realistically it is. All the content you need to pass the CISSP is on my site, period. There is so much out there available for you, so just go out to CISSP Cyber Training and check it out. I've got a bunch of free content, as well as the paid content if you really need some extra help and want to get it done in a time frame that works for you and your busy schedule.
So again, go out to CISSP Cyber Training and check it out. Okay, Domain 1 deep-dive questions. Let's get into question number one.

Question one: A multinational corporation with decentralized IT operations is struggling to implement consistent information security practices. Local business units resist corporate mandates, claiming conflicts with regional regulations and business needs. From a governance perspective, what is the most effective mechanism to address this challenge? So you have a lot going on here: a multinational, decentralized IT, security practices, and local business units. There are a lot of people involved. And as we talk about in the CISSP, and from a CISO standpoint, it's all about influence. You're going to have to figure out how to influence these people. But it's asking what the most effective mechanism is to address this specific challenge. A, enforce centralized corporate control with mandatory compliance audits. B, delegate full governance responsibilities to local business units. C, adopt only the strictest regional regulations and apply them globally. Or D, apply a federated governance model that balances global and local requirements.

Let's break each of these down. A, enforce centralized corporate control with mandatory compliance audits. That will work, but it's using a mallet for a very small job, right? You're getting a hammer out and beating on people. I wouldn't recommend that. B, delegate full governance responsibilities to local business units. Now, instead of one governance plan, you have many governance plans in different jurisdictions, each with different regional issues to work through. That is going to be extremely complex and painful, so I would not do B. C is adopt only the strictest regional regulations and apply them globally.
Okay, so this I have seen happen. I used to do this when I worked at my multinational, Cook Industries. We would look at the strictest regulation and try to apply it as much as possible globally, because if it's the strictest, it would cover everyone. That may or may not be the right call for you. It is possible, depending on the size of your enterprise and also how much leadership power is behind it, but it can be very onerous and can add a lot of additional compliance requirements that you may not necessarily need. It may be good for some organizations, but it's probably not the most effective mechanism. D is apply a federated governance model that balances global and local requirements. Now you are blending the local and global requirements. It's kind of an in-between of C, where it's the strictest regional regulation, but you're now balancing that as best you possibly can against the local requirements. You may end up at C when you start doing this, but the point is that you're trying to find a balance between what's happening locally and what's happening globally and come to a happy medium in between. Now, this is not something you would do on your own as a security professional, by any stretch of the imagination. You would have your legal, compliance, and HR folks all involved in this discussion, because it would affect many, many people from many different areas; again, it's a multinational, so you're dealing with lots of different geographic locations. It is not a call the CISO alone can make. It's going to take a village to make that happen.

Okay, let's move on to question two. An international financial organization is developing a security governance framework.
The board of directors has mandated that the framework must be aligned with business objectives, demonstrate accountability, and provide measurable outcomes. Sounds familiar; big thing. Which of the following is the most critical first step in this process? You have an international financial organization developing a governance framework. That's big, right? Financial, big money; international, big scope, big scale. The board of directors is mandating something, which means the CISO, along with the CIO and the CEO, have all agreed that this is what we need to do, so you've got top-level leadership approval. The framework must align with business objectives, demonstrate accountability, and provide measurable outcomes. Again, metrics are important, imperative. Which of the following is the most critical first step in this process? I'll read through the options first. A, define the organization's risk appetite and tolerance levels. B, establish a formal security steering committee with business leaders. C, conduct a business impact assessment across all functional areas. Or D, implement a control framework such as ISO/IEC 27001.

So what's the most critical first step? If you go back to the paragraph, which one must you really accomplish first? Let's start with the ones we know are wrong. D, implement a control framework such as ISO 27001. That is something you'll want to do; however, it will not be the first step, because that's usually about step five or six down the road, maybe more like three or four. It's not the first step. C, conduct a business impact assessment across all functional areas. That could be something you would want to do. Now, you may not do it against all functional areas; you may want to do it against the highest-risk functional areas, but you have to figure out what your risk is first before you do that.
The next one, B, establish a formal security steering committee with business leaders. That is an important step as well. Getting business leaders involved in the conversation and having them understand what's going on is important. So all of these are good, right? They're not bad, they're just different. But it's not the first step in this process. The first step in this process is to define the organization's risk appetite and tolerance levels, because this will feed many of the other areas, including your BIA, steering committees, and so forth. If you have areas that are really low risk, then you don't necessarily need to pull on those business leaders as much. I would still have them involved in the conversation, but you may be having more detailed, more routine meetings with the folks in higher-risk areas than with those who are not. But again, the number one, most critical first step is to define the organization's risk appetite and tolerance levels.

Question three: The CISO of a healthcare organization is tasked with reporting on the effectiveness of its security governance to the board. Makes sense. Which of the following is the best indicator of governance effectiveness? So the CISO has to go to the board and report on governance effectiveness. A, number of security incidents detected by monitoring tools. B, percentage of staff completing mandatory security awareness training. C, degree of alignment between security investments and business objectives. Or D, number of audit findings resolved within the required time frame. This is going to the board, and the board is the money people. The board are the ones that release the money; they're the ones that say, yes, go spend this cash. So that's an important thing for you to know from a contextual standpoint.
So which of the following is the best indicator of governance effectiveness? Let's start with the ones that are not correct. D, number of audit findings resolved within the required time frame. Having audit findings that have been resolved is an important part, and your board may want that, depending on the situation. Some boards will want that information, some will not. If you're just getting started with your board, that might be a good metric for you to track; it shows them progress, shows that you're moving forward. However, it is not the best indicator of governance effectiveness. It says that you can check boxes and get through things, but it's not telling you how effective you might be. A, number of security incidents detected by monitoring tools. This gives you a good idea that your tools are actually doing something; however, it's not truly telling you what is going on within your organization, and it's not remediating any of it. So is it an indicator of effectiveness? Maybe not so much. It gives you an idea that your tools are in place, that they've paid for them and they're actually working, but it's not an indicator of governance effectiveness. B, percentage of staff completing mandatory security awareness training. This is another one that could say your governance is important and you're doing things with governance; maybe part of your training is tied to that. However, it doesn't really get into the effectiveness of it. One thing that would probably be more effective is how many events your employees reported after training when they did a phishing test. That would be a good metric on how effective the governance might be. However, in this case, that's not the question they're asking.
The most correct answer is C, degree of alignment between security investments and business objectives. This is based on the overall strategic alignment of what the board of directors wanted, and it helps ensure that what they're planning and what their investments are doing are meeting the business objectives one-for-one. Now, you're going to have to unpack that a bit and explain to them why it's meeting those objectives. But think about it this way: if it's the board of directors, it's strategic. If you're dealing with something very tactical, that is probably not a board of directors question. The three incorrect answers were all tactical; the one that was correct was strategic. So if you don't know, think about it that way.

Question four: Which of the following best demonstrates the principle of due care in an organization's security governance framework? We're talking about due care, right? Remember, we talked about that in the Domain 1.3 training on Monday. So let's go through the options. A, ensuring senior management accepts accountability for implementing controls. B, documented security policies that reflect organizational goals and legal obligations. C, conducting regular vulnerability scans and penetration tests on critical systems. Or D, purchasing cybersecurity insurance to offset potential financial losses. So, question four: which of the following best demonstrates the principle of due care in an organization's security governance framework? Let's talk about the options that are not correct. D, purchasing cybersecurity insurance to offset potential financial losses.
That doesn't really get into due care, because with due care you're looking at ways to take reasonable steps to protect the assets and the stakeholders. Purchasing cybersecurity insurance is more a way for you to transfer risk to another organization. It's not due care to figure out what's going on within your organization, so that would not be a due care type of activity. C, conducting regular vulnerability scans and penetration tests on critical systems. This is not a due care activity; this is a due diligence activity, where you're doing what you should be doing, such as security audits, threat intelligence, and penetration scans. That is where you're taking the diligence: you're doing the activities to make sure your systems are protected. It's not a due care aspect. A, ensuring senior management accepts accountability for implementing controls. That is not something that really falls into any of this. This is one of those aspects where you just have to work with senior management to ensure they're aligned with your plan. At the end of the day, if they're aligned with your goals, they will accept the responsibility and accountability for it; if they aren't aligned with your controls, they will not. So you've got to make sure, again, this is the influence piece, that they're aligned with all of that. And the correct answer is B, documented security policies that reflect organizational goals and legal obligations. This is the due care piece, where you're taking reasonable steps to protect the assets and the stakeholders. By creating documented security policies for your organization, you address the organizational goals and legal obligations you may have. Those are important parts of your overall due care for your organization.
Question five: A newly appointed CEO wants assurance that the company's information security program supports the business strategy. The CISO explains that the security governance framework is designed to achieve this. Which of the following elements is least likely to demonstrate effective security governance to the CEO? Again, a newly appointed CEO wants assurance that the company's information security program supports the business strategy. Does it meet the strategy he's outlined? The CISO explains that the governance framework is designed to achieve this. Which of the following elements is least likely to demonstrate effective security governance to the CEO? So again, watch the question: which of the elements is least likely? That could get you. You could be thinking, oh, what's likely? And then you bite off on that and get confused. Least likely. Okay: A, mapping of security objectives to corporate strategic objectives. B, clear assignment of accountability for information security at the executive level. C, regular operational reports showing patching timelines and incident response metrics. Or D, established risk management processes that incorporate business priorities.

Let's go through the options that are not correct, the ones that are not least likely to demonstrate effective security governance. A, mapping security objectives to corporate strategic objectives. That is definitely something your security governance program and your CEO would be very interested in. If the security objectives and the corporate strategic objectives meet, then life is good, we have nirvana, the CEO's happy, and the CISO still has his job. B, clear assignment of accountability for information security at the executive level. Yes, that is something the CEO would definitely want. That would not be a least likely kind of thing.
So you would go, well, of course that makes sense. If you're reading through this quickly you go, click, I've got that, and then you get it wrong. The next option, D, established risk management processes that incorporate business priorities. Again, sounds wonderful, and it is wonderful if you have a good security program in place and the CEO is happy. Yes, that is what you want. However, the option least likely to demonstrate the effectiveness of your security governance to the CEO is C, regular operational reports showing patching timelines and incident response metrics. The CEO is interested in governance, right? Does he want to know metrics around patching, incident response, and all those things? It's highly unlikely that he or she is going to care too much about that whatsoever. Now, if they're asking you questions around it, yes, that's fine. But that is not something that would show the effectiveness of security governance to the CEO. It just wouldn't do it. The CEO is going to want to know more about strategic aspects, accountability, and enterprise risk management. That's what the CEO, he or she, will want. So you want to make sure you don't give them the metrics. I've seen this time and again: they have metrics everywhere, showing metrics of stuff saying, look, your product is working so well. That's not what they want. Now, I say that, and one person is going to email me saying, yes, they do want that, my CEO wanted it. Yeah, I get it. In some cases they're going to want it. But in most cases they're going to yawn: you're the geek, figure it out. I cannot tell you how many times I've been in a meeting with a CEO who is thinking about financial aspects, and one of the guys before me had a slide up there with patching metrics, and he just looked at me like, what is this? That was a cringe moment. It was not good.
Now, that being said, there was a time when I did have metrics up there about where we were patched, because there was a situation that required us to address it immediately, and he wanted to know, okay, how big of a risk do I have to my organization? That was a one-time slide that basically said, here's what we have, here's what we don't have, here's the gap, and this is what we're doing to fix it. And then he was happy. The point is that you may have this, but it's more of a strategic thought process. It isn't tactical around your specific metrics on each specific tool, what sort of patching, etc. So again, be very careful with that. Do not read these questions too fast. Take your time, go one question at a time. A newly appointed CEO wants assurance that the program supports the business strategy. Period. The CISO explains, blah, blah, blah. Period. Read it that slowly and that methodically. If you do it that way, you have a much better chance; even if you don't know the answer, you can guess more appropriately.

Okay, that is all I have for you today on CISSP Cyber Training. Go to CISSPCyberTraining.com and check out my free stuff. Lots of great stuff, lots of free stuff, and an amazing amount of paid stuff. And the paid stuff, like I said before, I mean it: you cannot go out there and find what you get at CISSP Cyber Training. You would pay thousands and thousands of dollars for the content you have at CISSP Cyber Training, and I'm making it better all the time. So if you're studying for the CISSP, the best money you could ever spend is going out to CISSP Cyber Training and purchasing some of my paid products. I highly stress that to you. It's inexpensive; I purposely made it inexpensive for people to be able to go out and do this. And there's new content added all the time. I mean it.
I routinely make new podcasts each and every week, and the content I put out there, the podcasts, the different blueprints, all of that is available to you at CISSP Cyber Training. Go check it out. If you don't want to pay for anything, that's fine; I've got free stuff that will help you along as well. It puts you in a much better position than I was in when I studied for it. So again, it's there for the taking at CISSP Cyber Training. And this is coming from someone who's been there, done that, got the t-shirt and the CISSP. I've got 20-some years working in security, including as a CISO, and this stuff is there and available for you. I can't rant on it enough, just because of the fact that it is very inexpensive for you. All right, go ahead and check it out. Have a wonderful day. We'll catch you all on the flip side. See ya.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes; I would greatly appreciate your feedback. Also, check out my videos on YouTube: just head to my channel at CISSP Cyber Training, and you will find a plethora, or a cornucopia, of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
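The proxy-based shadow-AI discovery the episode describes, as an added example that is not part of the original episode or of any product it mentions. The log format, the catalogue of AI domains, the single sanctioned endpoint and the sample records are all constructed assumptions. The sweep parses proxy records, matches destination hosts (including subdomains) against the catalogue, skips the approved endpoint, and tallies requests and uploaded bytes per user and host, so the report shows data leaving the organization and not just visits.

```python
"""Shadow-AI discovery over web-proxy logs.

Added example, not code from the episode or any vendor. The log format,
the AI domain catalogue, the sanctioned endpoint and the sample records
are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Assumed catalogue of AI/LLM service domains (illustrative, not exhaustive).
AI_DOMAINS = {
    "openai.com": "OpenAI",
    "anthropic.com": "Anthropic",
    "claude.ai": "Anthropic",
    "gemini.google.com": "Google Gemini",
    "huggingface.co": "Hugging Face",
    "perplexity.ai": "Perplexity",
}

# Assumed policy: the only AI endpoint approved for company data
# (hypothetical enterprise API tenant, not a consumer chat front end).
SANCTIONED_HOSTS = {"api.openai.com"}


@dataclass
class ProxyEvent:
    ts: str
    user: str
    method: str
    url: str
    bytes_out: int  # request body bytes sent to the destination


def parse_line(line: str) -> Optional[ProxyEvent]:
    """Parse one constructed proxy record: '<ts> <user> <method> <url> <bytes_out>'."""
    parts = line.split()
    if len(parts) != 5:
        return None  # malformed record: skip it rather than abort the sweep
    ts, user, method, url, bytes_out = parts
    try:
        return ProxyEvent(ts, user, method.upper(), url, int(bytes_out))
    except ValueError:
        return None


def _suffix_match(host: str, domains: Iterable[str]) -> Optional[str]:
    """Return the catalogue domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def match_ai_vendor(host: str) -> Optional[str]:
    """Vendor name if host belongs to a catalogued AI domain, else None."""
    domain = _suffix_match(host, AI_DOMAINS)
    return AI_DOMAINS[domain] if domain else None


def is_sanctioned(host: str) -> bool:
    """True if host is (a subdomain of) an approved AI endpoint."""
    return _suffix_match(host, SANCTIONED_HOSTS) is not None


def find_shadow_ai(lines: Iterable[str]) -> Dict[Tuple[str, str], dict]:
    """Tally unsanctioned AI traffic per (user, host).

    Returns {(user, host): {"vendor", "requests", "bytes_out"}}. Only
    POST/PUT bodies count toward bytes_out, since those carry the data
    that may be leaving the organization.
    """
    findings: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"vendor": None, "requests": 0, "bytes_out": 0}
    )
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        host = urlsplit(ev.url).hostname or ""
        vendor = match_ai_vendor(host)
        if vendor is None or is_sanctioned(host):
            continue  # not an AI service, or an approved one
        rec = findings[(ev.user, host)]
        rec["vendor"] = vendor
        rec["requests"] += 1
        if ev.method in ("POST", "PUT"):
            rec["bytes_out"] += ev.bytes_out
    return dict(findings)


# Constructed sample records: ts user method url bytes_out
SAMPLE_LOG = [
    "2025-10-23T09:01:02Z alice POST https://api.openai.com/v1/chat/completions 2048",
    "2025-10-23T09:03:17Z bob POST https://chat.openai.com/backend-api/conversation 51200",
    "2025-10-23T09:05:44Z bob GET https://www.example.com/ 0",
    "2025-10-23T09:07:09Z carol POST https://claude.ai/api/organizations/x/chat 8192",
    "2025-10-23T09:08:30Z carol GET https://claude.ai/ 0",
    "2025-10-23T09:09:31Z carol POST https://huggingface.co/spaces/demo 4096",
    "this line is malformed",
]

if __name__ == "__main__":
    for (user, host), rec in sorted(find_shadow_ai(SAMPLE_LOG).items()):
        print(f"{user:6} {host:24} {rec['vendor']:12} "
              f"requests={rec['requests']} bytes_out={rec['bytes_out']}")
```

Run against the constructed sample, alice's call to the sanctioned API endpoint is ignored, while bob's consumer ChatGPT session and carol's Claude and Hugging Face traffic are reported with the bytes they uploaded. In a real deployment the catalogue would come from a maintained feed and the sanctioned list from the policy the episode says you need to write first; the suffix match matters because vendors serve their chat front ends and APIs from different subdomains.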

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?

Let CISSP Cyber Training help you pass the CISSP Test the first time!
