CCT 303 - Domain 6 Deep Dive Questions - Domain 6.5
Dec 01, 2025
Check us out at: https://www.cisspcybertraining.com/
Get access to 360 FREE CISSP Questions: https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout
Get access to my FREE CISSP Self-Study Essentials Videos: https://www.cisspcybertraining.com/offers/KzBKKouv
A headline about hacked nanny cams is more than a cautionary tale—it’s a mirror for how easily convenience eclipses security. We start with the Korean IP camera case to highlight simple, high-impact steps anyone can take: change default credentials, use unique passwords, turn off remote access unless you truly need it, and keep firmware current. Then we ask the harder question: how do you prove security works when the stakes are higher than a living room feed?
Shifting into CISSP Domain 6, we break down audit readiness, independence, and risk-based assurance. If you’re eyeing ISO 27001, the smartest first move is an internal audit program aligned with the standard’s control objectives. It validates design and operating effectiveness before an external auditor walks in, and it surfaces the documentation and evidence gaps that slow teams down. We also unpack governance: when boards want independent assurance, the audit function should report outside IT. Self-assessments still help, but they don’t replace a real audit.
Risk should lead, not scanner severity. Consider a “medium” vulnerability on a critical payment system that demands authenticated access and precise timing. Rather than knee-jerk patching or dismissal, a structured risk analysis weighs business impact, likelihood, and compensating controls like monitoring and segregation of duties. That approach drives better prioritization and stronger outcomes.
For ongoing evaluation, snapshots alone aren’t enough. Instead of doubling costly SOC 2s, blend risk-based self-assessments, targeted internal audits, and continuous monitoring to maximize coverage and value. And when your cloud provider won’t allow pen tests on shared PaaS, you can still gain assurance: request SOC 2 Type II, ISO 27001, and pen test summaries under NDA, then map their scope and results to your control requirements and risk appetite. Close gaps with compensating controls and a clear shared responsibility matrix.
If you’re preparing for the CISSP or modernizing your assurance program, this conversation will help you cut noise, focus effort, and build confidence where it counts. Subscribe, share with a teammate who handles audits, and leave a review to tell us what assurance challenge you want solved next.
TRANSCRIPT
SPEAKER_00:
Welcome to the CISSP Cyber Training Podcast. We provide you training and tools you need to pass the CISSP exam first. Hi, my name is Sean Gerber. I'm your host of Active Activity Podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cyber security knowledge. Alright.
SPEAKER_01:
Good morning, everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is CISSP question Thursday, and we are going to be getting into the CISSP questions related to domain five. But before we do, I obviously have this small little thing we're going to talk about, just a couple little areas of within the IP or IT space that may be affecting you. And as you are listening to this, you're probably like we talk about numerous times on this podcast, you are probably a cybersecurity professional or related to that field in some way or another. And this article came out of BleepingComputer. And this is where it comes down to some Korean experts arrest individuals selling intimate videos from hacked IP cameras. So, as we all know, there's IP cameras everywhere. They are all over the place. And if they're not on your phone, they are based in these actually the normal cameras that you can buy. If you can buy them from Wyze, you can buy them from Lorex, you can buy them from all kinds of places, that these IP cameras will be available to you. And I have them as well. If in within my businesses that we have, we have a couple different businesses that are with coffee and with Kona Ice. And so I have at our warehouse we have cameras that are located. These are IP-based cameras, and they work like a champ. They are awesome. They actually work very, very well. But the question comes into is is these fo these cameras can be used so well that other people can gain access to them. And we've talked about this and we deal with physical security a lot. If you have IP-based, especially Wi-Fi-based cameras, uh you need to make sure that you have enabled the proper protections on those cameras to ensure that they are not being utilized by somebody else. And this comes into the nanny cams that has come out. I think it was probably a couple years ago. There were it was an article that actually came up around nanny cams.
And those are the cameras that are put in kids' bedrooms to watch the kids in the event something were to happen. Well, those the the nanny cam situation, those uh cameras were used again for inappropriate content. And again, they were looking for anything they could find, and then they would post it on websites that were inappropriate for folks. And so this is a situation that came up with Korea and a same kind of concept as the nanny cam. The Korean National Police uh they basically arrested some suspects who allegedly hacked over 120,000 IP cameras across South Korea. This would include cameras in homes, commercial facilities, and numerous other areas. And they basically took the stolen footage and sent it to adult sites overseas. So your private things that are occurring, uh if you have a camera in those areas were being watched and monitored. And again, there's probably all kinds of stuff that was really not appropriate or really was no big deal, but they did obviously find some things that were something they were interested in. So they took this information. So there was a basically an individual took about 63,000 cameras and sold 545 videos of about $35 million, or actually it's you Korean dollars, which was around $23,000. And so they took they went, I'm sorry, but you went through 63,000 cameras to find 545 videos. That's a lot of us just sitting at home and just scanning through stuff trying to find something to make $23,000. I wonder how long that took them. They they probably could, if they would be working and using their powers for good and not evil, they probably would make more money. But uh again, that's what people do. Uh there was a second, there was an office worker who took about 70,000 cameras and he sold 648 videos worth around $12,000. So as you can see, there's situations that came up, and it's about percentage-wise, honestly, you look at it from a perspective, it was 63,000 and 545, 70,000 and 648.
So you've got to look through a lot of cameras to find anything of any value. And so there's this is these office workers were bored and they decided, hey, we'll try this out. We'll see if we can get some extra cash out of this. And so they decided to go and and do these things. So the the challenge with this is one, it's just morally incorrect, it's wrong, it's not something that you should be doing. Uh, but two, the other aspect is that what you're seeing is gonna cause a lot of grief and issues. One, for the people that are having now have to deal with the trauma of people eyeballing them using their cameras. And two, is well, or should actually three, and then you have children that are potentially being seen in ways that are inappropriate, so that's really bad. And then you run down the risk of now because you did this, you're gonna go to prison for a really long time and be breaking big rocks into little rocks. Uh, so just a really bad thing for well, let's, I mean, yeah, fifty thousand dollars in the grand scheme of things, when you add them both up, it's that's a lot of money, but it's not a lot of money for the drama that they have caused and the issues they're gonna cause for themselves. So basically it comes down to anytime you're dealing with an IP camera or IoT type device, you want to make sure that you change the default password, the default credentials. And we did this in the hacking world, is that we would typically go and look for wireless access points that had the administrative credentials still labeled, still there. Because in the past, and they they've changed this a lot since then, but there would be a lot of wireless access points that would use the same admin credentials, such as admin username, admin password. Uh assuming that you are going to go and make the changes to them when you actually install them, which most people did not do. So changing default admin credentials, again, very important part with unique passwords. 
Do not replace and remove this exact same password on all your other devices because once they get one, they can get many. Uh disable remote access when it is not necessary. Obviously, remote access is very nice. Uh, I use it with my facilities, and it does give me access into what's actually occurring at them. That being said, uh it's also one of those things that if you don't change the password and put some level of credential uh management on them, you could have yourself a lot of issues in the future. So again, disable remote access when not necessary, and then obviously keep your camera firmware up to date. Uh, this is something that I'd say a lot of people don't do as well because they just set the set them and forget them, these IP address or IP cameras. So those are really simple things that you can put in place that will protect you and your family. Depending upon where you have cameras within your home, uh you may want to consider maybe not having cameras in those locations. Uh again, it just depends. And you you may be maybe interested, maybe not. That's hard to say. All I can say is if someone's interested in watching me nay-nay, that you man, you're out, you're just you're that sucks. You're just you're not gonna be a happy person because it's just not pretty. It's just not not good at all. Uh, so again, that is the IP-based security cameras. These are basically comes out of the Korea arrest suspects with intimate videos from hacked IP off of BleepingComputer. Okay, before we get started on what we're gonna talk about today, one quick shameless plug. Head on over to CISSP Cyber Training and get some great stuff. So I've got various products that are out there and available to you at CISSP Cyber Training. If you're listening to this podcast, you are actually interested in getting your CISSP. Well, guess what? What a better place to go than to CISSP Cyber Training to get that kind of stuff.
So I've got a bunch of free things that are out there for you that can help you get started into this program. However, if you really truly want to get this thing knocked out in a quick manner and have your best chance of passing the exam, you want to really look at my paid products. I have various paid products out there. They are not expensive. And let's put this in perspective: if you're trying to get your CISSP and you're gonna spend all this opportunity cost studying for it and you're gonna go and go spend a bunch of money on a test, you probably want to invest a little money to ensure that you have a really good chance at passing the test. Don't go cheap on this. I mean it, I've done it, and you will regret it. Uh, and bottom line is if you're trying to better yourself, you really need the content to help you do that. But head on over to CISSP Cyber Training. All of that information is available to you. I've got questions, I've got training videos, you name it, it's there and available to you. However, if you just want the free stuff, get that too, because you know what? That can help you at least get you started and moving in the right direction until you figure out what you really truly need. All right, let's get into what we're gonna talk about today. Okay, so today is going to be domain six, deep dive questions. I'm gonna be focused on questions related to domain six, and we want to get a little bit deeper into these questions and what some things you may want to consider when reading them potentially for the CISSP exam. Now, again, we've made this content or comment multiple times and the disclaimer comes out. This content most likely, I mean, it's possible, it's truly possible, it most likely will not be on the CISSP exam, but it's going to give you good understanding and direction of what how to answer the questions when you go to take the exam. So let's roll into question number one. An organization is preparing for its first ISO 27001 cert.
Senior leadership wants to ensure that security controls are operating effectively and that the internal processes conform to the standards requirements before bringing it into an external certification body. So basically, you want to make sure your act is together, you have everything under control, and you are actually doing what you're supposed to be doing before you bring somebody in to highlight some challenges you may have. So, which of the following is the best activity to perform first? A, commission a full external certification audit against your ISO 27001. B, perform an internal audit program aligned with ISO 27001 control objectives. C, conduct a set of ad hoc pen tests or internal facing systems for and on internal facing systems, or D, run one-time automated vulnerability scan across all critical servers. Okay, so there we the first one obviously you guys can throw out, right? We just talked about it. We want to make sure we go through this before we actually bring somebody in. So that one's an easy one to throw out. But let's kind of walk through some of these other questions. So we talked about you want to make sure you have a good plan. So running a one-time automated vulnerability scan across your critical servers that will meet some of the needs, but it's one time. It hasn't been something you've been building upon. So that one would probably be one that I would discount if I'm not real sure. Conduct a set of ad hoc pen tests and on internet-facing systems. Now you'll probably have wanted to conduct at least one pen test before bringing some certification authority in to look at your environment. However, ad hoc means basically you kind of do them on ad as a whim. And it's possible, but I don't think that's the best activity to perform first. The best activity would be to perform an internal audit program aligned with the 27001. So why is this the best? Well, it's designed to verify both control design and operational effectiveness.
So they're gonna look at how does it look, what's the design of it, and then is it being do you have the proper uh playbooks in place, do you have the proper ACT processes in place to make that happen? You also explicitly expected by the ISO 27001 as part of their overall internal audit program. They're gonna expect you to have done this at some point in time. And then you need to perform before any external certification to identify and remediate any nonconformities. Well, I've dealing with this right now with uh with a company that we're gonna be working through a SOC 2 audit. And they want to make sure that before the regulators come in, you actually have done some of these things or at least have a good understanding of where you are at because they're gonna look at this and go, yeah, you're not there. Yeah, you're not in the position you need to be. So we want to make sure that we are in a good position uh to financially or should to get the right controls in place to ensure that they have what they need to be successful. Question two, you are a security manager for a financial institution. The CIO wants your security team to perform an independent audit of IT general controls to satisfy board directives on its overall independence. Your team does it designs, it controls and implements them and monitors their performance. Which of the following was the most appropriate response? Okay, A, recommend using an internal audit function that reports outside of IT to the board or audit committee. So basically your board wants to have an independent view of this. They don't want to get all their information from IT. B, you agree that because the security staff understands the controls and you can they can audit them efficiently and effectively. So you don't need to worry about this being an independent thing. You agree, but the label of the activity of is a self-assessment instead of an audit.
So you basically come down to and you say, well, we're not gonna audit it, we're just gonna self-assessment, which when you're dealing with an audit versus a self-assessment, you can't, the language can be very different and you can also be not as particular. So they're gonna basically open up the guard guardrails and make it so that they have plenty of room to maneuver and operate within this air quotes assessment. Or you decline and say, no, we're not doing this, insist that only external public accounting firm can perform the independent audit. So what they want is they want an independent audit done. So we'll resummarize this by your by a certain group. They want it to be internal first, just to kind of before they actually go and report it to outside of the organization. So what should you recommend? And so what it comes down to is you should recommend A, recommend using an internal audit and report the outside of it, report outside of IT to your basically your team and to the board. That's the one thing you really kind of want to consider. Now, having an external audit team is great, they can perform a lot of great things. However, just using them, uh, it can be very expensive. And so if your board just wants to have a good understanding of what's what's going on, you would want to have a third party or an I say it a third party, it would be an internal third party, internal unbiased person or group of people to do the audit. Whereas with C and D, so you agree to it, but you also want to use your security staff. Well, they can be biased on this plan. And then if you agree to it, but you want to do a self-assessment versus an audit, it's basically you're couching the fact that you're probably not going to come out very well in this overall plan. So you're gonna want to have a better strategy. So it's understandable. So the best answer is A. Question three: a recent vulnerability assessment identified several issues on a critical payment system. 
One finding is a medium severity vulnerability per the scanner that, if exploited, could bypass transaction authorization controls. The vulnerability requires authenticated internal access and precise timing, and there are no public exploits available. Okay, so you got an issue, found a problem, right? It's a medium severity problem. Uh there are no known exploits available at this time. Uh, so it the but it does, it has been confirmed that the vulnerability does exist. So what should the security professionals do first? A, accept the standard severity and place the vulnerability into a backlog behind higher severity issues. Possible. A, immediately treat the vulnerability as critical and require emergency patching. Maybe not so much, because is a medium severity. C, close the finding because it exploits only the internal staff with authenticated access, or D, perform a risk analysis that considers business impact, likelihood, and existing compensating controls. Okay, so again, we're gonna come back to you found a vulnerability on a critical payment system. It's not a critical vulnerability, it's a critical payment system. One finding has a medium severity vulnerability per the scanner. What it's saying, uh, that if exploited, it could bypass the authentication controls that are on the overall critical system. So, what should you do? Well, we talked about A is you know, putting it in uh backlog might be a good option, uh, and uh, but it probably isn't the first thing you want to do. Uh immediately treat the vulnerability as a critical and require emergency patching, probably not the best choice, uh, especially since it is only a medium severity vulnerability, potentially. C, close the finding because it's exploitable only to internal staff. Yeah, no, not probably not, uh, because you don't want to close the finding at all. You want to make sure you track that.
So the correct answer would be D, perform a risk analysis that considers business impact, likelihood, and existing compensating controls. Again, understanding the overall risk, evaluating it, and then determining whether it's gonna actually be a factor for your organization. These are important things that you should do. You may have separation of duties in place, you may have other aspects that really mitigate the risk. And you may want to close the this this situation. However, uh, you you really don't want to go down that path and say, well, it's just because it's exploitable to internal, we're not gonna worry about it. You know, you're gonna want to have a whole process on how you are remediating this situation. Question four: global SaaS provider must comply with regulatory expectations that a security controls be monitored and evaluated on an ongoing basis. The provider already performs annual external SOC 2 audits. Okay, so this is a global SaaS provider is must comply with regulatory expectations and they already do external SOC 2 audits. Which of the following best satisfies the expectation of ongoing evaluation while optimizing cost and coverage? That's an important part. Optimization of cost and coverage. A, increase the incur external SOC audit twice per year. Or that's A, yeah. B, implement a risk-based internal assessment program combining both self-assessments, targeted internal audits, and continuous monitoring. C, perform a full scope internal audit and security controls once a year in addition to the SOC 2. Or D, rely on real-time security monitoring tools as a continuously monitor security events. Okay, so each of these are available, or I each of these are good choices. They're not not terrible choices. Uh, but when it comes back to the ongoing evaluation while optimizing cost and coverage, some of these are more expensive than others. So A, let's go and increase our SOC 2 audit to twice a year. Okay, that's not bad, right?
It'll help you increase this that you're you should have a better visibility of what's going on. However, a SOC 2 audit is not inexpensive, they are rather expensive. So by doing this, you are now gonna be in a situation where you're just increasing your cost. Are you and are you actually making it any better? Maybe, maybe not. Uh let's go to C perform a full scope internal audit on all security controls once a year in addition to the SOC. That's not a bad thing, but you now you got to tie up an internal audit team. The one problem with an internal audit team, they may not have all the security knowledge, so they'll be pulling people from your organization. Um, so it maybe it isn't um the most cost effective, or the coverage may not be as valuable. Uh C, or I should say D, rely on real-time security monitoring tools as they are continuously monitoring security events. You should have this in place anyway if you're dealing with SOC 2. That's probably not your best choice. I would say it's probably the least desirable choice of all the four. Then the answer, correct answer would be B, implement a risk-based internal assessment program combining both security assessments, targeted internal audits, and continuous monitoring. All of the three are in place. And yes, so now you're looking at everything. So you're not just looking at one or two, or you're just looking at every six months. You now are looking at on a continuous and optimized basis. So again, this will definitely balance out regulatory expectations, operational practical practicality, practicality. I can't see big words, and then cost controls versus assurance. So all of those pieces, the answer would be B. All right, question five. The last question for this podcast. Your company is moving a critical application to a public cloud provider using a PaaS model. Okay, so it's platform as a service.
If you're any of any questions about that, the provider does not allow customer penetration tests against the shared platform. Uh-huh. That does happen. But the publisher's independent third-party reports, SOC 2 Type 2, which is the most aggressive, and also ISO 27001 and penitentiar penetration test summaries under are available to you under an NDA. So, what is the best approach to obtaining assurances that the provider's controls are effective? So, again, they won't allow you to hit it because it's a platform as a service model, but they do SOC 2, Type 2, they do ISO 27001, and they do pen tests. And this is all available to you. The reports are under an NDA. A, reject the provider because penetration tests cannot be performed by your internal red team. B, rely solely on the provider's marketing documentation for security white papers. C, review the map of the independent assurance reports to your organization's control requirements and risk appetite, or D, demand full access to raw penetration tests, artifacts, and exploit chains from the provider's red team. Okay, so how Draconian do you want to be? So the key question on this is that you need to understand, and I've run into this multiple times, as a CISO and in different other aspects, you're gonna want to know it's all about the risk, right? It's all about the risk. There's actually it's all about the something song, but it's all about the risk, right? Well, if it's all about the risk, the key thing around this then is you want to focus on what have they done, and if they are actually truly have certifications, SOC 2 Type 2 and ISO 27001, as well as the pen tests, if they've done this, then that would really be a good thing. So A, let's talk about that. Rejecting the provider because pen tests cannot be performed by your internal red team. That is no no. You can't necessarily say that.
Now, I say that if you have multi-gazillion dollars in IP-based information with these people, then you may want to talk to them and say, well, I can't do it against your platform, so maybe I'm willing to stand up my own platform that you guys manage. Those are options, right? Now, I they they totally have legit concerns about having you do it against their stuff, but then maybe you need to look at other options architecturally. B, rely solely on the provider's marketing documentation and security white papers. Well, okay, anybody can put what they want in papers. Now they could get sued, but you definitely don't want to rely on that. That that's great. It might be the first hack of going, okay, cool. There's SOC 2 Type 2. Awesome. Yeah, that might be great at the beginning, but when it comes right down to it, you're gonna want to see their documentation. So demand, demand is usually not a really good word when you're trying to meet with people, so question uh or answer D, demand full access to raw pen tests, artifacts, and exploit chains from the provider's red team. So demanding usually does not go well. Uh, it becomes very confrontational very quickly. So I would highly recommend you do not use that. Uh, you actually maybe have a good uh discussion and dialogue with them, and maybe they'll be happy enough to give that information to you. That being said, the right answer is C. Review and map the independent assurance reports to your organization's control requirements and risk appetite. Comes right down to put them under NDA. Get the NDA, sign the NDA. Then they will give you all this information, and then you can start looking at it and gleaning over it and determining if it will meet your needs. Again, you need the correct response is you want to get the access to the reports, but you got to get them under NDA.
You want to scope it and determine the coverage to ensure that it covers your own network, and then you want to identify gaps where your organization must implement compensating and complementary controls. So, again, that is the answer. Again, that's on question five. Review and map identity uh independent assurance reports to your organization's control requirements and risk appetite. Okay, so if you go to CISSP Cyber Training, I actually have more questions that are tied into my deep dive. I just don't have time to go over all of them right now. Head on over to CISSP Cyber Training. You can get access to those. Those are all available to you. Again, uh I'll have to tell you that's on the paid subscription to get access to some of the deep dive questions that I have. But you can actually, actually, actually, you can actually look at the the video of this and you can go through this. This will be available on my blog uh as well as it'll be posted, obviously, in this podcast. But all that's available to you at CISSP Cyber Training. All right, thank you so much for joining me today again. I appreciate it. I want to tell you that I hope you all are doing well. And I get more people pinging me all the time saying, passed, I passed. It's like it's like the ding on your phone, you know. Okay, ding, passed, ding, passed. It's been awesome. I'm so excited that people are passing using the CISSP Cyber Training content because they're very, very happy with it. So that's the ultimate goal. Get you done, get you passed, get you moving on. All right, have a great day, and we will catch you all on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes as I would greatly appreciate your feedback. Also, check out my videos that are on YouTube and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time.
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!