Really good questions sir. Especially I very much liked the last question sir. Thanks for sharing these questions sir with the wonderful explanation sir!!
Question 10 really got me and proved your point; I missed the certificate, which was the key word.
An eye-opening journey for CISSP aspirants: huge thanks to Prashant for the insights!
Great teaching here
Love ya Prashant!
Thank you for the questions and the mindset. I am confused on Q6. It has not been given; how can you be sure that the patch created by Lannister Corp. has been tested before publishing, which leads us to the thought that the patches have been tampered with by someone else? If it is not mentioned, we should consider the possibility of a malfunctioning patch causing the backdoors. In this situation, option A makes much more sense because verifying could also cover the testing of the patch besides confirming the patch sender. In this sense 'verifying the patch' covers option B.
Thanks for the feedback and good observation. However, the situation is from Lannister Corp's perspective on how they could have avoided the situation. The only option that could have avoided the situation from their perspective is if they had digitally signed the patches. Option A certainly is the best choice from the customer's perspective. Hope this helps.
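The control the reply above points to, shown as an added example that is not from the original thread: the vendor signs the patch bytes with a release key and the customer verifies that signature before installing, so a patch altered after publication is rejected. The function names, the key pair and the sample patch text are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignPatch is the vendor-side step (Lannister Corp in Q6): the release key
// signs the exact bytes of the patch before it is published.
func SignPatch(priv ed25519.PrivateKey, patch []byte) []byte {
	return ed25519.Sign(priv, patch)
}

// VerifyPatch is the customer-side step: the patch is installed only if the
// signature checks out under the vendor's published public key. Any change to
// the bytes after signing, however small, makes this return false.
func VerifyPatch(pub ed25519.PublicKey, patch, sig []byte) bool {
	return ed25519.Verify(pub, patch, sig)
}

// Demo runs both sides against a constructed sample patch and a copy of it
// altered after signing. It returns (genuine accepted, altered accepted).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // fresh demo key pair
	if err != nil {
		panic(err)
	}
	// Constructed sample patch text; not a real vendor patch.
	patch := []byte("--- a/login.c\n+++ b/login.c\n@@ -10,1 +10,1 @@\n-  if (ok)\n+  if (ok && !expired)\n")
	sig := SignPatch(priv, patch)

	// Simulate modification between publication and installation.
	altered := append([]byte{}, patch...)
	altered = append(altered, []byte("+  /* line added in transit */\n")...)

	return VerifyPatch(pub, patch, sig), VerifyPatch(pub, altered, sig)
}

func main() {
	genuine, altered := Demo()
	fmt.Printf("genuine patch accepted: %v\n", genuine) // true
	fmt.Printf("altered patch accepted: %v\n", altered) // false
}
```

Without the vendor-side signature there is nothing for the customer's verification step to check against, which is why the reply treats signing as the control Lannister Corp itself could have applied.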
Just a personal question, How are you related to Prabh Nair?
@supersmart671 He is my brother from another mother: youtube.com/@prabhnair1
Hi Prashant, your answer to question number 7 is C and not D.
I believe D is correct. C is definitely a reason to have a data retention policy. If you don't have a data retention policy in place and fail to delete data that is no longer needed, then the company is at risk of having that data disclosed.
@greggsterling7355 The question asks which is NOT a reason an organization would need a data retention policy. Let’s evaluate the options:
• A. It helps in cost-saving effort
True: Retaining only necessary data reduces storage costs.
• B. It reduces liability and culpability
True: Retaining data for the required period minimizes legal risks.
• C. It protects an organization from unauthorized data disclosure
False: A data retention policy is primarily about storing data, not protecting against unauthorized disclosure. This falls under data security policies.
• D. It provides a better insight on data ownership
True: A data retention policy clarifies who owns and is responsible for specific data.
Correct Answer: C
A data retention policy doesn’t specifically address protection from unauthorized data disclosure.
@askarbacker8212 Thanks for the feedback. Here’s my take on why Option D is not required as per retention policy.
The retention period is certainly determined by Data Owners based on how long we need the data, driven by regulatory/legal requirements or policy. However, that duration doesn’t influence who should own the data. If my organisation has a data retention policy of 5 years, it will not determine who the owner of that data is.
On the other hand, it reduces the risk of compromise: if we don’t have the data, the risk of losing it is not there.
E.g. there are several backup tapes lying in the warehouse which have exceeded the retention period and are no longer needed. If we don’t need them, we probably won’t pay that much focus on protecting them. Let's say someone manages to get rid of those tapes as they're no longer needed and gives them to scrap vendors or just throws them away, or someone manages to take them with them (physically compromising the disks/tapes); that can lead to unauthorised disclosures.
A classic real-world scenario was the Marriott breach in 2018, when they acquired Starwood in 2016 and kept the data longer than necessary, which led to a breach of the customers’ data and resulted in regulatory penalties.
Hope this helps.