Cissp 10 Key Topics Handout

The document outlines a CISSP exam preparation strategy session led by Pete Zerger, focusing on key topics and effective study methods for the 2021 and 2024 CISSP exams. It emphasizes the importance of foundational knowledge, time management, and utilizing various resources, including practice questions and flashcards. Additionally, it highlights the incremental changes in exam topics from 2021 to 2024 and provides a framework for incident management.


CISSP EXAM PREP STRATEGY SESSION
10 key topics & strategies
A transformational exam prep session with Pete Zerger, vCISO, CISSP, MVP
HOUSEKEEPING (to keep our session orderly)

Keep communications friendly and positive.
No selling anything!
A recording will be available for a few days after each session.
I’ll send a follow-up email following this session with video and resource links.
The resources I’ll share in this series are effective for the 2021 and 2024 versions of the CISSP exam!
AGENDA
Intro and FAQs
2025 Exam Prep Strategy and Materials
Coverage of Key Foundational Topics
Strategy for Answering Difficult Questions

Throw questions in the chat as we go!
Links to all resources mentioned will be shared in a single follow-up email after the session!
WHO AM I?
Cybersecurity Strategist
vCISO for a regional bank
Speaker and Author
19-time Microsoft MVP
LinkedIn Learning Instructor
Content Developer (YouTube)

MORE IMPORTANTLY… Last year, I helped thousands achieve cybersecurity certifications, like CISSP, CCSP and the Security+ exams.
10 KEY TOPICS
1. Exam Prep Strategy

CISSP EXAM CRAM, THE COMPLETE COURSE: STRATEGY
Day 1 Strategic Guidance
100 – 150 questions in 180 minutes means approx. 1:15 – 1:45 per question.

Strategy and Time Management: chart the course before you take off.

Foundational Topics & Principles: advanced topics assume you have a foundation!

Advanced Topics: many topics you may see only once or twice… hundreds of topics and as little as 100 questions… unless you are unfamiliar with the topic.

Mindset: the security leader mindset that defines your role.

Work the plan, know your readiness, schedule, pass.

CISSP EXAM CRAM, THE COMPLETE COURSE: STRATEGY
Recommended exam resources
Changes from 2021 to 2024?
Changes are incremental. 2021 exam topics still apply!
2024 brings a few new topics…
some updated topics…
some have been elevated to direct mention in the syllabus…
and others simply moved around or reworded.
Cloud computing will factor more prominently in 2024.
All your preparation for the 2021 exam still applies!
INTRODUCTION: CISSP EXAM DOMAINS

DOMAIN                                      2021   2024
1. Security and Risk Management             15%    16%
2. Asset Security                           10%    10%
3. Security Architecture and Engineering    13%    13%
4. Communication and Network Security       13%    13%
5. Identity and Access Management           13%    13%
6. Security Assessment and Testing          12%    12%
7. Security Operations                      13%    13%
8. Software Development Security            11%    10%

Possible (but unlikely) to pass if you fail even one domain.

Exam prep resources: use these together for the 2024 exam.
2024 updates are minor, 2021 topics still apply, so the two together provide up-to-date coverage.
My CISSP Exam Prep 2024 playlist has several key videos with the most important at the top.
TESTIMONIALS: What are other learners saying?

“Great videos. Excellent presentation. Perfect study companion to the ISC2 book.”
~Mike R
1,000+ practice questions, with access to the practice questions at the end of each chapter. Use the 10th edition, preferably in electronic format.

4 practice exams, AND 100 questions for each domain. Makes it easier to drill down on a per-domain basis.

Now available on LeanPub!
✓ 450+ pages of clear, focused explanations
✓ Covers every topic on the 2024 exam syllabus
✓ 100+ meaningful supporting diagrams and reference tables
✓ Distills the “what, when, and why” of concepts and technologies
✓ Priced to be accessible to all
Available for as little as $9.99 USD

Good for testing knowledge and focus on weak areas. Good simulation of real exam question format & language.

Exam Flashcards from Inside Cloud and Security: 1,300+ flashcards you can use on any device.
CISSP EXAM CRAM, THE COMPLETE COURSE: STRATEGY
How to use materials effectively
There is no AWARD for the longest STUDY TIME!

THE POWER OF REPETITION (spaced repetition)
[Chart: retention over time across a 1st, 2nd and 3rd session; the forgetting curve gets longer and shallower with repetition.]

How long does it take to memorize anything?

TO MEMORIZE QUICKLY
1st repetition: right after learning
2nd repetition: after 15-20 min
3rd repetition: after 6-8 hours
4th repetition: after 24 hours
5th repetition: after 48 hours

TO MEMORIZE FOR A LONG TIME
1st repetition: right after learning
2nd repetition: after 20-30 min
3rd repetition: after 1 day
4th repetition: after 2-3 weeks
5th repetition: after 2-3 months
Use multiple sources: targeted reading (or flashcards), live quiz, video content, practice exam, PowerPoint review.
How to identify the most likely exam topics?


STUDY GUIDE: CHAPTER-TO-DOMAIN MAPPINGS

DOMAIN                                      CHAPTERS
1. Security and Risk Management             1 – 4
2. Asset Security                           5
3. Security Architecture and Engineering    6 – 10
4. Communication and Network Security       11 – 12
5. Identity and Access Management           13 – 14
6. Security Assessment and Testing          15
7. Security Operations                      16 – 19
8. Software Development Security            20 – 21

Keep the mapping of domains to book chapters on hand for reference.

Use multiple sources: Exam Essentials (at the end of each chapter) recaps likely exam topics.

The 80/20 process (Pareto principle)
1. All exam content and study materials.
2. Filter down to weak areas with practice exams, live review, flashcards, etc.
3. What you need to focus on. Spend the bulk of your exam prep time here!
Exam prep strategy
Research shows everyone benefits from a variety of sources: targeted reading (or flashcards), live quiz, video content, practice exams, PowerPoint review.
Mix, match, and repeat based on your preferences (my preferred order).
Course PDFs can help here!
Practice time management in these sessions.
For closing knowledge gaps, not cover-to-cover reading.
Multiple resources of each type are a GREAT idea!
HOW to best use the PRACTICE quizzes to assess your EXAM readiness?
10 KEY TOPICS
1. Exam Prep Strategy
2. CISSP Mindset

When choosing your answers… THINK LIKE A MANAGER (short version): know your priorities.
Security Planning Horizons

ROLE                      HORIZON                              PRIORITIES & OBJECTIVES
CISO (YOU ARE HERE!)      Strategic, long term (5-yr)          human safety, business continuity, protect profits, reduce liability & risk
IT Director or Manager    Tactical, midrange (~1 yr)           policy and planning
IT Engineer               Operational, short term (1-3 mths)   implement and operate

DUE DILIGENCE VS DUE CARE

Due Diligence: practicing the activities that maintain the due care effort.
Due Care: doing what a reasonable person would do in a given situation. It is sometimes called the “prudent man” rule.
Together, these will reduce senior management’s culpability & (downstream) liability when a loss occurs.

DUE DILIGENCE (largely before the decision): research, planning, evaluation. INCREASES understanding and REDUCES risk. Think BEFORE you act! Do Detect.
DUE CARE (doing after the decision): implementation, operation (upkeep), reasonable measures. The “PRUDENT MAN” RULE. Actions speak louder than words. Do Correct.
CISSP EXAM CRAM (the full story, 30:05): How do I master the “CISSP Mindset”?

TESTIMONIALS: What are other learners saying?
“Your ‘Think like a manager’ was the single most important video that I watched in preparation for taking the CISSP exam.”
~FB
10 KEY TOPICS
1. Exam Prep Strategy
2. CISSP Mindset
3. Data Lifecycle
Cloud Secure Data Lifecycle (the Cloud Security Alliance model)
Phases: Create, Store, Use, Share, Archive, Destroy

Create: can be created by users (a user creates a file); can be created by systems (a system logs access).
Store: to ensure it’s handled properly, it’s important to ensure data is classified as soon as possible. Ideally, data is encrypted at rest.
Use: data should be protected by adequate security controls based on its classification.
Share: refers to anytime data is in use or in transit over a network.
Archive: archival is sometimes needed to comply with laws or regulations requiring the retention of data.
Destroy: when data is no longer needed, it should be destroyed in such a way that it is neither readable nor recoverable. Crypto-shredding happens in this phase!

Secure data LIFECYCLE (functional): Creation, Classification, Storage, Usage, Archive, Destruction
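Crypto-shredding in the Destroy phase, as an added Go example (not code from the slides or from the Cloud Security Alliance): data is stored encrypted under a key that lives in a separate key store, and destroying that key leaves the still-present ciphertext unreadable and unrecoverable. The choice of AES-256-GCM, the key identifier and the sample record are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one item of data at rest: ciphertext plus the ID of the key that
// protects it. The key itself is held separately, in KeyStore.
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore stands in for the key-management system. Crypto-shredding destroys
// the key, not the data: every record sealed under that key becomes
// unreadable and unrecoverable even though its ciphertext is still on disk.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a random 256-bit AES key under the given ID.
func (ks *KeyStore) Generate(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[id] = key
	return nil
}

// Destroy zeroes the key material and removes the entry.
func (ks *KeyStore) Destroy(id string) {
	if k, ok := ks.keys[id]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, id)
	}
}

// aead looks up a key and wraps it in AES-GCM.
func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key " + id + " destroyed or unknown")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext at rest under keyID with a fresh random nonce.
func (ks *KeyStore) Store(keyID string, plaintext []byte) (Record, error) {
	gcm, err := ks.aead(keyID)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: keyID, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Read decrypts a record; it fails once the record's key has been shredded.
func (ks *KeyStore) Read(r Record) ([]byte, error) {
	gcm, err := ks.aead(r.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}

// ShredDemo walks Store -> Read -> Destroy -> Read and reports what happened.
func ShredDemo(plaintext string) (readBefore string, recoverableAfter bool, err error) {
	ks := NewKeyStore()
	const keyID = "tenant-42" // constructed key identifier
	if err = ks.Generate(keyID); err != nil {
		return
	}
	rec, err := ks.Store(keyID, []byte(plaintext))
	if err != nil {
		return
	}
	pt, err := ks.Read(rec)
	if err != nil {
		return
	}
	readBefore = string(pt)
	ks.Destroy(keyID) // Destroy phase: the key is gone, the ciphertext is not
	_, readErr := ks.Read(rec)
	recoverableAfter = readErr == nil
	return
}

func main() {
	before, after, err := ShredDemo("customer record (constructed sample)")
	fmt.Printf("read before shred: %q\nrecoverable after shred: %v\nerr: %v\n", before, after, err)
}
```

The design point is the separation: the record carries only a key ID, so destroying one key in the key store retires every record sealed under it at once, which is what makes the technique practical for archives and backups that cannot be physically wiped.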
10 KEY TOPICS
1. Exam Prep Strategy
2. CISSP Mindset
3. Data Lifecycle
4. The 5 Pillars

1.2.1: THE 5 PILLARS OF INFORMATION SECURITY
They are confidentiality, integrity, availability, authenticity, and nonrepudiation.
These are not new concepts but are not referenced as “The 5 pillars” in the 2021 exam.
Know what “The 5 pillars” refers to before exam day.

Authenticity (proof of origin): verifying the identity of a subject or resource to ensure it is genuine and what it claims to be. Provides proof of origin. Example: requiring multi-factor authentication when employees log into a corporate network.
Nonrepudiation (proof of origin + transactional proof): provides undeniable proof that the sender of a message actually authored it; prevents the sender from denying that they sent the original message. Example: maintaining detailed audit logs that track who accessed what records in a database.

Nonrepudiation always includes authenticity, but authenticity doesn’t always guarantee nonrepudiation.
10 KEY TOPICS
1. Exam Prep Strategy
2. CISSP Mindset
3. Data Lifecycle
4. The 5 Pillars
5. Incident Management

7.6 INCIDENT MANAGEMENT

Official Study Guide (on the exam): Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned
SANS: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
NIST 800-61v2: Preparation; Detection and analysis; Containment, eradication, and recovery; Post-incident activity

INCIDENT MANAGEMENT framework (mnemonic: DRMRRRL)
1. Detection - Monitoring and identifying potential incidents through alerts and user reports.
2. Response - Activating the incident response team and coordinating initial response.
3. Mitigation - Containing the incident and taking steps to limit its impact.
4. Reporting - Notifying appropriate parties internal and external to the organization.
5. Recovery - Restoring affected systems and services to normal operations.
6. Remediation - Identifying and mitigating vulnerabilities that led to the incident.
7. Lessons Learned - Documenting the incident and identifying improvements to policies and controls.

Triage is the initial assessment: is it an incident? Severity?
The incident is declared in the Detection phase.
Containment and mitigation are about controlling the incident.
Remediation and eradication are about removing the causes of the incident.
Recovery is about restoring normal operations after the incident.
10 KEY TOPICS
1. Exam Prep Strategy
2. CISSP Mindset
3. Data Lifecycle
4. The 5 Pillars
5. Incident Management
6. Cryptography Concepts

CONCEPT: Symmetric vs Asymmetric
Symmetric (faster): relies on the use of a shared secret key. Lacks support for scalability, easy key distribution, and nonrepudiation. Sender and recipient use a single shared key.
Asymmetric (stronger): public-private key pairs for communication between parties. Supports scalability, easy key distribution, and nonrepudiation. Uses a public and an (unshared) private key.

Example: asymmetric cryptography
1. Franco sends a message to Maria, requesting her public key.
2. Maria sends her public key to Franco.
3. Franco uses Maria’s public key to encrypt the message and sends it to her.
4. Maria uses her private key to decrypt the message.

Asymmetric key types
Public keys are shared among communicating parties. Private keys are kept secret.
DATA: to encrypt a message, use the recipient’s public key. To decrypt a message, use your own private key.
DIGITAL SIGNATURE: to sign a message, use your own private key. To validate a signature, use the sender’s public key.
Each party has both a private key and a public key!
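The Franco/Maria exchange above, combined with the sign-with-your-own-private-key rule, as an added Go example (not code from the slides or from the author). It uses only Go's standard library; the party names, the sample message, and the choice of RSA-OAEP for encryption and RSA-PSS for the signature are assumptions made for the illustration. Beyond the four steps on the slide it also shows the two failure cases a practitioner cares about: a message altered in transit fails the signature check, and a message sealed for Maria cannot be opened with Franco's private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one participant (Franco or Maria). Each holds a key pair; only the
// public half is ever handed to anyone else.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for the named party.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicKey is what a party sends back when asked for its public key (step 2).
func (p *Party) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Sealed is what travels over the network: ciphertext plus a signature over it.
type Sealed struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal encrypts msg with the RECIPIENT's public key (confidentiality) and signs
// the ciphertext with the SENDER's own private key (proof of origin).
func (p *Party) Seal(msg []byte, recipient *rsa.PublicKey) (*Sealed, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{Ciphertext: ct, Signature: sig}, nil
}

// Open verifies with the SENDER's public key first, then decrypts with the
// recipient's OWN private key, so a forged or tampered message is rejected
// before any decryption work is done.
func (p *Party) Open(s *Sealed, sender *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(s.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], s.Signature, nil); err != nil {
		return nil, fmt.Errorf("%s: signature check failed: %w", p.Name, err)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, s.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%s: decryption failed: %w", p.Name, err)
	}
	return pt, nil
}

// Exchange runs the four steps from the slide and returns what Maria reads.
func Exchange(franco, maria *Party, msg string) (string, error) {
	mariaPub := maria.PublicKey()                     // steps 1-2: Franco asks, Maria answers
	sealed, err := franco.Seal([]byte(msg), mariaPub) // step 3: encrypt with Maria's public key
	if err != nil {
		return "", err
	}
	pt, err := maria.Open(sealed, franco.PublicKey()) // step 4: Maria uses her private key
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// TamperedExchange flips one ciphertext byte in transit; Open must refuse it.
func TamperedExchange(franco, maria *Party, msg string) error {
	sealed, err := franco.Seal([]byte(msg), maria.PublicKey())
	if err != nil {
		return err
	}
	sealed.Ciphertext[0] ^= 0x01
	_, err = maria.Open(sealed, franco.PublicKey())
	return err
}

// WrongKeyExchange has Franco try to open a message sealed for Maria with his
// own private key: only the recipient's private key can decrypt.
func WrongKeyExchange(franco, maria *Party, msg string) error {
	sealed, err := franco.Seal([]byte(msg), maria.PublicKey())
	if err != nil {
		return err
	}
	if _, err = franco.Open(sealed, franco.PublicKey()); err == nil {
		return errors.New("message opened with the wrong private key")
	}
	return nil
}

func main() {
	franco, _ := NewParty("Franco")
	maria, _ := NewParty("Maria")
	got, err := Exchange(franco, maria, "Meet at the usual place") // constructed message
	fmt.Printf("Maria read: %q (err: %v)\n", got, err)
	fmt.Println("tampered message rejected:", TamperedExchange(franco, maria, "hi") != nil)
	fmt.Println("wrong private key rejected:", WrongKeyExchange(franco, maria, "hi") == nil)
}
```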
Hashing vs encryption: how is hashing different from encryption?
Encryption is a two-way function; what is encrypted can be decrypted with the proper key.
Hashing is a one-way function that scrambles plain text to produce a unique message digest; there is no way to reverse it if properly designed.

HASH FUNCTION REQUIREMENTS
Good hash functions have five requirements:
1. They must allow input of any length.
2. Provide fixed-length output.
3. Make it relatively easy to compute the hash function for any input.
4. Provide one-way functionality.
5. Must be collision free.

Hashing (validates info, confirms integrity)
Plain text input (any length) -> Hash function -> Hashed text (fixed length)
“The brown fox” -> DFCD3454
“The brown fox runs in the field” -> 63ED879F
“The brown fox runs in the big green field” -> 46042841
Variable length input, fixed length output.
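An added Go example (not code from the slides) that exercises the five requirements with SHA-256 from the standard library: any-length input, fixed-length output, cheap to compute, and a one-way digest that changes completely on the smallest edit, which is what makes it usable as an integrity check. The fox sentences are constructed to mirror the slide; the SHA-256 values for "abc" and the empty string are the published test vectors.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Digest returns the hex SHA-256 of any input: requirement 1 (any length in)
// and requirement 2 (always 32 bytes, i.e. 64 hex characters, out).
func Digest(input string) string {
	sum := sha256.Sum256([]byte(input))
	return hex.EncodeToString(sum[:])
}

// AllSameLength checks requirement 2 across inputs of very different sizes.
func AllSameLength(inputs ...string) bool {
	for _, in := range inputs {
		if len(Digest(in)) != 64 {
			return false
		}
	}
	return true
}

// DifferingBits counts how many of the 256 output bits differ between the
// digests of two inputs. A small change to the input flips roughly half of
// them (the avalanche effect the brown-fox slide illustrates), which is why
// a digest reveals nothing about how similar two inputs were.
func DifferingBits(a, b string) int {
	da := sha256.Sum256([]byte(a))
	db := sha256.Sum256([]byte(b))
	n := 0
	for i := range da {
		n += bits.OnesCount8(da[i] ^ db[i])
	}
	return n
}

// VerifyIntegrity recomputes the digest of received data and compares it with
// the digest the sender published, in constant time so the comparison itself
// does not leak how many leading characters matched.
func VerifyIntegrity(received, publishedHex string) bool {
	return subtle.ConstantTimeCompare([]byte(Digest(received)), []byte(publishedHex)) == 1
}

func main() {
	// Constructed inputs mirroring the slide's fox sentences.
	inputs := []string{
		"The brown fox",
		"The brown fox runs in the field",
		"The brown fox runs in the big green field",
	}
	for _, in := range inputs {
		fmt.Printf("%-45q -> %s\n", in, Digest(in))
	}
	fmt.Println("fixed length for all inputs:", AllSameLength(inputs...))
	fmt.Println("bits changed by adding one word:", DifferingBits(inputs[0], inputs[0]+" runs"))

	published := Digest("quarterly-report-v1") // what a sender publishes beside the file
	fmt.Println("untouched file passes:", VerifyIntegrity("quarterly-report-v1", published))
	fmt.Println("altered file passes:  ", VerifyIntegrity("quarterly-report-v2", published))
}
```

Note that a bare digest only proves integrity against accidental change: anyone who can alter the file can also recompute and republish its hash, so for tamper-evidence the digest has to be signed (the digital-signature rule above) or keyed (HMAC in the table below).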


common uses
How are different algorithm types used?
Symmetric
Typically used for bulk encryption / encrypting large amounts of data.

Asymmetric
Distribution of symmetric bulk encryption keys (shared key)
Identity authentication via digital signatures and certificates
Non-repudiation services and key agreement

Hash functions
Verification of digital signatures
Generation of pseudo-random numbers
Integrity services (data integrity and authenticity)
Symmetric algorithms

NAME       TYPE        ALGORITHM TYPE           BLOCK SIZE (bits)   KEY SIZE (bits)            STRENGTH
AES        Symmetric   Block cipher             128                 128, 192, 256              Strong
Blowfish   Symmetric                            64                  32 – 448
DES        Symmetric   Block cipher             64                  56                         Very weak
3DES       Symmetric   Block cipher             64                  112 or 168                 Moderate
IDEA       Symmetric                            64                  128
RC2        Symmetric                            64                  128
RC4        Symmetric   Stream cipher            Streaming           128
RC5        Symmetric   RSA block mode cipher    32, 64, 128         0 – 2,040                  Strong
RC6        Symmetric   RSA block mode cipher    128                 128, 192, 256 – 2,040      Very Strong
Skipjack   Symmetric                            64                  80
Twofish    Symmetric                            128                 1 – 256
Hash algorithms

NAME       TYPE   HASH VALUE LENGTH          STILL IN USE?   REPLACED BY
HMAC       Hash   Variable                   Yes             -
HAVAL      Hash   128, 160, 192, 224, 256    No
MD2        Hash   128                        No              MD6, et al.
MD4        Hash   128                        No              MD6, et al.
MD5        Hash   128                        No              MD6, et al.
SHA-1      Hash   160                        No              SHA-2
SHA-224*   Hash   224                        Yes             -
SHA-256*   Hash   256                        Yes             -
SHA-384*   Hash   384                        Yes             -
SHA-512*   Hash   512                        Yes             -

*SHA-2 variants. MD = Message Digest; SHA = Secure Hash Algorithm.
10 KEY TOPICS
1. Exam Prep Strategy
2. CISSP Mindset
3. Data Lifecycle
4. The 5 Pillars
5. Incident Management
6. Cryptography Concepts
7. Security Models

WHAT IS A SECURITY MODEL?
Security models are used to determine how security will be implemented, what subjects can access the system, and what objects they will have access to.
They are a way to formalize security policy.
Typically implemented by enforcing integrity, confidentiality, or other controls.
Each of these models lays out broad guidelines and is not specific in nature.
It is up to the developer to decide how these models will be used and integrated into specific designs.

From policy to running system: Security Policy (ISO, NIST, FIPS) -> Security Model (Bell LaPadula, Biba, State Machine) -> Programming Code (Python, Java, C#) -> Operating System (Windows, Linux, UNIX)
DOMAIN 3.2: SECURITY MODELS

WHAT IS THE PURPOSE OF A Security Model?
Provides a way for designers to map abstract statements into a security policy.
Determines how security will be implemented, what subjects can access the system, and what objects they will have access to.

Security models: three properties that will be mentioned repeatedly when talking about security models.
Simple security property: describes rules for read.
Star (*) security property: describes rules for write.
Invocation property: rules around invocations (calls), such as to subjects.
DOMAIN 3: SECURITY MODELS

Bell LaPadula (lattice-based)
State machine model; enforces confidentiality.
Uses mandatory access control (MAC) to enforce the DoD multilevel security policy (government!).
Simple security property: subject cannot read data at a higher level of classification. “no read up”
Star (*) security property: subject cannot write info to a lower level of classification. “no write down”
Mnemonic: “No Running Under Nets With Dingos”

[Diagram: classification levels Top Secret, Secret, Confidential, Unclassified. A subject reads and writes objects at its own level (Secret in the figure); the user cannot read higher classifications (no read up) and cannot write data into a lower classification document (no write down).]
MODEL              FOCUS             NOTE
Biba               Integrity         No read down, no write up
Clark-Wilson       Integrity         Access control triplet
Bell-LaPadula      Confidentiality   No read up, no write down
Brewer and Nash    Confidentiality   aka Chinese Wall
Graham-Denning     Confidentiality   Security labels (8 rules)
Take-Grant         Confidentiality   Employs a “directed graph”
Information Flow   Confidentiality   Based on State Machine model
Lattice-based      Confidentiality   Aka Layer-based
Non-interference   Confidentiality   Based on Information Flow model
State Machine      Both              Describes secure state machine
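The simple and star properties of Bell-LaPadula, and the mirror-image Biba rules from the table, implemented as access checks over the four-level lattice in an added Go example (not code from the slides). The subject, the object names and their levels are constructed for the illustration; the point is that each model is just two comparisons between a subject's level and an object's level, with the direction of the inequality flipped between the confidentiality model and the integrity model.

```go
package main

import "fmt"

// Level is a position in the classification lattice; higher is more sensitive.
type Level int

const (
	Unclassified Level = iota
	Confidential
	Secret
	TopSecret
)

func (l Level) String() string {
	return [...]string{"Unclassified", "Confidential", "Secret", "Top Secret"}[l]
}

// Subject carries a clearance; Object carries a classification (confidentiality
// models) or an integrity level (integrity models). Both are a Level here.
type Subject struct {
	Name  string
	Level Level
}
type Object struct {
	Name  string
	Level Level
}

// Bell-LaPadula (confidentiality):
//   simple security property: no read up   (subject level >= object level)
//   star (*) security property: no write down (subject level <= object level)
func BLPCanRead(s Subject, o Object) bool  { return s.Level >= o.Level }
func BLPCanWrite(s Subject, o Object) bool { return s.Level <= o.Level }

// Biba (integrity) is the mirror image:
//   simple integrity property: no read down (subject level <= object level)
//   star (*) integrity property: no write up (subject level >= object level)
func BibaCanRead(s Subject, o Object) bool  { return s.Level <= o.Level }
func BibaCanWrite(s Subject, o Object) bool { return s.Level >= o.Level }

// Decision records one access check so a reference monitor could log it.
type Decision struct {
	Model, Subject, Op, Object string
	Allowed                    bool
}

// Check evaluates a read or write under the named model ("blp" or "biba").
// Anything unrecognised is denied: a reference monitor fails closed.
func Check(model string, s Subject, op string, o Object) Decision {
	var ok bool
	switch model + ":" + op {
	case "blp:read":
		ok = BLPCanRead(s, o)
	case "blp:write":
		ok = BLPCanWrite(s, o)
	case "biba:read":
		ok = BibaCanRead(s, o)
	case "biba:write":
		ok = BibaCanWrite(s, o)
	}
	return Decision{Model: model, Subject: s.Name, Op: op, Object: o.Name, Allowed: ok}
}

func main() {
	// Constructed subject and objects mirroring the slide's lattice.
	analyst := Subject{Name: "analyst", Level: Secret}
	objects := []Object{
		{Name: "budget (Unclassified)", Level: Unclassified},
		{Name: "ops plan (Secret)", Level: Secret},
		{Name: "war plan (Top Secret)", Level: TopSecret},
	}
	for _, model := range []string{"blp", "biba"} {
		for _, o := range objects {
			for _, op := range []string{"read", "write"} {
				d := Check(model, analyst, op, o)
				fmt.Printf("%-5s %-8s %-6s %-24s allowed=%v\n", d.Model, d.Subject, d.Op, d.Object, d.Allowed)
			}
		}
	}
}
```

Running it for the Secret-cleared analyst prints the slide's rules as a table: under Bell-LaPadula the Top Secret object is unreadable and the Unclassified one is unwritable, while under Biba exactly the opposite pair is refused.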


10 KEY TOPICS
1. Exam Prep Strategy
2. CISSP Mindset
3. Data Lifecycle
4. The 5 Pillars
5. Incident Management
6. Cryptography Concepts
7. Security Models
8. Quantitative Risk Analysis

DOMAIN 1: RISK ANALYSIS
Two ways to evaluate risk to assets: qualitative and quantitative.
QUANTITATIVE (OBJECTIVE): assigns a dollar value to evaluate the effectiveness of countermeasures.
DOMAIN 1: RISK ANALYSIS
1.11 software risk mitigation

TERM                               FORMULA                                                   DESCRIPTION
Exposure Factor (EF)               EF = (Monetary loss due to threat) / (Value of asset)     Represents the percentage of potential loss an asset might experience if a threat occurs.
Single Loss Expectancy (SLE)       SLE = AV x EF                                             Calculates the average expected loss from a single occurrence of a specific threat.
Annual Rate of Occurrence (ARO)    ARO = (Number of Events) / (Observation Time in Years)    Estimates the frequency of a specific threat occurring within a year.
Annualized Loss Expectancy (ALE)   ALE = SLE x ARO                                           Represents the average annualized loss expected from a specific threat over a year.
DOMAIN 1: CALCULATING RISK

Exposure Factor (EF): percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

Single Loss Expectancy (SLE): represents the cost associated with a single realized risk against a specific asset.
SLE = Asset Value (AV) X Exposure Factor (EF)
AV $100,000 X EF .3 (30%) = SLE $30,000

Annualized Rate of Occurrence (ARO): the expected frequency with which a specific threat or risk will occur within a single year.

Annualized Loss Expectancy (ALE): the possible yearly cost of all instances of a specific realized threat against a specific asset.
ALE = single loss expectancy (SLE) * annualized rate of occurrence (ARO)

ALE Example
Office Building = $200,000
Hurricane damage estimate 50%
Hurricane probability is one every 10 years (10%)
(AV x EF = SLE) $200,000 x .50 = $100,000
(SLE x ARO = ALE) $100,000 x .10 = $10,000 = value of the safeguard (annually)

Safeguard Evaluation
Good security controls mitigate risk, are transparent to users, difficult to bypass, and are cost effective.
ALE before safeguard – ALE after safeguard – annual cost of safeguard = value of safeguard
value of safeguard = ALE1 – ALE2 – ACS
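The formulas above carried through in an added Go example (not the author's code), starting from the slide's hurricane numbers ($200,000 building, 50% damage, one storm per ten years). It goes one step beyond the slide by comparing several candidate safeguards and picking the one with the highest annual value, or none when every option costs more than the risk it removes; the two safeguards, their costs and their residual EF/ARO are constructed for the illustration.

```go
package main

import "fmt"

// Scenario is one threat against one asset, in the terms the formulas use.
type Scenario struct {
	Name       string
	AssetValue float64 // AV, in dollars
	Exposure   float64 // EF, fraction of AV lost per realized threat (0-1)
	ARO        float64 // expected occurrences per year
}

// ExposureFactor: EF = (monetary loss due to threat) / (value of asset)
func ExposureFactor(loss, assetValue float64) float64 { return loss / assetValue }

// AnnualRate: ARO = (number of events) / (observation time in years)
func AnnualRate(events, years float64) float64 { return events / years }

// SLE = AV x EF
func (s Scenario) SLE() float64 { return s.AssetValue * s.Exposure }

// ALE = SLE x ARO
func (s Scenario) ALE() float64 { return s.SLE() * s.ARO }

// SafeguardValue = ALE1 - ALE2 - ACS. Positive means the control pays for
// itself; negative means it costs more per year than the risk it removes.
func SafeguardValue(aleBefore, aleAfter, annualCost float64) float64 {
	return aleBefore - aleAfter - annualCost
}

// Safeguard is a candidate control: its annual cost and the EF and ARO that
// remain once it is in place.
type Safeguard struct {
	Name        string
	AnnualCost  float64
	NewExposure float64
	NewARO      float64
}

// Evaluate applies the safeguard to the scenario and returns its annual value.
func (s Scenario) Evaluate(g Safeguard) float64 {
	after := Scenario{Name: s.Name, AssetValue: s.AssetValue, Exposure: g.NewExposure, ARO: g.NewARO}
	return SafeguardValue(s.ALE(), after.ALE(), g.AnnualCost)
}

// BestSafeguard picks the highest-value option. ok is false when no option
// has a positive value, i.e. accepting the risk is cheaper than any control.
func (s Scenario) BestSafeguard(options []Safeguard) (best Safeguard, value float64, ok bool) {
	for _, g := range options {
		if v := s.Evaluate(g); v > value {
			best, value, ok = g, v, true
		}
	}
	return best, value, ok
}

func main() {
	// The slide's hurricane example.
	hurricane := Scenario{Name: "Hurricane damage to office building",
		AssetValue: 200_000, Exposure: 0.50, ARO: AnnualRate(1, 10)}
	fmt.Printf("SLE = $%.0f, ALE = $%.0f\n", hurricane.SLE(), hurricane.ALE())

	// Constructed candidate safeguards (illustrative figures, not from the slides).
	options := []Safeguard{
		{Name: "Storm shutters", AnnualCost: 3_000, NewExposure: 0.10, NewARO: 0.10},
		{Name: "Relocate inland", AnnualCost: 12_000, NewExposure: 0.0, NewARO: 0.0},
	}
	for _, g := range options {
		fmt.Printf("%-16s value = $%.0f per year\n", g.Name, hurricane.Evaluate(g))
	}
	if g, v, ok := hurricane.BestSafeguard(options); ok {
		fmt.Printf("choose %q (worth $%.0f per year)\n", g.Name, v)
	} else {
		fmt.Println("no safeguard is cost-justified; accept the risk")
	}
}
```

With the constructed figures the shutters are worth $10,000 - $2,000 - $3,000 = $5,000 a year, while relocating removes the whole $10,000 ALE but costs $12,000, so its value is negative and it should not be chosen.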
QUANTITATIVE RISK ANALYSIS: JUST THE FORMULAS! (real-world example available in CISSP Exam Cram)
10 KEY TOPICS
1. Exam Prep Strategy
2. CISSP Mindset
3. Data Lifecycle
4. The 5 Pillars
5. Incident Management
6. Cryptography Concepts
7. Security Models
8. Quantitative Risk Analysis
9. Cloud Computing

Shared responsibility model
Layers (top to bottom): Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking
Columns: On-premises (100% YOURS), IaaS, PaaS, SaaS
Legend: for each layer and column, responsibility is CSP, Customer, or Shared.
Diagram labels: PRIVATE Cloud (the on-premises column), HYBRID Cloud.

For free cybersecurity exam prep content, follow Inside Cloud and Security on Youtube!
CLOUD service categories - IAAS
CSP provides building blocks, like networking, storage and compute.
CSP manages staff, HW, and datacenter.
Key Benefits: usage is metered; eases scale (scale-up, out, and down); reduced energy and cooling costs.
Examples: Azure Virtual Machines, Amazon EC2, GCP Compute Engine.

CLOUD service categories - PAAS
Customer is responsible for deployment and management of apps.
CSP manages provisioning, configuration, hardware, and OS.
Key Benefits: core infrastructure updated by provider; global collaboration for app development; running multiple languages seamlessly.
Examples: Azure SQL Database, API Management, Azure App Service.

CLOUD service categories - SAAS
Customer has some responsibility in access management and data recovery.
Customer just configures features.
CSP is responsible for management, operation, and service availability.
Key Benefits: limited administration responsibility; limited skills required; service always up-to-date; global access.
On premises vs cloud
You can’t audit a major CSP, but they offer SOC 2 and other reports on-demand.
Customer rights and capabilities to perform forensic investigation vary in the cloud versus on-premises.

Right-to-Audit Clauses
Written into supply chain contracts, these allow an auditor to visit the premises to inspect and ensure that the contractor is complying with contractual obligations.
This would help an auditor identify:
- Faulty or inferior quality of goods
- Short shipments
- Goods not delivered
- Kickbacks
- Gifts and gratuities to company employees
- Commissions to brokers and others
- Services allegedly performed that were not actually necessary
10 Key topics
1. Exam Prep Strategy
2. CISSP Mindset
3. Data Lifecycle
4. The 5 Pillars
5. Incident Management
6. Cryptography Concepts
7. Security Models
8. Quantitative Risk Analysis
9. Cloud Computing
10. Answering Questions, Managing Time
testimonials
What are other learners saying?

"The "READ" strategy was monumental support in training my brain how to deconstruct the exam questions."
~S.A.
THE “READ” Strategy
REVIEW, ELIMINATE, ANALYZE, DECIDE

An easy-to-remember strategy for choosing the correct answer on the CISSP exam.
THE “READ” Strategy - REVIEW
GOAL: Find "What is the core issue you are solving for?"
Read through the details of:
✓ What is being asked?
✓ Requirements and context?
✓ Is a specific framework being referenced?
✓ Which leg of the CIA triad does the question speak to?
THE “READ” Strategy - ELIMINATE
GOAL: Find “Which answers are definitely not correct?”
Identify and remove:
✓ Unimportant details (distractors)
✓ Wrong answers
This step will often eliminate 1 or 2 answers immediately!
THE “READ” Strategy - ANALYZE
GOAL: Prioritize solution requirements based on context.
Identify:
✓ All requirements (there may be one or multiple)
✓ Sort requirements in priority order
THE “READ” Strategy - ANALYZE
TIPS for this step:
Remember CISO priorities:
1. Human safety
2. Keep the business running securely
3. Managing risk, while exercising due diligence and due care
REMEMBER: As a leader, “call an outside expert” is an option!
THE “READ” Strategy - DECIDE
GOAL: Select the best answer (based on the previous steps)
For the remaining answers:
✓ Evaluate each answer by itself.
✓ Identify why you do/don't like each
✓ Look for one option that encompasses (includes) the others

Be wary of answers that call for a technical (hands-on) response.
Take good people or process-focused answers over technical.
Regulatory requirements override company policies.
THE “READ” Strategy Quick reference

REVIEW: What is being asked? True end goal we’re solving for? Any process frameworks or regulatory requirements?
ELIMINATE: Unimportant details intended to distract? Answers that are definitely wrong?
ANALYZE: What are the solution requirements? If multiple, prioritize based on CISO priorities.
DECIDE: Evaluate each answer individually. What do we like about each? Does one encompass the other?
Know your role! Remember CISO priorities!
important decision criteria
When choosing your answer, remember the following:

1. Meets CISO priorities (human safety, enables continued business operation, cost-effective)
2. Meets all solution requirements
3. When multiple answers meet requirements, the chosen answer has objective advantages over other solutions
4. When no answer meets all requirements, the answer meets the highest priority requirement(s)
5. Favor “all-encompassing answers”
6. Beware of technical, hands-on solutions (CISSP will tend to focus on people and process more than technology)
important decision criteria
When choosing your answer, remember the following:

7. Role-appropriate for the party tasked with solution? (CISO, administrator, user, etc.)
8. What is the focus of this question in the CIA Triad? (confidentiality, integrity, availability)
9. Which answer is scoped and tailored to the organization? (based on needs, risk appetite, cost effectiveness)
10. Be wary of answers that solve for ALL or EVERY situation (no room for tuning or tailoring from a baseline)
Just answer the question with facts you are given!
Do NOT assume or invent additional scenario context!
secure data lifecycle

01 Rico’s chain of sandwich shops wants to provide secure, free wireless for customers. Which option best meets the need without requiring users to have an account?

1. A captive portal
2. WPA3 in SAE mode
3. WPA2 in PSK mode
4. WPA2 in Enterprise mode
secure data lifecycle

01 ANSWER: 2. WPA3 in SAE mode
Both meet the technical requirement, but WPA3 has objective advantages.

Both WPA3 SAE and WPA2 PSK meet the need of secure wireless without the need for user accounts.
However, the pre-shared key makes WPA2 PSK less convenient.
Security architecture & engineering

02 Acme has implemented multifactor authentication (MFA) using SMS as a second factor. What is the primary security concern with this design?

1. SMS messages may be stored on the receiving phone
2. SMS messages can be sent to more than one device
3. SMS messages are not encrypted
4. SMS messages can be spoofed by senders
Security architecture & engineering

02 ANSWER: 3. SMS messages are not encrypted

SMS messages are not encrypted, so they could be sniffed and captured. SMS messages can be spoofed, but that is not the primary concern in this case.
identity and access management

03 Greg has been tasked with identifying areas where the corporate wireless network is available where it shouldn’t be. What’s the best method to identify problem areas?

1. Wardriving
2. A site survey
3. Warwalking
4. Network design diagram
identity and access management

03 ANSWER: 2. A site survey
This option provides certainty through due care and is well-suited to this use case.

A site survey meets the need through physical, real-world validation, demonstrating due care in the response. A network diagram offers clues, but not direct confirmation. Wardriving and warwalking can indirectly expose this issue but are not primarily intended for this purpose.
Security operations

04 Contoso has offices with networks across the city and wants all locations to appear like a single network. Which option would best achieve this goal?

1. SDWAN
2. VXLAN
3. FCoE
4. VLAN
Security operations

04 ANSWER: 2. VXLAN
VXLAN achieves this with the least complexity, effort, and disruption.

VXLAN is an encapsulation protocol that carries VLANs across routable networks, giving the appearance of a single network across distance without the need for physical network changes. FCoE is storage related, and SD-WAN is for wide-area networks.
CISSP EXAM PREP
STRATEGY SESSION

HOW TO ANSWER DIFFICULT questions with the field-tested “READ” strategy

with Pete Zerger vCISO, CISSP, MVP

Get your materials and GET STARTED!
INSIDE CLOUD

THANKS FOR WATCHING!