CISSP Case Study – The Pre-Launch Demo:
Imagine yourself as the CISO of Sagar Bansal Digital. You sit in a huge cabin, with hundreds of people working under you and a lot of stakeholders to manage. That’s a lot of work. Now, one of our partner companies, ICyber-Security, has released a new product called ICyber-Shield. It’s a SOAR platform that could change the whole industry. Marco is the founder, and because he’s a good friend of mine, he wants to give us a demonstration of his product before it officially launches. What’s more exciting than getting your hands dirty on something that is not yet public? Well, that’s one of the perks of working at Sagar Bansal Digital. Since we work with multiple high-profile clients, including governments, things can get ugly if something goes wrong. You are the CISO of the company, and I am giving you the responsibility of making sure that everything goes according to plan.
It’s the day of the meeting. You decided to give Marco and his team a VPN connection so that they can connect to our environment. Great, the meeting has started. The product needs to be custom-configured to our infrastructure, so Marco has asked you for access to the folder where all the configuration files are stored. This can be dangerous if something is accidentally altered, so to preserve integrity you decide to give him read-only access. After the configuration is done, Marco asks you to allow internet access from your local network, since the product needs to sync to a remote central database. I know what you’re thinking: allowing direct access? That can open up the system to the whole world. Soon your CISSP brain strikes on an idea and you set up a firewall with an inbound rule that whitelists only the IP of Marco’s server. Problem solved! But wait, what about the secret data of your clients?
You cannot just give it away to Marco for a demo. If any of your clients found out, you could be in breach of your NDA with them. Oh wait, an NDA! You decide to get an NDA signed by Marco so that the obligations are properly balanced. Everything goes as planned. The ICyber-Shield platform impresses our board, Marco gets a review of his product, and I’m super happy to see my CISO’s awesome work.
Now Question Time:
Which one of these concepts was not used in this meeting?
A. Rule Based Access Control
B. Least Privilege Based Access
C. Due Diligence & Due Care
D. Need To Know
Answer To This CISSP Question:
If you analyze this situation carefully:
Option A is Rule-Based Access Control. In this case, a rule accepting inbound network traffic only from Marco’s server IP was established through the implementation of a firewall, so that concept was definitely used. One caveat for practitioners: since the sync runs outbound to the remote database, the firewall should also restrict the product host’s outbound traffic to that same IP; an inbound-only allow list does nothing to limit egress.
Option B, Least Privilege, is justified by the VPN connection, which started Marco’s team off with no privileges. He requested access to the configuration files and we granted READ-ONLY access. All of this is least-privilege-based access control.
Option C, Due Diligence & Due Care, was seen with the NDA, since Marco was made to sign a one-sided NDA committing him not to disclose anything about our clients. This leaves us with
Option D, Need to Know. This concept was not used in this situation. Some may argue that giving VPN access was part of Need to Know, as Marco’s team was given limited access to the infrastructure. Well, that’s not correct. It was a SOAR product: he connected all our devices to his product and had full access to and visibility of our processes, data, and information. He even knew about the folder where the configuration files are stored and hence requested access to it.
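To make Option A concrete, here is an added example, written for this page and not code from the post or from ICyber-Shield, that models the firewall’s rule-based decision as a default-deny, first-match packet filter with connection tracking. It evaluates constructed sample flows against the inbound-only allow list described above and against a rule set that also pins egress to Marco’s server. The addresses 203.0.113.10 (Marco’s server), 10.0.5.20 (the demo host), 10.0.5.21 (another LAN host), 198.51.100.7 (an unrelated internet host) and the sync port 443 are assumptions.

```python
"""Model of the case study's firewall allow list (added illustration, not
code from the original post). It implements a default-deny, first-match
packet filter with a connection-tracking table, and evaluates constructed
sample flows against two rule sets: the inbound-only rule the post
describes, and the same rule set with egress pinned to Marco's server.
Addresses (TEST-NET / RFC 1918) and the sync port 443 are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

PARTNER_SERVER = "203.0.113.10"  # assumed: Marco's central database server
DEMO_HOST = "10.0.5.20"          # assumed: internal host running ICyber-Shield
OTHER_INTERNET = "198.51.100.7"  # assumed: an unrelated host on the internet


@dataclass(frozen=True)
class Flow:
    direction: str    # "in" = arriving from the internet, "out" = leaving the LAN
    src: str
    dst: str
    dport: int
    new: bool = True  # False marks return traffic of an existing connection


@dataclass(frozen=True)
class Rule:
    direction: str
    src: Optional[str]    # CIDR, or None for "any"
    dst: Optional[str]
    dport: Optional[int]  # None for "any port"
    action: str           # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        if self.direction != f.direction:
            return False
        if self.src is not None and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == f.dport


def decide(rules: List[Rule], f: Flow, established: Set[Tuple[str, str]]) -> str:
    """First matching rule wins; no match means drop (default deny).

    Return traffic is accepted only if the forward direction of the
    connection was accepted earlier, the way a stateful firewall does it."""
    if not f.new:
        return "accept" if (f.dst, f.src) in established else "drop"
    for r in rules:
        if r.matches(f):
            if r.action == "accept":
                established.add((f.src, f.dst))
            return r.action
    return "drop"


# 1. What the post describes: one inbound rule for Marco's server IP, and
#    "internet access" for the LAN granted with no restriction on egress.
INBOUND_ONLY = [
    Rule("in", PARTNER_SERVER + "/32", DEMO_HOST + "/32", 443, "accept"),
    Rule("out", None, None, None, "accept"),
]

# 2. The sync is outbound, so pinning egress to the partner server is what
#    actually limits which remote host the demo box (and only it) can reach.
PINNED_EGRESS = [
    Rule("in", PARTNER_SERVER + "/32", DEMO_HOST + "/32", 443, "accept"),
    Rule("out", DEMO_HOST + "/32", PARTNER_SERVER + "/32", 443, "accept"),
]

# Constructed sample traffic, evaluated in order so that return flows follow
# the connections they belong to.
FLOWS = [
    Flow("in", PARTNER_SERVER, DEMO_HOST, 443),               # Marco's server -> demo host
    Flow("in", OTHER_INTERNET, DEMO_HOST, 443),               # anyone else on the internet
    Flow("out", DEMO_HOST, PARTNER_SERVER, 443),              # the sync to the central database
    Flow("in", PARTNER_SERVER, DEMO_HOST, 51000, new=False),  # reply to the sync
    Flow("out", DEMO_HOST, OTHER_INTERNET, 443),              # demo host reaching an unrelated host
    Flow("out", "10.0.5.21", PARTNER_SERVER, 443),            # another LAN box reaching Marco's server
    Flow("in", OTHER_INTERNET, DEMO_HOST, 51001, new=False),  # reply from the unrelated host
]


def evaluate(rules: List[Rule]) -> List[str]:
    """Run every sample flow through the rule set and return the verdicts."""
    established: Set[Tuple[str, str]] = set()
    return [decide(rules, f, established) for f in FLOWS]


if __name__ == "__main__":
    for name, rules in (("inbound-only", INBOUND_ONLY), ("pinned egress", PINNED_EGRESS)):
        print(name, evaluate(rules))
```

Running it shows the point of the caveat: with the inbound-only rule set the demo host, and any other LAN host, can reach any server on the internet, and the replies are let back in by the established-connection check; with egress pinned, only the sync to Marco’s server and its reply pass, and every other flow is dropped.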
Were you able to answer this correctly?
My CISSP Masterclass has changed thousands of lives. It’s time for you to take action. Click here to start your free trial.