Security & Risk Management (15%)
Risk management questions require knowing the terminology precisely. ALE (Annual Loss Expectancy) = SLE × ARO. SLE = asset value × exposure factor. ARO = how often a threat occurs annually. BCP covers the entire business; DR covers IT systems. RTO = maximum acceptable downtime. RPO = maximum acceptable data loss (expressed as time since last backup).
- CIA triad and security principles (need-to-know, least privilege, separation of duties)
- Risk frameworks: NIST RMF, ISO 27001, COBIT
- Risk treatment: accept, transfer (cyber insurance), avoid, mitigate
- Legal and regulatory compliance: GDPR, HIPAA, SOX, PCI DSS
- Business Continuity Planning (BCP) and Disaster Recovery (DR) concepts: RTO, RPO, MTTR, MTBF
- Security awareness training and ethics (ISC2 Code of Ethics)
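The SLE/ALE arithmetic above, carried through to a cost/benefit decision between mitigating and accepting a risk. This is an added example, not part of the study guide; the asset value, exposure factors, ARO and control cost are constructed figures.

```python
# Added example (not from the study guide): quantitative risk analysis using
# SLE = AV x EF and ALE = SLE x ARO, then a cost/benefit check of a proposed
# control. All figures below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: business value of the asset
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0-1.0)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a mitigating control.

    Positive: the control removes more expected loss than it costs (mitigate).
    Negative: it costs more than the risk it removes, so accepting or
    transferring the residual risk is the better treatment.
    """
    return (before.ale() - after.ale()) - annual_control_cost


# Constructed scenario: a 500,000 database; ransomware destroys 40% of its
# value per incident, expected once every two years (ARO = 0.5).
DB_RISK = Risk(asset_value=500_000, exposure_factor=0.40, aro=0.5)

# Same asset with offline, tested backups: an incident now costs only the
# 5% lost during the restore window; likelihood is unchanged.
DB_RISK_WITH_BACKUPS = Risk(asset_value=500_000, exposure_factor=0.05, aro=0.5)

if __name__ == "__main__":
    print(f"SLE before: {DB_RISK.sle():,.0f}")          # 200,000
    print(f"ALE before: {DB_RISK.ale():,.0f}")          # 100,000
    print(f"ALE after:  {DB_RISK_WITH_BACKUPS.ale():,.0f}")  # 12,500
    # Backups costing 30,000/year still net 57,500/year: mitigate.
    print(f"Net value:  {control_value(DB_RISK, DB_RISK_WITH_BACKUPS, 30_000):,.0f}")
```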
Asset Security (10%)
Data ownership roles are reliably tested. The data owner (executive/business unit) is responsible for classification and risk decisions. The data custodian (IT/security) implements the technical controls the owner mandates. Media sanitisation levels: Clearing = overwrite (sufficient for reuse within organisation); Purging = degaussing or cryptographic erase (for reuse outside); Destruction = physical shredding (for classified data).
- Data classification: public, internal, confidential, restricted/secret
- Data ownership roles: data owner (business decisions), data custodian (technical controls), data steward
- Data lifecycle management: creation, storage, use, sharing, archiving, destruction
- Privacy protection: PII, PHI, data minimisation, privacy by design
- Data handling: DRM, DLP, data retention policies
- Media sanitisation: clearing, purging, destruction methods (degaussing, shredding)
Security Architecture & Engineering (13%)
Bell-LaPadula vs Biba: Bell-LaPadula protects confidentiality (classified military model — no read up prevents low-clearance subjects reading high-sensitivity data). Biba protects integrity (no read down prevents high-integrity subjects being corrupted by low-integrity data). For crypto: symmetric = fast bulk encryption; asymmetric = slow but enables key exchange without prior shared secret. Hybrid encryption (TLS) uses asymmetric to exchange a symmetric session key.
- Security models: Bell-LaPadula (no read up, no write down — confidentiality), Biba (no read down, no write up — integrity)
- Cryptography: symmetric (AES, DES, 3DES), asymmetric (RSA, ECC, Diffie-Hellman), hashing (SHA-2)
- PKI: certificate lifecycle, CA hierarchy, CRL and OCSP
- Physical security: defence in depth (perimeter → facility → floor → room → rack)
- Trusted Platform Module (TPM) and hardware security modules (HSM)
- Side-channel attacks: timing, power analysis, electromagnetic emissions
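The Bell-LaPadula and Biba rules above as a reference-monitor style check, showing that the two models give opposite answers to the same request. This is an added example, not from the study guide; the three-level label ordering is an assumption.

```python
# Added example (not from the study guide): applying the Bell-LaPadula
# confidentiality rules and the Biba integrity rules to an access request.
# The LOW/MEDIUM/HIGH label ordering is a constructed assumption.
from enum import IntEnum


class Level(IntEnum):
    """Ordered labels: higher = more sensitive (BLP) or more trusted (Biba)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def bell_lapadula_allows(subject: Level, obj: Level, op: str) -> bool:
    """Confidentiality: no read up (simple security), no write down (*-property)."""
    if op == "read":
        return subject >= obj   # may read only at or below own clearance
    if op == "write":
        return subject <= obj   # may write only at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Integrity: no read down (simple integrity), no write up (*-integrity)."""
    if op == "read":
        return subject <= obj   # may read only from equal or higher integrity
    if op == "write":
        return subject >= obj   # may write only to equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")


def explain(subject: Level, obj: Level, op: str) -> str:
    """One-line comparison of both models' verdicts for the same request."""
    blp = bell_lapadula_allows(subject, obj, op)
    biba = biba_allows(subject, obj, op)
    return (f"{op} subject={subject.name} object={obj.name}: "
            f"Bell-LaPadula={'allow' if blp else 'deny'}, "
            f"Biba={'allow' if biba else 'deny'}")


if __name__ == "__main__":
    # LOW subject reading a HIGH object: BLP denies (read up leaks secrets),
    # Biba allows (reading higher-integrity data cannot corrupt the subject).
    print(explain(Level.LOW, Level.HIGH, "read"))
    # HIGH subject writing to a LOW object: BLP denies (write down leaks),
    # Biba allows (writing down cannot taint higher-integrity data).
    print(explain(Level.HIGH, Level.LOW, "write"))
```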
Communication & Network Security (13%)
Network security is largely the same across certifications — focus on what each control is for and where it sits. Firewalls between zones; IDS/IPS inside the network (IDS passively alerts; IPS actively blocks). IPsec operates at Layer 3 (network) and can protect entire VPN tunnels. TLS operates at Layer 4–7 and protects application sessions. Split tunnelling in VPN: only corporate traffic goes through the tunnel; internet traffic goes direct.
- OSI model security by layer: application (firewalls/IDS), transport (TLS), network (IPsec)
- Network attacks: ARP poisoning, DNS poisoning, VLAN hopping, BGP hijacking
- Firewalls: packet filtering, stateful, NGFW (application-aware)
- VPN types: IPsec (site-to-site), SSL/TLS (remote access), split tunnelling
- Wireless security: WPA3, TKIP vs CCMP/AES, 802.1X EAP types
- Network segmentation: DMZ, NAC, microsegmentation
Identity & Access Management (13%)
Access control model selection is tested by scenario. MAC = government/military (labels, mandatory enforcement, no user discretion). DAC = most common in commercial OS (file owner sets permissions). RBAC = enterprise (permissions assigned to roles). For biometrics: CER/EER is the balance point between FAR and FRR — lower CER = better system. System administrators prefer low FAR (security); users prefer low FRR (convenience).
- Authentication factors: something you know (password), have (token), are (biometric), somewhere (location)
- Access control models: MAC (mandatory, labels), DAC (discretionary, owner sets ACLs), RBAC (roles), ABAC (attributes)
- Identity federation: SAML 2.0, OAuth 2.0, OpenID Connect (OIDC)
- Single Sign-On (SSO) and its security trade-offs
- Privileged Access Management (PAM) and just-in-time access
- Biometric accuracy: FAR (false accept — impersonator gets in), FRR (false reject — user locked out), CER (crossover — FAR = FRR)
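The FAR/FRR/CER relationship above, computed over a range of match-score thresholds so the crossover point can be located. This is an added example, not from the study guide; the genuine and impostor match scores are constructed sample data.

```python
# Added example (not from the study guide): computing FAR and FRR across
# match-score thresholds for a biometric system and locating the CER/EER.
# The genuine and impostor match scores below are constructed sample data.
from typing import List, Tuple

# Constructed similarity scores (0-100): how closely a presented sample
# matched the enrolled template.
GENUINE_SCORES = [91, 88, 85, 83, 80, 77, 74, 70, 66, 60]   # legitimate users
IMPOSTOR_SCORES = [72, 65, 61, 58, 55, 50, 46, 40, 33, 25]  # other people


def far(threshold: int, impostors: List[int]) -> float:
    """False Accept Rate: fraction of impostors whose score meets the threshold."""
    return sum(s >= threshold for s in impostors) / len(impostors)


def frr(threshold: int, genuine: List[int]) -> float:
    """False Reject Rate: fraction of genuine users whose score falls below it."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover_error_rate(genuine: List[int], impostors: List[int]) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (CER/EER).

    Lower CER means a better sensor/algorithm. The operator then sets the
    working threshold above it (lower FAR, favouring security) or below it
    (lower FRR, favouring convenience) according to risk appetite.
    """
    best_t, best_gap, best_rate = 0, float("inf"), 0.0
    for t in range(0, 101):
        a, r = far(t, impostors), frr(t, genuine)
        gap = abs(a - r)
        if gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (a + r) / 2
    return best_t, best_rate


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t}: {cer:.0%}")             # threshold 66, 10%
    # Raising the threshold trades false rejects for fewer false accepts.
    print(f"threshold 70: FAR={far(70, IMPOSTOR_SCORES):.0%} "
          f"FRR={frr(70, GENUINE_SCORES):.0%}")            # FAR 10%, FRR 20%
```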
Security Assessment & Testing (12%)
Vulnerability assessment = identify and list vulnerabilities without exploiting them. Penetration test = actively exploit vulnerabilities to demonstrate business impact. Red team = simulate an advanced persistent threat over weeks/months with minimal rules of engagement. CVSS scoring: Base score = inherent characteristics; Temporal = current exploitability; Environmental = customised to your organisation.
- Vulnerability assessment vs penetration testing vs red team (different scope and depth)
- Pen test phases: reconnaissance → scanning → exploitation → post-exploitation → reporting
- Static vs dynamic code analysis
- Log reviews and audit trails: what to collect, integrity protection
- Security metrics: KRI, KPI, patch compliance rate
- SOC 2 Type I (point-in-time) vs Type II (over 6+ months) audits
Security Operations (13%)
DR site types: Hot = fully operational, data synchronised, minutes to failover (most expensive). Warm = hardware in place, data partially current, hours to failover. Cold = just space and power, days to weeks to failover (cheapest). CISSP prefers detective controls (understand what happened) over just implementing new preventive controls after an incident — always do a lessons-learned review.
- Incident response lifecycle: preparation, identification, containment, eradication, recovery, lessons learned
- Digital forensics: chain of custody, order of volatility, write blockers, forensic images
- Change and patch management: emergency change process, rollback procedures
- Disaster recovery: hot site (always on), warm site (periodic updates), cold site (empty space)
- Business continuity: testing types (tabletop, walkthrough, full interruption)
- Data Loss Prevention (DLP): network DLP, endpoint DLP, cloud DLP
Software Development Security (11%)
CISSP software security questions focus on process and concepts rather than code syntax. Threat modelling (STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) happens during design — the cheapest time to fix vulnerabilities. SAST = static analysis (source code, no execution, finds code flaws). DAST = dynamic analysis (running application, finds runtime vulnerabilities).
- SDLC security integration: security requirements, threat modelling, code review, SAST/DAST
- OWASP Top 10: injection, broken auth, XSS, IDOR, SSRF, security misconfigurations
- Secure coding practices: input validation, parameterised queries, output encoding
- DevSecOps and shift-left security
- Software supply chain security: SBOMs, dependency scanning, signing
- Database security: stored procedures, least privilege DB accounts, view-based access