
CISSP Security Certification:
A Slightly Skeptical View


CISSP stands for Certified Information Systems Security Professional. The certification is from the International Information Systems Security Certification Consortium, (ISC)2 (www.isc2.org).

This is a "one inch deep and a mile wide" type of exam: 250 multiple-choice questions in 6 hours. That means a little less than 1.5 minutes per question. But I think that for the three areas where you really feel strong, a reasonable approximation would be 10 seconds per question. For the others, a difficult question can take up to 5 minutes to make an educated guess. As with many multiple-choice exams in a dynamic field, you can expect a considerable number of questions that are "strange" in some way. At the same time, questions that look "normal" might have really strange "right" answers (see the review of the All-in-One CISSP Certification Exam book for more information).

That means that you need to develop the right exam strategy. You need to work on it, and there is no substitute for planning how you take the exam. I will give just a couple of tips:

A dozen books exist to prepare for this exam. See Recommended Books. You probably need two or three books to prepare for the exam, although many people who wrote reviews of CISSP-related books on Amazon claimed that for them one was enough. Almost any of them will introduce you to ISC2's unique vocabulary (which, as I already mentioned several times, is perhaps the most important aspect of the test). Over 80% of the terms and concepts you need to learn are presented in Recommended Books.

Make appointments with yourself for study time (i.e., in your day planner) so that it is clear to you when you're doing well or shirking your study responsibilities. Study appointments may be among the most important that you ever make and keep, since they very much determine your career. The key is to focus your efforts. You have only so much time, and there is a lot of partially dull, partially useless stuff. Motivate yourself by taking as many tests as possible. Use our FREE CISSP Diagnostic Tests to determine the areas where you need to work, if any...

All in all, this is a typical multiple-choice exam, although a long one. No news here.

The exam covers 10 main domains of knowledge. Each domain includes a dozen or so subtopics. Some topics are artificially divided (for example, access control and security models); some are pretty eclectic. The core topic is operational security. As one reader put it in an Amazon review: "I should have studied operational security more than I did."

A lot of subtopics are based on outdated content and, while omitting vital information, pay undue attention to obscure, useless subtopics that are nevertheless perfectly suitable for multiple-choice questions :-). Security Architecture & Models is a good example here:

As one can easily guess, the networking part of the exam pays a pretty high level of attention to the obsolete ISO/OSI model :-). Be prepared to review all those partially meaningless layers and understand the differences between them.

Still, those guys were the first, and despite new entries to the field CISSP still remains the most influential security certification brand name. Some weaknesses of the exam are generic: not only this one, but most such exams are questionable and often deteriorate into an exercise in memorizing obscure things. But at least they check the ability to memorize those obscure and useless things, so that complete dummies and PHBs might have some difficulty passing the test ;-) Also, a security certification should not be the end but only the beginning of your security education. As is the case with Microsoft and Cisco certifications, there will always be quite a lot of completely clueless CISSP professionals around ;-)

As one of the Amazon reviewers of the CISSP All-in-One Exam Guide aptly put it:

The CISSP exam is immature; that is, many of the questions appear convoluted for the sake of being obtuse. I doubt seriously if your score on this exam correlates to your true ability. That said, it is a necessary benchmark of a very broad subject.

Please be aware that many exam questions are connected not with computer security but with physical security issues and Security Management Practices. As far as I can tell, CISSP is loosely modeled on the CPA, but they are still afraid to add the second day :-). For more information, visit the AICPA's CPA exam section here or here.

(ISC)2 offers a draft Study Guide which contains updated descriptions of the ten test domains. You need to get it to understand the scope of the exam better. It is available from www.isc2.org (you need to register).

To become a CISSP, you also must subscribe to the (ISC)2 Code of Ethics and already have three years of direct work experience in the field. The exam currently costs $450...

You need to pay an annual membership fee to maintain the CISSP. A CISSP can only maintain certification by earning 120 CPE (continuing professional education) credits over a three-year recertification period. If we are talking about educational courses, this is impossible (counting 2 credits per 5-day course and two courses per year, you can expect around 4*3=12 credits), but there is a loophole of conference attendance. Two-thirds (80 CPEs) must be earned in activities directly related to the information systems security profession, and up to one third (40 CPEs) may be earned in other educational activities that enhance the CISSP's overall professional skills, knowledge, and competency.

In addition to paying an annual maintenance fee and subscribing to the Code of Ethics, a CISSP or SSCP must earn continuing professional education credits every three years, or retake their certification examination. CPE credits are earned by performing activities largely related to the information systems security profession, including, but not limited to, the following:



Old News

NSA Plans New Security Certification

March 10, 2003
By Roy Mark

The International Information Systems Security Consortium (ISC2) has signed a five-year contract with the National Security Agency's Information Assurance Directorate (IAD) to develop and administer a new Information Systems Security Engineering Professional (ISSEP) certification.

The new certification will serve as an extension of the CISSP (Certified Information Systems Security Professional), offered by ISC2 for information security professionals with four years cumulative work experience in the field.

Persons interested in taking the ISSEP exam will be required to already hold a CISSP credential. The certification is designed to recognize mastery of an international standard for information security professionals and their understanding of the 10 domains of the ISC2 Common Body of Knowledge in forming security policies, standards and procedures.

NSA will provide the subject matter experts to develop the ISSEP examination. ISC2 will manage the additional domains and exam material for the extension. The new domains of the ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations.

The ISSEP complements the CISSP by addressing the systems engineering side of information security. As with the CISSP, the substance of the domains studied will be updated with the constantly changing field of information security.

"The U.S. government has a unique set of standards for information security," said Patricia L. Moreno, chief of staff for NSA's Information Assurance Directorate. "We believe (ISC)2's longtime international expertise in professional certification best suits our training needs within NSA."

A Comment on the "Basic Security Theorem" of Bell and LaPadula -- nice critique

Coverage

The exam covers almost a dozen topics:

Security Management Practices

Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines.

Management tools such as data classification and risk assessment/analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented.

Security Architecture and Models

The Security Architecture and Models domain contains the concepts, principles, structures, and standards used to design, monitor, and secure operating systems, equipment, networks, applications and those controls used to enforce various levels of availability, integrity, and confidentiality.

Access Control Systems and Methodology

Access controls are a collection of mechanisms that work together to create a security architecture to protect the assets of the information system.

Application Development Security

This domain addresses the important security concepts that apply to application software development. It outlines the environment where software is designed and developed and explains the critical role software plays in providing information system security.

Operations Security

Operations Security is used to identify the controls over hardware, media, and the operators and administrators with access privileges to any of these resources. Audit and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process.

Physical Security

The physical security domain provides protection techniques for the entire facility, from the outside perimeter to the inside office space, including all of the information system resources.

Cryptography

The cryptography domain addresses the principles, means, and methods of disguising information to ensure its integrity, confidentiality and authenticity.

Telecommunications, Network, and Internet Security

The telecommunications, network, and Internet security domain discusses the:

Business Continuity Planning

The Business Continuity Plan (BCP) domain addresses the preservation and recovery of business operations in the event of outages.

Law, Investigations, and Ethics

The Law, Investigations, and Ethics domain addresses:

Even though the curriculum and CBK were developed in the United States, the material does not boast a definite US flavor. In fact, the material, as well as the exam, focuses on international issues.


CISSP Speak

Judging from the content of CISSP preparation books and tests, a lot of the questions on the CISSP test your vocabulary (how well you understand the meaning of words) in some form. Correspondingly, there is no quicker way to improve your CISSP scores than to improve your vocabulary. I know that's boring and has little or no practical value, but this is the way the game is played.

Refreshing your networking skills


Recommended Links


Sites

CCCure -- a very nice site with a lot of useful material and several tests.

(ISC)2 CERTIFICATION ONLINE STUDY GUIDES -- here you can submit a request for the study guide.

CS4601 Computer Security -- excellent set of slides

Introduction to Computer Security -- nice set of lectures

Lectures

NIAP - NATIONAL INFORMATION ASSURANCE PARTNERSHIP ®

SC-80 Security Home Page The mission of the Security Management Program in the Office of Science is to assure the adequate protection of information and assets while maintaining the openness and integrity that is necessary to foster the advancement of basic science and technological innovation.

Cissp.com The web portal for the certified information systems security professionals -- almost no useful info except resource page and (questionable :-) 15 question exam practice. The book that they sell is definitely overpriced ;-)

Boson Software Practice Tests for Certified Information Security Systems Professional (CISSP) Test #1, #2 & #3 -- each demo includes 12 sample questions.

Cert21.com - available practice exams -- free test. Registration required.

CISSP -- 40 questions

Reference

INCITS, InterNational Committee for Information Technology Standards

TECS The Encyclopedia of Computer Security


Recommended Articles

CHACS PUBLICATIONS

Landwehr, C.E., C. L. Heitmeyer, and J. D. McLean, "A security model for military message systems: retrospective," Proceedings 17th Annual Computer Security Applications Conference (ACSAC '01), pp. 174-190, 10-14 Dec 2001. PDF

Originally published in the 1984 ACM Transactions on Computer Systems, this paper was republished in 2001 as a "classic paper" in computer security. The Introduction to the Classic Papers by Dan Thomsen of Secure Computing Corporation (ACSAC '01 Proceedings, p. 161) states that because computer security is a "relatively new field that spans a wide range of topics", the question is how to sort through computer security history to find the data needed by computer security practitioners when they are "swamped with just the data published in the past year." The answer, according to Thomsen, is "to dust off papers that influenced security thought and print them again." In addition to republishing their papers, the authors of the three selected papers were asked to update their papers, place them in historical perspective, and describe what happened to the work after publication. This paper deals with a basic component of computer security: application-specific security policies.

Generally Accepted System Security Principles Ver 1.0 (GASSP)

Handbook of Information Security Management Access Control

Preparing for the CISSP exam, Part 1, 03-21-01

"How does the CISSP compare to the [Systems Security Certified Practitioner] in terms of the exam itself and the relative weight/importance of the certification?"

Both are useful stages in professional development. Visit the International Information Systems Security Certification Consortium (ISC)2 Web site - http://www.isc2.org/ - where you will find a wealth of material about the CISSP and the SSCP.

The SSCP is more hands-on and limited to technical issues. According to the description at https://www.isc2.org/sscp_examover.html: "The International Information Systems Security Certification Consortium, or (ISC)2, working with a professional testing service, has developed a certification examination based on the SSCP Common Body of Knowledge (CBK). Candidates have up to 3 hours to complete the examination which consists of multiple-choice questions that address the seven topical test domains of the CBK. The information systems security test domains are:

* Access Control.

* Administration.

* Audit and Monitoring.

* Risk, Response, and Recovery.

* Cryptography.

* Data Communications.

* Malicious Code."

In contrast, the CISSP is deliberately designed to cover a wide range of topics that distinguish information security experts from other kinds of IT experts. As described at https://www.isc2.org/cissp_examover.html: "Candidates have up to 6 hours to complete the examination which consists of 250 multiple-choice questions that address the [10] topical test domains of the CBK. The information systems security test domains are:

* Access Control Systems & Methodology.

* {Computer} Operations Security.

* Cryptography.

* Application & Systems Development.

* Business Continuity & Disaster Recovery Planning.

* Telecommunications & Network Security.

* Security Architecture & Models.

* Physical Security.

* Security Management Practices.

* Law, Investigations & Ethics."

Pritsky also asked:

"What can you tell me about the exam itself? A lot of questions? Evenly distributed amongst the 10 domains? Multiple choice? Hands-on? I don't really know what to expect."

CISSPs and all who take the exam are under nondisclosure agreement not to divulge the detailed content. See sample questions on the (ISC)2 Web site.

In the next segment of this three-part series, I will look at useful reading for future CISSPs.

Sample Questions

Should you take the CISSP exam? By Richard Power. Reprinted from the March 1997 issue of Computer Security Institute's monthly newsletter, Computer Security Alert.

Do you consider yourself an information security professional? Have you been working as an information security practitioner for at least three years? Are you going to attempt to make a career out of information security? You should seriously consider seeking certification as a Certified Information Systems Security Professional (CISSP). Even if information security is only part of your overall job description or career path, you should probably seek certification. CISSP certification is only available to those qualified candidates who successfully pass the examination created by the International Information Systems Security Certification Consortium (ISC)2. The consortium is supported by Computer Security Institute (CSI), Information Systems Security Association (ISSA), Canadian Information Processing Society (CIPS), and other reputable industry presences. The CISSP exam is built from a pool of 1,200 multiple choice questions based on a Common Body of Knowledge (CBK), consisting of ten test domains, for example, access control, risk management, application program security, etc.

Information security has reached center stage. The "1997 Information Security Staffing Levels and the Standard of Due Care" study conducted by CSI and Charles Cresson Wood of Baseline Software indicates that budgets for information security staffing are expected to rise 17.8% over the next year and that information security as a percentage of total employment has increased nearly 100% over the last seven years. Information security is rapidly gaining ground relative to related organizational functions like EDP audit, physical security and information systems. There are other strong indicators. Consider the remarks of Tracy A. Lenzner (Williamsville, NY), an independent executive search consultant who recently managed an aggressive recruitment campaign for one of the Big Six firms. "The information security market is very hot. I have never seen people going after one area so aggressively. It's because there are so few infosec professionals with real expertise. If you find people who really know what they're doing, they are worth their weight in gold. One week, I'm talking to candidates, the next week they have been contacted by four companies. And these aren't just little companies, these are the big guns going after everybody and anybody."

But there is also significant evidence that those who want to cash in on the information security Gold Rush will greatly benefit from having a CISSP designation on their resumes. CISSP is starting to show up in more and more job listings, and is typically listed as either "minimum requirement" or "a definite plus."

Does CISSP give you a competitive edge in the job market?

Will CISSP be more of a factor in the future? According to Lenzner, yes. "In the years ahead, there will be a greater demand for IT security as an integral part of corporate success. And therefore, there will be a greater demand for highly skilled, knowledge based expertise in security. CISSP certification is a distinctive indication of both technical and theoretical security expertise. Thus, CISSP certification will become an increasingly important factor in the near future."

Although certification is clearly an advantage on the job market, there are still only a handful of CISSP holders, as Lenzner explains. "As an executive recruiter engaging heavily in security recruitment, I do encounter CISSP holders. But I would say only 20% of the security professionals I speak with are CISSP-certified at this time."

What kind of difference could a CISSP certification make for job candidates?

Could it give them a significant edge over other candidates who don't have a CISSP certification?

"Absolutely! CISSP certification could potentially be a huge plus for candidates. Like many advanced degrees and certifications, CISSP is an additional asset that a candidate can possess, both from a competitive standpoint and in added value to the hiring company."

Consider the remarks of Satnam Purewal. Until recently, she was an information security professional at the University of British Columbia (Vancouver, BC). She took the CISSP exam and soon after was hired by Deloitte and Touche LLP as a Senior Computer Assurance Services (CAS) Specialist. Does she feel being a CISSP holder helped her in her recent job search?

"Yes. It's a great self marketing tool. I know the concepts, but a CISSP after my name says that a formal organization also believes that I know the material. There are certification bodies for engineers and accountants. These organizations enable employers to choose from a qualified group of people. Information system security is a critical function for any enterprise. Only qualified people should work on security. Computer security is more than just IDs and passwords. Security professionals must have working knowledge of policies, investigations, and laws. It was hard work. But it formalized the knowledge I obtained on the job."

How do you know if you are ready to take the test?

How can people evaluate whether or not they're ready to take the test? Purewal offers some tips. "People should take the self test in the CISSP Examination Study Guide available from (ISC)2. It will help you identify the areas where more learning is required. (ISC)2 asks for three years of experience. I seriously doubt anyone under three years of experience could pass the test anyway."

How would she suggest you prepare for the CISSP?

"Get hands on experience in as many areas of the Common Body of Knowledge as possible. Familiarize yourself with industry standards. An individual's knowledge should cover more than what technologies and practices are used at their own organization."

CISSP is approaching critical mass

Hal Tipton of HFT Associates (Villa Park, CA) is one of the scions of information security and a leading force in the Herculean effort to make the certification process a reality. Tipton was also the driving force in developing both the CISSP training course and study guide.

According to Tipton, there are over 700 CISSP holders. Approximately 400 have passed the exam, approximately 300 were "grandfathered" in at the beginning. "When we get a thousand or so certified people and there's a pool of people available, we'll see more headhunters and HR people insisting on CISSP as a qualification."

How big is the known universe of those who should take the test?

Tipton says it could be as many as 20,000. Clearly the high number involves many beyond those whose full-time job is information security. Among others, Tipton cites network administrators, auditors and industrial security personnel as likely candidates to benefit from being a CISSP holder. "A lot of small organizations might not be able to afford a full-time information security person, but they might be able to afford someone who is certified and double-hat the person with some other job. For example, a network administrator in an organization that cannot afford information security staff but has the need for security."

Tipton suggests that independent security consultants seek CISSP certification as well. "Some of the Big Six people really want you to have that CISSP designation. And for the smaller independent guys, it's a good way to win a contract. If you put in your proposal that you're CISSP-certified and the other bidders aren't, well, that's an advantage."

Why people fail and how you can avoid it

Of course, every silver lining is attached to a cloud. The CISSP exam is a straight pass or fail situation and some people do fall short. "The object of the certification process is not to fail people -- we would like to have 90% pass -- but it's all passed on the curve set up by the testing service based on the group that have taken the exam in that particular period of time." Tipton cautions against going it alone.

"The people that have failed are those who didn't take the seminar and just did the review on their own. They're failing 'Physical Security,' 'Cryptography' and 'Law, Investigations and Ethics.' That makes a lot of sense. In the field, information security personnel usually don't have a lot of hands-on experience with physical security. It is usually left to the industrial security types. In regard to cryptography, most organizations weren't into crypto at all until recently. With the rise of the Internet, it is becoming a much more important issue. It shouldn't be too hard to guess why the test scores on "Law, Investigations and Ethics" are so low. Organizations simply don't report incidents."

Where and when to move forward

CSI will host Hal Tipton's all-day course "An Introduction to the CISSP Exam" at NetSec '97 (San Francisco, CA) on Sunday, June 8th. Later in the year, CSI will host the CISSP exam at the 24th Annual Computer Security Conference and Exhibition (Washington, DC) on Sunday, November 16th, 1997. For more information on the CISSP certification process and training materials, contact (ISC)2 via the World Wide Web at http://www.isc2.org, e-mail: [email protected], telephone: 508-842-7329 or fax: 508-842-6461.


Sample Tests

Information Security Magazine: Can You Top the Bar? by Mollie Krehnke and David Krehnke

MOLLIE KREHNKE, CISSP, is a computer security analyst at Lockheed Martin Energy Systems. DAVID KREHNKE, CISSP, is the program manager for ISC.

Information Security Magazine CISSP SAMPLE EXAMINATION. The paper also contains the answers to these questions.

I. Access Control Systems and Methodology
1. In a discretionary mode, who has delegation authority to grant access to information to other people?
a. User
b. Security officer
c. Group leader
d. Owner

2. An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
a. Discretionary access
b. Least privilege
c. Mandatory access
d. Separation of duties

3. The type of penetration testing used to discover whether numerous usercode/password combinations can be attempted without detection is called
a. Keystroke capturing
b. Access validation testing
c. Brute force testing
d. Accountability testing

II. Telecommunications & Network Security

4. Which of the following telecommunications media is MOST resistant to tapping?

a. Twisted pair
b. Coaxial
c. Shielded coaxial
d. Fiber optic

5. Which network topology passes all traffic through all active nodes?
a. Broadband
b. Hub and spoke
c. Baseband
d. Token ring

6. Layer 4 of the OSI stack is known as
a. The data link layer
b. The transport layer
c. The network layer
d. The presentation layer

III. Security Management

7. Which of the following represents an ALE calculation?
a. Gross loss expectancy x loss frequency
b. Asset value x loss expectancy
c. Total cost of loss + actual replacement value
d. Single loss expectancy x annualized rate of occurrence

8. Who is ultimately responsible for ensuring that information is categorized and that specific protective measures are taken?
a. Security officer
b. Management
c. Data owner
d. Custodian

9. What principle recommends the division of responsibilities so that one person cannot commit an undetected fraud?
a. Separation of duties
b. Mutual exclusion
c. Need to know
d. Least privilege

IV. Application & System Development Security

10. When a database error has been detected requiring a backing-out process, a mechanism that permits starting the process at designated places in the process is called

a. Restart
b. Reboot
c. Checkpoint
d. Journal

11. Which one of the following is an automated software product used to review security logs?
a. User profiling
b. Intrusion detection
c. System baselining
d. Access modeling

12. Which of the following is a malicious program, the purpose of which is to reproduce itself throughout the network utilizing system resources?
a. Logic bomb
b. Virus
c. Worm
d. Trojan horse

V. Cryptography


13. In what way does the Rivest-Shamir-Adleman algorithm differ from the Data Encryption Standard?
a. It is based on a symmetric algorithm.
b. It uses a public key for encryption.
c. It eliminates the need for a key-distribution center.
d. It cannot produce a digital signature.

14. The fact that it is easier to find prime numbers than to factor the product of two prime numbers is fundamental to what kind of algorithm?
a. Symmetric key
b. Asymmetric key
c. Secret key
d. Stochastic key

15. The Data Encryption Algorithm performs how many rounds of substitution and permutation?
a. 4
b. 16
c. 54
d. 64

VI. Security Architecture & Models
16. At which ITSEC or TCSEC class is design verification first required?
a. F5 or A1
b. F3 or B1
c. F2 or C2
d. F1 or C1

17. What software flaw allows stack overflows and other memory-bound attacks to succeed?
a. Inadequate confinement properties.
b. Compartmentalization not enforced.
c. Insufficient parameter checking.
d. Applications execute in privileged mode.

18. Between-the-lines, line disconnects, interrupt and NAK attacks are all examples of exploits related to
a. System data channel
b. System timing (TOC/TOU)
c. System bounds checking
d. Passive monitoring

VII. Operations Security

19. Why are unique user IDs critical in the review of audit trails?
a. They show which files were altered.
b. They establish individual accountability.
c. They cannot be easily altered.
d. They trigger corrective controls.

20. An e-mail gateway that does not restrict the reception of e-mail to a known set of addresses can be used by a hacker for
a. Spamming attacks
b. NAK attacks
c. Exhaustive attacks
d. Spoofing attacks

21. Which of the following is an example of an operations security attack that is designed to cause the system, or a portion of the system, to cease operations?
a. Ping of Death
b. Brute force
c. Satan attack
d. Back door

VIII. Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)

22. Which of the following criteria should be met by off-site storage protection for media backup?
a. The storage site should be located at least 15 miles from the main site.
b. The storage site should be easily accessible during working hours.
c. The storage site should always be protected by an armed guard.
d. The storage site should guard against unauthorized access.

23. Which of the following best describes remote journaling?
a. Send hourly tapes containing transactions off-site.
b. Send daily tapes containing transactions off-site.
c. Real-time capture of transactions to multiple storage devices.
d. The electronic forwarding of transactions to an off-site facility.

IX. Law, Investigations & Ethics

24. Computer-generated evidence is not considered reliable because it is
a. Stored on volatile media
b. Too complex for jurors to understand
c. Seldom comprehensive enough to validate
d. Too difficult to detect electronic tampering

25. Before powering off a computer system, the computer crime investigator should record the contents of the monitor and
a. Save the contents of the spooler queue
b. Dump the memory contents to disk
c. Back up the hard drive
d. Collect the owner's bootup disks

26. According to the Internet Activities Board, which one of the following activities is in violation of RFC 1087, "Ethics and the Internet"?
a. Performing penetration testing against an Internet host.
b. Entering information into an active Web page.
c. Creating a network-based computer virus.
d. Disrupting Internet communications.

X. Physical Security

27. Which of the following measures would be the BEST deterrent to the theft of corporate information from a laptop that was left in a hotel room?
a. Store all data on disks and lock them in an in-room safe.
b. Remove the batteries and power supply from the laptop and store them separately from the computer.
c. Install a cable lock on the laptop when it is unattended.
d. Encrypt the data on the hard drive.

28. Which of the following BEST describes a transponder-based identification card?
a. The card is read by passing it through a magnetic strip reader.
b. The card is read by holding it in the proximity of the reader.
c. The card is read by slipping the card into a standard card edge connector.
d. The card is read by passing light through the holes in the card.

29. Under what conditions would use of a "Class C" hand-held fire extinguisher be preferable to use of a "Class A" hand-held fire extinguisher?
a. When the fire is in its incipient stage.
b. When the fire involves electrical equipment.
c. When the fire is located in an enclosed area.
d. When the fire is caused by flammable products.


Security Management Practices

Security Management Concepts and Principles
Change/Control Management
Data Classification Schemes
Employment Policies and Practices
Security Policies, Standards, Guidelines, and Procedures
Antivirus Policies
Risk Analysis Management
Roles and Responsibilities
Security Awareness
Security Management Planning
Integrated Safeguards and Security Management



Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019