Get ready for your CISSP exam with our free, accurate, and 2025-updated questions.
Cert Empire is committed to providing the best and latest exam questions for those preparing for the ISC2 CISSP exam. To assist students, we’ve made some of our CISSP exam prep resources free. You can get plenty of practice with our Free CISSP Practice Test.
Question 1
1. Cloud Security Alliance. (2017). Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. Domain 7: Infrastructure Security, Section 7.2, p. 89. The document states, "The virtual network provides logical isolation... This allows customers to segment their resources, not just from other customers, but also from their own resources."
2. National Institute of Standards and Technology. (2011). NIST Special Publication 500-292: NIST Cloud Computing Reference Architecture. Section 5.3.1.2, "Resource Pooling & Multi-tenancy," p. 17. This section discusses how multi-tenancy requires logical isolation of shared resources, which is the problem that VPCs are designed to solve.
3. Amazon Web Services. (2023). What is Amazon VPC?. AWS Documentation. The official documentation defines a VPC as a service that "lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define."
4. Armbrust, M., et al. (2009). Above the Clouds: A Berkeley View of Cloud Computing. University of California, Berkeley, Technical Report No. UCB/EECS-2009-28. Section 4, "Top 10 Obstacles and Opportunities for Cloud Computing," p. 8. The report discusses the obstacle of "Data Confidentiality and Auditability," for which network and machine-level isolation (as provided by a VPC) is a key solution.
Question 2
1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.
Reference: Section 3.5, "Application Security Testing," discusses the need to test all components of an application, including its interfaces with other systems. It notes that security testing should "verify that the application properly enforces security for both valid and invalid operations" and that this includes how it communicates with other services. The described scenario is a failure in this specific area.
2. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9), 1278–1308.
Reference: Section I.A.3, "Principle of Least Privilege," and Section I.A.5, "Principle of Complete Mediation." While not a direct definition of interface testing, these foundational security principles, taught in university curricula, imply that every access and data exchange between systems (an interface) must be validated. The failure to encrypt data at the interface violates the principle of protecting data as it crosses trust boundaries. (DOI: https://doi.org/10.1109/PROC.1975.9939)
3. University of Toronto, Department of Computer Science. (2018). CSC301: Introduction to Software Engineering, Lecture 11 - Software Testing.
Reference: Slide 21, "Integration Testing." The lecture material defines integration testing as testing the interfaces between components. It distinguishes between "Big Bang" and incremental approaches. This academic source establishes that testing interfaces between system components is a distinct and critical phase of software testing. The scenario highlights a failure in this specific phase.
Question 3
1. ISC2 CISSP Official Study Guide (9th ed.). (2021). Chapter 21: Secure Software Development. pp. 898-899. The text explicitly places code review and static code analysis within the "Software Development and Coding" phase, emphasizing its role in early detection before testing begins.
2. NIST Special Publication 800-218. (Feb 2022). Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities. Section 4, Practice PW.5. This practice, "Review All Code," states, "The software producer reviews all code to identify vulnerabilities and verify compliance with security requirements... This can be accomplished through manual and/or automated means." This is a core practice applied to the code artifact itself.
3. OWASP Foundation. (2021). OWASP Software Assurance Maturity Model (SAMM) v2.0. Design - Security Testing, Stream B: Application Testing. The model shows Static Application Security Testing (SAST), an automated form of code review, as a foundational activity that can be integrated directly into the CI/CD pipeline during the build process, far earlier than dynamic testing or penetration testing.
4. Kissel, R., Stine, K., et al. (Oct 2008). NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment. Section 5-2. The document distinguishes between code review (a static analysis technique) and security testing techniques like penetration testing and vulnerability scanning, which require an operational system.
Question 4
1. OWASP Foundation. (2021). OWASP Top 10:2021. A05:2021-Security Misconfiguration. The description explicitly includes "directory listing is not disabled on the server" as a common example of this vulnerability. (Reference: owasp.org/Top10/A052021-SecurityMisconfiguration/)
2. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (NIST Special Publication 800-53, Revision 5). Control CM-7 "Least Functionality" requires that the organization "configures the information system to provide only essential capabilities," which includes disabling functions like directory listing. A failure to do so is a configuration management failure. (Page 138, Control CM-7).
3. Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in Computing (5th ed.). Pearson Education. Chapter 8, "Web Security," discusses how improper server configuration is a primary source of web vulnerabilities, distinct from injection attacks or authentication flaws. (Section 8.3, "Web Server Vulnerabilities").
Question 5
1. National Institute of Standards and Technology (NIST) Special Publication 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security. Section 3.2, "ICS Security Program Development," outlines recommended security controls. Control family System and Information Integrity (SI), specifically SI-7 "Software, Firmware, and Information Integrity," and the general principle of defense-in-depth emphasize protecting individual system components from unauthorized changes.
2. National Institute of Standards and Technology (NIST) Internal Report (NISTIR) 8259A, IoT Device Cybersecurity Capability Core Baseline. This document establishes a baseline of security capabilities for IoT devices. The capabilities listed, such as Device Identification (Section 3.1), Device Configuration (Section 3.2), and Software Update (Section 3.5), are all focused on securing and managing the individual component to protect it from exploitation.
3. Al-Garadi, M. A., Mohamed, A., Al-Ali, A. K., Du, X., Ali, I., & Guizani, M. (2020). A Survey of Machine and Deep Learning Methods for Internet of Things (IoT) Security. IEEE Communications Surveys & Tutorials, 22(3), 1646-1685. DOI: 10.1109/COMST.2020.2988293. This survey discusses the convergence of security challenges in ICS and IoT, noting that "the first line of defense for IoT systems is to secure the IoT devices themselves" (Section II.A). This highlights the foundational importance of component-level protection.
Question 6
1. National Institute of Standards and Technology (NIST) Special Publication 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, February 2007. Section 3.1, "IEEE 802.1X Port-Based Access Control," states, "IEEE 802.1X uses the Extensible Authentication Protocol (EAP) [RFC 3748] to exchange authentication messages between the supplicant and the authentication server."
2. IEEE Std 802.11™-2020, IEEE Standard for Information Technology--Telecommunications and Information Exchange between Systems Local and Metropolitan Area Networks--Specific Requirements - Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. Clause 12.7.2, "AKM suite selector definitions," defines Authentication and Key Management (AKM) suites, including those based on IEEE 802.1X, which is the mechanism that employs EAP.
3. Carnegie Mellon University, Software Engineering Institute (SEI), Securely Deploying 802.11 Wireless Networks with Microsoft Windows, January 2009. Page 11, Section 3.2.2, "WPA2-Enterprise," states, "WPA2-Enterprise uses 802.1X/EAP for authentication. With 802.1X/EAP, a user must authenticate to the network before being granted access."
Question 7
1. National Institute of Standards and Technology (NIST). (2022). Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities (NIST Special Publication 800-218).
Section/Page: Practice PW.5, "Acquire and use only securely developed third-party components." Page 13 states, "A component with known vulnerabilities could be exploited by attackers to compromise the software, so it is important to know which components are used in the software and which vulnerabilities have been identified in those components."
2. OWASP Foundation. (2021). OWASP Top 10:2021.
Section/Page: A06:2021 – Vulnerable and Outdated Components. The document states, "You are likely vulnerable... If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies... If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use." This directly supports the idea that known vulnerabilities in components are a major risk.
3. Healy, J. C., & Mylopoulos, J. (2002). Requirements and Early-Phase Software Engineering. In van der Hoek, A. (Ed.), University of California, Irvine, Informatics 125 course materials.
Section/Page: In discussions on Non-Functional Requirements (NFRs) for security, course materials often reference the need to manage dependencies. The principle is that using third-party components, including open-source, means inheriting their security posture. The system's security is dependent on the security of its weakest component, which could be an unpatched open-source library. This is a foundational concept in secure software engineering taught in university curricula.
Question 8
1. (ISC)². (2024). ISC2 Code of Ethics. Preamble. The document states, "The canons, in the order of their priority, are: 1. Protect society... 2. Act honorably... 3. Provide diligent and competent service to principals. 4. Advance and protect the profession." It further clarifies, "Therefore, any conflict between these canons should be resolved in the order of the canons."
2. Stewart, J. M., Chapple, M., & Gibson, D. (2021). Official (ISC)2 CISSP CBK Reference (6th ed.). Sybex. In Domain 1: Security and Risk Management, the section "Understand, Adhere to, and Promote Professional Ethics" explicitly discusses the hierarchy of the canons, emphasizing that the duty to protect society (the first canon) is paramount.
3. HHS.gov, Office for Human Research Protections. (n.d.). The Belmont Report. While not an (ISC)² source, this foundational U.S. government document on ethics in research establishes the principle of beneficence (do no harm, maximize benefits), which aligns with the CISSP ethic of prioritizing public safety above other concerns. This principle is a cornerstone of ethical frameworks taught in university-level programs. (Section C: Applications, Paragraph 1).
Question 9
1. National Institute of Standards and Technology (NIST) Special Publication 800-77, Guide to IPsec VPNs. Section 2.1, "IPsec Overview," states: "IPsec is a suite of protocols for securing IP communications at the network layer by authenticating and/or encrypting each IP packet in a data stream."
2. Internet Engineering Task Force (IETF) RFC 4301, Security Architecture for the Internet Protocol. Section 1.1, "Security Services," states: "IPsec is designed to provide security services at the IP layer, enabling it to protect a variety of higher-level protocols..." The IP layer corresponds to the Network Layer of the OSI model.
3. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Chapter 8, "Security in Computer Networks," explicitly categorizes IPSec as a network-layer security protocol in Section 8.7, "Network-Layer Security: IPsec and Virtual Private Networks." This is a standard textbook in university computer science curricula.
Question 10
1. The Open Web Application Security Project (OWASP). (n.d.). Cross-Site Request Forgery (CSRF). OWASP Cheat Sheet Series. Retrieved from https://cheatsheetseries.owasp.org/cheatsheets/Cross-SiteRequestForgeryPreventionCheatSheet.html. In the introduction, it defines CSRF as "an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated."
2. Zeldovich, N., & Kaashoek, F. (2014). 6.858 Computer Systems Security, Fall 2014 - Lecture 16: Web security. MIT OpenCourseWare. Retrieved from https://ocw.mit.edu/courses/6-858-computer-systems-security-fall-2014/resources/mit6858f14lec16/. Slide 21 defines CSRF: "Malicious web site causes user's browser to send a request to an honest site, using the user's credentials (cookies) for that honest site."
3. Johns, M. (2008). Breaking the Web's Cookie Jar: Cross-Site Request Forgery and its mitigation. In Sicherheit 2008: Sicherheit, Schutz und Zuverlässigkeit. Lecture Notes in Informatics (LNI), P-128. Page 231. This academic paper states, "Cross-Site Request Forgery (CSRF) is a form of attack where a web site, email, or program causes a user's web browser to perform an unwanted action on a trusted site."
Question 11
1. Boneh, D., & Grossman, D. (2011). CS 155: Computer and Network Security, Lecture 5: Web Security. Stanford University. The lecture notes describe SQL injection, using the ' OR 1=1 -- payload as a canonical example of an attack that bypasses authentication by creating a tautology in the SQL WHERE clause. (See slides on "SQL Injection").
2. Halfond, W. G., Viegas, J., & Orso, A. (2006). A classification of SQL-injection attacks and countermeasures. Proceedings of the International Symposium on Secure Software Engineering. In Section 2.1, "Tautologies," the paper explicitly identifies payloads like ' or '1'='1 as a primary technique for bypassing authentication by making the where clause of a query always evaluate to true. DOI: https://doi.org/10.1109/ISSSE.2006.241671
3. Zeldovich, N., & Kaashoek, F. (2014). 6.858 Computer Systems Security, Lecture 10: Web Security. MIT OpenCourseWare. The lecture materials detail how user input can be misinterpreted as SQL commands, providing examples similar to ' OR '1'='1' to illustrate how an attacker can manipulate the query to bypass password checks.
Question 12
1. (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Chapter 17, "Conducting Security Control Assessments," emphasizes that the selection and development of assessment procedures must be sufficient to produce the evidence needed to determine control effectiveness. A failure to find severe weaknesses implies the procedures used lacked the necessary coverage.
2. NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment. Section 3.1, "Planning," states, "The planning phase is the most critical... It is during this phase that the rules of engagement are established, and the overall testing methodology is determined." This highlights that the effectiveness of an audit is contingent on a well-planned methodology that ensures comprehensive coverage.
3. NIST Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations. The introduction discusses the importance of selecting appropriate assessment methods and objects to obtain the required "depth and coverage" for a complete and accurate determination of control effectiveness. The scenario describes a clear failure in achieving adequate depth and coverage.
Question 13
1. NIST Special Publication 800-53A, Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations. (December 2020). Page 1, Section 1, "Introduction". The document states, "This publication provides a methodology and a set of procedures for conducting assessments of security and privacy controls... to determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements..."
2. NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations. (December 2018). Page 10, Section 2.4, "Step 4: Assess". This section defines the purpose of the assess step as determining "if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization."
3. Carnegie Mellon University, Software Engineering Institute, CERT Resilience Management Model (CERT-RMM) v1.2. (May 2016). Page 13, Section 2.3, "Appraisal". The document describes an appraisal (an assessment) as a method to "determine the process and practice capabilities of an organization's operational resilience management system," which is analogous to evaluating a security program's effectiveness.
Question 14
1. NIST Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Control SI-12, "Information Handling and Retention," mandates that organizations handle and protect information commensurate with its security category and sensitivity throughout its lifecycle, including in non-production environments.
2. ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection – Information security controls. Control 8.32, "Protection of test data," states, "Test data should be selected, protected and controlled carefully." It explicitly notes the risks of using operational data and the need for protective measures if its use is unavoidable.
3. (ISC)² CISSP Official Study Guide, 9th Edition. Domain 8: Software Development Security, discusses secure software testing. It emphasizes the significant risk of using production data in test environments and states that if it must be used, the test environment must have security controls equivalent to the production environment to prevent data disclosure. (Chapter 21, "Securing the Software Development Life Cycle").
4. Tipton, H. F., & Krause, M. (Eds.). (2007). Information Security Management Handbook, Sixth Edition. Auerbach Publications. In the chapter on "Application Security," the handbook discusses the sanitization of data for testing environments, highlighting that if production data is used, the environment must be secured to prevent the disclosure of sensitive information. (Part 5, Chapter 67).
Question 15
1. National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Control CM-6 (Configuration Settings) and its supplemental guidance emphasize that embedding credentials in software components is a significant vulnerability. The control's discussion notes the importance of managing configuration settings, including secrets, separately from the code to prevent unauthorized access.
2. Meli, M., McNiece, M., & Reaves, B. (2019). How to Break a Production System with a Single Line of Code: A Study of Hard-coded Secrets in the Wild. In Proceedings of the Internet Measurement Conference (IMC '19). Association for Computing Machinery, New York, NY, USA, 17–23. This study empirically demonstrates the prevalence and high risk of hard-coded secrets, stating, "hard-coded secrets are a serious security risk, as they can provide attackers with a 'skeleton key' to a developer's entire infrastructure." (Section 1, Paragraph 2). DOI: https://doi.org/10.1145/3355369.3355579
3. University of California, Berkeley, CS 161: Computer Security Courseware. Lecture notes on "Web Security" frequently cover common vulnerabilities. The topic of insecure credential storage explicitly warns against hard-coding secrets (e.g., API keys, database passwords) in source code, classifying it as a critical flaw that can lead to complete system compromise. (Reference to typical content in such high-level university security courses).
Question 16
1. National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. Control AC-6, "Least Privilege," states: "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions." (Page 101).
2. Saltzer, J. H., & Schroeder, M. D. (1975). The Protection of Information in Computer Systems. In Proceedings of the IEEE, 63(9), 1278-1308. This foundational academic paper defines the principle: "Every program and every user of the system should operate using the least set of privileges necessary to complete the job." (Section I.A.3, Page 1281). DOI: https://doi.org/10.1109/PROC.1975.9939
3. National Institute of Standards and Technology (NIST) Special Publication 800-207, Zero Trust Architecture. Section 3.1.3, "Least Privilege," states: "The ZTA should also be designed to grant the least privilege needed to complete the task. This includes limiting the visibility of network resources to only those that the subject needs to perform its task." (Page 12).
Question 17
1. AICPA. (2017). TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. In the Confidentiality Principle, criterion C1.2 discusses controls for the disposal of confidential information, with points of focus mentioning "protective measures, such as encryption." More fundamentally, the common criteria for Security, which underpins Confidentiality, specifically CC6.6, states, "The entity protects information during transmission and at rest," with encryption being the primary mechanism.
2. Harris, S., & Maymi, F. (2021). CISSP All-in-One Exam Guide, Ninth Edition. McGraw-Hill. Chapter 5, "Cryptography," page 211, explicitly states, "The primary goal of cryptography is to keep data confidential." It details how encryption transforms plaintext into ciphertext to protect it from unauthorized disclosure.
3. Whitman, M. E., & Mattord, H. J. (2019). Principles of Information Security (6th ed.). Cengage Learning. Chapter 8, "Cryptography," page 318, identifies encryption as the "process of converting original messages into a form that is unreadable to unauthorized individuals," which is the definition of providing confidentiality.
Question 18
1. National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.
Section 3, "Purpose," Page 2: "The security category of an information system will determine the minimum security requirements for that system as specified in FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems."
2. National Institute of Standards and Technology (NIST), Special Publication (SP) 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 2018.
Section 2.3, "RMF Step 1: Categorize," Page 21: "The security categorization of the system and the information it processes, stores, and transmits is a key first step in the risk management process because the categorization results are used as input for the subsequent steps in the RMF—in particular, for the selection of the baseline security controls in RMF Step 2 (Select)."
3. National Institute of Standards and Technology (NIST), Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.
Section 3, "Minimum Security Requirements," Page 2: "The minimum security requirements apply to each federal information system based on the security category of the information system, which is determined in accordance with FIPS 199."
Question 19
1. (ISC)² CISSP Official Study Guide, 9th Edition. Domain 8: Software Development Security, Chapter 21, pp. 928-929. The text explains that Static Application Security Testing (SAST) is "very effective at finding common vulnerabilities, such as buffer overflows, SQL injection, and similar well-known flaws." It contrasts this with the difficulty automated tools have with business logic.
2. NIST Special Publication 800-218, "Secure Software Development Framework (SSDF) Version 1.1." Section 4, Practice PW.8: Test Executable Code. This document recommends using static and dynamic analysis tools to "look for common types of vulnerabilities." This supports the idea that these tools are best suited for detecting known, typical vulnerability classes rather than complex, context-dependent flaws.
3. McGraw, G. (2006). Software Security: Building Security In. Addison-Wesley. Chapter 6, "Architectural Risk Analysis," and Chapter 7, "Software Penetration Testing." The book distinguishes between implementation bugs (e.g., buffer overflows), which are amenable to automated tool detection, and design flaws (e.g., business logic errors), which are not. It emphasizes that tools are good at finding "the usual suspects" in code.
4. Ayewah, N., Hovemeyer, D., Pugh, W., & Morgenthaler, J. D. (2008). Using static analysis to find bugs. IEEE Security & Privacy, 6(5), 22-29. https://doi.org/10.1109/MSP.2008.131. This academic paper discusses the effectiveness of static analysis tools, noting their strength in finding specific, well-defined bug patterns (e.g., null pointer dereferences, race conditions, SQL injection) directly in source code, which aligns with "typical source code vulnerabilities."
Question 20
1. National Institute of Standards and Technology (NIST) Special Publication 800-58, Security Considerations for Voice Over IP Systems. Section 3, "VoIP Vulnerabilities and Threats," details the new attack vectors introduced by VoIP protocols like SIP. The document states, "VoIP systems are vulnerable to the same threats as other network applications... In addition, VoIP has its own set of protocol-specific and implementation-specific vulnerabilities." This supports the need for additional controls.
2. Rosen, B., et al. (2002). RFC 3261: SIP: Session Initiation Protocol. The Internet Engineering Task Force (IETF). Section 26, "Security Considerations," extensively discusses the security issues inherent to SIP, such as registration hijacking, impersonating a server, and tampering with message bodies, and recommends mechanisms like TLS to mitigate them. This confirms that the protocol's behavior requires specific security measures.
3. Geneiatakis, D., Dagiouklas, A., & Katos, V. (2015). A Survey of SIP-Based VoIP Security Issues and Solutions. Information Security Journal: A Global Perspective, 24(4-6), 137-150. https://doi.org/10.1080/19393555.2015.1112911. The paper's abstract and introduction state that the adoption of SIP introduces significant security challenges, requiring solutions like firewalls, intrusion detection systems, and cryptographic methods, reinforcing that additional controls are a primary consideration.
Question 21
1. NIST SP 800-81r2, "Secure Domain Name System (DNS) Deployment Guide," §6.5, p. 6-5: "Because of caching ... changes may not be visible for up to the previous TTL value, often 24 to 48 hours."
2. RFC 1034, "Domain Names - Concepts and Facilities," §4.3.4: discusses TTL and cache effects delaying visibility of updates.
3. NIST SP 800-34 Rev.1, "Contingency Planning Guide for Federal Information Systems," §3.5.2, p. 3-12: emphasizes including worst-case propagation delays (e.g., DNS) when estimating recovery time.
4. Cisco Systems, "BGP Convergence in the Service Provider Core," White Paper, p. 2: typical convergence "within a few minutes."
5. Microsoft Docs, "Configure NAT for disaster recovery," Step-completion times: rule updates applied immediately once committed (no external propagation).
Question 22
1. NIST Special Publication 800-34 Rev.1, "Contingency Planning Guide for Federal Information Systems," §3.2.1, p.20: "The MTD ... is the primary factor used to determine the system recovery strategy."
2. NIST SP 800-34 Rev.1, Appendix C (Glossary), p.C-2: Definition of Maximum Tolerable Downtime and its role in selecting recovery alternatives.
3. ISO/IEC 22301:2019, Clause 8.4.3 a): Top management shall define maximum acceptable outage to guide selection of business continuity strategies.
4. MIT OpenCourseWare, Course 15.974 "Business Continuity," Lecture 4 notes, slide 8: "Senior management must communicate MTD so that unit managers can choose cost-effective recovery options meeting that limit."
Question 23
1. National Institute of Standards and Technology (NIST) Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response. Section 3.1.2, "Collecting Evidence," states, "Collect evidence in order from most volatile to least volatile." It provides a detailed list starting with registers and cache, followed by RAM, network state, and finally persistent storage.
2. Internet Engineering Task Force (IETF) RFC 3227, Guidelines for Evidence Collection and Archiving. Section 3.2, "Order of Volatility," explicitly advises, "In general, when collecting evidence, you should proceed from the volatile to the less volatile. For example, memory is more volatile than disk."
3. Casey, E. (2011). Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet (3rd ed.). Academic Press. Chapter 7, "Data Acquisition," discusses the order of volatility as a primary consideration for live data acquisition, emphasizing the collection of memory and network information before imaging non-volatile storage. (Peer-reviewed academic textbook).
Question 24
1. National Institute of Standards and Technology (NIST). (2008). Special Publication 800-115, Technical Guide to Information Security Testing and Assessment. Section 3.2, "Information Gathering," describes the process of collecting information from various sources to understand the target system's posture. The dark web is a modern, albeit illicit, source for this phase.
2. Chertoff, M., & Simon, T. (2015). The impact of the dark web on internet governance and cyber security. Centre for International Governance Innovation. Paper No. 8, page 6, discusses how the dark web facilitates "markets for malware, botnets, and stolen data," which is precisely the type of information a penetration tester would seek during reconnaissance to add value to the test.
3. Broadhurst, R., & Trivedi, H. (2020). Darknet Markets, Crime and Penology. In: The Palgrave Handbook of International Cybercrime and Cyberdeviance. Palgrave Macmillan, Cham. (DOI: https://doi.org/10.1007/978-3-319-90307-178-1). This chapter details the types of illicit goods and services available, including "stolen personal and financial information" and "hacking services," confirming the dark web as a source for intelligence on breaches and hacking activities.
Question 25
1. National Institute of Standards and Technology (NIST). (2011). NIST Special Publication 800-144: Guidelines on Security and Privacy in Public Cloud Computing.
Reference: Section 5, "High-Level Security and Privacy Concerns," pp. 11-15. This section details numerous security-related challenges, including governance, compliance, trust, and architecture, which collectively represent the primary concerns for organizations considering public cloud adoption.
2. Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A., ... & Zaharia, M. (2009). Above the Clouds: A Berkeley View of Cloud Computing. University of California, Berkeley.
Reference: Section 5, "Obstacles and Opportunities," p. 11. The report explicitly lists "Data Confidentiality and Auditability" as a top obstacle, stating, "Perhaps the largest obstacle to the adoption of Cloud Computing is the security of data... companies are worried about the loss of data or data theft."
3. Subashini, S., & Kavitha, V. (2011). A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications, 34(1), 1-11.
Reference: Section 1, "Introduction," Paragraph 2. The paper states, "Security is one of the major issues which reduces the growth of cloud computing and complications with data privacy and data protection continue to plague the market." (https://doi.org/10.1016/j.jnca.2010.07.006)
Question 26
1. (ISC)² CISSP CBK Reference, 6th Edition. Domain 3: Security Architecture and Engineering. The section on designing and implementing physical security discusses layered defense models. It explains that in environments with varying trust levels (like a shared workspace), inner layers of defense, such as locked racks and cages, are required to enforce access control policies that cannot be managed at the perimeter alone. (Specific reference: Chapter 11, "Understand and Apply Physical Security," section on "Site and Facility Design Considerations").
2. NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations. Control family: Physical and Environmental Protection (PE). Control PE-3, "Physical Access Control," emphasizes managing physical access at both the facility entry points and "within the facility." This supports the need for internal controls like cabinet locks when a facility is shared by groups with different authorizations.
3. Stallings, W., & Brown, L. (2018). Computer Security: Principles and Practice (4th ed.). Pearson. In Chapter 16, "Physical and Infrastructure Security," the text describes the necessity of internal physical controls within a data center. It notes that cages and locked cabinets are used to segregate equipment for different clients or departments in a shared space, reinforcing that room-level access is insufficient in such scenarios. (Specific reference: Chapter 16.2, "Physical Security Threats and Measures").
Question 27
1. ISO/IEC 27002:2022, Clause 5.12 "Information classification," Note 1: factors include legal requirements, value, criticality, and sensitivity.
2. NIST SP 800-60 Vol. 1 Rev. 1, §2.1 & §3.2: recommends classification by confidentiality, integrity, and availability impact; driven by legal/regulatory requirements, value, and operational criticality.
3. NIST SP 800-53 Rev. 5, Control MP-4 "Media Marking," Discussion: protection level is based on sensitivity and criticality.
4. MIT OpenCourseWare 6.858 Computer Systems Security, Lecture 5 notes (2020), slide "Data Classification": lists value, legal/regulatory obligations, business criticality, and sensitivity.
Question 28
1. ISC2 CISSP Official Study Guide, 9th Edition: Chapter 1, "Security and Risk Management," explains the hierarchy of governance documents. It states, "Policies are high-level documents that are signed by a person of significant authority... Policies are the first and highest level of documentation." An AUP is a type of policy that must be established before other elements. (p. 28).
2. NIST Special Publication 800-12 Rev. 1, An Introduction to Information Security: Section 4.2, "Policies, Procedures, Standards, and Guidelines," clarifies the document hierarchy. It states, "Policies are the documents that record those decisions... Procedures, standards, and guidelines are then developed to support policies." This confirms that policy creation is the initial step. (p. 31).
3. Tipton, H. F., & Krause, M. (Eds.). (2007). Information Security Management Handbook, 6th Edition. Auerbach Publications. Chapter 5, "Information Security Policy," details that policies are the cornerstone of a security program. "A policy is a formal statement... It is the foundation on which the entire security structure is built." This establishes policy as the first and most critical step. (p. 61).
Question 29
1. National Institute of Standards and Technology (NIST). (2003). Special Publication 800-50, Building an Information Technology Security Awareness and Training Program.
Reference: Section 5.4, "Effectiveness Measurement," states that metrics for program effectiveness can include the "number of reported security incidents." An increase in this number following training indicates the program is working as intended.
2. Alshantti, M., & Al-Ammary, J. (2018). Measuring the Effectiveness of Information Security Awareness. International Journal of Computer Science and Network Security (IJCSNS), 18(1), 138-146.
Reference: Page 141, Table 1, Metric ID M1, "Number of security incidents reported by employees," is listed as a key performance indicator for measuring the effectiveness of an awareness program.
3. Parsons, K., McCormac, A., Butavicius, M., & Ferguson, L. (2014). Human factors and information security: Individual, social and organisational perspectives. In Proceedings of the 12th Australian Information Security Management Conference.
Reference: This academic work discusses how security awareness programs aim to change behavior. It supports the principle that a measurable change, such as an increase in user reporting of suspicious activities, is a direct indicator of a program's success. The shift from passive victim to active reporter is a key goal.
Question 30
1. (ISC)² CISSP Official Study Guide, 9th Edition: In Chapter 21, "Securing Network Communications," the section on Firewalls states, "Packet-filtering firewalls work by examining the header of every packet... This is typically done using a set of rules known as an access control list (ACL)." This directly equates the function of an ACL with that of a packet-filtering firewall.
2. NIST Special Publication 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy: Section 2.1.1, "Packet Filtering Firewalls," defines this type of firewall: "A packet filtering firewall is a router... that has been configured to screen (i.e., filter) packets based on rules in an access control list (ACL)."
3. Kurose, J. F., & Ross, K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. Chapter 8, "Security in Computer Networks," describes traditional packet filters as operating on a per-packet basis, examining fields in the IP and transport-layer headers, which is the precise function of a router ACL. It contrasts this with stateful filters that track TCP connections.
Question 31
1. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations.
Control: IA-2 (1) | IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS.
Reference: Page 178. The control enhancement explicitly states: "Require multifactor authentication to establish a nonlocal maintenance session to a privileged account..." This underscores MFA as a required standard for protecting privileged access.
2. National Institute of Standards and Technology (NIST) Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
Control: 3.5.3.
Reference: Page 17. The requirement states: "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts." This establishes MFA as a fundamental requirement for securing privileged accounts.
3. Purdue University, Privileged Account Management Standard.
Section: 3.0 Standard.
Reference: Item 3 states: "Multi-factor authentication (MFA) must be used for all interactive logins to Privileged Accounts and/or Privileged Access Workstations (PAWs)." This is a direct implementation of best practices in an academic institutional standard.
Question 32
1. ITIL® Service Design (2011 Edition), AXELOS. In Section 4.3, "Service Level Management," the process description explicitly states that the first stage is to identify and document the customer's requirements. Section 4.3.4.1, "Designing SLA structures," notes, "The first stage of the SLM process is to identify, document and agree the requirements for services with the business..." This establishes capturing customer requirements as the primary step.
2. Nuseibeh, B., & Easterbrook, S. (2000). Requirements Engineering: A Roadmap. Proceedings of the Conference on the Future of Software Engineering, 35-46. https://doi.org/10.1145/336512.336523. This foundational paper on requirements engineering outlines the process, which begins with requirements elicitation, the activity of "discovering the requirements for a system by communicating with clients, customers, and other stakeholders" (Section 3.1, "Requirements Elicitation"). This principle is directly applicable to defining service level requirements.
3. MIT OpenCourseWare, 6.170 Software Studio, Spring 2013. Lecture 2: Requirements and Specifications. The course materials emphasize that the software development lifecycle begins with understanding the problem and eliciting requirements from the client. This involves interviews and observation to capture what the customer needs before any design or specification document (analogous to an SLA) is created.
Question 33
1. Open Networking Foundation (ONF). (2014). SDN Architecture, Issue 1. TR-502. "The SDN Controller is a logically centralized entity that translates the requirements from the SDN Application layer down to the SDN Datapaths and provides the SDN Applications with an abstract view of the network (which may include statistics and events)." (Section 6.2, Page 10).
2. Nunes, B. A. A., Mendonca, M., Nguyen, X. N., Obraczka, K., & Turletti, T. (2014). A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks. IEEE Communications Surveys & Tutorials, 16(1), 299-336. "The control plane is implemented in a centralized controller, which acts as the brain of the network. The controller has a global view of the network and is responsible for translating high-level policies, defined by network operators at the application plane, into low-level flow rules..." (Section III.A, Page 303). DOI: https://doi.org/10.1109/SURV.2013.012213.00180
3. Kreutz, D., Ramos, F. M. V., Veríssimo, P. E., Rothenberg, C. E., Azodolmolky, S., & Uhlig, S. (2015). Software-Defined Networking: A Comprehensive Survey. Proceedings of the IEEE, 103(1), 14-76. "The SDN controller... translates these requirements into low-level commands understandable by the underlying forwarding elements." (Section III.A, Page 22). DOI: https://doi.org/10.1109/JPROC.2014.2371999
Question 34
1. National Institute of Standards and Technology (NIST). (2011). Special Publication (SP) 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.
Page 9, Section 2.2, "Risk Framing": This section emphasizes that the risk management strategy must be consistent with the organization's overall objectives and strategic goals. It states, "The risk frame establishes the context for risk-based decisions." A major change to the business fundamentally alters this context, thus necessitating a review of the risk frame and the associated security strategy.
2. Fenz, S., & Ekelhart, A. (2011). Formalizing Information Security Knowledge. Proceedings of the 44th Hawaii International Conference on System Sciences.
Page 4, Section 3.2, "Strategic Layer": The paper discusses how the strategic layer of an information security knowledge base is derived from business assets and goals. It states, "The strategic layer represents the organization's business goals... security goals are derived that support the achievement of the business goals." This direct linkage implies that a change in business goals must trigger a re-derivation and review of security goals and strategy.
DOI: https://doi.org/10.1109/HICSS.2011.139
3. University of California. (2023). Information Security Policy (IS-3).
Section III, "Policy Text", Subsection 6.0, "Risk Assessment": The policy mandates that a risk assessment must be performed "whenever there are significant changes to the Location's business or IT environment." Since the information security strategic plan is designed to manage risk in alignment with business objectives, a significant business change that triggers a risk assessment would also necessitate a review of the overarching strategy.
Question 35
1. National Institute of Standards and Technology (NIST). (2017). NIST Special Publication 800-63-3: Digital Identity Guidelines.
Reference: Section 4.3, "Federation," page 11. The document defines federation as a process where a Credential Service Provider (CSP), acting as an Identity Provider (IdP), provides authentication and attributes to a separate Relying Party (RP). This directly describes the relationship between the HR organization and its partner.
2. Paci, F., & Sbodio, M. L. (2012). An Overview of Identity Management Systems. IBM Research Report.
Reference: Section 3, "Federated Identity Management," page 3. The report states, "Federated Identity Management (FIM) allows users from one security domain to securely access resources in another domain without needing a separate account in the target domain... This is often achieved using standards like SAML or OpenID Connect to enable Single Sign-On (SSO)." This reference clearly distinguishes federation as the model from SAML (the protocol) and SSO (the outcome).
3. University of California, Berkeley, Information Security Office. (n.d.). Identity and Access Management Definitions.
Reference: "Federation/Federated Identity" section. The definition explains that federation is a trust relationship between organizations that allows them to share identity information, enabling users from one organization to access resources at another. This aligns with the question's scenario of cross-organizational identity sharing.