Domain 1 – Section B Review: Risk and Continuity
This section integrates:
- Business Continuity Planning and Business Impact Analysis
- Personnel Security Policies and Procedures
- Risk Management Concepts
- Threat Modeling Methodologies
- Supply Chain Risk Management
- Security Awareness, Education, and Training
CISSP evaluates whether you can connect these topics into coherent risk-based decisions — not just recall individual concepts in isolation.
1. Risk Decisions Drive Everything
Every topic in Section B comes back to risk. BCP protects against disruption risk. Personnel policies manage insider risk. Threat modeling identifies design risk. Supply chain management addresses third-party risk. Awareness programs reduce human risk.
The connecting thread: CISSP expects you to evaluate each scenario through the lens of risk to the organization, then select the response that is proportional, structured, and aligned with business objectives.
Not the most technical response. Not the most aggressive response. The most risk-appropriate response.
2. Timing Determines Correctness
Many Section B questions test whether you know when an activity should occur:
- BIA before BCP — you cannot plan continuity without understanding impact
- Threat modeling during design — not after deployment
- Vendor assessment during procurement and continuously after — not just once
- Background checks before granting access — not after an incident
If two answers seem equally correct, the one with better timing is usually right.
3. People Are Part of the Control Framework
Technical controls fail when people bypass, ignore, or misunderstand them. Section B reinforces that people-focused controls — personnel policies, awareness training, separation of duties, role-based access — are not secondary to technical controls. They are parallel and equally important.
When a scenario describes a human-caused failure, the correct answer almost never starts with "deploy a tool." It starts with governance, process, or training.
Section B Decision Pattern
When unsure in Domain 1 Section B:
- Assess risk before selecting controls.
- Identify timing — is this a design, operational, or response activity?
- Address root cause before symptoms.
- Choose proportional responses over maximum enforcement.
- Verify that people-focused controls are considered alongside technical ones.
Section B – Practice Questions
Question 1
A BIA identifies that the order processing system has a maximum tolerable downtime of 4 hours, but the current disaster recovery plan targets a 24-hour recovery time.
What is the MOST appropriate action?
A. Accept the gap as residual risk
B. Increase insurance coverage for extended downtime
C. Revise the recovery strategy to align with the BIA-identified requirements
D. Reduce the MTD to match the current recovery capability
Answer & reasoning
Correct: C
The BIA determines business requirements. The recovery strategy must align with those requirements, not the other way around. MTD is derived from business impact analysis — it cannot be arbitrarily adjusted to match current capability.
Question 2
An organization's security team wants to identify potential threats to a new web application during the design phase. The team needs to systematically evaluate each component for specific threat categories.
Which approach is MOST appropriate?
A. Apply STRIDE threat modeling during architectural review
B. Conduct a penetration test after deployment
C. Commission a DREAD risk assessment
D. Wait for vulnerability scanning results before modeling threats
Answer & reasoning
Correct: A
STRIDE systematically evaluates components against six threat categories and is designed for the design phase. Penetration testing occurs post-deployment. DREAD is a scoring model, not a methodology. Waiting for scanning results means threats were not considered during design.
Question 3
A departing employee with access to trade secrets has accepted a position with a direct competitor. The exit interview is scheduled for the employee's last day.
What should occur FIRST?
A. File a lawsuit against the competitor
B. Increase monitoring of all employees in the same department
C. Immediately terminate all access without notice
D. Review the employee's NDA and non-compete obligations and coordinate access revocation
Answer & reasoning
Correct: D
Personnel security requires a structured, proportional response. Reviewing contractual obligations first ensures the organization understands its rights and the employee's obligations before taking action. Immediate termination without review may cause legal exposure. Blanket monitoring is disproportionate.
Question 4
A newly disclosed vulnerability affects a widely used open-source library. The security team needs to determine which of the organization's 200+ applications are affected.
What capability would BEST enable rapid impact assessment?
A. Annual vendor security audits
B. Comprehensive penetration testing
C. Software Bill of Materials for all deployed applications
D. Real-time network intrusion detection
Answer & reasoning
Correct: C
An SBOM provides a complete inventory of components and dependencies for each application. When a vulnerability is disclosed, the SBOM identifies affected applications immediately, rather than requiring manual investigation of each system.
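The rapid impact assessment described in this answer, shown as an added example (not part of the original review material): three constructed SBOMs in the CycloneDX JSON shape, one per application, are queried for a component below its fixed version. The component name "examplelib", the application names and all versions are placeholders. Versions are compared as numeric tuples rather than strings, because a plain string comparison would wrongly report 1.10.0 as older than 1.9.0.

```python
"""Query per-application SBOMs to find which applications carry a vulnerable
component version. Added example; all SBOM content below is constructed."""
import json

# Constructed CycloneDX-style SBOMs, one per deployed application.
# Only the fields the query needs are present (bomFormat, components, purl).
SBOMS = {
    "orders-api": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "examplelib", "version": "1.8.3",
             "purl": "pkg:pypi/examplelib@1.8.3"},
            {"type": "library", "name": "otherlib", "version": "4.0.1",
             "purl": "pkg:pypi/otherlib@4.0.1"},
        ],
    }),
    "billing-web": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            # Already on the fixed release; string comparison would flag it.
            {"type": "library", "name": "examplelib", "version": "1.10.0",
             "purl": "pkg:pypi/examplelib@1.10.0"},
        ],
    }),
    "inventory-svc": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "otherlib", "version": "3.2.0",
             "purl": "pkg:pypi/otherlib@3.2.0"},
        ],
    }),
}


def parse_version(version: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def affected_applications(sboms: dict, component: str, fixed_in: str) -> list:
    """Return (application, version) pairs whose SBOM lists `component`
    at a version older than `fixed_in`, sorted by application name."""
    fixed = parse_version(fixed_in)
    hits = []
    for app, document in sboms.items():
        bom = json.loads(document)
        for entry in bom.get("components", []):
            if entry.get("name") != component:
                continue
            if parse_version(entry["version"]) < fixed:
                hits.append((app, entry["version"]))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed advisory: examplelib fixed in 1.9.0 (placeholder values).
    for app, version in affected_applications(SBOMS, "examplelib", "1.9.0"):
        print(f"{app}: examplelib {version} is below the fixed version 1.9.0")
```

With 200+ applications the same loop runs over a directory of SBOM files instead of an in-memory dictionary; the point is that the answer comes from inventory data already on hand rather than from inspecting each system when the advisory lands.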
Question 5
Help desk staff have been targeted by phone-based social engineering attacks. Three incidents this quarter involved attackers impersonating executives to obtain password resets.
What is the MOST effective response?
A. Implement targeted social engineering awareness training for help desk personnel
B. Replace help desk staff with automated password reset tools
C. Block all incoming phone calls to the help desk
D. Require all password resets to be approved by management
Answer & reasoning
Correct: A
This is a role-specific risk that requires role-specific training. Help desk staff need targeted training on identity verification procedures and social engineering recognition. Automation removes the human element entirely; blocking calls eliminates a necessary function; management approval creates bottlenecks.
Question 6
During a quantitative risk assessment, an asset valued at $500,000 has an exposure factor of 40% for a specific threat with an annual rate of occurrence of 0.5.
What is the annualized loss expectancy?
A. $200,000
B. $100,000
C. $250,000
D. $50,000
Answer & reasoning
Correct: B
SLE = Asset Value × EF = $500,000 × 0.40 = $200,000. ALE = SLE × ARO = $200,000 × 0.5 = $100,000. This is the expected annual loss from this threat, and it guides how much to invest in countermeasures.
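The quantitative risk arithmetic of this question carried one step further, into the countermeasure decision the reasoning refers to. This is an added example, not part of the original review; the asset value, exposure factor and ARO are the question's own, while the safeguard figures (reduces ARO to 0.1 at an annual cost of $30,000) are constructed to illustrate the cost/benefit formula: value of a safeguard = ALE before − ALE after − annual cost of the safeguard.

```python
"""Quantitative risk calculations: SLE, ALE and safeguard cost/benefit.
Added example; safeguard figures are constructed placeholders."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO below 1 means the event is rarer than yearly
    (0.5 is once every two years on average)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost/benefit of a control: ALE before - ALE after - annual safeguard cost.
    A positive result means the control saves more per year than it costs."""
    return ale_before - ale_after - annual_cost


def question_six() -> dict:
    """Work Question 6 and evaluate a constructed safeguard against it."""
    asset_value, exposure_factor, aro = 500_000, 0.40, 0.5
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualized_loss_expectancy(sle, aro)
    # Constructed safeguard (not from the question): cuts ARO from 0.5 to 0.1
    # and costs $30,000 per year to operate.
    ale_after = annualized_loss_expectancy(sle, 0.1)
    return {
        "sle": sle,
        "ale": ale,
        "ale_after": ale_after,
        "safeguard_value": safeguard_value(ale, ale_after, 30_000),
    }


if __name__ == "__main__":
    for name, amount in question_six().items():
        print(f"{name}: ${amount:,.0f}")
```

The returned dictionary shows the chain the exam expects: SLE of $200,000, ALE of $100,000, and, for the constructed safeguard, a residual ALE of $20,000 and a net value of $50,000 per year, which is the figure that justifies (or rules out) the spend.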
Question 7
A managed service provider that handles payroll processing for an organization has subcontracted data center operations to a third party in another jurisdiction. The organization was not informed.
What control failure does this represent?
A. Insufficient encryption
B. Inadequate physical security
C. Weak access control policies
D. Missing subcontractor flow-down and notification requirements
Answer & reasoning
Correct: D
Fourth-party risk is managed through contractual requirements including subcontractor flow-down clauses and notification obligations. The failure is contractual and governance-related, not technical.
Question 8
An organization completed a BIA six months ago. Since then, the company acquired a new business unit that operates a 24/7 e-commerce platform.
What should the organization do?
A. Update the BIA to include the new business unit's critical functions and dependencies
B. Apply the existing BIA results to the new business unit
C. Defer BIA revision until the next annual review cycle
D. Conduct a penetration test of the e-commerce platform first
Answer & reasoning
Correct: A
A BIA must reflect current business operations. A new 24/7 e-commerce platform introduces different recovery requirements, dependencies, and impact thresholds that the existing BIA does not account for. Waiting for the annual cycle leaves a gap in continuity planning.
Question 9
An organization aligns its threat modeling with business objectives and uses a seven-stage process that culminates in risk and impact analysis.
Which methodology is being described?
A. STRIDE
B. DREAD
C. PASTA
D. VAST
Answer & reasoning
Correct: C
PASTA (Process for Attack Simulation and Threat Analysis) is a seven-stage, risk-centric methodology that starts with business objectives and ends with risk and impact analysis. STRIDE categorizes threats; DREAD scores them; VAST focuses on Agile scaling.
Question 10
Separation of duties has been implemented for financial transactions, but two employees in the accounting department frequently cover for each other during vacations, effectively bypassing the control.
What is the MOST appropriate corrective action?
A. Eliminate vacation time for accounting staff
B. Implement mandatory job rotation with cross-department coverage
C. Deploy automated monitoring for all financial transactions
D. Terminate both employees for policy violation
Answer & reasoning
Correct: B
Job rotation with cross-department coverage maintains separation of duties even during absences. It also serves as a detective control by exposing potential irregularities when a different person handles the role. Eliminating vacation is unreasonable; monitoring alone does not fix the separation gap; termination is disproportionate.
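A detective check that exposes the separation-of-duties gap this question describes, added here as an example (not part of the original review). It reads constructed transaction records in which one person both initiated and approved a payment while covering for a colleague; the user names, amounts and dates are placeholders. Such a report supports the corrective action but does not replace it, which is why option C alone is not the answer.

```python
"""Flag financial transactions where initiator and approver are the same
identity. Added example; the log lines below are constructed."""
import csv
from collections import Counter
from io import StringIO

# Constructed approval log. Transactions 1002 and 1004 are the vacation
# cover cases: the same person performed both halves of the control.
APPROVAL_LOG = """txn_id,amount,initiated_by,approved_by,date
1001,2500.00,alice,bob,2024-06-03
1002,8400.00,alice,alice,2024-06-10
1003,1200.00,bob,alice,2024-06-11
1004,9900.00,bob,bob,2024-06-17
1005,300.00,carol,bob,2024-06-18
"""


def sod_violations(log_text: str) -> list:
    """Return (txn_id, user, amount) for every transaction in which the
    initiating and approving identities are identical."""
    violations = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["initiated_by"] == row["approved_by"]:
            violations.append((row["txn_id"], row["initiated_by"], float(row["amount"])))
    return violations


def violations_by_user(log_text: str) -> Counter:
    """Count self-approved transactions per user, to show who is routinely
    ending up on both sides of the control."""
    return Counter(user for _, user, _ in sod_violations(log_text))


if __name__ == "__main__":
    for txn_id, user, amount in sod_violations(APPROVAL_LOG):
        print(f"txn {txn_id}: {user} initiated and approved ${amount:,.2f}")
    print(dict(violations_by_user(APPROVAL_LOG)))
```

Both flagged rows fall on weeks when the other accountant was away, which is exactly the pattern cross-department coverage removes: the second signature comes from someone outside the pair rather than from the remaining member of it.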