Exam CISSP topic 1 question 17 discussion

Actual exam question from ISC's CISSP
Question #: 17
Topic #: 1

An organization is looking to include mobile devices in its asset management system for better tracking. In which system tier of the reference architecture would mobile devices be tracked?

  • A. 0
  • B. 1
  • C. 2
  • D. 3
Suggested Answer: B

Comments

mark9999
Highly Voted 2 years, 1 month ago
Selected Answer: B
Although I went for B: I assume they're talking about the IT Asset Management (ITAM) Tiers, of which there are three. So there is no Tier 0.
  • Tier 1 - Asset Data Collection - method to inventory every software application and virtual OS that runs on the hardware you have in your inventory.
  • Tier 2 - Asset Data Intelligence - normalize the information, to map the assets to relevant information, and to link the assets to their contracts, projects, departments, and people.
  • Tier 3 - Asset Lifecycle Management - processes that control how you purchase, procure, and dispose of IT assets. This includes virtual devices and software, along with the associated software licenses.
NIST has it as:
  • Tier 1 - Reporting, Analytics, Data storage
  • Tier 2 - Data collection, i.e. location/HW/SW
  • Tier 3 - Enterprise assets - Servers, workstations, Laptops etc.
So for tracking mobile devices, according to these it could be Tier 3, as the diagrams seem to work backwards to what you would expect (devices at level 1 etc.)
upvoted 15 times
jackdryan
1 year, 7 months ago
D is correct
upvoted 2 times
...
...
Fouad777
Most Recent 1 week ago
Answer is B.
  • Tier 0: Facilities, power systems, and environmental controls.
  • Tier 1: Hardware and software supporting IT infrastructure.
  • Tier 2: Shared services like email, directories, and collaboration tools.
  • Tier 3: Business-critical systems and databases.
upvoted 1 times
...
nuggetbutts
2 weeks, 2 days ago
Selected Answer: D
NIST ITAM Reference Architecture clearly states these would fall into Tier 3 systems. Tier 3 - Enterprise assets - Servers, workstations, Laptops etc
upvoted 1 times
...
M_MUN17
1 month, 1 week ago
The correct answer is A. 0. In a typical reference architecture, Tier 0 refers to the physical devices or endpoints, including mobile devices, that interact directly with the environment. Mobile devices, as physical assets, would be tracked in this tier because they represent the lowest level in the architecture, where the hardware and direct interfaces with the system occur. Tiers 1, 2, and 3 typically deal with higher levels of abstraction, such as applications, data processing, and overall system management.
upvoted 2 times
...
celomomo
1 month, 3 weeks ago
Context because I see people quoting different tiers. This is CISSP System Tier architecture reference: The protection ring model is a security architecture model that uses layers to control code execution and access in an operating system:
  • Layer 0: The most trusted layer, where the operating system kernel resides
  • Layer 1: Contains nonprivileged parts of the operating system
  • Layer 2: Contains I/O drivers, low-level operations, and utilities
  • Layer 3: Contains applications and processes
upvoted 1 times
...
celomomo
1 month, 3 weeks ago
Selected Answer: C
Tier 2: This tier encompasses end-user devices, such as desktops, laptops, and mobile devices. These are the devices used daily by the end users to perform their tasks
upvoted 1 times
...
Law88
2 months ago
Selected Answer: B
System tier 1 is responsible for identifying and discovering the assets that are owned, leased, or used by the organization, and collecting information about their attributes, location, status, and configuration. System tier 1 can use various methods and technologies to identify and discover assets, such as barcodes, QR codes, RFID tags, GPS, Bluetooth, Wi-Fi, etc.
upvoted 1 times
...
InclusiveSTEAM
2 months ago
B. Mobile devices would be tracked in Tier 1 of the asset management reference architecture. Tier 1 focuses on the hardware and software assets that support the overall IT environment. This includes things like servers, workstations, network devices, and mobile devices that provide compute infrastructure and platforms. Tier 0 contains facilities, power systems and environmental controls. Tier 2 consists of shared services like directories, email systems, and collaboration tools. Tier 3 comprises core line of business systems and databases.
upvoted 1 times
...
tsummey
2 months, 2 weeks ago
Selected Answer: D
Tier 3 (Data Tier) Asset management systems store and manage data related to devices, including mobile devices. The Data Tier is responsible for data storage and management—this is where records of all assets (including mobile devices) are kept, tracked, and updated. Mobile devices, in this case, are considered assets whose information (e.g., device ID, status, configuration, etc.) needs to be stored, queried, and updated regularly. The system's Data Tier handles this critical function. Tier 1 (the presentation tier) does not store or manage the actual asset data—it just displays it to the user.
upvoted 1 times
...
Verm12
2 months, 3 weeks ago
Selected Answer: D
As per NIST SP 1800-5b IS ASSET MANAGEMENT. It discusses the Reference architecture and how to implement such. Tier 2 includes the sensors and independent systems that feed data into the enterprise ITAM system. Tier 2 systems include passive and active collection sensors and agents. Tier 1 is the enterprise ITAM system that provides the aggregation of data from all Tier 2 systems into business and security intelligence. Tier 3 is composed of enterprise assets themselves. Tier 3 is made up of all of the assets being tracked including hardware, software, and virtual machines. To get this answer correct you must know and have read the NIST 1800-5b. Link below.
upvoted 1 times
...
robervalchocolat
2 months, 3 weeks ago
  • Tier 0: This tier represents physical devices like servers, routers, and switches. Mobile devices are not directly physical devices in the same sense as servers or routers.
  • Tier 1: This tier represents logical devices like operating systems, databases, and applications. Mobile devices run on operating systems and are considered logical devices.
  • Tier 2: This tier represents processes and services, such as network services or application services. While mobile devices can access services, they are not themselves services.
  • Tier 3: This tier represents data and information, which is stored and processed by devices in lower tiers. Mobile devices are not primarily used for data storage or processing.
upvoted 2 times
...
deeden
3 months, 3 weeks ago
Selected Answer: C
Typically, mobile devices (smartphones, tablets) and laptops would fall under Tier 2: Important Assets. Here's why:
  • Dependency on these devices: Many employees rely on these devices for daily work tasks, making them crucial for business operations.
  • Data sensitivity: Mobile devices often contain sensitive company and personal data, necessitating robust security measures.
  • Potential for data loss: The loss or theft of these devices can result in significant data breaches and financial losses.
While they might not be as critical as core servers or databases (Tier 1), their importance to business operations and the potential risks associated with them warrant their classification as Tier 2 assets.
upvoted 1 times
...
Lux007
4 months ago
Correct answer is A. The system reference architecture with four tiers, starting from 0 to 3, and including mobile devices is the OSI Zero Trust Architecture. The four tiers are:
  • 0. Device Tier (End-user devices): Mobile devices (smartphones, tablets), Laptops, Desktops, IoT devices
  • 1. Infrastructure Tier (Network and infrastructure): Network devices (routers, switches, firewalls), Servers, Data centers, Cloud infrastructure
  • 2. Application Tier (Applications and services): Web applications, Mobile applications, APIs, Microservices
  • 3. Data Tier (Data storage and processing): Databases, Data warehouses, Data lakes, Big data processing
The OSI Zero Trust Architecture is a security-focused framework that assumes no trust between tiers, emphasizing authentication, authorization, and encryption to protect data and resources.
upvoted 2 times
...
sbear123
8 months, 1 week ago
Selected Answer: D
Tier 3: Operational Assets. Operational assets are essential for routine business activities but have minimal impact on core operations or strategic objectives. These assets are typically standardized and widely deployed across the organization. Examples of Tier 3 assets include peripherals, office productivity software licenses, and standard desktop/laptop computers.
upvoted 2 times
...
Vaneck
8 months, 2 weeks ago
In the context of the reference architecture for an asset management system, mobile devices would be tracked in level 2. This level is often dedicated to enterprise asset management, where we find the tracking and management of IT devices, including mobile devices. Level 2 generally encompasses the tools and processes needed to manage asset inventory, status and compliance. Level 0 is generally reserved for physical and network infrastructure. Level 1 often deals with the management of basic IT infrastructure, such as servers and networks. Level 3 typically focuses on business applications and services. So the correct answer is C. 2.
upvoted 2 times
...
GuardianAngel
9 months, 3 weeks ago
According to NIST - answer would be Tier 3 (link and publication below).
https://www.nccoe.nist.gov/publication/1800-/VolB/index.html#figure-5-1
NIST SPECIAL PUBLICATION 1800-5B IT Asset Management
Figure 5-2, ITAM Reference Functionality, shows how data flows through the ITAM system. Tier 3 is composed of enterprise assets themselves. Tier 3 is made up of all of the assets being tracked including hardware, software, and virtual machines. Tier 2 includes the sensors and independent systems that feed data into the enterprise ITAM system. Tier 2 systems include passive and active collection sensors and agents. Tier 1 is the enterprise ITAM system that provides the aggregation of data from all Tier 2 systems into business and security intelligence.
upvoted 3 times
...
GPrep
10 months, 3 weeks ago
Selected Answer: D
D - See section 5-1 - https://www.nccoe.nist.gov/publication/1800-5/VolB/index.html
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other