topic Re: CISSP questions in Exams

Practice Questions

rslade — Mon, 09 Oct 2023 09:06:12 GMT

Right.

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"

The answer is, none of them.

I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.

Re: CISSP "sample" questions

rslade — Sun, 03 Feb 2019 19:57:50 GMT

Which of the following is a key element during the initial security planning process?

a. Establish system review time frames
b. Implement a security awareness program
c. Defining reporting relationships
d. Institute a change management program

Answer: c
Reference: Handbook of Information Security Management, edited by Ruthberg and Tipton, Auerbach, 1993, pg 75

Right, a few initial notes. You will notice a reference. Every exam question is (or was) backed up by at least two references from source security literature. Note that CISSP study guides are not source security literature.

A key word in this question is "initial." Establishing system review time frames, security awareness programs, and change management programs are all important, but they come later in security planning.

Note also one rather important point. All of these answers are "correct" in a way. If you are confronted with four "right" answers, and one of them is the "management" answer, that one is probably the one that will get you the point. Defining reporting relationships is both something you want to establish early in planning, and it's also the "management" answer. (One person I helped coach through the exam said that this one tip applied to about 10% of the total exam.)

Re: CISSP "sample" questions

shahzadafridi — Mon, 04 Feb 2019 12:24:21 GMT

Is it possible for you to share your whole question database once as pdf and rather discuss the difficult question in this forum. It will be of great help for those who are preparing for exam and will save some time

Re: CISSP "sample" questions

rslade — Mon, 04 Feb 2019 18:13:04 GMT

> shahzadafridi (Viewer II) posted a new reply in Certifications on 02-04-2019

> Is it possible for you to share your whole question database once as pdf and
> rather discuss the difficult question in this forum.

Some people are just *never* satisfied.

(Alternatively, no good deed goes unpunished.)

I tried that. Once. Having pointed out that you would never see any of these
questions on the exam, I got people who complained that they studied and
memorized the sample questions, took the exam, and didn't see any of questions
on the exam ...

Pay attention. These questions are not for "studying," except incidentally. These
questions are to prepare you for the types of questions that you will see on the
exam.

Actually, a good way to study is to try and *write* questions. That gets you into
the mindset of the exam itself. Try writing some questions, post them here, and
I'll tell you whether they are too easy, too hard, or not the type of thing you'll
see. Remember Bloom's Taxonomy: simple facts, synthesis of two or more facts,
analysis of the implications of two or more facts, and, most importantly,
questions requiring judgment and critical thinking.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
BEWARE OF GOD
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: CISSP "sample" questions

rslade — Wed, 06 Feb 2019 18:13:01 GMT

Which of the following is NOT an element of a security planning mission statement?

a. Objectives statement
b. Background statement
c. Scope statement
d. Confidentiality statement

Answer: d
Reference: Handbook of Information Security Management, edited by Ruthberg and Tipton, Auerbach, 1993, page 73

This is the type of question that ensures you do not just memorize a bunch of security buzzwords. You have to understand the concepts behind them. What is a "security planning mission statement"? Well, it's more simply known as a policy. What does a policy contain? Among other things, the background of your enterprise, your objectives, and the scope of what you are trying to protect. What you are going to do about confidentiality (unless you are an unusual company and either don't care about confidentiality, or it's really, really important) generally is in your subordinate standards or procedures.

Don't get hung up on whether the question has exactly the wording you have studied. That way lies failure. Make sure you understand the fundamentals behind the words.

Re: CISSP "sample" questions

shahzadafridi — Mon, 04 Feb 2019 19:32:39 GMT

Can data classification or encryption (criteria to encrypt) be included in confidentiality statement?

Re: CISSP "sample" questions

rslade — Mon, 04 Feb 2019 19:58:04 GMT

> shahzadafridi (Viewer II) posted a new reply in Certifications on 02-04-2019

> Can data classification or encryption (criteria to encrypt) be included in
> confidentiality statement?

Why not?

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Maybe we're all just part of God's `Sim Universe' video game.
Let's just hope that He's not playing on a Windows machine, or
we're all screwed. - Jeff Ehrhart
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: CISSP "sample" questions

shahzadafridi — Mon, 04 Feb 2019 20:13:09 GMT

Then it is part of policy so why "D" option. I have doubts on background statement

Re: CISSP "sample" questions

dcontesti — Mon, 04 Feb 2019 21:48:38 GMT

@rslade I agree with your answer D.

Your question has "element of a security planning mission statement". In the planning phase, I am not concerned with encryption or data classification. I would suggest at this point in time, I do not understand either the data classification or encryption requirements.....do I need a 3 by 3 matrix for data classification or a 4X4, a 5X5? nor do I understand where or when I can apply encryption. If I carefully read the question, I am PLANNING the Security mission.

I recommend that folks read every word, and not read meaning or anything into the questions. I have too often seen people rush through the exam and fail

My nickel Canadian on a warm Monday (14 C or 57 F) here in Ontario.

Regards

Diana

Re: CISSP "sample" questions

rslade — Mon, 04 Feb 2019 22:32:11 GMT

@dcontesti wrote:

My nickel Canadian on a warm Monday (14 C or 57 F) here in Ontario.

Glad it's warmed up back there. Out here there is actually snow in my front yard, and it's apparently going down to minus nine overnight ...

And thanks for jumping in on the policy question. I was going to mention that you need to stick to the concepts, and that the concept here is that policy is high-level and abstract, and that protection details belong in the subordinate documents, but yours works, too 🙂

Oh, and a strong Amen! on reading the questions carefully ...

Re: CISSP "sample" questions

denbesten — Mon, 04 Feb 2019 22:37:14 GMT

@shahzadafridi wrote:
Then it is part of policy so why "D" option. I have doubts on background statement

Exactly what @rslade wanted you to think about. One can make a case for any of the four answers, but one of these things (read some of the comments) is less "good" than the rest. Since Rob gave you the reference, you can go to the source and understand why the particular answer was chosen.

What Rob is doing here is similar to what we know about the (ISC)² test development process. The difference being that Rob follows up by explaining the thought process behind the answer, whereas (ISC)²'s next step is to use the question on actual exams, with zero-weighting until the answer is "proven" good, bad or indifferent.

Rob is doing a wonderful thing here. It is not about a building a "brain dump" of actual questions... It's learning to get inside the head of the test-writers, understanding how/why the questions were written and selecting the answer that matches their way of thinking. In the case of CISSP, that person would be someone with many years of cross-functional IT security experience that keeps up with current trends and generally holds a position where they are making/leading decisions as part of the company's management. This is an important skill not just for the CISSP exam, but for communicating with people in general.

Understanding that this skill exists and learning to use it contributed more to my passing than any of the time I spent with study materials. It has also served me well as a go-between between management and techies and also between techies of different disciplines.

Re: CISSP "sample" questions

dcontesti — Mon, 04 Feb 2019 23:57:47 GMT

@rslade @denbesten

The last time, I attended an item writing workshop, we not only had to provide the reference but we also had to write a justification for the correct answer and why the wrong answers were wrong. So a lot of thought goes into questions.

So I appreciate what Rob is doing and his dedication to assisting, although, the Subject of the thread could be changed as the format and rigour should be the same with all exams.

Regards

Diana

Re: CISSP "sample" questions

shahzadafridi — Tue, 05 Feb 2019 07:47:24 GMT

If you are some credit card company or any company that deals with PII of customers i think the mission statement must include to protect this data in rest and transit. Policy statement as a high level objective will not include the technical specification off course.

P.S just giving a thought for discussion otherwise i agree with your explanation

Re: CISSP "sample" questions

rslade — Wed, 06 Feb 2019 18:12:33 GMT

In data processing systems, the value analysis should be performed in terms of which three properties?

a. Profit, loss, ROI
b. Intentional, accidental, natural disaster
c. Assets, personnel, services provided
d. Availability, integrity, confidentiality

Answer: d.
Reference: Information Systems Security; Fites & Kratz; Thompson Press; 1996; pg 54.

OK, in a sense this is kind of a trick question, for a couple of reasons. But it does have a point. The point is, choose the answer with the greatest breadth and application that does answer the question.

Answer a - incorrect - it's right, but applies only to business management.
Answer b - incorrect - it's right, but applies directly to threat analysis.
Answer c - incorrect - it's right, but considered mostly in business impact analysis.

(There is a myth that says that if you see the CIA triad [confidentiality, integrity, availability] as an answer on any question on the CISSP exam, that is the correct answer. In fact, a friend, knowing of the myth, once specifically wrote a question so that CIA was wrong ... 🙂

Re: CISSP "sample" questions

rslade — Fri, 08 Feb 2019 17:46:46 GMT

Which of the following techniques MOST clearly indicates whether specific risk reduction controls should be implemented?

a. Threat and vulnerability analysis.
b. Risk evaluation.
c. ALE calculation.
d. Countermeasure cost/benefit analysis.

Answer: d.

Reference: Computer Security Handbook (3rd edition) Hutt, Boswirth, Hoyt; pg 3.3.

A fairly simple question: it should be fairly obvious. Again, the principle here is to choose the answer that most broadly answers the question. All the answers are important parts of security and risk assessment, but:
Answer a - this analysis does not address whether specific countermeasures should be implemented.
Answer b - risk evaluation studies existing risks but doesn’t address whether specific countermeasures should be implemented.
Answer c - ALE is the calculation of loss expectancy but does not address whether specific countermeasures should be implemented.
Answer d - correct - in a countermeasures cost/benefit analysis, the annualized cost of safeguards is compared with the expected cost of loss.

Oh, one more point: if you saw this question on an exam these days, it should be reworded slightly. Acronyms in questions are now supposed to be spelled out in full.

Re: CISSP "sample" questions

rslade — Sat, 09 Feb 2019 19:35:05 GMT

Prior to implementation, a complete description of an operational security issue should specify threat, vulnerability, and

a. safeguard.
b. asset.
c. exposure.
d. control.

Answer: b.

(Reference: Fitzgerald, Jerry, Internal Controls for Computerized Systems, 1978, pg 7)

This isn't really a type of question, as such, it's just one that a surprising number of people get wrong. We tend to concentrate on "problems" and forget what it is that we are trying to protect. Don't get that (or any other kind) of tunnel vision.

Which, I suppose, is as good a segue as any to another point. Remember that the CISSP is a general, and even international, certification. When presented with a question, don't pick an answer that is specifically suited to your job or company: pick the answer that is most suited to security in general.

Re: CISSP "sample" questions

rslade — Mon, 11 Feb 2019 19:31:11 GMT

What step can a company take to reduce the risk of its employees violating software copyright laws?

a. Remove copy programs from personal computers.
b. Install application licensing meters to prevent an excess of users for each license.
c. Establish a company policy prohibiting the unauthorized duplicating of software.
d. Prohibit the use of software on multiple computers.

Answer: c.

This is another question that lots and lots of people get wrong. But, by this time, you should get it right because it illustrates points already made.
Answer a - wrong - Well, it's possible, and might work, but it's not really practical, is it? Copying is a basic function of computers: users have a need to copy files. Besides, even if you took it off, people could put it back.
Answer b - wrong - A meter notes and possibly alerts you to the use of software beyond the number of licensed copies. It may or may not prevent copying. It would help, but it is not a complete solution.
Answer c - correct - The policy doesn’t prevent copying, but does reduce the liability risk if employees are caught making illegal copies. (And that's the real risk in violating copyright, yes?) And it means you can fire them if they do. (If there's no policy against it, what did they do that was wrong?)
Answer d - wrong - It's kind of impractical because more than one user may need to use the program. I mean, really ...

Oh, and remember that earlier point about the management answer being the right one?

Re: CISSP "sample" questions

rslade — Wed, 13 Feb 2019 19:42:18 GMT

Who is ultimately responsible to ensure that information is categorized and that specific protective measures are taken?

a. Security Officer
b. Senior Management
c. Data Owner
d. Custodian

Answer: b.
Reference: Commonsense Computer Security; Martin Smith; 1993; pg 63.

This is possibly as close to a "trick" question that you'll get on the exam. If you are just skimming the question, and the answers, the fact that the data owner is generally responsible for assigning data classification is going to jump out at you. Again, read the whole question. The key word here is "ultimately." "Ultimately," senior management is responsible for everything. The security officer may play some role in data classification, but unless you work in a MAC (Mandatory Access Control) environment won't be the one making individual decisions. And the custodian just acts on behalf of the owner.

Re: CISSP "sample" questions

dcontesti — Wed, 13 Feb 2019 22:42:45 GMT

@rslade I agree with your answer but as a seasoned item writer, I would really object to this question being on an exam as it is a trick. Sr. Management have the ultimate responsibility, however the Data Owner is the only person who truly understands the value of the data....and if they get it wrong, it doesn't matter what Sr. Management does in terms of data value, etc.

Also think that you would find the stats on a question like this would be poor.

Just my nickel

Diana

Re: dcontesti mentioned you in (ISC)Â² Community

rslade — Wed, 13 Feb 2019 23:53:04 GMT

> dcontesti (Contributor I) mentioned you in a post! Join the conversation below:

> @rslade I agree with your answer but as a seasoned item writer, I would really
> object to this question being on an exam as it is a trick. Sr. Management have
> the ultimate responsibility, however the Data Owner is the only person who truly
> understands the value of the data....and if they get it wrong, it doesn't matter
> what Sr. Management does in terms of data value, etc. Also think that you
> would find the stats on a question like this would be poor. Just my nickel

I don't disagree with you.

At the same time, I think that, as an example, it does emphasize two important
points:
1) the importance of the "management" answer, and
2) read the question carefully!

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
GOVERNMENT.SYS corrupted, reboot Ottawa? (Y/N)
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB