Community Champion

Re: CISSP "sample" questions


@shahzadafridi wrote:
Then it is part of policy, so why the "D" option? I have doubts on the background statement.

Exactly what @rslade wanted you to think about.  One can make a case for any of the four answers, but one of these things (read some of the comments) is less "good" than the rest.  Since Rob gave you the reference, you can go to the source and understand why the particular answer was chosen.

 

What Rob is doing here is similar to what we know about the (ISC)² test development process.  The difference being that Rob follows up by explaining the thought process behind the answer, whereas (ISC)²'s next step is to use the question on actual exams, with zero-weighting until the answer is "proven" good, bad or indifferent.

 

Rob is doing a wonderful thing here.  It is not about building a "brain dump" of actual questions...   It's learning to get inside the head of the test-writers, understanding how/why the questions were written and selecting the answer that matches their way of thinking.  In the case of CISSP, that person would be someone with many years of cross-functional IT security experience who keeps up with current trends and generally holds a position where they are making/leading decisions as part of the company's management.  This is an important skill not just for the CISSP exam, but for communicating with people in general. 

 

Understanding that this skill exists and learning to use it contributed more to my passing than any of the time I spent with study materials.  It has also served me well as a go-between between management and techies and also between techies of different disciplines.

Community Champion

Re: CISSP "sample" questions

@rslade @denbesten 

The last time I attended an item writing workshop, we not only had to provide the reference but also had to write a justification for the correct answer and why the wrong answers were wrong.   So a lot of thought goes into questions.

 

So I appreciate what Rob is doing and his dedication to assisting, although the subject of the thread could be changed, as the format and rigour should be the same for all exams.

 

Regards

Diana
Newcomer I

Re: CISSP "sample" questions

If you are some credit card company or any company that deals with PII of customers, I think the mission statement must include protecting this data at rest and in transit. A policy statement, as a high-level objective, will not include the technical specification, of course.

P.S. Just giving a thought for discussion; otherwise I agree with your explanation.
Community Champion

Re: CISSP "sample" questions

In data processing systems, the value analysis should be performed in terms of which three properties?

a. Profit, loss, ROI
b. Intentional, accidental, natural disaster
c. Assets, personnel, services provided
d. Availability, integrity, confidentiality

 


Answer: d.
Reference: Information Systems Security; Fites & Kratz; Thompson Press; 1996; pg 54.

 

OK, in a sense this is kind of a trick question, for a couple of reasons.  But it does have a point.  The point is, choose the answer with the greatest breadth and application that does answer the question.


Answer a - incorrect - it's right, but applies only to business management.
Answer b - incorrect - it's right, but applies directly to threat analysis.
Answer c - incorrect - it's right, but considered mostly in business impact analysis.

(There is a myth that says that if you see the CIA triad [confidentiality, integrity, availability] as an answer on any question on the CISSP exam, that is the correct answer.  In fact, a friend, knowing of the myth, once specifically wrote a question so that CIA was wrong ...  🙂)


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Community Champion

Re: CISSP "sample" questions

Which of the following techniques MOST clearly indicates whether specific risk reduction controls should be implemented?

a. Threat and vulnerability analysis.
b. Risk evaluation.
c. ALE calculation.
d. Countermeasure cost/benefit analysis.


Answer: d.


Reference: Computer Security Handbook (3rd edition) Hutt, Bosworth, Hoyt; pg 3.3.

 

A fairly simple question: it should be fairly obvious.  Again, the principle here is to choose the answer that most broadly answers the question.  All the answers are important parts of security and risk assessment, but:
Answer a - this analysis does not address whether specific countermeasures should be implemented.
Answer b - risk evaluation studies existing risks but doesn’t address whether specific countermeasures should be implemented.
Answer c - ALE is the calculation of loss expectancy but does not address whether specific countermeasures should be implemented.
Answer d - correct - in a countermeasures cost/benefit analysis, the annualized cost of safeguards is compared with the expected cost of loss.

 

Oh, one more point: if you saw this question on an exam these days, it should be reworded slightly.  Acronyms in questions are now supposed to be spelled out in full.


............
This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
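A worked example of the comparison Rob describes for answer d, added here for illustration and not part of the thread or of the referenced handbook. It computes annualized loss expectancy (ALE = asset value × exposure factor × annualized rate of occurrence) for a baseline and for each candidate control, then nets the ALE reduction against the control's annualized cost. Every figure (the asset value, exposure factors, occurrence rates and control costs) is constructed for the example.

```python
# Added example (not from the thread): countermeasure cost/benefit analysis
# built on annualized loss expectancy. All asset values, exposure factors,
# rates of occurrence and control costs below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and the risk that remains once it is in place."""
    name: str
    annual_cost: float   # annualized cost of the control (purchase amortized + operation)
    residual_ef: float   # exposure factor (fraction of asset value lost per event) with the control
    residual_aro: float  # annualized rate of occurrence with the control


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: the loss expected from one occurrence of the threat."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE * ARO, the expected loss per year (answer c in the question above).

    On its own this says how bad the risk is, not whether a given control is worth buying.
    """
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def safeguard_value(asset_value: float, ef_before: float, aro_before: float, sg: Safeguard) -> float:
    """Net annual value of a control: ALE(before) - ALE(after) - annual cost of the control.

    This is the cost/benefit comparison of answer d: the annualized cost of the safeguard
    set against the loss it is expected to prevent. Positive means the control pays for itself.
    """
    ale_before = annualized_loss_expectancy(asset_value, ef_before, aro_before)
    ale_after = annualized_loss_expectancy(asset_value, sg.residual_ef, sg.residual_aro)
    return ale_before - ale_after - sg.annual_cost


def evaluate_controls(asset_value: float, ef_before: float, aro_before: float,
                      candidates: list[Safeguard]) -> list[tuple[str, float, bool]]:
    """Return (name, net annual value, implement?) for each control, best first."""
    scored = []
    for sg in candidates:
        value = safeguard_value(asset_value, ef_before, aro_before, sg)
        scored.append((sg.name, value, value > 0))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed scenario: a customer database worth 500,000, where a ransomware event
# is expected once every two years (ARO 0.5) and destroys 40% of its value (EF 0.4).
ASSET_VALUE = 500_000.0
EF_BEFORE = 0.4
ARO_BEFORE = 0.5

CANDIDATES = [
    # Backups do not stop the event (same ARO) but cut the loss per event to 10%.
    Safeguard("Tested offline backups", annual_cost=15_000.0, residual_ef=0.1, residual_aro=0.5),
    # A hot standby site cuts the loss further but its annual cost exceeds the loss it avoids.
    Safeguard("Redundant data centre", annual_cost=120_000.0, residual_ef=0.05, residual_aro=0.5),
]


def main() -> None:
    print(f"Baseline ALE: {annualized_loss_expectancy(ASSET_VALUE, EF_BEFORE, ARO_BEFORE):,.0f}")
    for name, value, implement in evaluate_controls(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        verdict = "implement" if implement else "do not implement on cost grounds"
        print(f"{name:24s} net annual value {value:>10,.0f}  -> {verdict}")


if __name__ == "__main__":
    main()
```

Note what the intermediate step alone would have told you: both controls reduce ALE (the standby site by more, 87,500 against 75,000), so ranking on ALE reduction (answer c) would prefer the costlier control. Only after subtracting each control's annualized cost does the comparison show that the backups return 60,000 a year while the standby site loses 32,500, which is why the cost/benefit step, not the ALE figure, is what decides implementation.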