Then it is part of policy, so why the "D" option? I have doubts about the background statement.
Exactly what @rslade wanted you to think about. One can make a case for any of the four answers, but one of these things (read some of the comments) is less "good" than the rest. Since Rob gave you the reference, you can go to the source and understand why the particular answer was chosen.
What Rob is doing here is similar to what we know about the (ISC)² test development process. The difference is that Rob follows up by explaining the thought process behind the answer, whereas (ISC)²'s next step is to use the question on actual exams, with zero-weighting until the answer is "proven" good, bad or indifferent.
Rob is doing a wonderful thing here. It is not about building a "brain dump" of actual questions... It's learning to get inside the head of the test-writers, understanding how/why the questions were written and selecting the answer that matches their way of thinking. In the case of CISSP, that person would be someone with many years of cross-functional IT security experience who keeps up with current trends and generally holds a position where they are making/leading decisions as part of the company's management. This is an important skill not just for the CISSP exam, but for communicating with people in general.
Understanding that this skill exists and learning to use it contributed more to my passing than any of the time I spent with study materials. It has also served me well as a go-between for management and techies, and also between techies of different disciplines.
The last time I attended an item-writing workshop, we not only had to provide the reference but we also had to write a justification for the correct answer and why the wrong answers were wrong. So a lot of thought goes into questions.
So I appreciate what Rob is doing and his dedication to assisting, although the subject of the thread could be changed, as the format and rigour should be the same for all exams.
In data processing systems, the value analysis should be performed in terms of which three properties?
a. Profit, loss, ROI
b. Intentional, accidental, natural disaster
c. Assets, personnel, services provided
d. Availability, integrity, confidentiality
Reference: Information Systems Security; Fites & Kratz; Thompson Press; 1996; pg 54.
OK, in a sense this is kind of a trick question, for a couple of reasons. But it does have a point. The point is, choose the answer with the greatest breadth and application that does answer the question.
Answer a - incorrect - it's right, but applies only to business management.
Answer b - incorrect - it's right, but applies directly to threat analysis.
Answer c - incorrect - it's right, but considered mostly in business impact analysis.
(There is a myth that says that if you see the CIA triad [confidentiality, integrity, availability] as an answer on any question on the CISSP exam, that is the correct answer. In fact, a friend, knowing of the myth, once specifically wrote a question so that CIA was wrong ... 🙂)
Which of the following techniques MOST clearly indicates whether specific risk reduction controls should be implemented?
a. Threat and vulnerability analysis.
b. Risk evaluation.
c. ALE calculation.
d. Countermeasure cost/benefit analysis.
Reference: Computer Security Handbook (3rd edition); Hutt, Bosworth, Hoyt; pg 3.3.
A fairly simple question: it should be fairly obvious. Again, the principle here is to choose the answer that most broadly answers the question. All the answers are important parts of security and risk assessment, but:
Answer a - this analysis does not address whether specific countermeasures should be implemented.
Answer b - risk evaluation studies existing risks but doesn’t address whether specific countermeasures should be implemented.
Answer c - ALE is the calculation of loss expectancy but does not address whether specific countermeasures should be implemented.
Answer d - correct - in a countermeasures cost/benefit analysis, the annualized cost of safeguards is compared with the expected cost of loss.
Oh, one more point: if you saw this question on an exam these days, it should be reworded slightly. Acronyms in questions are now supposed to be spelled out in full.
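To make concrete why answer c (ALE) is only an input and answer d (countermeasure cost/benefit) is what actually decides whether a control goes in, here is an added worked example; it is not from the thread or from the cited handbook, and the asset value, exposure factors, occurrence rates and safeguard names are constructed figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float    # annualized cost of the safeguard (ACS)
    residual_aro: float   # annual rate of occurrence once it is in place
    residual_ef: float    # exposure factor once it is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single loss expectancy: value lost in one incident."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy (answer c): SLE x annual rate of occurrence."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(asset_value: float, ef_before: float, aro_before: float,
                    sg: Safeguard) -> float:
    """Answer d: (ALE before - ALE after) - annualized safeguard cost.
    Positive means the control prevents more loss per year than it costs."""
    before = ale(asset_value, ef_before, aro_before)
    after = ale(asset_value, sg.residual_ef, sg.residual_aro)
    return before - after - sg.annual_cost


def recommend(asset_value: float, ef_before: float, aro_before: float,
              candidates: list[Safeguard]) -> list[str]:
    """Names of safeguards worth implementing, highest net value first."""
    scored = [(safeguard_value(asset_value, ef_before, aro_before, c), c.name)
              for c in candidates]
    return [name for value, name in sorted(scored, reverse=True) if value > 0]


# Constructed sample: a $500,000 database; a breach destroys 40% of its value
# and is expected once every two years (ARO = 0.5) with no added controls.
ASSET_VALUE, EF_BEFORE, ARO_BEFORE = 500_000.0, 0.40, 0.5
CANDIDATES = [
    Safeguard("encrypted backups", annual_cost=20_000, residual_aro=0.5, residual_ef=0.10),
    Safeguard("network segmentation", annual_cost=45_000, residual_aro=0.2, residual_ef=0.40),
    Safeguard("gold-plated appliance", annual_cost=150_000, residual_aro=0.05, residual_ef=0.05),
]

if __name__ == "__main__":
    print(f"ALE without controls: ${ale(ASSET_VALUE, EF_BEFORE, ARO_BEFORE):,.0f}")
    for c in CANDIDATES:
        print(f"{c.name:24s} net value ${safeguard_value(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, c):,.0f}")
    print("implement:", recommend(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, CANDIDATES))
```

The appliance reduces risk the most yet is rejected, which is the point of answer d: ALE alone ranks threats, but only the cost/benefit comparison says whether a specific control is worth implementing.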