Prior to implementation, a complete description of an operational security issue should specify threat, vulnerability, and
(Reference: Fitzgerald, Jerry, Internal Controls for Computerized Systems, 1978, pg 7)
This isn't really a type of question as such; it's just one that a surprising number of people get wrong. We tend to concentrate on "problems" and forget what it is that we are trying to protect. Don't get that (or any other kind) of tunnel vision.
Which, I suppose, is as good a segue as any to another point. Remember that the CISSP is a general, and even international, certification. When presented with a question, don't pick an answer that is specifically suited to your job or company: pick the answer that is most suited to security in general.
What step can a company take to reduce the risk of its employees violating software copyright laws?
a. Remove copy programs from personal computers.
b. Install application licensing meters to prevent an excess of users for each license.
c. Establish a company policy prohibiting the unauthorized duplicating of software.
d. Prohibit the use of software on multiple computers.
This is another question that lots and lots of people get wrong. But, by this time, you should get it right because it illustrates points already made.
Answer a - wrong - Well, it's possible, and might work, but it's not really practical, is it? Copying is a basic function of computers: users have a need to copy files. Besides, even if you took it off, people could put it back.
Answer b - wrong - A meter notes and possibly alerts you to the use of software beyond the number of licensed copies. It may or may not prevent copying. It would help, but it is not a complete solution.
Answer c - correct - The policy doesn’t prevent copying, but does reduce the liability risk if employees are caught making illegal copies. (And that's the real risk in violating copyright, yes?) And it means you can fire them if they do. (If there's no policy against it, what did they do that was wrong?)
Answer d - wrong - It's kind of impractical because more than one user may need to use the program. I mean, really ...
Oh, and remember that earlier point about the management answer being the right one?
Who is ultimately responsible to ensure that information is categorized and that specific protective measures are taken?
a. Security Officer
b. Senior Management
c. Data Owner
Reference: Commonsense Computer Security; Martin Smith; 1993; pg 63.
This is possibly as close to a "trick" question as you'll get on the exam. If you are just skimming the question, and the answers, the fact that the data owner is generally responsible for assigning data classification is going to jump out at you. Again, read the whole question. The key word here is "ultimately." "Ultimately," senior management is responsible for everything. The security officer may play some role in data classification, but unless you work in a MAC (Mandatory Access Control) environment they won't be the one making individual decisions. And the custodian just acts on behalf of the owner.
@rslade I agree with your answer, but as a seasoned item writer, I would really object to this question being on an exam, as it is a trick. Sr. Management has the ultimate responsibility; however, the Data Owner is the only person who truly understands the value of the data, and if they get it wrong, it doesn't matter what Sr. Management does in terms of data value, etc.
I also think that you would find the stats on a question like this would be poor.
Just my nickel