cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
322 Replies
rslade
Influencer II

Which of the following is a key element during the initial security planning process?

a. Establish system review time frames
b. Implement a security awareness program
c. Defining reporting relationships
d. Institute a change management program

 

 

Answer: c
Reference: Handbook of Information Security Management, edited by Ruthberg and Tipton, Auerbach, 1993, pg 75

 

 

Right, a few initial notes.  You will notice a reference.  Every exam question is (or was) backed up by at least two references from source security literature.  Note that CISSP study guides are not source security literature.

 

A key word in this question is "initial."  Establishing system review time frames, security awareness programs, and change management programs are all important, but they come later in security planning.

 

Note also one rather important point.  All of these answers are "correct" in a way.  If you are confronted with four "right" answers, and one of them is the "management" answer, that one is probably the one that will get you the point.  Defining reporting relationships is both something you want to establish early in planning, and it's also the "management" answer.  (One person I helped coach through the exam said that this one tip applied to about 10% of the total exam.)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
shahzadafridi
Newcomer I

Is it possible for you to share your whole question database once as pdf and rather discuss the difficult question in this forum. It will be of great help for those who are preparing for exam and will save some time
rslade
Influencer II

> shahzadafridi (Viewer II) posted a new reply in Certifications on 02-04-2019

> Is it possible for you to share your whole question database once as pdf and
> rather discuss the difficult question in this forum.

Some people are just *never* satisfied.

(Alternatively, no good deed goes unpunished.)

I tried that. Once. Having pointed out that you would never see any of these
questions on the exam, I got people who complained that they studied and
memorized the sample questions, took the exam, and didn't see any of questions
on the exam ...

Pay attention. These questions are not for "studying," except incidentally. These
questions are to prepare you for the types of questions that you will see on the
exam.

Actually, a good way to study is to try and *write* questions. That gets you into
the mindset of the exam itself. Try writing some questions, post them here, and
I'll tell you whether they are too easy, too hard, or not the type of thing you'll
see. Remember Bloom's Taxonomy: simple facts, synthesis of two or more facts,
analysis of the implications of two or more facts, and, most importantly,
questions requiring judgment and critical thinking.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
BEWARE OF GOD
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

Which of the following is NOT an element of a security planning mission statement?

a. Objectives statement
b. Background statement
c. Scope statement
d. Confidentiality statement

 


Answer: d
Reference: Handbook of Information Security Management, edited by Ruthberg and Tipton, Auerbach, 1993, page 73

 

This is the type of question that ensures you do not just memorize a bunch of security buzzwords.  You have to understand the concepts behind them.  What is a "security planning mission statement"?  Well, it's more simply known as a policy.  What does a policy contain?  Among other things, the background of your enterprise, your objectives, and the scope of what you are trying to protect.  What you are going to do about confidentiality (unless you are an unusual company and either don't care about confidentiality, or it's really, really important) generally is in your subordinate standards or procedures.

 

Don't get hung up on whether the question has exactly the wording you have studied.  That way lies failure.  Make sure you understand the fundamentals behind the words.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
shahzadafridi
Newcomer I

Can data classification or encryption (criteria to encrypt) be included in confidentiality statement?
rslade
Influencer II

> shahzadafridi (Viewer II) posted a new reply in Certifications on 02-04-2019

> Can data classification or encryption (criteria to encrypt) be included in
> confidentiality statement?

Why not?

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Maybe we're all just part of God's `Sim Universe' video game.
Let's just hope that He's not playing on a Windows machine, or
we're all screwed. - Jeff Ehrhart
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
shahzadafridi
Newcomer I

Then it is part of policy so why "D" option. I have doubts on background statement
dcontesti
Community Champion

@rslade I agree with your answer D. 

 

Your question has "element of a security planning mission statement".  In the planning phase, I am not concerned with encryption or data classification.  I would suggest at this point in time, I do not understand either the data classification or encryption requirements.....do I need a 3 by 3 matrix for data classification or a 4X4, a 5X5? nor do I understand where or when I can apply encryption.  If I carefully read the question,  I am PLANNING the Security mission.

 

I recommend that folks read every word, and not read meaning or anything into the questions.  I have too often seen people rush through the exam and fail

 

My nickel Canadian on a warm Monday (14 C or 57 F) here in Ontario.

 

Regards

 

Diana

 

 

rslade
Influencer II


@dcontesti wrote:

 

My nickel Canadian on a warm Monday (14 C or 57 F) here in Ontario.


Glad it's warmed up back there.  Out here there is actually snow in my front yard, and it's apparently going down to minus nine overnight ...

 

And thanks for jumping in on the policy question.  I was going to mention that you need to stick to the concepts, and that the concept here is that policy is high-level and abstract, and that protection details belong in the subordinate documents, but yours works, too  🙂

 

Oh, and a strong Amen! on reading the questions carefully ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468