Right.
For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
Agree with Rob on the capability to closely parse and understand a few sentences being critical for folks in security roles - lines of code, requirements, configurations, vision/mission statements, you name it. The confirmation of knowledge and experience is sort of the trick: if you can't comprehend, then drop the mark - you may well have compensating qualities that make it up elsewhere.
I just wrote the CSSLP (I'll let you know how I did when I get certified); there were one or two questions that made me smile, but not more than that. CISSP had a few more but was statistically similar - as long as it's not too many, the attention to detail required is, on balance, a good thing.
I don't even think this is a tricky question. Management has budgets, data owners not so likely, so who to spend effort persuading? SOX has been around for a while as well, so it's clear where the buck stops.
@Early_Adopter Sorry I was not disagreeing with Rob. I was trying to say that this is a trick question as the word "ultimately" should be bolded and I think if it was tested the stats would be terrible. Just my opinion.
As Rob and I have stated previously, reading the question is key. Unfortunately, people still speed read questions and miss words or make up definitions.
Diana
So perhaps I should have said I feel that Rob's last points bore out the need to include perceived slippery questions that take people back to fundamentals (not my intention to imply disagreement). Not so many slippery questions that a candidate needs their wordsmithing guild license, but enough that a candidate who would otherwise fail can pick up a couple of marks from good application of attention to detail, or conversely a speeds-and-feeds uber-technocrat would need to pause for thought and consider.
I would disagree (just my opinion) with that particular question being a trick, however - bolding or emphasis on words is unlikely to be present in most things that need to be closely read, especially if someone is trying to slip in a spurious requirement or constraint. Perhaps some sort of AI-powered policy Super Emacs from the cloud* will come along as a review tool to highlight pitfalls, but we're not there as yet.
A couple more musings - areas of ambiguity are quite good to research, and while you should not really verbally test a skill, allowing a candidate to use a skill such as comprehension is important/useful.
*like a reverse 'Grammarly': please send everything you write to my machine friends so they can check it for you... 🙂
@Early_Adopter wrote:
A couple more musings - areas of ambiguity are quite good to research, and while you should not really verbally test a skill, allowing a candidate to use a skill such as comprehension is important/useful.
*like a reverse 'Grammarly': please send everything you write to my machine friends so they can check it for you... 🙂
I have to agree, which is why I believe one of the old board committees implemented Class B CPEs.....
Diana
Which one of the following is NOT a goal of the change control management process?
a. Ensure changes are authorized.
b. Ensure coherence of changes.
c. Ensure changes are documented.
d. Ensure correctness of changes.
Answer: b
Reference: Fites and Kratz, Information Systems Security: A Practitioner's Reference, International Thomson Computer Press, 1996, pg 321
Change control management should ensure that all changes are authorized, documented, and correct. What the heck are "coherent" changes? OK, you could argue that changes should be coherent with policies, other parts of the system, or some other factor, but you know that changes are supposed to be authorized, documented, and correct, so why try to make something you don't know fit?
Which brings up a point that trips up a lot of people in a lot of ways: just because you don't know it, doesn't make it the right answer.
I don't know why this is so important, but it is. Maybe most of us lack self-confidence, and automatically assume that if we don't understand it, it must be something important that we've missed. However, if you really are a security professional, most of the time that's wrong.
Which brings up another important point: most of the time, the right answer is going to jump out at you. Very often, your first response is the right one. Don't "overthink" yourself into a wrong answer.
Which of the following actions should management take when classified information must be made available to different user populations?
a. Increase security controls on the information.
b. Raise the classification label to the next highest level.
c. Disburse the information to multiple local area network servers.
d. Require specific approval each time the information is accessed.
answer: a
This is a case of read the question carefully, and read all the answers carefully. Note that increasing security controls doesn't necessarily mean just making the controls more stringent. It can also refer to increasing aspects such as granularity, which is probably what is wanted here.
Raising classification to a higher level doesn't help with disparate populations. Distributing files to other servers probably won't help with this problem at all. Requiring specific approval might work, but would be very time consuming.
@rslade wrote:
Who is ultimately responsible to ensure that information is categorized and that specific protective measures are taken?
a. Security Officer
b. Senior Management
c. Data Owner
d. Custodian
Answer: b.
Reference: Commonsense Computer Security; Martin Smith; 1993; pg 63.
This is possibly as close to a "trick" question as you'll get on the exam. If you are just skimming the question and the answers, the fact that the data owner is generally responsible for assigning data classification is going to jump out at you. Again, read the whole question. The key word here is "ultimately." "Ultimately," senior management is responsible for everything. The security officer may play some role in data classification, but unless you work in a MAC (Mandatory Access Control) environment, won't be the one making individual decisions. And the custodian just acts on behalf of the owner.
The way I see it, this is difficult, if not impossible, to answer. First, "ultimately responsible" would have to be defined. Second, responsibility can be (and almost always is) delegated from the top to the bottom of the pyramid. In a philosophical way, the one who delegates is still "ultimately" responsible, but in real-life scenarios, if your data is going to be hacked and you, as CXO, delegated the above responsibilities to, say, the data owner or just the plain old security officer, it's those guys who fall on their swords, not you.
This is not the type of question I'd want in my test (though I have a sneaking suspicion I will), and it doesn't really look useful, either - hackers don't give many fcuks, flying or otherwise, about wordplay.
This is not the type of question I'd want in my test (though I have a sneaking suspicion I will), and it doesn't really look useful, either - hackers don't give many fcuks, flying or otherwise, about wordplay.
So most of your post was appropriate, HOWEVER this last line is NOT.
You could have easily said "hackers don't care..." or anything.
Your language is inappropriate on a professional forum.
Please refrain, even with your fancy spelling.
@SamanthaO_isc2 Suggest you add this word to the Pr0N list.......
Diana
Point taken. Even though I'm very liberal about the usage of profanity, I will comply.