rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
329 Replies
rslade
Influencer II

> OneOfTheMartins (Viewer) posted a new reply in Certifications on 02-20-2019

>   The way I see
> it, this is difficult, if not impossible, to answer.

Definitely difficult: not impossible. This is definitely going to be the most
difficult exam you've ever written.

> First, "ultimately
> responsible" would have to be defined. Second, responsibility can be (and almost
> always is) delegated from the top to the bottom of the pyramid. In a
> philosophical way, the one who delegates is still "ultimately" responsible

And that's the way to answer it.

> but
> in real-life scenarios, if your data is going to be hacked and you, as CXO,
> delegated the above responsibilities to, say, the data owner or just the plain,
> old security officer, it's those guys who fall on their swords, not you.

Yeah, we've all seen situations where the guys at the top wriggle out of their
responsibilities by throwing some underling under the bus. As I've said elsewhere,
don't concentrate too much on "it *could* happen this way" ...

>   This
> is not the type of question I'd want in my test (though I have a sneaking
> suspicion I will), and it doesn't really look useful, either - hackers don't
> give many fcuks, flying or otherwise, about wordplay.

It's not wordplay, in this case. It's an important point, and one that I've seen in
my consulting work. I recall one contract where they had a very serious problem.
I identified it and told them what they had to do to fix it. They didn't want to do
that. OK, my contract is over: I've done my part. That was the fix, but they
didn't like it. I didn't have to (well, couldn't) force them. Six months later they
had to sell out to a competitor. But that was their responsibility, and their choice.
Not my responsibility.

We tend to forget that, in security. We are the experts, we have the knowledge
and experience, and we are advising people who frequently have little or no clue
about the issues we face. We are responsible for giving our best advice. But it's
senior management who have ultimate responsibility, and sometimes they throw
our advice out the window. They have the final say.

And, as I've said elsewhere, "pick the management answer" is an important
(although not the only) tip for the exam.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Nothing is too high for the daring of mortals; we storm heaven
itself in our folly. - Horace, Epistles
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

dcontesti
Community Champion

Thank you sir.

OneOfTheMartins
Newcomer I


@dcontesti wrote:

Thank you sir.


Seconded. I'll keep this in mind, especially the "management answer" theory, when preparing for the exam.

denbesten
Community Champion


@rslade wrote:

...it's just one that a surprising number of people get wrong....

This also serves as an example of why Psycho-analytics are performed on the exam. Over time, (ISC)² deletes questions which are regularly answered incorrectly by those who pass. So, if most people disagree with "D", the question will eventually get kicked out, regardless of whether D is right or wrong.

 

Although this may seem like a harmful practice of "live patient trials", there are two mitigating factors. First, new questions are not graded until they have passed muster, and second, if you truly deserve the certificate (know your stuff, exceed the experience requirements and are able to "think like a manager") you will easily be able to afford a few "unjust" hits.

 

Since your goal is to pass the test, there is more value in understanding why Rob selected "D" (even if incorrectly), than there is in defending "B".   The idea being that understanding another person's position helps you grow your knowledge, whereas defending a position simply cements your own belief.

 

On the other hand, if the goal is to "annoy Rob", have at defending "B". There is sport in that.

 

rslade
Influencer II

> denbesten (Advocate I) posted a new reply in Certifications on 02-22-2019 12:00

>   On the other
> hand, if the goal is to "annoy Rob", have at defending "B". There is sport in
> that .

It's people like you what cause unrest ...

rslade
Influencer II

The PRIMARY difference between the TCSEC and ITSEC data classifications is:

 

a. ITSEC classifications are based on integrity
b. TCSEC classifications are based on government requirements
c. ITSEC classifications are based on international requirements
d. TCSEC classifications are based on mandatory requirements

 

answer: a

 

I've never seen a reference for this question, although I assume there must be one, somewhere. This is the type of question that proves that, no, you can't just get the right book and have all the answers. You have to understand that, although TCSEC is based on government requirements, and ITSEC is based on international input, and TCSEC does talk (at some levels) about mandatory (as opposed to discretionary) requirements, the addition of integrity is a fundamental change over TCSEC (which was only concerned with confidentiality). You have to understand the concepts, and the implications.


TXWayne
Newcomer II


@denbesten wrote:

@rslade wrote:

...it's just one that a surprising number of people get wrong....

This also serves as an example of why Psycho-analytics are performed on the exam  Over time, (ISC)² deletes questions which are regularly answered incorrectly by those who pass. So, if most people disagree with "D", the question will eventually get kicked out, regardless of if D is right or wrong.

Actually they really resist a question getting kicked out, as in eliminated. I just participated in something ISC2 tried for the first time, and that is a CISSP item rework workshop. We got questions "kicked back" to rework to address some defect that statistics showed as a poor performer. There were many scenarios the questions fell in, and although I thought it would be easier than writing original content, it was not. There were a few that were so easy they were not salvageable; in my opinion anyone subject to a good security awareness program could answer the question, and thus I recommended tossing it. It was another great learning experience for me provided by ISC2.

rslade
Influencer II

What is the PRIMARY use of a password?

a. Allow access to files.
b. Identify the user.
c. Authenticate the user.
d. Segregate various users' accesses.


Answer: c.
Reference: Info Systems Security; Fites & Kratz; pg 4; 1.2.4

Some of the easier questions you'll face allow you to quickly eliminate a couple of the options.  In this case, while file access and other types of access are going to be related to a login process, they clearly aren't primary.  That leaves you with two fairly similar options: identifying and authenticating the user.  At this point you should be a little careful, and remember that identification is the function of the username.  The password is used for authentication.


denbesten
Community Champion


@TXWayne wrote:

...We got questions "kicked back" to rework to address some defect that statistics showed as a poor performer...


That seems like a valuable enhancement.  There is value in "human review" and salvaging what one can.  I do suspect that the reworked question would reenter the whole testing and psycho-analysis processes and if it remains a poor performer, it would again be kicked back/out.

 

The fascinating part to me is that although citations and references are important to the question development process, it is group consensus that ultimately determines the correct answer. Over time, this eliminates the problem of faulty references.

dcontesti
Community Champion

So many moons ago, all items that had bad stats were kicked out to determine if they were worth saving or not.

 

When one was rewritten, it did go back into the process and started its life all over again, so that new stats were generated to determine if the rewrite made the question any better.....sometimes it worked, other times, it didn't

 

Diana