@Vigenere I believe this is the method they use so that we (that's the royal we) can notify them that at question may be flawed. They had a similar process when tests were pencil and paper.
From their submission form:
Basically, states that they will pass the question to the appropriate people for review and validation and potential correction.
Which type of access control allows users to specify who can access their files?
(Reference: Gasser, Morrie, Building a Secure Computer System, New York: Nostrand Reinhold, 1988, pg 55)
Answer a - Mandatory access control bases access on the preset labels of the sensitivity of objects and the clearance of subjects.
Answer b - The user (or creator) of an object grants authorization to support discretionary access control.
Answer c - Relational is not a type of access control.
Answer d - Administrative is not a type of access control.
Remember: just because you don't know it doesn't make it the right answer.
Hello @rslade , serious question here (even though this may not sound like one). How are we supposed to recognize what "does exist" and "doesn't exist" in answer choices - when it seems many of the practice questions/answers in general, rather than using standard wording like we're used to seeing in our study materials, use words that appear to have been pulled out of a thesaurus?
You make mention that the references here (and I believe also the two sources used for content on the actual exam) don't come from "Study Guides", yet that is what we all have been using to study (such as Sybex/Wiley), and you go out of your way to use wording that doesn't appear in those books or any popular study material.
On another note, in the practice question right above this post, you have in the explanation:
" Administrative is not a type of access control."
Can you please explain this because everywhere I checked, it is a type of access control (Physical, Technical/Logical, Administrative/Directive, Preventative, Detective, Corrective, Deterrent, Recovery)
> redacted (Viewer) mentioned you in a post! Join the conversation below:
> Hello @rslade , serious question here (even though this may not sound like one).
> How are we supposed to recognize what "does exist" and "doesn't exist" in answer
OK, as to the first part, well, the exam exists to determine whether you know something about security, and part of knowing about something is knowing what does and doesn't exist. Don't try to "game" the exam by assuming that if you don't know it, it must be the right answer. Assume you do know about security, and answer on the basis of what you know.
> - when it seems many of the practice questions/answers in general,
> rather than using standard wording we're used to seeing in our study materials,
> appear to have been pulled out of a thesaurus?
As to wording, make sure you understand. If you understand, rather than simply having memorized a bunch of text, then you won't be thrown by a slightly altered (or modified, or edited, or amended, or ...) choice of words.
> You make mention that the
> references here (and I believe also the two sources used for content on the
> actual exam) don't come from "Study Guides", yet that is what we all have been
> using to study (such as Sybex/Wiley), and you go out of your way to use wording
> that doesn't appear in those books or any popular study material.
There are lots more sources for study. Look up some of the best at
There are lots more at
You can't pass the exam with a "brain dump" from a study guide. *Any* study guide.
Q: When you're designing a security system for Internet-delivered email, which of the following is least important? - Nonrepudiation - Availability - Message Integrity - Access restriction
In my opinion, As the question asked for LEAST important, and also says, internet-delivered email.
Availability of Internet is not in our control. It depends on ISP. And the email goes off, once we get Internet.
Other three more important, which are in our control.
Correct me, if I'm wrong.
@rslade , thank you very much for your responses. This thread was a wake-up call.
I have a question about how you recommend we approach the exam questions. In doing practice tests I was experimenting with the technique of reading the answers FIRST (before even reading the question). I found it helped me get my head around each answer first before being possibly thrown off in the question itself.
However, after reading your sample questions here, I'm thinking now this might be a really bad idea. In the practice tests, the answers are all usually things that exist (even if they are distractors), but based on your examples it sounds like quite a few questions might have answers choices that aren't even a real thing in security...
Any advice on how to approach the questions? Should we stick with the traditional read the question first, then the answers then the question again and the answers again?