cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
329 Replies
dcontesti
Community Champion

@Vigenere I believe this is the method they use so that we (that's the royal we) can notify them that at question may be flawed.  They had a similar process when tests were pencil and paper.

 

From their submission form:

 

Errata Data

The purpose of this form is to collect content corrections, errors, and copy edits that are found after the product has been released. All errata entries will be shared with a Subject Matter Expert (SME) to confirm and approve these changes. Once approved by a SME, the appropriate corrections will be made to the product in a timely manner.

_______________________________________________________________

 

Basically, states that they will pass the question to the appropriate people for review and validation and potential correction.

 

Good luck 

 

d

 

mgbecken
Viewer II

Thank you so much for these!  Love the explanations of the CISSP mindset!

rslade
Influencer II

Which type of access control allows users to specify who can access their files?

a. Mandatory
b. Discretionary
c. Relational
d. Administrative


Answer: b.

 

(Reference: Gasser, Morrie, Building a Secure Computer System, New York: Nostrand Reinhold, 1988, pg 55)

 

Discussion:
Answer a - Mandatory access control bases access on the preset labels of the sensitivity of objects and the clearance of subjects.
Answer b - The user (or creator) of an object grants authorization to support discretionary access control.
Answer c - Relational is not a type of access control.
Answer d - Administrative is not a type of access control.

Remember: just because you don't know it doesn't make it the right answer.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
redacted
Reader I

Hello @rslade , serious question here (even though this may not sound like one). How are we supposed to recognize what "does exist" and "doesn't exist" in answer choices - when it seems many of the practice questions/answers in general, rather than using standard wording like we're used to seeing in our study materials, use words that appear to have been pulled out of a thesaurus?

 

You make mention that the references here (and I believe also the two sources used for content on the actual exam) don't come from "Study Guides", yet that is what we all have been using to study (such as Sybex/Wiley), and you go out of your way to use wording that doesn't appear in those books or any popular study material.

 

 

 

On another note, in the practice question right above this post, you have in the explanation:

 

" Administrative is not a type of access control."

 

Can you please explain this because everywhere I checked, it is a type of access control (Physical, Technical/Logical, Administrative/Directive, Preventative, Detective, Corrective, Deterrent, Recovery)

 

Thanks

 

rslade
Influencer II

> redacted (Viewer) edited a reply in Certifications on 03-10-2020 03:14 PM in the

>       On another note, in the practice question right above this post,
> you have in the explanation:   " Administrative is not a type of access
> control."   Can you please explain this because everywhere I checked, it is a
> type of access control (Physical, Technical/Logical, Administrative,
> Preventative, Detective, Corrective, Deterrent, Recovery)   Thanks  

Those are controls types, not access control types.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Always forgive your enemies; nothing annoys them so much.
- Oscar Wilde
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

> redacted (Viewer) mentioned you in a post! Join the conversation below:

 

> Hello @rslade , serious question here (even though this may not sound like one).
> How are we supposed to recognize what "does exist" and "doesn't exist" in answer
> selections

 

OK, as to the first part, well, the exam exists to determine whether you know something about security, and part of knowing about something is knowing what does and doesn't exist. Don't try to "game" the exam by assuming that if you don't know it, it must be the right answer.  Assume you do know about security, and answer on the basis of what you know.

 

> - when it seems many of the practice questions/answers in general,
> rather than using standard wording we're used to seeing in our study materials,
> appear to have been pulled out of a thesaurus?

 

As to wording, make sure you understand. If you understand, rather than simply having memorized a bunch of text, then you won't be thrown by a slightly altered (or modified, or edited, or amended, or ...) choice of words.

 

>   You make mention that the
> references here (and I believe also the two sources used for content on the
> actual exam) don't come from "Study Guides", yet that is what we all have been
> using to study (such as Sybex/Wiley), and you go out of your way to use wording
> that doesn't appear in those books or any popular study material.        

 

There are lots more sources for study. Look up some of the best at
http://victoria.tc.ca/int-grps/books/techrev/mnbksccd.htm
There are lots more at
http://victoria.tc.ca/int-grps/books/techrev/mnbksc.htm

 

You can't pass the exam with a "brain dump" from a study guide. *Any* study guide.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
sai_murthy
Newcomer I

Q: When you're designing a security system for Internet-delivered email, which of the following is least important? - Nonrepudiation - Availability - Message Integrity - Access restriction

 

In my opinion, As the question asked for LEAST important, and also says, internet-delivered email.

Availability of Internet is not in our control. It depends on ISP. And the email goes off, once we get Internet.
Other three more important, which are in our control.

Correct me, if I'm wrong.

redacted
Reader I

@rslade , thank you very much for your responses. This thread was a wake-up call.

 

I have a question about how you recommend we approach the exam questions. In doing practice tests I was experimenting with the technique of reading the answers FIRST (before even reading the question). I found it helped me get my head around each answer first before being possibly thrown off in the question itself.

 

However, after reading your sample questions here, I'm thinking now this might be a really bad idea. In the practice tests, the answers are all usually things that exist (even if they are distractors), but based on your examples it sounds like quite a few questions might have answers choices that aren't even a real thing in security...

 

Any advice on how to approach the questions? Should we stick with the traditional read the question first, then the answers then the question again and the answers again?

 

Thanks

 

rslade
Influencer II

> sai_murthy (Newcomer I) posted a new reply in Certifications on 03-12-2020 03:05

> In my opinion, As the question asked for LEAST important, and also says,
> internet-delivered email. Availability of Internet is not in our control. It
> depends on ISP. And the email goes off, once we get Internet. Other three more
> important, which are in our control. Correct me, if I'm wrong.

Something being important doesn't mean it is within our control. For business
continuity and disaster recovery, for example, a great many things are not within
our control, but they are important and we have to plan for them.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If the law is against you, argue the facts. If the facts are
against you, argue the law. If the law and the facts are against
you, raise your voice. - common advice to new lawyers
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

> redacted (Viewer II) mentioned you in a post! Join the conversation below:

> @rslade , thank you very much for your responses. This thread was a wake-up
> call.

Glad to be of service.

>   I have a question about how you recommend we approach the exam
> questions. In doing practice tests I was experimenting with the technique of
> reading the answers FIRST (before even reading the question). I found it helped
> me get my head around each answer first before being possibly thrown off in the
> question itself.

Ah. A very interesting approach, and I think it has a lot of merit.

>   However, after reading your sample questions here, I'm
> thinking now this might be a really bad idea. In the practice tests, the answers
> are all usually things that exist (even if they are distractors), but based on
> your examples it sounds like quite a few questions might have answers choices
> that aren't even a real thing in security...   Any advice on how to approach the
> questions? Should we stick with the traditional read the question first, then
> the answers then the question again and the answers again?   Thanks  

I don't want to give the idea that you will see made up distractors on every
question. I suspect you'll actually encounter very few. I just always found that a
number of candidates really got thrown by made up distractors, so I tend to push
that idea so people will remember it.

I still think your idea of reading the answers first does have merit. As you say, it
can get you thinking along the lines the question pursues. If you encounter a made
up distractor, in that case, it simply won't make sense, and reading the question
then should. I don't think it's likely that a made up distractor will throw you into
the completely wrong frame of mind.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Good people do not need laws to tell them to act responsibly,
while bad people will find a way around the laws. - Plato
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468