For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
From an operations security standpoint, which one of the following dial-in access configurations is best?
a. Force the port to log out when the modem loses carrier.
b. Disable the port when the modem disconnects.
c. Reset the modem when the phone line disconnects.
d. Force a modem reset when the DTR line transitions.
Reference: Fites & Kratz, Information Systems Security: A Practitioner’s Reference; International Thomson Computer Press; 1996; pg 385.
a - correct, this is a control measure that will force the user to reauthenticate, and prevent someone from simply taking over a free line they come across
b - wrong, this allows for a good way to do a DOS on the dialup facility
c - wrong, once the phone line is disconnected it can’t be reset, and simply resetting the modem may leave a live session behind it
d - wrong, this is a normal occurrence (DTR - data terminal ready)
(Reference: Fites and Kratz, Information Systems Security: A Practitioner’s Reference, International Thomson Computer Press, 1996)
Which one of the following would NOT be considered a media control task?
a. Decompressing the storage medium.
b. Storing on-site backups in a protected area.
c. Maintaining a control log noting all media entries, removals, and returns.
d. Erasing volumes at the end of their retention period.
(Reference: Rita Summer - “Secure Computing: Threats and Safeguards”; McGraw-Hill; 1997; pg 585.
Decompression definitely is part of media management, but it isn't a control.
In what way can violation clipping levels assist in violation tracking and analysis?
a. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.
b. Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant.
c. Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to usercodes with a privileged status.
d. Clipping levels enable a security administrator to view all reductions in security levels which have been made to usercodes which have incurred violations.
Answer a - correct, the clipping level establishes a normal error rate that can be ignored for violation analysis purposes.
Which of the following is permitted by an adequate separation of duties in a mainframe computer environment?
a. Computer users may reconcile control totals.
b. Computer users may access the system files.
c. Programmers may change production data.
d. Programmers may initiate transactions.
Why are user IDs critical in the review of audit trails?
a. they show which files were altered.
b. they establish individual accountability.
c. they cannot be easily altered.
d. they trigger corrective controls.
(Reference: Fites and Kratz, Information Systems Security: A Practitioner’s Reference, International Thomson Computer Press, 1996, pg 127.
Answer a - wrong, the identification of a specific user does not in itself show the activities conducted under the user’s name.
Answer b - correct.
Answer c - wrong, audit trail information should be secured so it cannot be altered.
Answer d - wrong, user Ids by themselves do not trigger corrective controls - the activity conducted may trigger corrective action.
OK, as a celebration of the fact that my account seems to have (as mysteriously as it died) revived, herewith:
At what stage of the applications development process should the security department become involved?
a. Prior to the implementation
b. Prior to systems testing
c. During unit testing
d. During requirements development
Reference: Secure Computing(Threats & Safeguards); R. Summers; McGraw-Hill; 1997; pg 250.
This is an example of choosing the best answer from among those provided. "Requirements" is probably not the phase to start thinking about security: you should probably start right at the initiation and concept phase. But that isn't one of the options we are given. So, choose the earliest possible phase from the options you are given:
Answer a - incorrect - prior to implementation is 7 steps down in the software development life cycle. At this point, security safeguards would be expensive to retrofit.
Answer b - incorrect - prior to system test is vague and several steps (5) required preceding it.
Answer c - incorrect - unit test is where you would want to test the security of the system. Security dept. should have been involved much earlier.
Answer d - correct - Security dept. should be involved at the beginning of the project. It is much easier than adding it later.