Right.
For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
Your comments are gems.
Especially where you say "if you don't know something, it doesn't mean it is correct".
I was getting so much wound up in the terms I never heard of.
When verifying the key control objectives of a system design, the security
specialist should ensure that the
a. Final system design has security administrator approval
b. Auditing procedures have been defined
c. Vulnerability assessment has been completed
d. Impact assessment has been approved
Answer: c.
Reference: HISM, edited by Ruthberg & Tipton; Auerbach; 1993, pg 309.
Discussion:
Answer a is a fabricated distractor. (The security admin probably doesn't do design
approval.)
Answer b is a necessary step in the security administration process, but isn't a
primary part of system control design.
Answer c - correct - a key step in the System Design process.
Answer d is possibly important, particularly in risk assessment or business
continuity planning, but, again, isn't vital to system control design.
====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
They always say time changes things, but you actually have to
change them yourself. - Andy Warhol
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
@rajus wrote: Especially where you say "if you don't know something, it doesn't mean it is correct".
I was getting so much wound up in the terms I never heard of.
Quite common. It's part of the design of exam questions to account for people who are good at guessing which answer "sounds good," even if they don't know the field.
@rslade This question looks incomplete to me.
"Prior to implementation <of what?>, a complete description of an operational security issue should specify threat, vulnerability, and"
@Vigenere wrote: This question looks incomplete to me.
"Prior to implementation <of what?>, a complete description of an operational security issue should specify threat, vulnerability, and"
There are two types of people in this world: those who can tolerate ambiguity.
@Vigenere Are you referring to this question:
At what stage of the applications development process should the security department become involved?
a. Prior to the implementation (of the application(s))
b. Prior to systems testing (of the application(s))
c. During unit testing (of the application(s))
d. During requirements development (of the application(s))
If so, what's incomplete? The question clearly states "applications development process," so we know we're talking about an...application or applications, right? Then, by default, each of the answer choices points back to same - it's simply that "of the application(s)" is not tacked on to the end of each choice, but I added that phrase and perhaps this makes the answer choices more clear. Does this help?
And further to the point, if you've just started studying for the CISSP exam or have not reached Domain 8 yet, you may not know that this question is referring to aspects of the SDLC. Good luck as you forge ahead.