Right.
For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
79. Who of the following is responsible for ensuring that proper controls are in place to address confidentiality, integrity, and availability of IT systems and data?
A. Business and functional managers
B. IT security practitioners
C. System and information owners
D. Chief Information Officer
This one gets me a little bit. "Responsible" always makes me look for the top of the food chain, D in this case.
However, I also think of it in the way that senior managers are the ones approving control costs or policies, but not necessarily actually verifying that those controls are in place. Unless I think of it in the way that they are still the ones responsible if something is not being checked. So I still go with D.
(this source said C. FYI)
It is C. The two keywords to look for are "ultimately" and "organization"; if you see these, then I will go with D. But in this question the keywords are "responsible", "in place", and "to ensure", so I will go with C. In the real world, the CIO will ask, but the system owner and data owner are responsible.
Unfortunately, you are wrong: the ultimate is the CIO.
The question does not carry the "ultimate" keyword.
This one is straight out of a Shon Harris book (an old one, 6th edition... the one I bought the first time I considered taking this test, before I realized it was above my pay grade at the time). I hope the actual exam wouldn't ask it this way anyway. Your points are exactly my issue with it. If it said "ultimately" there would be no question, but if I saw this exact wording next Tuesday, I think I would still click "D" on principle alone.
In that way, CISSP is poor in framing the right words, if you ask my honest opinion. There are two words which we use during SIAM (Service Integration and Management), i.e., accountability and responsibility. Accountability is who owns the particular element, and responsibility is the one who takes care of or manages that particular element. If I put the question in this context, accountability is with the CIO and data owner; responsibility is with the information security professional.
Again I perfectly understand what you are trying to say.
Hi all,
I am planning to take membership of CCCure (CISSP test engine). Can you please help me decide if I am making the right decision? I do understand that no test engine in the world is going to help me pass, but it may get me closer to clinching the CISSP. If there are any other good test engines, can you please suggest them?
@Startzc wrote:
79. Who of the following is responsible for ensuring that proper controls are in place to address confidentiality, integrity, and availability of IT systems and data?
A. Business and functional managers
B. IT security practitioners
C. System and information owners
D. Chief Information Officer
This one gets me a little bit. "Responsible" always makes me look for the top of the food chain, D in this case.
However, I also think of it in the way that senior managers are the ones approving control costs or policies, but not necessarily actually verifying that those controls are in place. Unless I think of it in the way that they are still the ones responsible if something is not being checked. So I still go with D.
(this source said C. FYI)
The CIO is responsible for making sure the IT systems are operating, backed up, etc. They are not (always) responsible for the CONTROLS around the CIA triad. If they are also the system owner, they MAY be responsible for them, but not always.
A. Business and functional managers - May have input to the controls required for their business needs/data, but since they are not the owners of the systems, they aren't responsible for ensuring they are in place.
B. IT security practitioners - May be responsible for auditing/verifying that the security controls are in place and may report on non-compliance and try to get others to fix them.
C. System and information owners - Since a system/information owner is ultimately responsible for the data in the system, they are the ones held responsible if the proper controls are not in place. By giving them this responsibility it gives them the power to direct people to fix the non-compliance.
D. Chief Information Officer - Now in some agencies this person is all of the above choices. In some agencies they are both D and C. But not always. The key to remember here is that just because a CIO is the system/information owner in one agency does not mean this is the correct answer for all agencies, which makes it not the correct choice. Here is another way to look at it:
What are the responsibilities around the CIA triad of each person?
A. Business and functional managers - Define the sensitivity of their data and the functional requirements of the data/system
B. IT security practitioners - Help define ways that controls can be put into place to protect the said requirements of an IT/Information system. Also responsible for auditing the controls to ensure compliance is met.
C. System and information owners - Ensuring that everything that has been agreed upon is being done to protect the system and data that THEY OWN (as a business process) or that they have been designated as the owner of. You need one person to be ultimately responsible for making decisions about the CIA controls. That is why you assign a system/information owner. That is also the person who will make risk based decisions for the system/information. They will not be the person doing the actual checking to ensure the proper CIA controls are in place, but they should have processes, procedures, and people in place to do that. If they fail to have the processes in place, they will be held responsible for the failure to ensure that the CIA controls were being properly applied.
D. Chief Information Officer - Responsible for keeping the IT systems running. That is their main job. System security controls around CIA may not be functioning well, but the IT systems can still be functioning. Most CIOs' priorities are #1 availability. It does no good to have a system with good integrity and confidentiality if no one can access it. Then #2 would be integrity. If they can't keep the data correct, what good is having confidentiality of bad data? Then #3 would be confidentiality.
I can see why you would want to argue for D. And in some places the CIO is the system owner, so you would be correct. However, the key word in the question is "responsible". You are focusing on the word "ensuring". At the end of the day the system/information owner is responsible for ensuring that the proper CIA controls were: #1 selected, #2 in place, #3 functioning as agreed upon. And if they are not, to have a plan for getting into compliance, or being able to direct someone to handle the non-compliance.
I guess I'll find out for sure next Tuesday (if I get a question like that). I love the discussion though!