cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Practice Questions

Right.

 

For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"

 

The answer is, none of them.

 

I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.

 

So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.

 

For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.

 

I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
322 Replies
kamalamalhotra
Newcomer III

if you ask me, you will never face this question in CISSP exam. however, from my perspective Management discretion determines the frequency of security audits.
tsiaterlis
Newcomer II

Appreciate the reply.

 

The "correct" answer given for this question was "Inherent Risk". 

While I really enjoy the brain work behind these practice questions, I'm beginning to wonder if they are a legitimate help to getting an idea about what to expect on the exam. 

Regards,

TS

Integrity doesn't only apply to data.
kamalamalhotra
Newcomer III

it is very poor worded question. Inherent risk means something that cannot be removed so we have accepted the risk however we cannot remediate. In real world, i build an automated defense system to make sure that this risk does not go above or below the parameter set. Frequent security audit should be held towards the ones which might evolve or something out of the blue. Again that is my two cents.

@tsiaterlis to answer your question. there is a lot of garbage questionnaire in the market. i would suggest not to go for those. if you completely read through this channel, you will get a lot of good questions triggered by Robert. i know he is MIA now. But this are very good questions. I would suggest you read through the material multiple number of times, that will help.
dcontesti
Community Champion

Sorry I believe this is a terrible question.  Not sure where you are getting them from but I probably would have picked C.

 

Inherent risk is typically the risk that exists in the absence of security controls.

Residual risk is the risk that remains after security controls have been implemented

Threat Landscape is typically something done to understand the risk that an organization is facing.

 

My thoughts only

 

d

 

kamalamalhotra
Newcomer III

@dcontesti, i agree with you completely. Management discretion is the right answer. terrible worded question.
tsiaterlis
Newcomer II

@dcontesti as far as this question's origin, I got it from a recent webinar of FI security professionals (whom were all certified) that were assisting those prepping for CISSP. 

I shared these two questions recently, because I got both of them "wrong" when they appeared to be correct to me. I've heard the CISSP makes you feel like that pretty often, so I posted them here to see if the wording was odd or if it was just me. 

 

I guess it really does boil down to @kamalamalhotra 's recent comment: "there is a lot of garbage questionnaire in the market."

 

I've recently invested in CISSP Sample Questions Fifth Edition by Shon Harris & Jonathan Ham. We'll see if these are equally soul crushing.

Regards,

TS

Integrity doesn't only apply to data.
kamalamalhotra
Newcomer III

The fact remains that the questions you go through, those never appear in the exam. There used to be a very good site cccure.com however it is now contaminated. 

tsiaterlis
Newcomer II

Oh, well aware. I've already been through ISC2 SSCP (and many other certifications from other organizations that I won't mention) From my experience,100% of security professionals I've spoken with about practice questions, realize they won't find exact questions. Rather it's more about attempting to get a feel for approach/style/scenario examples we may encounter. 

As we've seen just in this thread... there is plenty of debate, even with between CISSPs, on what constitutes a "good" question. 

Regards,

TS

Integrity doesn't only apply to data.
tsiaterlis
Newcomer II

Good day all-


I have one more for everyone that I got wrong and thought I got right. 

Which of the following is the most important step in protecting sensitive information?

a)labeling

b)storage

c)retention

d)sanitization

 

Apparently this was considered a rather "easy" one by the group. 

Regards,

TS

Integrity doesn't only apply to data.
dcontesti
Community Champion

So I would probably pick none of the above.

 

Based on the other questions presented, can we hazard a guess that they chose B....Making a wild guess they are saying that data should be stored encrypted.

 

A could also be correct, except if it is not labeled how do you know its sensitive.  Once data is labeled, there should be instructions (making an assumption they have a data classification policy).  That policy should articulate how data is handled, stored, how long it is retained, etc........

 

C - retention becomes a function of a combination of things such as Management's desires, regulations/laws covering specific information (I.e.; Medical data has to be kept for seven years or longer, financial records also need to be kept for seven years.

 

Overall a terrible question with with NO right answer.

 

D is definitely a throw away answer.

 

Actually the only answer that I feel is correct is Encryption but alas that is not there.

 

My 2 cents, I am sending this one to Rob to see what he thinks.

 

 

d