Right.
For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
Hey @rslade, thanks for your posts; they have been very helpful. Hoping to get your help with the question below from Sybex:
Identification is the first step toward what ultimate goal?
A. Accountability
B. Authorization
C. Auditing
D. Nonrepudiation
The answer is A. However, I thought it would be D, given 'ultimately' you want to tie the activity to a User (the UserID from Identification) and ensure they cannot deny they did the activity? Thanks.
I do not see this question being as straightforward as @alekos thinks. A is not Authorization, it says Accountability.
The stem asks the ultimate goal of Identification and the key is apparently A (as per @TheMax's question).
IMHO, I believe A and D are similar but different.
Accountability: The subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is if the subject is uniquely identified and the subject's actions are recorded.
Non-repudiation: Non-repudiation is the assurance that someone cannot deny the validity of something.
Both accountability and non-repudiation require a subject/someone to have an Identity or be identified. Unfortunately, I have to agree that A is the most correct answer, however, I have several issues with this question.
I have sent an external note to Rob for his opinion and if he replies, I will post his answer.
d
Another way of looking at this is to think "End Game, End Game, End Game". If the confusion is around Non-repudiation and Accountability in the context of the question, then you should ask yourself: "Is getting a person to not deny his/her action (Non-repudiation) the ULTIMATE goal of identification?".
The very reason non-repudiation is implemented is that not only will someone be unable to deny her/his action, she/he will face the consequences of her/his action: Accountability. Why do you think police and prosecutors collect so much evidence about someone accused of a crime? Is that for the alleged criminal to just not deny his/her actions? No, they want to make sure the person will ultimately go to jail/prison (Accountability).
Do not overthink the question. The key word used in the question is ultimate (End Game). If "Accountability" was not one of the answer choices, Non-repudiation would have been the answer.
This is how I look at it.
So to break down the issues with the question:
1. Ultimately - grammar; the word can mean different things to different people (especially as this is an international exam). Typically for native English speakers, the word "Ultimately" means Eventually or in due course. In due course B could be right, as well as C and D.
2. AAA - in most sources the last A is typically ACCOUNTING, not accountability.
3. Option C is Audit, part of accounting. A number of references refer to Accounting (accountability) and audit being one and the same. So C could also be correct.
So my issue with the question is that A, B and C could also be potentially correct as well as (a distant cousin) D.
And to answer @ndouzounasesse the question is BAD as there are potentially three correct answers.
In this instance, I believe the author was going for A but as I stated, the question is poor.