Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Influencer II

Practice Questions



For (and from) all the newbies out there who want help for studying, there have been numerous questions about, well, questions.  As in, "what's the best set of practice questions to use while studying for the exam?"


The answer is, none of them.


I have looked at an awful lot of practice question sets, and they are uniformly awful.  Most try to be "hard" by bringing in trivia: that is not representative of the exam.  Most concentrate on a bunch of facts: that is not representative of the exam.


So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam.  Note that none of these questions will appear on the exam.  You can't pass the CISSP exam by memorizing a brain dump.  These will just give you a feel.


For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.


I'll be doing this over time, "replying" to this post to add questions.  Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.


Other posts:

This message may or may not be governed by the terms of or
328 Replies
Influencer II

> scootoure (Viewer) mentioned you in a post! Join the conversation below:

>  This access controls concept is something that I am finding extremely
> confusing due to the mixed information across resources. Sybex Official Study
> Guide Edition 8, specifically separates Rule-Based Access control from
> Discretionary Access control (p.628) stating each is 1 of the 5 access control
> models.

OK, in this, at least, the Sybex Official Study Guide Edition 8 is dead wrong. Rule
Based Access Control (RBAC) and Role Based Access Control (again, possibly
confusingly, RBAC) are orthogonal to mandatory and discretionary access
control. Mandatory access control can be either rule or role based (or both), and
so can discretionary.

> However, the Desitination Certification video
> (
> i7gW&index=16) explicitly states that both Rule-Based and Role-Based Access
> Controls are Discretionary and mentions in the comments that everyone else that
> says otherwise is incorrect.

And the Desitination Certification video (and attendant comments) is (are) wrong.
Rule-Based Access Control simply uses rules to decide access. Role-Based Access
Control assigns and manages people and access on the basis of jobs. They aren't
mutually contradictory, as mandatory and discretionary access control are.

>   Can you provide insight into why your logic
> contradicts the Sybex official study guide.

Because Sybex is wrong.

> What should I follow?

Me. I'm an information scientist. I know everything 🙂

For example, I know that the original paper presenting role based access control
*assumed* that it would be used in mandatory access control systems, and only in
them. But there was no inherent reason for that, and, these days, we mostly use it
in discretionary access control systems (since there aren't that many mandatory
access control systems around).

"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm


Other posts:

This message may or may not be governed by the terms of or
Viewer III

Much appreciated @rslade !

Viewer II

Hey @rslade, thanks for your posts; they have been very helpful. Hoping to get your help with the question below from Sybex:

Identification is the first step toward what ultimate goal?
A. Accountability
B. Authorization
C. Auditing
D. Nonrepudiation

The answer is A. However I thought it would D, given 'ultimately' you want to tie the activity to a User (the UserID from Identification) and ensure they cannot deny they did the activity? Thanks.

Newcomer II

This is an easy one, you are just over thinking it. This has to do with the AAA, which is Authentication, Authorization and Accounting.

To achieve Authentication you need identification and some books explicitly bring up this fact; so the AAA looks more like IAAA.


Community Champion



I do not see this question being as straight forward as @alekos thinks.  A is not Authorization, it says Accountiability.


The stem asks the ultimate goal of Identification and the key is apparently A (as per @TheMax 's question).


IMHO, I believe A and D are similar but different.


Accountabiltiy: The subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is if the subject is uniquely identified and the subject’s actions are recorded.


Non-redudiation: Non-repudiation is the assurance that someone cannot deny the validity of something.


Both accountability and non-repudiation require a subject/someone to have an Identity or be identified.  Unfortunately, I have to agree that A is the most correct answer, however, I have several issues with this question. 


I have sent an external note to Rob for his opinion and if he replies, I will post his answer.




Viewer II

Thanks @dcontesti .

Newcomer II

Let me elaborate a little. Let’s say the AAA is a destination on a bus route with 3 stops:

1st stop Authentication
2nd stop Authorization
3rd stop Accountability

The first thing we need to do is get on the bus which is equivalent to Identity. The question asks what is the ultimate goal of identity, which can be translated to what is the last stop? The last stop is Accountability; not non repudiation.

Non repudiation is not a stop of its own but a place you walk to after you get off the bus. For example a user uses their fingerprint or digital signature to authenticate to the system which provides non repudiation. This would be a short walk off the Authentication stop.

Now, we might encounter non repudiation at the end of our bus route; but this still does not mean it’s the ultimate destination.

As an example, we have a user that is denying having logged on to the system and performing certain actions. We go ahead and perform an audit and confirm that the user authenticated with their username, password and fingerprint. Since the fingerprint was used to identify and authenticate the user cannot repudiate the login. In this case the identity was confirmed through diligent accounting of the users actions. Non repudiation occurred much earlier in the process and through accounting we went back and confirmed it.


Newcomer I



Another way of looking at this is to think "End Game, End Game, End Game". If the confusion is around Non-repudiation and Accountability in the context of the question, then you should ask yourself: "Is getting a person not deny his/her action (Non-repudiation) the ULTIMATE goal of identification?".


The very reason non-repudiation is implemented is that not only someone will not be able to deny her/his action, she/he will face the consequences of her/his action: Accountability. Why do think police and prosecutors collect so much evidences about someone accused of a crime? Is that for the alleged criminal to just not deny his/her actions? No, they want to make sure the person will ultimately go jail/prison (Accountability).


Do not over think the question. The key word use in the question is ultimate (End Game). If "Accountability" was not one of the answer choice, Non-repudiation would have been the answer.


This is how I look at it. 

Community Champion

So to break down the issues with the question:


1. Ultimately - grammar, word can mean different things to different people (especially as this is an international exam).  Typically for native English speakers, the word "Ultimately", means Eventually or in due course.  In due course B could be right as well as well as C and D.


2. AAA - in most sources the last A is typically ACCOUNTING, not accountability.


3. Option C is Audit,  part of accounting. A number of references refer to Accounting (accountability) and audit being one and the same.  So C could also be correct.


So my issue with the question is that A, B and C could also be potentially correct as well as (a distant cousin) D.


And to answer @ndouzounasesse the question is BAD as there are potentially three correct answers.


In this instance, I believe the author was going for A but as I stated, the question is poor.










Newcomer II

FYI Accountability and Accounting are interchangeable terms in the AAA and CISSP candidates should know this fact.

“Ultimately” for CISSPs means where the “buck stops”. We are not here trying to find the root meaning of the word which is originally Latin.

If this question has you all “blown up” I don’t see how you would ever pass the real exam. Simple question, clear answer, with the the detractor being non repudiation.