For (and from) all the newbies out there who want help with studying, there have been numerous questions about, well, questions. As in, "what's the best set of practice questions to use while studying for the exam?"
The answer is, none of them.
I have looked at an awful lot of practice question sets, and they are uniformly awful. Most try to be "hard" by bringing in trivia: that is not representative of the exam. Most concentrate on a bunch of facts: that is not representative of the exam.
So, from my own stash, collected and developed over the decades, I'm going to give you some samples that do represent the types of questions that you will probably see on the exam. Note that none of these questions will appear on the exam. You can't pass the CISSP exam by memorizing a brain dump. These will just give you a feel.
For each question I'll give the answer, what type of question this represents, and possibly ways to approach this type of question.
I'll be doing this over time, "replying" to this post to add questions. Others are free to add sample questions if they wish, but be ready to be (possibly severely) critiqued.
Pull yourself away from the mindset that "a normal user" has to be an employee of the company. Anyone visiting a company's public facing web site to make a purchase, search for information, or watch a streaming video is a "normal user." These people would not have any inside information about the system itself, but they (may) have their own accounts and privileges, even if that account is "Guest" and the privileges are None or Temporary.
Is the TCSEC information in the study guide still tested at all, or is it just for historical information? I came up when the Orange Book was still pretty much the DoD security bible. Even though Common Criteria has long since replaced it, I've seen a lot of TCSEC questions in official and third-party practice questions.
Date sent: Tue, 05 Jan 2021 03:14:45 +0000 (UTC)
From: ISC² Community <firstname.lastname@example.org>
> Startzc (Newcomer II) posted a new reply in Exams on 01-04-2021 10:14 PM
> Is the TCSEC information in the study guide still tested at all or is it just
> for historical information. I came up when the Orange Book was still pretty much
> the DoD security bible. Even though Common Criteria has long since replaced it
1) You will, occasionally, see historical stuff in the exam. (I remember one question on the exam I took, back in the paper-based days, and thinking that, besides myself, nobody else in the room was likely to have actually used that technology. Even then I was an "old timer.") There aren't likely to be many, so don't expend too much time cramming for them, but you will probably see them.
2) Look for the fundamentals in the historical materials. For example, TCSEC was largely based on Bell-LaPadula, and was therefore exclusively concerned with confidentiality. So a major, and foundational, difference between TCSEC and ITSEC was the addition of concern about integrity. (The Common Criteria is, like most of the more recent frameworks, primarily concerned with documentation. It is perfectly possible to do a Common Criteria compliant system or device that essentially says "we don't care about security, and you can trust that statement as long as we didn't lie to you" as long as you document it properly.)
> I've seen a lot of TCSEC questions in official and 3rd party practice questions.
Yeah. Pretty much all practice question sets are a) grabbed from someone else, b) cribbed out of old trivia that the collector didn't know and so figured nobody else did, and c) "just the facts, ma'am." (None of which accurately represents the actual exam.) (See the opening post of this topic.)