Thank you so much for these!  Love the explanations of the CISSP mindset!

Which type of access control allows users to specify who can access their files?

a. Mandatory
b. Discretionary
c. Relational
d. Administrative

Answer: b.

 

(Reference: Gasser, Morrie, Building a Secure Computer System, New York: Nostrand Reinhold, 1988, pg 55)

 

Discussion:
Answer a - Mandatory access control bases access on the preset labels of the sensitivity of objects and the clearance of subjects.
Answer b - The user (or creator) of an object grants authorization to support discretionary access control.
Answer c - Relational is not a type of access control.
Answer d - Administrative is not a type of access control.

Remember: just because you don't know it doesn't make it the right answer.

Hello @rslade , serious question here (even though this may not sound like one). How are we supposed to recognize what "does exist" and "doesn't exist" in answer choices - when it seems many of the practice questions/answers in general, rather than using standard wording like we're used to seeing in our study materials, use words that appear to have been pulled out of a thesaurus?

 

You make mention that the references here (and I believe also the two sources used for content on the actual exam) don't come from "Study Guides", yet that is what we all have been using to study (such as Sybex/Wiley), and you go out of your way to use wording that doesn't appear in those books or any popular study material.

 

 

 

On another note, in the practice question right above this post, you have in the explanation:

 

" Administrative is not a type of access control."

 

Can you please explain this because everywhere I checked, it is a type of access control (Physical, Technical/Logical, Administrative/Directive, Preventative, Detective, Corrective, Deterrent, Recovery)

 

Thanks

 

> redacted (Viewer) edited a reply in Certifications on 03-10-2020 03:14 PM in the

>       On another note, in the practice question right above this post,
> you have in the explanation:   " Administrative is not a type of access
> control."   Can you please explain this because everywhere I checked, it is a
> type of access control (Physical, Technical/Logical, Administrative,
> Preventative, Detective, Corrective, Deterrent, Recovery)   Thanks  

Those are controls types, not access control types.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Always forgive your enemies; nothing annoys them so much.
- Oscar Wilde
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

> redacted (Viewer) mentioned you in a post! Join the conversation below:

 

> Hello @rslade , serious question here (even though this may not sound like one).
> How are we supposed to recognize what "does exist" and "doesn't exist" in answer
> selections

 

OK, as to the first part, well, the exam exists to determine whether you know something about security, and part of knowing about something is knowing what does and doesn't exist. Don't try to "game" the exam by assuming that if you don't know it, it must be the right answer.  Assume you do know about security, and answer on the basis of what you know.

 

> - when it seems many of the practice questions/answers in general,
> rather than using standard wording we're used to seeing in our study materials,
> appear to have been pulled out of a thesaurus?

 

As to wording, make sure you understand. If you understand, rather than simply having memorized a bunch of text, then you won't be thrown by a slightly altered (or modified, or edited, or amended, or ...) choice of words.

 

>   You make mention that the
> references here (and I believe also the two sources used for content on the
> actual exam) don't come from "Study Guides", yet that is what we all have been
> using to study (such as Sybex/Wiley), and you go out of your way to use wording
> that doesn't appear in those books or any popular study material.        

 

There are lots more sources for study. Look up some of the best at
http://victoria.tc.ca/int-grps/books/techrev/mnbksccd.htm
There are lots more at
http://victoria.tc.ca/int-grps/books/techrev/mnbksc.htm

 

You can't pass the exam with a "brain dump" from a study guide. *Any* study guide.

Q: When you're designing a security system for Internet-delivered email, which of the following is least important? - Nonrepudiation - Availability - Message Integrity - Access restriction

 

In my opinion, As the question asked for LEAST important, and also says, internet-delivered email.

Availability of Internet is not in our control. It depends on ISP. And the email goes off, once we get Internet.
Other three more important, which are in our control.

Correct me, if I'm wrong.

@rslade , thank you very much for your responses. This thread was a wake-up call.

 

I have a question about how you recommend we approach the exam questions. In doing practice tests I was experimenting with the technique of reading the answers FIRST (before even reading the question). I found it helped me get my head around each answer first before being possibly thrown off in the question itself.

 

However, after reading your sample questions here, I'm thinking now this might be a really bad idea. In the practice tests, the answers are all usually things that exist (even if they are distractors), but based on your examples it sounds like quite a few questions might have answers choices that aren't even a real thing in security...

 

Any advice on how to approach the questions? Should we stick with the traditional read the question first, then the answers then the question again and the answers again?

 

Thanks

 

> sai_murthy (Newcomer I) posted a new reply in Certifications on 03-12-2020 03:05

> In my opinion, As the question asked for LEAST important, and also says,
> internet-delivered email. Availability of Internet is not in our control. It
> depends on ISP. And the email goes off, once we get Internet. Other three more
> important, which are in our control. Correct me, if I'm wrong.

Something being important doesn't mean it is within our control. For business
continuity and disaster recovery, for example, a great many things are not within
our control, but they are important and we have to plan for them.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If the law is against you, argue the facts. If the facts are
against you, argue the law. If the law and the facts are against
you, raise your voice. - common advice to new lawyers
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

> redacted (Viewer II) mentioned you in a post! Join the conversation below:

> @rslade , thank you very much for your responses. This thread was a wake-up
> call.

Glad to be of service.

>   I have a question about how you recommend we approach the exam
> questions. In doing practice tests I was experimenting with the technique of
> reading the answers FIRST (before even reading the question). I found it helped
> me get my head around each answer first before being possibly thrown off in the
> question itself.

Ah. A very interesting approach, and I think it has a lot of merit.

>   However, after reading your sample questions here, I'm
> thinking now this might be a really bad idea. In the practice tests, the answers
> are all usually things that exist (even if they are distractors), but based on
> your examples it sounds like quite a few questions might have answers choices
> that aren't even a real thing in security...   Any advice on how to approach the
> questions? Should we stick with the traditional read the question first, then
> the answers then the question again and the answers again?   Thanks  

I don't want to give the idea that you will see made up distractors on every
question. I suspect you'll actually encounter very few. I just always found that a
number of candidates really got thrown by made up distractors, so I tend to push
that idea so people will remember it.

I still think your idea of reading the answers first does have merit. As you say, it
can get you thinking along the lines the question pursues. If you encounter a made
up distractor, in that case, it simply won't make sense, and reading the question
then should. I don't think it's likely that a made up distractor will throw you into
the completely wrong frame of mind.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Good people do not need laws to tell them to act responsibly,
while bad people will find a way around the laws. - Plato
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB