The author sincerely believes that the more questions you practice, the better prepared you are to take the CISSP Exam with greater confidence, because the real exam includes 250 questions. The total of 2,250 questions represents nine times the number of questions tested on the exam, thus providing great value to the CISSP Exam candidate. This value comes in the form of increasing the candidate's chances of passing the CISSP Exam.
Because ISC2 did not publish the percentage-weights for ten domains, the author has assigned the following percentage-weights for each domain (for example, Domain 1 = 15%) based on what he thinks is important to the CISSP Exam candidate. These assigned weights are based on the author’s assumption that all the ten domains cannot receive equal weight in the exam due to the differences in relative importance of these domains. These weights are assigned as a systematic way to distribute the 2,250 questions among the ten domains, as follows:
Domain 1: Access Control (15%)
Domain 2: Telecommunications and Network Security (15%)
Domain 3: Information Security Governance and Risk Management (10%)
Domain 4: Software Development Security (10%)
Domain 5: Cryptography (10%)
Domain 6: Security Architecture and Design (10%)
Domain 7: Security Operations (10%)
Domain 8: Business Continuity and Disaster Recovery Planning (5%)
Domain 9: Legal, Regulations, Investigations, and Compliance (10%)
Domain 10: Physical and Environmental Security (5%)
The following table presents the number of traditional questions and scenario questions for each of the ten domains.

Domain    Traditional Questions    Scenario Questions
1         338 (2,250 x 15%)        9
2         338                      7
3         225                      9
4         225                      11
5         225                      7
6         225                      12
7         225                      8
8         112                      7
9         225                      5
10        112                      7
Totals    2,250                    82
The real CISSP Exam consists of 250 M/C questions with four choices of a., b., c., and d. for each question. In addition to the mostly traditional questions, there can be some scenario-based questions. Regardless of the type of question on the exam, there is only one correct answer (choice). You must complete the entire CISSP Exam in one six-hour session. The scope of the CISSP Exam consists of the subject matter covered in the ten domains of this book, which is in accordance with the description of the CISSP Exam (content specifications) as defined in the ISC2’s “CISSP Candidate Information Bulletin” with an effective date of January 1, 2012. Note that these practice questions are also good for the CISSP Exam with an effective date of January 1, 2009, because we accommodated both effective dates (January 2009 and January 2012) due to their minor differences in the content specifications.
With no bias intended and for the sake of simplicity, the pronoun “he” has been used throughout the book rather than “he/she” or “she.”
—S. Rao Vallabhaneni
Chicago, Illinois
August 2011
How to Study for the CISSP Exam
To study for the CISSP Exam, follow these guidelines:
Read the official description of the CISSP Exam at the end of this section.
Read the glossary terms and acronyms found in Appendixes A and B at the back of this book to become familiar with the technical terms and acronyms.
Take the sample practice tests for each of the ten domains.
If you score less than 75 percent for each domain, study the glossary terms again until you master the subject matter or score higher than 75 percent.
Complete the scenario-based practice questions to integrate your learning and thought processes.
The types of questions a candidate can expect to see on the CISSP Exam are mostly objective and traditional multiple-choice questions and some scenario-based multiple-choice questions with only one choice as the correct answer. Answering these multiple-choice questions requires a significant amount of practice and effort.
The following tips and techniques are helpful for answering the multiple-choice questions:
Stay with your first impression of the correct choice.
Know the subject area or topic. Don’t read too much into the question.
Remember that all questions are independent of specific countries, products, practices, vendors, hardware, software, or industries.
Read the last sentence of the question first, followed by all the choices; then read the body of the question. Underline or circle the key words.
Read the question twice (or read the underlined or circled key words twice) and watch for tip-off words such as not, except, all, every, always, never, least, or most that denote absolute conditions.
Don’t project the question into your own organizational environment, practices, policies, procedures, standards, and guidelines.
Try to eliminate wrong choices quickly by striking or drawing a line through the choices or by using other ways convenient to you.
When you are left with two probable choices after the process of elimination, take a big picture approach. For example, if choices a. and d. remain and choice d. could be a part of choice a., then select choice a. However, if choice d. could be a more complete answer, then select choice d.
Don’t spend too much time on one question. If you are not sure of an answer, move on and come back to it if time permits. The last resort is to guess the answer. There is no penalty for guessing a wrong answer.
Transfer all questions to the answer sheet either after each question is answered individually or in small groups of 10 or 15 questions. Allocate sufficient time for this task because it is important. Mark the right answer in the correct circle on the answer sheet.
Remember that success on the exam depends on your education and experience, time-management skills, preparation effort and time, memory recall of the subject matter, state of mind, and decision-making skills.
Description of the CISSP Examination
The following is the official description of the Certified Information Systems Security Professional (CISSP) Examination content specifications as defined in the ISC2’s “CISSP Candidate Information Bulletin” with an effective date of January 1, 2012. The scope of the CISSP Exam consists of the following subject matter (content specifications) covered in the ten domains.
DOMAIN 1: ACCESS CONTROL
Overview
The Access Control domain covers any mechanism by which a system grants or revokes the right to access data or perform some action. The access control mechanism controls the various operations a user may or may not perform.
Access control systems include
File permissions such as create, read, edit, or delete on a file server
Program permissions such as the right to execute a program on an application server
Data rights such as the right to retrieve or update information in a database
The candidate should fully understand access control concepts, methodologies, and implementation within centralized and decentralized environments across the enterprise’s computer systems. Access control techniques and detective and corrective measures should be studied to understand the potential risks, vulnerabilities, and exposures.
Key Areas of Knowledge
Control access by applying the following concepts/methodologies/techniques.
1. Policies
2. Types of controls such as preventive, detective, and corrective
3. Techniques such as nondiscretionary, discretionary, and mandatory