[ISN] REVIEW: "CISSP Practice Questions Exam Cram 2", Michael C. Gregg

InfoSec News isn at c4i.org
Wed Aug 24 05:44:10 EDT 2005

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade at sprint.ca>

BKCISPE2.RVW   20050614

"CISSP Practice Questions Exam Cram 2", Michael C. Gregg, 2005,
0-7897-3305-6, U$29.99/C$42.99/UK#21.99
%A   Michael C. Gregg
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2005
%G   0-7897-3305-6
%I   Macmillan Computer Publishing (MCP)
%O   U$29.99/C$42.99/UK#21.99 800-858-7674 info at mcp.com pr at mcp.com
%O  http://www.amazon.com/exec/obidos/ASIN/0789733056/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/0789733056/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   202 p. + CD-ROM
%T   "CISSP Practice Questions Exam Cram 2"

All CISSP (Certified Information Systems Security Professional)
candidates want sample questions to practice on before they write the
exam.  This set is not the worst I've seen (that would have been the
question volume of the "CISSP Examination Textbooks" [cf.
BKCISPET.RVW]), but it comes close.

As usual, the book is divided into chapters by the domains of the
CISSP CBK (Common Body of Knowledge).  The questions are on the
simplest level of the questioning taxonomy; fact based; rather than
occupying the analytical and critical thinking levels that most actual
CISSP exam questions represent.  (Krutz and Vines' "Advanced CISSP
Prep Guide: Exam Q & A" [cf. BKADCIPG.RVW] is as simplistic, but also
tends to veer off-topic.)  Wording on the questions is careless: a
question that asks about "effectiveness" probably really means
efficiency, otherwise the answer given is incorrect.  Gregg seems to
have decided and doctrinaire opinions, probably based on a quick
reading of one of the less accurate CISSP exam guides.  There is an
attempt to make many of these simplistic questions more "complex" by
creating scenarios: generally the scenarios have nothing to do with
the point of the question and are simply excess verbiage.  Major
concepts are left out: in access controls, for example, Gregg seems to
have no idea of the difference between access controls and overall
security control types, and there is nothing to address the major
topics of identification, authentication, authorization, and
accountability.  The telecommunications chapter has almost no
questions on basic data communications concepts.  (And Ethernet is
*not* synchronous communication: a frame can be transmitted at any
time.  I suspect Gregg thinks any block communication is synchronous,
and it's been a long time since that was true.)  Building construction
and layered defence issues are missing from physical security.  Lots
of stuff is missing from the cryptography section, and there is a
larger number of errors than in other domains.  Astoundingly, the
security management quiz has almost nothing on policy.  Investigations
are the primary concern in that domain, with very little relating to
law (or ethics).  Malware gets all of one question in application

The majority of answers given are not wrong as such: a qualified
security professional would probably get most of them right, albeit
with much head-scratching.  (In this, the book is similar to "The
Total CISSP Exam Prep Book" [cf. BKTCIEPB.RVW].)  However, this set of
questions would not provide a good basis for assessing your chances of
passing the CISSP exam.

copyright Robert M. Slade, 2005   BKCISPE2.RVW   20050614

======================  (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca      slade at victoria.tc.ca      rslade at sun.soci.niu.edu
 Book review menus:   http://victoria.tc.ca/techrev/mnbk.htm
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

More information about the ISN mailing list