CISA / CISM Exam Preparation Tip #2 -- Read the Question Carefully


As noted in Tip #1, the wording of exam questions can be challenging in itself. Here’s a paraphrase of one of my favourite examples:

Which of the following should be a concern to an IS auditor reviewing a wireless network?

A. Wi-Fi Protected Access (WPA) encryption is enabled.

B. SSID (Service Set IDentifier) broadcasting is enabled.

C. Anti-malware software is running on all wireless clients.

D. MAC (Media Access Control) access control filtering is used on all wireless access points.

Now, when reading that quickly, one might see a list of important security features an IS auditor would typically look for when reviewing an organization’s wireless networking infrastructure. And of those security features, WPA is arguably the most effective, and therefore the most important. So the temptation might be to choose answer “A”.

But of course that's wrong. The correct answer is “B”. Why? Because of the way the question is worded.

The question asks “which of the following should be a concern...” Would an auditor be concerned that WPA is enabled? No, but they’d certainly be concerned if it were not enabled. Similarly, answers “C” and “D” are both good security practices, and would make the auditor happy, not concerned.

The only item of concern is broadcasting SSIDs. While suppressing SSIDs isn’t crucial to security (in my own opinion), of the choices presented it’s the only item of concern.

If you chose “B”, it probably shows you are getting the feel of exam question syntax and semantics.  Well done!

But if you’re like me, and repeatedly get tricked by the wording, only to curse when you see the logic of the correct answer, keep practising; you’ll get it.

And keep telling yourself to read the question carefully!

This example WLAN security question and the "right" answer above just illustrate how superficial the level of expertise being tested in CISA/CISM exams is.

Have a read of the wireless security resources below and you'll find that the IS auditor concerned would look pretty ignorant if they raised this with an informed wireless network engineer in the real world.

I know because I was such an IS auditor a long time ago and went round this loop, and ended up reading the conflicting guidance out there. This is one of the few times I have agreed with Microsoft on a networking subject.

One of the wisest pieces of advice I got out of the local ISACA chapter revision courses was: forget anything you've learnt in the real world.

Just assess the question and answers as written in the test, in black and white, adding whatever the Review Manual opines, however ill-informed, superficial or out of date the underlying "knowledge" being tested might be.

Not that creating these questions is easy, so stuff like this ends up in the exams.

Bottom line:

1) Do what you have to do to pass the exam.
2) If you pass these exams, don't start thinking you know it all. Research a subject beyond the Review Manual level in your job when you need to make judgements.
3) If you hire people, look beyond their certificates for real-world experience and knowledge. Passing multiple-choice exams covering very broad fields of knowledge is not that difficult.

