CISSP (Chapter 2 - Information Security Governance and Risk Management) Flashcards by Ben Troglia

Who has the primary responsibility of determining the classification level for information?

A. The functional manager
B. Senior management
C. The owner
D. The user

C. A company can have one specific data owner or different data owners who have been delegated the responsibility of protecting specific sets of data. One of the responsibilities that goes into protecting this information is properly classifying it.

How well did you know this?

Not at all

Perfectly

If different user groups with different security access levels need to access the same information, which of the following actions should management take?

A. Decrease the security level on the information to ensure accessibility and usability of the information.
B. Require specific written approval each time an individual needs to access the information.
C. Increase the security controls on the information.
D. Decrease the classification label on the information.

C. If data is going to be available to a wide range of people, more granular security should be implemented to ensure that only the necessary people access
Chapter 2: Information Security Governance and Risk Management
151
the data and that the operations they carry out are controlled. The security implemented can come in the form of authentication and authorization technologies, encryption, and specific access control mechanisms.

How well did you know this?

Not at all

Perfectly

What should management consider the most when classifying data?

A. The type of employees, contractors, and customers who will be accessing the data
B. Availability, integrity, and confidentiality
C. Assessing the risk level and disabling countermeasures
D. The access controls that will be protecting the data

B. The best answer to this question is B, because to properly classify data, the data owner must evaluate the availability, integrity, and confidentiality requirements of the data. Once this evaluation is done, it will dictate which employees, contractors, and users can access the data, which is expressed in answer A. This assessment will also help determine the controls that should be put into place.

How well did you know this?

Not at all

Perfectly

Who is ultimately responsible for making sure data is classified and protected?

A. Data owners
B. Users
C. Administrators
D. Management

D. The key to this question is the use of the word “ultimately.” Though management can delegate tasks to others, it is ultimately responsible for everything that takes place within a company. Therefore, it must continually ensure that data and resources are being properly protected.

How well did you know this?

Not at all

Perfectly

Which factor is the most important item when it comes to ensuring security is successful in an organization?

A. Senior management support
B. Effective controls and implementation methods
C. Updated and relevant security policies and procedures
D. Security awareness by all employees

A. Without senior management’s support, a security program will not receive the necessary attention, funds, resources, and enforcement capabilities.

How well did you know this?

Not at all

Perfectly

When is it acceptable to not take action on an identified risk?

A. Never. Good security addresses and reduces all risks.
B. When political issues prevent this type of risk from being addressed.
C. When the necessary countermeasure is complex.
D. When the cost of the countermeasure outweighs the value of the asset and potential loss.

D. Companies may decide to live with specific risks they are faced with if the cost of trying to protect themselves would be greater than the potential loss if the threat were to become real. Countermeasures are usually complex to a degree, and there are almost always political issues surrounding different risks, but these are not reasons to not implement a countermeasure.

How well did you know this?

Not at all

Perfectly

Which is the most valuable technique when determining if a specific security control should be implemented?

A. Risk analysis
B. Cost/benefit analysis
C. ALE results
D. Identifying the vulnerabilities and threats causing the risk

B. Although the other answers may seem correct, B is the best answer here. This is because a risk analysis is performed to identify risks and come up with suggested countermeasures. The ALE tells the company how much it could lose if a specific threat became real. The ALE value will go into the cost/benefit analysis, but the ALE does not address the cost of the countermeasure and the benefit of a countermeasure. All the data captured in answers A, C, and D are inserted into a cost/benefit analysis.

How well did you know this?

Not at all

Perfectly

Which best describes the purpose of the ALE calculation?

A. Quantifies the security level of the environment
B. Estimates the loss possible for a countermeasure
C. Quantifies the cost/benefit result
D. Estimates the loss potential of a threat in a span of a year

D. The ALE calculation estimates the potential loss that can affect one asset from a specific threat within a one-year time span. This value is used to figure out the amount of money that should be earmarked to protect this asset from this threat.

How well did you know this?

Not at all

Perfectly

The security functionality defines the expected activities of a security mechanism, and assurance defines which of the following?

A. The controls the security mechanism will enforce
B. The data classification after the security mechanism has been implemented
C. The confidence of the security the mechanism is providing
D. The cost/benefit relationship

C. The functionality describes how a mechanism will work and behave. This may have nothing to do with the actual protection it provides. Assurance is the level of confidence in the protection level a mechanism will provide. When systems and mechanisms are evaluated, their functionality and assurance should be examined and tested individually.

How well did you know this?

Not at all

Perfectly

How do you calculate residual risk?

A. Threats × risks × asset value
B. (Threats × asset value × vulnerability) × risks
C. SLE × frequency = ALE
D. (Threats × vulnerability × asset value) × controls gap

D. The equation is more conceptual than practical. It is hard to assign a number to an individual vulnerability or threat. This equation enables you to look at the potential loss of a specific asset, as well as the controls gap (what the specific countermeasure cannot protect against). What remains is the residual risk, which is what is left over after a countermeasure is implemented

How well did you know this?

Not at all

Perfectly

Why should the team that will perform and review the risk analysis information be made up of people in different departments?

A. To make sure the process is fair and that no one is left out.
B. It shouldn’t. It should be a small group brought in from outside the organization because otherwise the analysis is biased and unusable.
C. Because people in different departments understand the risks of their department. Thus, it ensures the data going into the analysis is as close to reality as possible.
D. Because the people in the different departments are the ones causing the risks, so they should be the ones held accountable.

C. An analysis is only as good as the data that go into it. Data pertaining to risks the company faces should be extracted from the people who understand best the business functions and environment of the company. Each department understands its own threats and resources, and may have possible solutions to specific threats that affect its part of the company.

How well did you know this?

Not at all

Perfectly

Which best describes a quantitative risk analysis?

A. A scenario-based analysis to research different security threats
B. A method used to apply severity levels to potential loss, probability of loss, and risks
C. A method that assigns monetary values to components in the risk assessment
D. A method that is based on gut feelings and opinions

C. A quantitative risk analysis assigns monetary values and percentages to the different components within the assessment. A qualitative analysis uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures.

How well did you know this?

Not at all

Perfectly

Why is a truly quantitative risk analysis not possible to achieve?

A. It is possible, which is why it is used.
B. It assigns severity levels. Thus, it is hard to translate into monetary values.
C. It is dealing with purely quantitative elements.
D. Quantitative measures must be applied to qualitative elements.

D. During a risk analysis, the team is trying to properly predict the future and all the risks that future may bring. It is somewhat of a subjective exercise and requires educated guessing. It is very hard to properly predict that a flood will take place once in ten years and cost a company up to $40,000 in damages, but this is what a quantitative analysis tries to accomplish.

How well did you know this?

Not at all

Perfectly

What is CobiT and where does it fit into the development of information security systems and security programs?

A. Lists of standards, procedures, and policies for security program development
B. Current version of ISO 17799
C. A framework that was developed to deter organizational internal fraud
D. Open standards for control objectives

D. The Control Objectives for Information and related Technology (CobiT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs.

How well did you know this?

Not at all

Perfectly

What are the four domains that make up CobiT?

A. Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
B. Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate
C. Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate
D. Acquire and Implement, Deliver and Support, and Monitor and Evaluate

A. CobiT has four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Each category drills down into subcategories. For example, Acquire and Implement contains the following subcategories:
• Acquire and Maintain Application Software
• Acquire and Maintain Technology Infrastructure
• Develop and Maintain Procedures
• Install and Accredit Systems
• Manage Changes

How well did you know this?

Not at all

Perfectly

What is the ISO/IEC 27799 standard?

A. A standard on how to protect personal health information
B. The new version of BS 17799
C. Definitions for the new ISO 27000 series
D. The new version of NIST 800-60

A. It is referred to as the health informatics, and its purpose is to provide guidance to health organizations and other holders of personal health information on how to protect such information via implementation
of ISO/IEC 27002.

CobiT was developed from the COSO framework. What are COSO’s main objectives and purpose?

A. COSO is a risk management approach that pertains to control objectives and IT business processes.
B. Prevention of a corporate environment that allows for and promotes financial fraud.
Chapter 2: Information Security Governance and Risk Management
145
C. COSO addresses corporate culture and policy development.
D. COSO is risk management system used for the protection of federal systems.

B. COSO deals more at the strategic level, while CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. Its main purpose is to help ensure

OCTAVE, NIST 800-30, and AS/NZS 4360 are different approaches to carrying out risk management within companies and organizations. What are the differences between these methods?

A. NIST 800-30 and OCTAVE are corporate based, while AS/NZS is international.
B. NIST 800-30 is IT based, while OCTAVE and AS/NZS 4360 are corporate based.
C. AS/NZS is IT based, and OCTAVE and NIST 800-30 are assurance based.
D. NIST 800-30 and AS/NZS are corporate based, while OCTAVE is international.

B. NIST 800-30 Risk Management Guide for Information Technology Systems is a U.S. federal standard that is focused on IT risks. OCTAVE is a methodology to set up a risk management program within an organizational structure. AS/NZS 4360 takes a much broader approach to risk management. This methodology can be used to understand a company’s financial, capital, human safety, and business decisions risks. Although it can be used to analyze security risks, it was not created specifically for this purpose.

A server that houses sensitive data has been stored in an unlocked room for the last few years at Company A. The door to the room has a sign on the door that reads “Room 1.” This sign was placed on the door with the hope that people would not look for important servers in this room. Realizing this is not optimum security, the company has decided to install a reinforced lock and server cage for the server and remove the sign. They have also hardened the server’s configuration and employed strict operating system access controls.

The fact that the server has been in an unlocked room marked “Room 1” for the last few years means the company was practicing which of the following?

A. Logical security
B. Risk management
C. Risk transference
D. Security through obscurity

D. Security through obscurity is not implementing true security controls, but rather attempting to hide the fact that an asset is vulnerable in the hope that an attacker will not notice. Security through obscurity is an approach to try and fool a potential attacker, which is a poor way of practicing security. Vulnerabilities should be identified and fixed, not hidden.

The new reinforced lock and cage serve as which of the following?

A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls

B. Physical controls are security mechanisms in the physical world, as in locks, fences, doors, computer cages, etc. There are three main control types, which are administrative, technical, and physical.

The operating system access controls comprise which of the following?

A. Logical controls
B. Physical controls
C. Administrative controls
D. Compensating controls

A. Logical (or technical) controls are security mechanisms, as in firewalls, encryption, software permissions, and authentication devices. They are commonly used in tandem with physical and administrative controls to provide a defense-in-depth approach to security.

A company has an e-commerce website that carries out 60 percent of its annual revenue. Under the current circumstances, the annualized loss expectancy for a website against the threat of attack is $92,000. After implementing a new application-layer firewall, the new annualized loss expectancy would be $30,000. The firewall costs $65,000 per year to implement and maintain.

How much does the firewall save the company in loss expenses?

A. $62,000
B. $3,000
C. $65,000
D. $30,000

A. $62,000 is the correct answer. The firewall reduced the annualized loss expectancy (ALE) from $92,000 to $30,000 for a savings of $62,000. The formula for ALE is single loss expectancy × annualized rate of occurrence
= ALE. Subtracting the ALE value after the firewall is implemented from the value before it was implemented results in the potential loss savings this type of control provides.

What is the value of the firewall to the company?

A. $62,000
B. $3,000
C. –$62,000
D. –$3,000

D. –$3,000 is the correct answer. The firewall saves $62,000, but costs $65,000 per year. 62,000 – 65,000 = –3,000. The firewall actually costs the company more than the original expected loss, and thus the value to the company is a negative number. The formula for this calculation is (ALE before the control is implemented) – (ALE after the control is implemented) – (annual cost of control) = value of control.

Which of the following describes the company’s approach to risk management?

A. Risk transference
B. Risk avoidance
C. Risk acceptance
D. Risk mitigation

D. Risk mitigation involves employing controls in an attempt to reduce the either the likelihood or damage associated with an incident, or both. The four ways of dealing with risk are accept, avoid, transfer, and mitigate (reduce). A firewall is a countermeasure installed to reduce the risk of a threat.

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place. What is the Single Loss Expectancy (SLE) for the facility suffering from a fire? A. $80,000 B. $480,000 C. $320,000 D. 60%

B. $480,000 is the correct answer. The formula for single loss expectancy (SLE) is asset value × exposure factor (EF) = SLE. In this situation the formula would work out as asset value ($800,000) × exposure factor (60%) = $480,000. This means that the company has a potential loss value of $480,000 pertaining to this one asset (facility) and this one threat type (fire

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place. What is the Annualized Rate of Occurrence (ARO)? A. 1 B. 10 C. .1 D. .01

C. The annualized rate occurrence (ARO) is the frequency that a threat will most likely occur within a 12-month period. It is a value used in the ALE formula, which is SLE × ARO = ALE.

A small remote office for a company is valued at $800,000. It is estimated, based on historical data, that a fire is likely to occur once every ten years at a facility in this area. It is estimated that such a fire would destroy 60 percent of the facility under the current circumstances and with the current detective and preventative controls in place. What is the Annualized Loss Expectancy (ALE)? A. $480,000 B. $32,000 C. $48,000 D. .6

C. $48,000 is the correct answer. The annualized loss expectancy formula (SLE × ARO = ALE) is used to calculate the loss potential for one asset experiencing one threat in a 12-month period. The resulting ALE value helps to determine the amount that can be reasonably be spent in the protection of that asset. In this situation, the company should not spend over $48,000 on protecting this asset from the threat of fire. ALE values help organizations rank the severity level of the risks they face so they know which ones to deal with first and how much to spend on each.

The international standards bodies ISO and IEC developed a series of standards that are used in organizations around the world to implement and maintain information security management systems. The standards were derived from the British Standard 7799, which was broken down into two main pieces. Organizations can use this series of standards as guidelines, but can also be certified against them by accredited third parties. Which of the following are incorrect mappings pertaining to the individual standards that make up the ISO/IEC 27000 series? i. ISO/IEC 27001 outlines ISMS implementation guidelines, and ISO/IEC 27003 outlines the ISMS program’s requirements. ii. ISO/IEC 27005 outlines the audit and certification guidance, and ISO/IEC 27002 outlines the metrics framework. iii. ISO/IEC 27006 outlines the program implementation guidelines, and ISO/IEC 27005 outlines risk management guidelines. iv. ISO/IEC 27001 outlines the code of practice, and ISO/IEC 27004 outlines the implementation framework. A. i, iii B. i, ii C. ii, iii, iv D. i, ii, iii, iv

D. Unfortunately, you will run into questions on the CISSP exam that will be this confusing, so you need to be ready for them. The proper mapping for the ISO/IEC standards are as follows: • ISO/IEC 27001 ISMS requirements • ISO/IEC 27002 Code of practice for information security management • ISO/IEC 27003 Guideline for ISMS implementation • ISO/IEC 27004 Guideline for information security management measurement and metrics framework • ISO/IEC 27005 Guideline for information security risk management • ISO/IEC 27006 Guidance for bodies providing audit and certification of information security management systems

The information security industry is made up of various best practices, standards, models, and frameworks. Some were not developed first with security in mind, but can be integrated into an organizational security program to help in its effectiveness and efficiency. It is important to know of all of these different approaches so that an organization can choose the ones that best fit its business needs and culture. Which of the following best describes the approach(es) that should be put into place if an organization wants to integrate a way to improve its security processes over a period of time? i. Information Technology Infrastructure Library should be integrated because it allows for the mapping of IT service process management, business drivers, and security improvement. ii. Six Sigma should be integrated because it allows for the defects of security processes to be identified and improved upon. iii. Capability Maturity Model should be integrated because it provides distinct maturity levels. CISSP All-in-One Exam Guide 148 iv. The Open Group Architecture Framework should be integrated because it provides a structure for process improvement. A. i, iii B. ii, iii, iv C. ii, iii D. ii, iv

C. The best process improvement approaches provided in this list are Six Sigma and the Capability Maturity Model. The following outlines the definitions for all items in this question: • TOGAF Model and methodology for the development of enterprise architectures developed by The Open Group • ITIL Processes to allow for IT service management developed by the United Kingdom’s Office of Government Commerce • Six Sigma Business management strategy that can be used to carry out process improvement • Capability Maturity Model Integration (CMMI) Organizational development for process improvement developed by Carnegie Mellon

C. Mandatory vacation is an administrative detective control that allows for an organization to investigate an employee’s daily business activities to uncover any potential fraud that may be taking place. The employee should be forced to be away from the organization for a two-week period and another person put into that role. The idea is that the person who was rotated into that position may be able to detect suspicious activities

A. Separation of duties is an administrative control that is put into place to ensure that one person cannot carry out a critical task by himself. If a person were able to carry out a critical task alone, this could put the organization at risk. Collusion is when two or more people come together to carry out fraud. So if a task was split between two people, they would have to carry out collusion (working together) to complete that one task and carry out fraud.

Todd is a new security manager and has the responsibility of implementing personnel security controls within the financial institution where he works. Todd knows that many employees do not fully understand how their actions can put the institution at risk; thus, an awareness program needs to be developed. He has determined that the bank tellers need to get a supervisory override when customers have checks over $3,500 that need to be cashed. He has also uncovered that some employees have stayed in their specific positions within the company for over three years. Todd would like to be able to investigate some of the bank’s personnel activities to see if any fraudulent activities have taken place. Todd is already ensuring that two people must use separate keys at the same time to open the bank vault. Todd wants to be able to prevent fraud from taking place, but he knows that some people may get around the types of controls he puts into place. In those situations he wants to be able to identify when an employee is doing something suspicious. Which of the following incorrectly describes what Todd is implementing in this scenario and what those specific controls provide? A. Separation of duties by ensuring that a supervisor must approve the cashing of a check over $3,500. This is an administrative control that provides preventative protection for Todd’s organization. B. Rotation of duties by ensuring that one employee only stays in one position for up to three months of a time. This is an administrative control that provides detective capabilities. C. Security awareness training, which is a preventive administrative control that can also emphasize enforcement. D. Dual control, which is an administrative detective control that can ensure that two employees must carry out a task simultaneously.

D. Dual control is an administrative preventative control. It ensures that two people must carry out a task at the same time, as in two people having separate keys when opening the vault. It is not a detective control. Notice that the question asks what Todd is not doing. Remember that on the exam you need to choose the best answer. In many situations you will not like the question or the corresponding answers on the CISSP exam, so prepare yourself. The questions can be tricky, which is one reason why the exam itself is so difficult.

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data. Which of the following best describes what Sam should address first in this situation? A. Integrate data protection roles and responsibilities within the security awareness training and require everyone to attend it within the next 15 days. B. Review the current classification policies to ensure that they properly address the company’s risks. C. Meet with senior management and get permission to enforce data owner tasks for each business unit manager. D. Audit all of the current data protection controls in place to get a firm understanding of what vulnerabilities reside in the environment.

B. While each answer is a good thing for Sam to carry out, the first thing that needs to be done is to ensure that the policies properly address data classification and protection requirements for the company. Policies provide direction, and all other documents (standards, procedures, guidelines) and security controls are derived from the policies and support them.

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data. Sam needs to get senior management to assign the responsibility of protecting specific data sets to the individual business unit managers, thus making them data owners. Which of the following would be the most important in the criteria the managers would follow in the process of actually classifying data once this responsibility has been assigned to them? A. Usefulness of the data B. Age of the data C. Value of the data D. Compliance requirements of the data

C. Data is one of the most critical assets to any organization. The value of the asset must be understood so that the organization knows which assets require the most protection. There are many components that go into calculating the value of an asset: cost of replacement, revenue generated from asset, amount adversaries would pay for the asset, cost that went into the development of the asset, productivity costs if asset was absent or destroyed, and liability costs of not properly protecting the asset. So the data owners need to be able to determine the value of the data to the organization for proper classification purposes.

Sam has just been hired as the new security officer for a pharmaceutical company. The company has experienced many data breaches and has charged Sam with ensuring that the company is better protected. The company currently has the following classifications in place: public, confidential, and secret. There is a data classification policy that outlines the classification scheme and the definitions for each classification, but there is no supporting documentation that the technical staff can follow to know how to meet these goals. The company has no data loss prevention controls in place and only conducts basic security awareness training once a year. Talking to the business unit managers, he finds out that only half of them even know where the company’s policies are located and none of them know their responsibilities pertaining to classifying data. From this scenario, what has the company accomplished so far? A. Implementation of administrative controls B. Implementation of operational controls C. Implementation of physical controls D. Implementation of logical controls

A. The company has developed a data classification policy, which is an administrative control.

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation. Which of the following best describes what Susan needs to ensure the operations staff creates for proper configuration standardization? A. Dual control B. Redundancy C. Training D. Baselines

D. The operations staff needs to know what minimum level of security is required per system within the network. This minimum level of security is referred to as a baseline. Once a baseline is set per system, then the staff has something to compare the system against to know if changes have not taken place properly, which could make the system vulnerable.

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation. Which of the following is the best way to illustrate to her boss the dangers of the current configuration issues? A. Map the configurations to the compliancy requirements. B. Compromise a system to illustrate its vulnerability. C. Audit the systems. D. Carry out a risk assessment.

D. Susan needs to illustrate these vulnerabilities (misconfigured systems) in the context of risk to her boss. This means she needs to identify the specific vulnerabilities, associate threats to those vulnerabilities, and calculate their risks. This will allow her boss to understand how critical these issues are and what type of action needs to take place

Susan has been told by her boss that she will be replacing the current security manager within her company. Her boss explained to her that operational security measures have not been carried out in a standard fashion, so some systems have proper security configurations and some do not. Her boss needs to understand how dangerous it is to have some of the systems misconfigured along with what to do in this situation. ``` Which of the following is one of the most likely solutions that Susan will come up with and present to her boss? A. Development of standards B. Development of training C. Development of monitoring D. Development of testing ```

A. Standards need to be developed that outline proper configuration management processes and approved baseline configuration settings. Once these standards are developed and put into place, then employees can be trained on these issues and how to implement and maintain what is outlined in the standards. Systems can be tested against what is laid out in the standards, and systems can be monitored to detect if there are configurations that do not meet the requirements outlined in the standards. You will find that some CISSP questions seem subjective and their answers hard to pin down. Questions that ask what is “best” or “more likely” are common