合格させるISC CISSP試験最速合格
準備CISSP問題解答でCISSP試験問題集
質問 # 728
Refer to the information below to answer the question.
In a Multilevel Security (MLS) system, the following sensitivity labels are used in increasing levels of sensitivity: restricted, confidential, secret, top secret. Table A lists the clearance levels for four users, while Table B lists the security classes of four different files.
In a Bell-LaPadula system, which user has the MOST restrictions when writing data to any of the four files?
- A. User D
- B. User A
- C. User C
- D. User B
正解:A
質問 # 729
Qualitative loss resulting from the business interruption does NOT usually include:
- A. Loss of competitive advantage or market share
- B. Loss of market leadership
- C. Loss of revenue
- D. Loss of public confidence and credibility
正解:C
解説:
Explanation/Reference:
Explanation:
Loss of revenue is a quantitative loss, A Qualitative loss. The quantitative impact can be determined by evaluating financial losses such as lost revenue, assets or production units, and salary paid to an idled workforce.
Qualitative impact includes such factors as reputation, goodwill, value of the brand and lost opportunity, among others.
Incorrect Answers:
B: Loss of market share is qualitative loss.
C: Qualitative impact can lead eventually to financial losses over time, for example due to loss of customer confidence.
D: Loss of market leadership is qualitative loss.
References:
http://searchdisasterrecovery.techtarget.com/answer/Debating-quantitative-impact-vs-qualitative-impact
質問 # 730
A Simple Power Analysis (SPA) attack against a device directly observes which of the following?
- A. Magnetism
- B. Static discharge
- C. Generation
- D. Consumption
正解:D
質問 # 731
Afirewall that performs stateful inspection of the data packet across all
layers is considered a:
- A. First-generation firewall.
- B. Third-generation firewall.
- C. Second-generation firewall.
- D. Fourth-generation firewall.
正解:B
解説:
The correct answer is Third-generation firewall. A stateful inspection firewall is considered a third-generation firewall.
質問 # 732
Which of the following is given the responsibility of the maintenance and protection of the data?
- A. Data owner
- B. Security administrator
- C. User
- D. Data custodian
正解:D
解説:
Explanation/Reference:
Explanation:
The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company's security policy, standards, and guidelines that pertain to information security and data protection.
Incorrect Answers:
A: The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner is not is given the responsibility of the maintenance and protection of the data.
C: The user is any individual who routinely uses the data for work-related tasks. The user is not given the responsibility of the maintenance and protection of the data.
D: The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. The security administrator is not is given the responsibility of the maintenance and protection of the data.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 122
質問 # 733
Phreakers are hackers who specialize in telephone fraud. What type of telephone fraud simulates the tones of coins being deposited into a payphone?
- A. Red Boxes
- B. Blue Boxes
- C. White Boxes
- D. Black Boxes
正解:A
解説:
The Red box basically simulates the sounds of coins being dropped into the coin slot of a payphone. The traditional Red Box consisting of a pair of Wien-bridge oscillators with the timing controlled by 555 timer chips. The Blue Box, The mother of all boxes, The first box in history, which started the whole phreaking scene. Invented by John Draper (aka "Captain Crunch") in the early 60s, who discovered that by sending a tone of 2600Hz over the telephone lines of AT&T, it was possible to make free calls. A Black Box is a device that is hooked up to your phone that fixes your phone so that when you get a call, the caller doesn't get charged for the call. This is good for calls up to 1/2 hour, after 1/2 hour the Phone Co. gets suspicious, and then you can guess what happens. The White Box turns a normal touch tone keypad into a portable unit. This kind of box can be commonly found in a phone shop.
質問 # 734
What is the primary purpose of using redundant array of inexpensive disks (RAID) level zero?
- A. To implement integrity.
- B. To improve system performance.
- C. To provide fault tolerance and protection against file server hard disk crashes.
- D. To maximize usage of hard disk space.
正解:B
解説:
Redundant array of inexpensive disks (RAID) are primarily used to implove speed, availability, and redundancy, not integrity. They provide fault tolerance and protection against file server hard disk crashes. NOTE: For the purpose of the exam you need to be familiar with RAID 1 to 5, RAID 10, and Raid
50.
PC Magazine had a great article on RAID that has great explanations, see below: Anyone who's ever looked into purchasing a NAS device or server, particularly for a business, has inevitably stumbled across the term "RAID." RAID stands for Redundant Array of Inexpensive or (the more marketing-friendly "Independent) Disks." In general, RAID uses two or more hard disk drives to improve the performance or provide some level of fault tolerance for a machine-typically a NAS or server. Fault tolerance is simply providing a "safety net" for failed hardware, usually a hard drive, by ensuring that the machine with the failed component can still operate. Fault tolerance lessens interruptions in productivity and the chance of data loss.
Hardware RAID There are two ways to configure RAID: with hardware or software. Hardware RAID is most traditionally implemented in businesses and organizations where disk fault tolerance and optimized performance are must-haves, not luxuries. There are some advantages and disadvantages with hardware-based RAID. It's more expensive, because configuring it requires an additional hardware component, a RAID controller which is a piece of hardware that controls the RAID array. RAID controllers can be internal, meaning they connect inside of a server to the motherboard or external (usually reserved for enterprise, high-level RAID solutions). Hardwarebased RAID is also considered a better performing, more efficient way to implement RAID than software RAID. Hardware-based RAID is used most in corporate servers and business-class NAS drives.
Software RAID Software RAID is arguably not as reliable as hardware RAID, but it's definitely more economical and can still deliver basic fault tolerance. You can't configure RAID arrays as complex with software as you can with hardware, but if you just want to implement mirroring (which is copying data from one drive to another, to keep that data accessible in case a drive fails) then software RAID is a cheaper, less complicated to set up option. Instead of using a bunch of disks and a controller to make an array, some software RAID solutions can use logical partitions on a single disk. That's what makes it both cheaper and less reliable-if that single disk fails completely, your data is gone.
Windows 7 (Pro and Ultimate editions) has inherent support for RAID; you can set up a single disk with two partitions, and have those partitions mirrored (RAID 1) or you can setup disk striping for performance (RAID 0). This type of RAID is available in other operating systems as well like Apple's Snow Leopard Server 10.6, Linux and Windows Server 2003 and 2008. Since this type of RAID already comes as a feature in the OS, the price can't be beat. Software RAID can also comprise of virtual RAID solutions offered by vendors such as Dot Hill to deliver powerful host-based virtual RAID adapters. This is a solution that is more tailored to enterprise networks.
Which RAID Is Right For Me? Once you've decided whether software or hardware RAID best suits your purposes, you need to pick a RAID level-this refers to how you are going to configure RAID on your device. There are several RAID levels, and the one you choose depends on whether you are using RAID for performance or fault tolerance (or both). It also matters whether you have hardware or software RAID, because software supports fewer levels than hardware-based RAID. In the case of hardware RAID, the type of controller you have matters, too. Different controllers support different levels of RAID and also dictate the kinds of disks you can use in an array: SAS, SATA or SSD).
Here's a rundown on each level of RAID: RAID 0 is used to boost a server's performance. It's also known as "disk striping." With RAID 0, data is written across multiple disks. This means the work that the computer is doing is handled by multiple disks rather than just one, increasing performance because multiple drives are reading and writing data, improving disk I/O. A minimum of two disks is required. Both software and hardware RAID support RAID 0 as do most controllers. The downside is that there is no fault tolerance. If one disk fails then that affects the entire array and the chances for data loss or corruption increases.
RAID 1 is a fault-tolerance configuration known as "disk mirroring." With RAID 1, data is copied seamlessly and simultaneously, from one disk to another, creating a replica, or mirror. If one disk gets fried, the other can keep working. It's the simplest relatively low-cost way to implement fault-tolerance. The downside is that RAID 1 causes a slight drag on performance. RAID 1 can be implemented through either software or hardware RAID. A minimum of two disks are required for RAID 1 hardware implementations. With software RAID 1, instead of two physical disks, data is mirrored between volumes on a single disk. One additional point to remember is that RAID 1 cuts total disk capacity in half: if a server with two 1 TB drives is configured with RAID 1, then total storage capacity will be 1 TB not 2 TB.
RAID 5 is by far the most common RAID configuration for business servers and enterprise NAS devices. This RAID level provides better performance than mirroring as well as fault-tolerance. With RAID 5, data and parity (which is additional data used for recovery) are striped across three or more disks. Disk drives typically fail in sectors, rather than the entire drive dying. When RAID 5 is configured, if a portion of a disk fails, that data gets recreated from the remaining data and parity, seamlessly and automatically. This is beneficial because RAID 5 allows many NAS and server drives to be "hot-swappable" meaning in case a drive in the array fails, that drive can be swapped with a new drive without shutting down the server or NAS and without having to interrupt users who may be accessing the server or NAS. It's a great solution for data redundancy, because as drives fail (and they eventually will), the data can be re-built to new disks as failing disks are replaced. RAID 5 can be implemented as a software or hardware solution. You'll get better performance with hardware RAID 5, because the work is done by the controller without taxing the system processor. The downside to RAID 5 is the performance hit to servers that perform a lot of write operations. For example, with RAID 5 on a server that has a database that many employees access in a workday, there could be noticeable lag. RAID 10 is a combination of RAID 1 and 0 and is often denoted as RAID 1+0. It combines the mirroring of RAID 1 with the striping of RAID 0. It's the RAID level that gives the best performance, but it is also costly, requiring two times as many disks of other RAID levels, for a minimum of four. This is the RAID level ideal for highly used database servers or any server that's performing many write operations. RAID 10 can be implemented as hardware or software but the general consensus is that many of the performance advantages are lost when you use software RAID 10. RAID 10 requires a minimum of four disks.
Other RAID Levels
There are other RAID levels: 2, 3, 4, 7, 0+1...but they are really variants of the main RAID configurations already mentioned and used for specific instances. Here are some short descriptions of each:
RAID 2 is similar to RAID 5, but instead of disk striping using parity, striping occurs at the bit-level. RAID 2 is seldom deployed because costs to implement are usually prohibitive (a typical setup requires 10 disks) and gives poor performance with some disk I/O operations.
RAID 3 is also similar to RAID 5, except this solution requires a dedicated parity drive. RAID 3 is seldom used but in the most specific types of database or processing environments that would benefit from it.
RAID 4 is similar to RAID except disk striping happens at the byte level, rather than the bit-level as in RAID 3.
RAID 7 is a proprietary level of RAID owned by the now-extinct Storage Computer Corporation.
RAID 0+1 is often interchanged for RAID 10 (which is RAID 1+0) but the two are not same. RAID 0+1 is a mirrored array with segments that are RAID 0 arrays. It's implemented in specific infrastructures requiring high performance but not a high level of scalability.
For most small to mid-size business purposes, RAID 0, 1, 5 and in some cases 10 suffice for good fault tolerance and or performance solutions. For most home users RAID 5 may be overkill, but software RAID 1 mirroring provides decent fault tolerance, and hardware mirroring with two physical drives is provides even better, if you can afford it.
One last thought: Remember, RAID is not backup, nor does it replace a backup strategy-preferably an automated one. RAID can be a great way to optimize NAS and server performance, but it's only part of an overall disaster recovery solution.
Reference:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 65).
and
PC MAGAZINE article at http://www.pcmag.com/article2/0,2817,2370235,00.asp
質問 # 735
A prolonged electrical power supply that is below normal voltage is a:
- A. surge
- B. blackout
- C. brownout
- D. fault
正解:C
解説:
Explanation/Reference:
Explanation:
When power companies are experiencing high demand, they frequently reduce the voltage in an electrical grid, which is referred to as a brownout. Constant voltage transformers can be used to regulate this fluctuation of power. They can use different ranges of voltage and only release the expected 120 volts of alternating current to devices.
Interference interrupts the flow of an electrical current, and fluctuations can actually deliver a different level of voltage than what was expected. Each fluctuation can be damaging to devices and people.
The following explains the different types of voltage fluctuations possible with electric power:
Power excess:
Spike Momentary high voltage
Surge Prolonged high voltage
Power loss:
Fault Momentary power outage
Blackout Prolonged, complete loss of electric power
Power degradation:
Sag/dip Momentary low-voltage condition, from one cycle to a few seconds
Brownout Prolonged power supply that is below normal voltage
In-rush current Initial surge of current required to start a load
Incorrect Answers:
B: A blackout is a prolonged complete loss of power, not a prolonged low voltage. Therefore, this answer is incorrect.
C: A surge is a prolonged high voltage, not a prolonged low voltage. Therefore, this answer is incorrect.
D: A fault is a momentary power outage, not a prolonged low voltage. Therefore, this answer is incorrect.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 462-463
質問 # 736
How is Annualized Loss Expectancy (ALE) derived from a threat?
- A. SLE/EF
- B. AV x EF
- C. SLE x ARO
- D. ARO x (SLE - EF)
正解:C
解説:
Three steps are undertaken in a quantitative risk assessment:
Initial management approval
Construction of a risk assessment team, and
The review of information currently available within the organization.
There are a few formulas that you MUST understand for the exam. See them below:
SLE (Single Loss Expectancy)
Single loss expectancy (SLE) must be calculated to provide an estimate of loss. SLE is defined as
the difference between the original value and the remaining value of an asset after a single exploit.
The formula for calculating SLE is as follows: SLE = asset value (in $) x exposure factor (loss due
to successful threat exploit, as a %)
Losses can include lack of availability of data assets due to data loss, theft, alteration, or denial of
service (perhaps due to business continuity or security issues).
ALE (Annualized Loss Expectancy)
Next, the organization would calculate the annualized rate of occurrence (ARO).
This is done to provide an accurate calculation of annualized loss expectancy (ALE).
ARO is an estimate of how often a threat will be successful in exploiting a vulnerability over the
period of a year.
When this is completed, the organization calculates the annualized loss expectancy (ALE).
The ALE is a product of the yearly estimate for the exploit (ARO) and the loss in value of an asset
after an SLE.
The calculation follows ALE = SLE x ARO
Note that this calculation can be adjusted for geographical distances using the local annual
frequency estimate (LAFE) or the standard annual frequency estimate (SAFE). Given that there is
now a value for SLE, it is possible to determine what the organization should spend, if anything, to
apply a countermeasure for the risk in question.
Remember that no countermeasure should be greater in cost than the risk it mitigates, transfers,
or avoids.
Countermeasure cost per year is easy and straightforward to calculate. It is simply the cost of the
countermeasure divided by the years of its life (i.e., use within the organization). Finally, the
organization is able to compare the cost of the risk versus the cost of the countermeasure and
make some objective decisions regarding its countermeasure selection.
The following were incorrect answers:
All of the other choices were incorrect.
The following reference(s) were used for this quesiton:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition
((ISC)2 Press) (Kindle Locations 10048-10069). Auerbach Publications. Kindle Edition.
質問 # 737
When an outgoing request is made on a port number greater than 1023, this type of firewall creates an ACL to allow the incoming reply on that port to pass:
- A. Dynamic packet filtering
- B. CIrcuit level proxy
- C. Application level proxy
- D. packet filtering
正解:A
解説:
The dynamic packet filtering firewall is able to create ACL's on the fly to allow replies on dynamic ports (higher than 1023). Packet filtering is incorrect. The packet filtering firewall usually requires that the dynamic ports be left open as a group in order to handle this situiation. Circuit level proxy is incorrect. The circuit level proxy builds a conduit between the trusted and untrusted hosts and does not work by dynamically creating ACL's. Application level proxy is incorrect. The application level proxy "proxies" for the trusted host in its communications with the untrusted host. It does not dynamically create ACL's to control traffic.
質問 # 738
Which of the following is most concerned with personnel security?
- A. Management controls
- B. Operational controls
- C. Technical controls
- D. Human resources controls
正解:B
解説:
Many important issues in computer security involve human users, designers,
implementers, and managers.
A broad range of security issues relates to how these individuals interact with computers and the
access and authorities they need to do their jobs. Since operational controls address security
methods focusing on mechanisms primarily implemented and executed by people (as opposed to
systems), personnel security is considered a form of operational control.
Operational controls are put in place to improve security of a particular system (or group of
systems). They often require specialized expertise and often rely upon management activities as
well as technical controls. Implementing dual control and making sure that you have more than
one person that can perform a task would fall into this category as well.
Management controls focus on the management of the IT security system and the management of
risk for a system. They are techniques and concerns that are normally addressed by management.
Technical controls focus on security controls that the computer system executes. The controls can
provide automated protection for unauthorized access of misuse, facilitate detection of security
violations, and support security requirements for applications and data.
Reference use for this question:
NIST SP 800-53 Revision 4 http://dx.doi.org/106028/NIST.SP.800-53r4
You can get it as a word document by clicking HERE
NIST SP 800-53 Revision 4 has superseded the document below:
SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for
Information Technology Systems, November 2001 (Page A-18).
質問 # 739
Which of the following access control models is based on sensitivity labels?
- A. Rule-based access control
- B. Role-based access control
- C. Mandatory access control
- D. Discretionary access control
正解:C
解説:
Explanation/Reference:
Explanation:
Mandatory Access control is considered nondiscretionary and is based on a security label system Incorrect Answers:
A: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.
C: Rule-based access control is considered nondiscretionary because the users cannot make access decisions based upon their own discretion.
D: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 220-228
質問 # 740
The concept of Due Care states that senior organizational management
must ensure that:
- A. All risks to an information system are eliminated.
- B. Other management personnel are delegated the responsibility for information system security.
- C. The cost of implementing safeguards is greater than the potential resultant losses resulting from information security breaches.
- D. Certain requirements must be fulfilled in carrying out their responsibilities to the organization.
正解:D
解説:
*Answer "All risks to an information system are eliminated" is incorrect because all risks to information systems cannot be eliminated
*answer "Other management personnel are delegated the responsibility for information system security" is incorrect because senior management cannot delegate its responsibility for information system security under due care
*answer "The cost of implementing safeguards is greater than the potential resultant losses resulting from information security breaches" is incorrect because the cost of implementing safeguards should be less than or equal to the potential resulting losses relative to the exercise of
due care.
質問 # 741
Users require access rights that allow them to view the average salary of groups of employees.
Which control would prevent the users from obtaining an individual employee's salary?
- A. Reduce the number of people who have access to the system for statistical purposes
- B. Limit access to predefined queries
- C. Segregate the database into a small number of partitions each with a separate security level
- D. Implement Role Based Access Control (RBAC)
正解:D
質問 # 742
Which approach to a security program ensures people responsible for protecting the company's assets are DRIVING the program?
- A. The bottom-up approach
- B. The top-down approach
- C. The technology approach
- D. The Delphi approach
正解:B
解説:
A security program should use a top-down approach, meaning that the initiation,
support, and direction come from top management; work their way through middle management;
and then reach staff members.
In contrast, a bottom-up approach refers to a situation in which staff members (usually IT ) try to
develop a security program without getting proper management support and direction. A bottom-
up approach is commonly less effective, not broad enough to address all security risks, and
doomed to fail.
A top-down approach makes sure the people actually responsible for protecting the company's
assets (senior management) are driving the program.
The following are incorrect answers:
The Delphi approach is incorrect as this is for a brainstorming technique.
The bottom-up approach is also incorrect as this approach would be if the IT department tried to
develop a security program without proper support from upper management.
The technology approach is also incorrect as it does not fit into the category of best answer.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 63). McGraw-Hill. Kindle
Edition.
質問 # 743
The ideal operating humidity range is defined as 40 percent to 60 percent. High humidity
(greater than 60 percent) can produce what type of problem on computer parts?
- A. Energy-plating
- B. Corrosion
- C. Static electricity
- D. Element-plating
正解:B
解説:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 333.
質問 # 744
The primary purpose for using one-way hashing of user passwords within a password file is which of the following?
- A. It minimizes the amount of processing time used for encrypting passwords.
- B. It prevents an unauthorized person from trying multiple passwords in one logon attempt.
- C. It minimizes the amount of storage required for user passwords.
- D. It prevents an unauthorized person from reading the password.
正解:D
解説:
Explanation/Reference:
Explanation:
A one-way hash function performs a mathematical encryption operation on a password that cannot be reversed. This prevents an unauthorized person from reading the password.
Some systems and applications send passwords over the network in cleartext, but a majority of them do not anymore. Instead, the software performs a one-way hashing function on the password and sends only the resulting value to the authenticating system or service. The authenticating system has a file containing all users' password hash values, not the passwords themselves, and when the authenticating system is asked to verify a user's password, it compares the hashing value sent to what it has in its file.
Incorrect Answers:
A: One-way hashing of user passwords does not prevent an unauthorized person from trying multiple passwords in one logon attempt. This is not the purpose of one-way hashing.
C: One-way hashing of user passwords does not minimize the amount of storage required for user passwords; it increases it because a hashed password is typically much longer than the password itself.
D: One-way hashing of user passwords does not minimize the amount of processing time used for encrypting passwords.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 1059
質問 # 745
In the DoD reference model, which layer conforms to the OSI transport layer?
- A. Network Access Layer
- B. Internet Layer
- C. Process/Application Layer
- D. Host-to-Host Layer
正解:D
解説:
In the DoD reference model, the Host-to-Host layer parallels the function of the OSI's transport layer. This layer contains the Transmission Control Protocol (TCP), and the User Datagram Protocol (UDP).
*the DoD Process/Application layer, corresponds to the OSI's top three layers, the Application, Presentation, and Session layers. *The DoD Internet layer corresponds to the OSI's Network layer.
*the DoD Network Access Layer, is the equivalent of the Data Link and Physical layers of the OSI model. Source: MCSE:TCP/IP Study Guide by Todd Lammle, Monica Lammle, and John Chellis (Sybex, 1997) and Handbook of Information Security Management 1999 by Micki Krause and Harold f. Tipton (Auerbach, 1999).
質問 # 746
Which of the following actions should be undertaken prior to deciding on a physical baseline Protection Profile (PP)?
- A. Check the technical design.
- B. Choose a suitable location.
- C. Conduct a site survey.
- D. Categorize assets.
正解:C
解説:
Conducting a site survey is the action that should be undertaken prior to deciding on a physical baseline Protection Profile (PP). A PP is a document that defines the security requirements and objectives for a system or a product, and that can be used as a basis for evaluation, testing, or certification. A physical baseline PP is a type of PP that focuses on the physical security aspects of a system or a product, such as the locks, doors, windows, fences, cameras, alarms, or sensors. Conducting a site survey is a process that involves inspecting, measuring, and documenting the physical characteristics and conditions of a site, such as the layout, dimensions, access points, environmental factors, or potential threats. Conducting a site survey can help to determine the appropriate physical security requirements and objectives for a system or a product, and to select the suitable physical security controls and measures to meet those requirements and objectives. The other options are not the actions that should be undertaken prior to deciding on a physical baseline PP, as they either do not relate to the physical security aspects, or do not involve inspecting, measuring, or documenting the site.
References: CISSP - Certified Information Systems Security Professional, Domain 3. Security Architecture and Engineering, 3.4 Implement and manage physical security, 3.4.1 Apply physical security concepts, 3.4.1.1 Site and facility design considerations; CISSP Exam Outline, Domain 3. Security Architecture and Engineering, 3.4 Implement and manage physical security, 3.4.1 Apply physical security concepts, 3.4.1.1 Site and facility design considerations
質問 # 747
......
ISC CISSP認定試験は情報セキュリティ分野で世界的に認められた認定資格です。組織の情報資産のセキュリティに責任を持つ専門家を対象とし、情報セキュリティに関連するさまざまなトピックをカバーしています。この認定試験は業界で高く評価され、世界中の多くの組織に認められています。試験を受験するには、情報セキュリティ分野での最低5年間のプロフェッショナル経験が必要で、情報セキュリティの8つのドメインに強い理解を示す必要があります。
ISC CISSP 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
リアルISC CISSP試験問題 [更新されたのは2025年]:https://www.goshiken.com/ISC/CISSP-mondaishu.html
無料CISSP試験問題集には合格させるお手軽に試験合格:https://drive.google.com/open?id=1k_vI9geoZ4J1OdpoE2ryXGgDTglDTV4N