[2023年11月]更新のCISSP問題集完全版解答でISC Certification試験学習ガイド
試験問題と解答CISSP学習ガイド
ISC CISSP認定試験を受ける資格を得るには、個人が情報セキュリティの分野で最低5年の経験を持たなければなりません。認定試験は、情報セキュリティの8つのドメインに関する個人の知識と理解をテストするように設計された250の複数選択質問で構成されています。これらのドメインには、セキュリティとリスク管理、資産セキュリティ、セキュリティアーキテクチャとエンジニアリング、コミュニケーションとネットワークセキュリティ、アイデンティティとアクセス管理、セキュリティ評価とテスト、セキュリティ運用、ソフトウェア開発セキュリティが含まれます。 ISC CISSP認定試験に合格すると、情報セキュリティに関する個人の専門知識が示されており、この分野のさまざまなキャリアの機会への扉を開くことができます。
質問 # 291
Which of the following is the MOST important element of change management documentation?
- A. Business case justification
- B. Number of changes being made
- C. List of components involved
- D. A stakeholder communication
正解:A
質問 # 292
How is Annualized Loss Expectancy (ALE) derived from a threat?
- A. ARO x (SLE - EF)
- B. AV x EF
- C. SLE/EF
- D. SLE x ARO
正解:D
解説:
Three steps are undertaken in a quantitative risk assessment:
Initial management approval
Construction of a risk assessment team, and
The review of information currently available within the organization.
There are a few formulas that you MUST understand for the exam. See them below:
SLE (Single Loss Expectancy)
Single loss expectancy (SLE) must be calculated to provide an estimate of loss. SLE is defined as the difference between the original value and the remaining value of an asset after a single exploit.
The formula for calculating SLE is as follows: SLE = asset value (in $) x exposure factor
(loss due to successful threat exploit, as a %)
Losses can include lack of availability of data assets due to data loss, theft, alteration, or denial of service (perhaps due to business continuity or security issues).
ALE (Annualized Loss Expectancy)
Next, the organization would calculate the annualized rate of occurrence (ARO).
This is done to provide an accurate calculation of annualized loss expectancy (ALE).
ARO is an estimate of how often a threat will be successful in exploiting a vulnerability over the period of a year.
When this is completed, the organization calculates the annualized loss expectancy (ALE).
The ALE is a product of the yearly estimate for the exploit (ARO) and the loss in value of an asset after an SLE.
The calculation follows ALE = SLE x ARO
Note that this calculation can be adjusted for geographical distances using the local annual frequency estimate (LAFE) or the standard annual frequency estimate (SAFE). Given that there is now a value for SLE, it is possible to determine what the organization should spend, if anything, to apply a countermeasure for the risk in question.
Remember that no countermeasure should be greater in cost than the risk it mitigates, transfers, or avoids.
Countermeasure cost per year is easy and straightforward to calculate. It is simply the cost of the countermeasure divided by the years of its life (i.e., use within the organization).
Finally, the organization is able to compare the cost of the risk versus the cost of the countermeasure and make some objective decisions regarding its countermeasure selection.
The following were incorrect answers:
All of the other choices were incorrect.
The following reference(s) were used for this quesiton:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 10048-10069). Auerbach Publications. Kindle
Edition.
質問 # 293
*Directive controls are a form of change management policy and procedures. Which of the following subsections are recommended as part of the change management process?
- A. Build and test
- B. Implement security controls
- C. Categorize Information System (IS)
- D. Select security controls
正解:A
解説:
Reference:
https://books.google.com.pk/books?id=9gCn86CmsNQC&pg=PA570&lpg=PA570&dq=CISSP+Directive+cont
質問 # 294
Which of the following would best define a digital envelope?
- A. A message that is signed with a secret key and encrypted with the sender's private key.
- B. A message that is encrypted and signed with a digital certificate.
- C. A message that is encrypted with the recipient's public key and signed with the sender's private key.
- D. A message encrypted with a secret key attached with the message. The secret key is encrypted with the public key of the receiver.
正解:D
解説:
Explanation/Reference:
Explanation:
Hybrid cryptography is the combined use of symmetric and asymmetric algorithms where the symmetric key encrypts data and an asymmetric key encrypts the symmetric key.
A digital envelope is another term used to describe hybrid cryptography.
When a message is encrypted with a symmetric key (secret key) and the symmetric key is encrypted with an asymmetric key, it is collectively known as a digital envelope.
Incorrect Answers:
A: A message that is encrypted and signed with a digital certificate is not the correct definition of a digital envelope. The message would have to be encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key to be a digital envelope. This answer does not specify what type of encryption is used.
B: A message that is signed with a secret key and encrypted with the sender's private key is not the correct definition of a digital envelope. A private key is an asymmetric key. In a digital envelope, the message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key.
D: A message that is encrypted with the recipient's public key and signed with the sender's private key is not the correct definition of a digital envelope. A public key is an asymmetric key. In a digital envelope, the message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 811
質問 # 295
Electrical systems are the lifeblood of computer operations. The continued supply of clean, steady power is required to maintain the proper personnel environment as well as to sustain data operations. Which of the following is not an element that can threaten power systems?
- A. Humidity
- B. UPS
- C. Brownouts
- D. Noise
正解:B
質問 # 296
When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?
- A. To find areas of compromise in confidentiality and integrity
- B. To force the software to fail and document the process
- C. To allow for objective pass or fail decisions
- D. To identify malware or hidden code within the test results
正解:C
質問 # 297
Which of the following access control techniques best gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?
- A. Discretionary access control
- B. Role-based access control
- C. Access control lists
- D. Non-mandatory access control
正解:B
解説:
Role-based access control (RBAC) gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are given to users in that role. An access control list
(ACL) is a table that tells a system which access rights each user has to a particular system object. With discretionary access control, administration is decentralized and owners of resources control other users' access. Non-mandatory access control is not a defined access control technique.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control
Systems and Methodology (page 9).
質問 # 298
Which of the following authorization standards is built to handle Application Programming Interface (API) access for Federated Identity Management (FIM)?
- A. Security Assertion Markup Language (SAML)
- B. Terminal Access Control Access Control System Plus (TACACS+)
- C. Open Authentication (OAUTH)
- D. Remote Authentication Dial-in User service (RADIUS)
正解:C
質問 # 299
Which of the following computer recovery sites is the least expensive and the most difficult to test?
- A. warm site.
- B. non-mobile hot site.
- C. cold site.
- D. mobile hot site.
正解:C
解説:
Is the least expensive because it is basically a structure with power and would be the most difficult to test because you would have to install all of the hardware infrastructure in order for it to be operational for the test.
The following answers are incorrect:
non-mobile hot site. Is incorrect because it is more expensive then a cold site and easier to test because all of the infrastructure is in place.
mobile hot site. Is incorrect because it is more expensive then a cold site and easier to test because all of the infrastructure is in place.
warm site. Is incorrect because it is more expensive then a cold site and easier to test because more of the infrastructure is in place.
質問 # 300
Role based access control is attracting increasing attention particularly for what applications?
- A. Technical
- B. Security
- C. Commercial
- D. Scientific
正解:C
解説:
Role based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications.
質問 # 301
A Simple Power Analysis (SPA) attack against a device directly observes which of the following?
- A. Consumption
- B. Magnetism
- C. Generation
- D. Static discharge
正解:A
質問 # 302
It is a violation of the "separation of duties" principle when which of the following individuals access the software on systems implementing security?
- A. security analyst
- B. systems programmer
- C. systems auditor
- D. security administrator
正解:B
解説:
Reason: The security administrator, security analysis, and the system auditor need access to portions of the security systems to accomplish their jobs. The system programmer does not need access to the working (AKA: Production) security systems.
Programmers should not be allowed to have ongoing direct access to computers running production systems (systems used by the organization to operate its business). To maintain system integrity, any changes they make to production systems should be tracked by the organization's change management control system.
Because the security administrator's job is to perform security functions, the performance of non-security tasks must be strictly limited. This separation of duties reduces the likelihood of loss that results from users abusing their authority by taking actions outside of their assigned functional responsibilities.
References:
OFFICIAL (ISC)2 GUIDE TO THE CISSP EXAM (2003), Hansche, S., Berti, J., Hare,
H., Auerbach Publication, FL, Chapter 5 - Operations Security, section 5.3,"Security
Technology and Tools," Personnel section (page 32).
KRUTZ, R. & VINES, R. The CISSP Prep Guide: Gold Edition (2003), Wiley Publishing
Inc., Chapter 6: Operations Security, Separations of Duties (page 303).
質問 # 303
Which of the following establishes the minimal national standards for certifying and accrediting national security systems?
- A. NIACAP
- B. DIACAP
- C. HIPAA
- D. TCSEC
正解:A
解説:
Explanation/Reference:
Explanation:
National Information Assurance Certification and Accreditation Process (NIACAP), establishes the minimum national standards for certifying and accrediting national security systems. This process provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the Information Assurance (IA) and security posture of a system or site. This process focuses on an enterprise-wide view of the information system (IS) in relation to the organization's mission and the IS business case.
Incorrect Answers:
B: The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) process that means to ensure that companies and organizations apply risk management to information systems (IS). This is not what is described in the question.
C: HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs. This is not what is described in the question.
D: Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. This is not what is described in the question.
References:
http://infohost.nmt.edu/~sfs/Regs/nstissi_1000.pdf
質問 # 304
Which security modes is MOST commonly used in a commercial environment because it protects the integrity of financial and accounting data?
- A. Clark-Wilson
- B. Beil-LaPadula
- C. Graham-Denning
- D. Biba
正解:A
解説:
Section: Security Architecture and Engineering
質問 # 305
At which of the Orange Book evaluation levels is configuration management required?
- A. B1 and above.
- B. B2 and above.
- C. C2 and above.
- D. C1 and above.
正解:B
解説:
Explanation/Reference:
Explanation:
Configuration management consists of identifying, controlling, accounting for, and auditing all changes made to a particular system or equipment during its life cycle. In particular, as related to equipment used to process classified information, equipment can be identified in categories of COMSEC, TEMPEST, or as a Trusted Computer Base (TCB).
The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2 through A1 be controlled by configuration management.
Incorrect Answers:
A: Configuration management is not required at level C1.
B: Configuration management is not required at level C2.
C: Configuration management is not required at level B1.
References:
http://surflibrary.org/ses/TEMPBOOK/CH6CONFGMGT.pdf
質問 # 306
Intellectual property rights are PRIMARY concerned with which of the following?
- A. Right of the owner to control delivery method
- B. Right of the owner to enjoy their creation
- C. Owner's ability to realize financial gain
- D. Owner's ability to maintain copyright
正解:C
解説:
Section: Security and Risk Management
質問 # 307
CobiT was developed from the COSO framework. Which of the choices below best describe the COSO's main objectives and purpose?
- A. COSO main purpose is to define a sound risk management approach within financial companies.
- B. COSO is risk management system used for the protection of federal systems.
- C. COSO main purpose is to help ensure fraudulent financial reporting cannot take place in an organization
- D. COSO addresses corporate culture and policy development.
正解:C
解説:
The Committee of Sponsoring Organizations of the Treadway Commission (COSO)2 was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, which studied factors that lead to fraudulent financial reporting and produced recommendations for public companies, their auditors, the Securities Exchange Commission, and other regulators. COSO identifies five areas of internal control necessary to meet the financial reporting and disclosure objectives.
These include:
(1)
control environment,
(2)
risk assessment,
(3)
control activities,
(4)
information and communication, and
(5)
monitoring.
The COSO internal control model has been adopted as a framework by some organizations working toward Sarbanes-Oxley Section 404 compliance.
COSO deals more at the strategic level, while CobiT focuses more at the operational level. CobiT is a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board
of director responsibility, and internal communication structures.
Its main purpose is to help ensure fraudulent financial reporting cannot take place in an
organization.
COBIT
Control Objectives for Information and related Technology (COBIT)4 is published by the IT
Governance Institute and integrates the following IT and risk frameworks:
CobiT 4.1
Val IT 2.0
Risk IT
IT Assurance Framework (ITAF)
Business Model for Information Security (BMIS)
The COBIT framework examines the effectiveness, efficiency, confidentiality, integrity, availability,
compliance, and reliability aspects of the high-level control objectives. The framework provides an
overall structure for information technology control and includes control objectives that can be
utilized to determine effective security control objectives that are driven from the business needs.
The Information Systems Audit and Control Association (ISACA) dedicates numerous resources to
the support and understanding of COBIT.
The following answers are incorrect:
COSO main purpose if to define a sound risk management approach within financial companies.
COSO addresses corporate culture and policy development.
COSO is risk management system used for the protection of federal systems.
The following reference(s) were/was used to create this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition
((ISC)2 Press) (Kindle Locations 9791-9800). Auerbach Publications. Kindle Edition.
質問 # 308
What is the result of the Exclusive Or operation, 1XOR 0?
- A. Indeterminate
- B. 0
- C. 1
- D. 2
正解:B
解説:
The correct answer is a. An XOR operation results in a 0 if the two
input bits are identical and a 1 if one of the bits is a 1 and the other is a 0.
質問 # 309
The equation Z = f [wn in ], where Z is the output, wn are weighting
functions, and in is a set of inputs describes:
- A. An artificial neural network (ANN)
- B. A knowledge-based system
- C. An expert system
- D. A knowledge acquisition system
正解:A
解説:
The equation defines a single layer ANN as shown in Figure.
Each input, in, is multiplied by a weight, wn , and these products are fed into a summation transfer function, , that generates an output,
Z. Most neural networks have multiple layers of summation and weighting functions, whose interconnections can also be changed. There are a number of different learning paradigms for neural networks, including reinforcement learning and back propagation. In reinforcement learning a training set of inputs is provided to the ANN along with a measure of how close the network is coming to a solution. Then, the weights and connections are readjusted. In back propagation, information is fed back inside the neural network from the output and is used by the ANN to make weight and connection adjustments. *Answers An expert system and A knowledge-based system are distracters that describe systems that use knowledge-based rules of experts to solve problems using an inferencing mechanism. *A knowledge acquisition system refers to the means of identifying and acquiring the knowledge to be entered into the knowledge base of an expert system.
質問 # 310
......
ISC CISSP(Certified Information Systems Security Professional)試験は、情報セキュリティの分野における候補者の知識とスキルをテストするために設計された認定試験です。この試験は、情報セキュリティの専門家の能力を測定するための基準として、世界的に認められています。ISC(国際情報システムセキュリティ認定コンソーシアム)によって作成され、情報セキュリティの分野で最も求められている認定資格の一つです。
ISC CISSP(認定情報システムセキュリティプロフェッショナル)認定は、情報セキュリティの分野で世界的に認められ、高く評価されている認定です。この認定は、(ISC)²としても知られる国際情報システムセキュリティ認証コンソーシアムによって授与されます。 CISSP認定は、情報セキュリティの分野における個人の知識と専門知識を検証するように設計されており、この分野で習熟度を示すためのベンチマークと見なされます。
Certified Information Systems Security Professional無料で更新される100%試験高合格率保証:https://www.goshiken.com/ISC/CISSP-mondaishu.html
リアル試験問題と解答でISC CISSP問題集はここにある:https://drive.google.com/open?id=1k_vI9geoZ4J1OdpoE2ryXGgDTglDTV4N