[2023年12月] ベストな問題集を使おう ISC Certification CISSP 専門試験問題 [Q334-Q359]

Share

[2023年12月] ベストな問題集を使おうISC Certification CISSP専門試験問題

100%の合格率を試そう!更新されたのはCISSP試験問題 [2023]

質問 # 334
A user has infected a computer with malware by connecting a Universal Serial Bus (USB) storage device.
Which of the following is MOST effective to mitigate future infections?

  • A. Implement centralized technical control of USB port connections
  • B. Develop a written organizational policy prohibiting unauthorized USB devices
  • C. Encrypt removable USB devices containing data at rest
  • D. Train users on the dangers of transferring data in USB devices

正解:A


質問 # 335
Which of the following is a method of multiplexing data where a communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams. This method allocates bandwidth dynamically to physical channels having information to transmit?

  • A. Time-division multiplexing
  • B. Asynchronous time-division multiplexing
  • C. Statistical multiplexing
  • D. Frequency division multiplexing

正解:C

解説:
Statistical multiplexing is a type of communication link sharing, very similar to dynamic bandwidth allocation (DBA). In statistical multiplexing, a communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams. The link sharing is adapted to the instantaneous traffic demands of the data streams that are transferred over each channel. This is an alternative to creating a fixed sharing of a link, such as in general time division multiplexing (TDM) and frequency division multiplexing
(FDM). When performed correctly, statistical multiplexing can provide a link utilization improvement, called the statistical multiplexing gain.
Generally, the methods for multiplexing data include the following :
Time-division multiplexing (TDM): information from each data channel is allocated bandwidth based on pre-assigned time slots, regardless of whether there is data to transmit. Time-division multiplexing is used primarily for digital signals, but may be applied in analog multiplexing in which two or more signals or bit streams are transferred appearing simultaneously as sub-channels in one communication channel, but are physically taking turns on the channel. The time domain is divided into several recurrent time slots of fixed length, one for each sub-channel. A sample byte or data block of sub-channel 1 is transmitted during time slot 1, sub-channel 2 during time slot 2, etc. One TDM frame consists of one time slot per sub-channel plus a synchronization channel and sometimes error correction channel before the synchronization. After the last sub-channel, error correction, and synchronization, the cycle starts all over again with a new frame, starting with the second sample, byte or data block from sub-channel 1, etc.
Asynchronous time-division multiplexing (ATDM): information from data channels is allocated bandwidth as needed, via dynamically assigned time slots. ATM provides functionality that is similar to both circuit switching and packet switching networks: ATM uses asynchronous time-division multiplexing, and encodes data into small, fixed-sized packets (ISO-OSI frames) called cells. This differs from approaches such as the Internet
Protocol or Ethernet that use variable sized packets and frames. ATM uses a connection- oriented model in which a virtual circuit must be established between two endpoints before the actual data exchange begins. These virtual circuits may be "permanent", i.e. dedicated connections that are usually preconfigured by the service provider, or "switched", i.e. set up on a per-call basis using signalling and disconnected when the call is terminated.
Frequency division multiplexing (FDM): information from each data channel is allocated bandwidth based on the signal frequency of the traffic. In telecommunications, frequency- division multiplexing (FDM) is a technique by which the total bandwidth available in a communication medium is divided into a series of non-overlapping frequency sub-bands, each of which is used to carry a separate signal. This allows a single transmission medium such as the radio spectrum, a cable or optical fiber to be shared by many signals.
Reference used for this question:
http://en.wikipedia.org/wiki/Statistical_multiplexing
and
http://en.wikipedia.org/wiki/Frequency_division_multiplexing
and
Information Systems Audit and Control Association, Certified Information Systems Auditor
2 002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page
1 14).


質問 # 336
A contingency plan should address:

  • A. Potential risks.
  • B. Identified risks.
  • C. Residual risks.
  • D. All answers are correct.

正解:D

解説:
Because it is rarely possible or cost effective to eliminate all risks, an attempt is made to reduce risks to an acceptable level through the risk assessment process. This process
allows, from a set of potential risks (whether likely or not), to come up with a set of identified,
possible risks.
The implementation of security controls allows reducing the identified risks to a smaller set of
residual risks. Because these residual risks represent the complete set of situations that could
affect system performance, the scope of the contingency plan may be reduced to address only this
decreased risk set.
As a result, the contingency plan can be narrowly focused, conserving resources while ensuring
an effective system recovery capability.
Source: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST
Special Publication 800-34, Contingency Planning Guide for Information Technology Systems,
December 2001 (page 7).


質問 # 337
What is maintained by using write blocking devices whan forensic evidence is examined?

  • A. lntegrity
  • B. Inventory
  • C. Availability
  • D. Confidentiality

正解:A


質問 # 338
Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided?

  • A. Transport
  • B. Presentation
  • C. Data Link
  • D. Application

正解:C

解説:
RFC 1661 - The Point-to-Point Protocol (PPP) specifies that the Point-to-Point
Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-
to-point links. PPP is comprised of three main components:
1 A method for encapsulating multi-protocol datagrams.
2 A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection.
3 A family of Network Control Protocols (NCPs) for establishing and configuring different network-
layer protocols.


質問 # 339
During the risk assessment phase of the project the CISO discovered that a college within the University is collecting Protected Health Information (PHI) data via an application that was developed in-house. The college collecting this data is fully aware of the regulations for Health Insurance Portability and Accountability Act (HIPAA) and is fully compliant.
What is the best approach for the CISO?
Below are the common phases to creating a Business Continuity/Disaster Recovery (BC/DR) plan. Drag the remaining BC\DR phases to the appropriate corresponding location.

正解:

解説:

Explanation


質問 # 340
What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?

  • A. $150,000
  • B. $300,000
  • C. $1,500
  • D. $60,000

正解:D

解説:
The cost of a countermeasure should not be greater in cost than the risk it mitigates (ALE). For a quantitative risk assessment, the equation is ALE = ARO x SLE where the SLE is calculated as the product of asset value x exposure factor. An event that happen once every five years would have an ARO of .2 (1 divided by 5).
SLE = Asset Value (AV) x Exposure Fact (EF)
SLE = 1,000,000 x .30 = 300,000
ALE = SLE x Annualized Rate of Occurance (ARO)
ALE = 300,000 x .2 = 60,000
Know your acronyms:
ALE -- Annual loss expectancy
ARO -- Annual rate of occurrence
SLE -- Single loss expectancy
The following are incorrect answers:
$300,000 is incorrect. See the explanation of the correct answer for the correct calculation.
$150,000 is incorrect. See the explanation of the correct answer for the correct calculation.
$1,500 is incorrect. See the explanation of the correct answer for the correct calculation.
Reference(s) used for this question:
Mc Graw Hill, Shon Harris, CISSP All In One (AIO) book, Sixth Edition , Pages 87-88 and
Official ISC2 Guide to the CISSP Exam, (OIG), Pages 60-61


質問 # 341
Title II of HIPAA includes a section, Administrative Simplification, not requiring:

  • A. Improved efficiency in healthcare delivery by standardizing electronic data interchange
  • B. Protection of confidentiality of health data through setting and enforcing standards
  • C. Protection of security of health data through setting and enforcing standards
  • D. Protection of availability of health data through setting and enforcing standards

正解:D


質問 # 342
The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability may exists when:

  • A. (C < L - (residual risk)) or C is less than L minus residual risk
  • B. (C > L - (residual risk)) or C is greater than L minus residual risk
  • C. (C > L) or C is greater than L
  • D. (C < L) or C is less than L

正解:D

解説:
Explanation/Reference:
Explanation:
If the cost is lower than the estimated loss (C < L), then legal liability may exists if you fail to implement the proper safeguards. Government laws and regulations require companies to employ reasonable security measures to reduce private harms such as identity theft due to unauthorized access. The U.S. Gramm- Leach-Bliley Act (GLBA) Safeguards Rule and the broader European Directive 95/46/EC, Article 17, both require that companies employ reasonable or appropriate administrative and technical security measures to protect consumer information. The GLBA is a U.S. Federal law enacted by U.S. Congress in 1998 to allow consolidation among commercial banks. The GLBA Safeguards Rule is U.S. Federal regulation created in reaction to the GLBA and enforced by the U.S. Federal Trade Commission (FTC). The Safeguards Rule requires companies to implement a security plan to protect the confidentiality and integrity of consumer personal information and requires the designation of an individual responsible for compliance. Because these laws and regulations govern consumer personal information, they can lead to new requirements for information systems for which companies are responsible to comply. The act of compliance includes demonstrating due diligence, which is defined as "reasonable efforts that persons make to satisfy legal requirements or discharge their legal obligations". Reasonableness in software systems includes industries standards and may allow for imperfection. Lawyers representing firms and other organizations, regulators, system administrators and engineers all face considerable challenge in determining what constitutes "reasonable" security measures
for several reasons, including:
1. Compliance changes with the emergence of new security vulnerabilities due to innovations in information technology;
2. Compliance requires knowledge of specific security measures, however publicly available best practices typically include general goals and only address broad categories of vulnerability; and
3. Compliance is a best-effort practice, because improving security is costly and companies must prioritize security spending commensurate with risk of non-compliance.
In general, the costs of improved security are certain, but the improvement in security depends on unknown variables and probabilities outside the control of companies.
References: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 315.
http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf


質問 # 343
Which of the following is a key principle in the evolution of computer
crime laws in many countries?

  • A. Existing laws against embezzlement, fraud, and wiretapping cannot be applied to computer crime.
  • B. All members of the United Nations have agreed to uniformly define and prosecute computer crime.
  • C. Unauthorized acquisition of computer-based information without the intent to resell is not a crime.
  • D. The definition of property was extended to include electronic information.

正解:D

解説:
*Answer "All members of the United Nations have agreed to uniformly define and prosecute computer crime" is incorrect because all nations do not agree on the definition of computer crime and corresponding punishments.
*Answer "Existing laws against embezzlement, fraud, and wiretapping cannot be applied to computer crime" is incorrect because the existing laws can be applied against computer crime. * Answer "Unauthorized acquisition of computer-based information without the intent to resell is not a crime" is incorrect because in some countries, possession without intent to sell is considered a crime.


質問 # 344
Which of the following is NOT an example of a detective control?

  • A. Backup data restore
  • B. System Monitor
  • C. IDS
  • D. Motion detector

正解:A

解説:
Explanation/Reference:
Explanation:
Backup data restore is a Recovery/Technical control.
Incorrect Answers:
A, B, C: Detective controls include Motion detectors, Closed-circuit TVs, Monitoring and Supervising, Job rotation, Investigations, Audit logs, and IDS.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 32, 33


質問 # 345
Which of the following can best be defined as a cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs?

  • A. A known-algorithm attack
  • B. A chosen-plaintext attack
  • C. A known-plaintext attack
  • D. A chosen-ciphertext attack

正解:C

解説:
RFC2828 (Internet Security Glossary) defines a known-plaintext attack as a
cryptanalysis technique in which the analyst tries to determine the key from knowledge of some
plaintext-ciphertext pairs (although the analyst may also have other clues, such as the knowing the
cryptographic algorithm). A chosen-ciphertext attack is defined as a cryptanalysis technique in
which the analyst tries to determine the key from knowledge of plaintext that corresponds to
ciphertext selected (i.e., dictated) by the analyst. A chosen-plaintext attack is a cryptanalysis
technique in which the analyst tries to determine the key from knowledge of ciphertext that
corresponds to plaintext selected (i.e., dictated) by the analyst. The other choice is a distracter.
The following are incorrect answers:
A chosen-plaintext attacks
The attacker has the plaintext and ciphertext, but can choose the plaintext that gets encrypted to
see the corresponding ciphertext. This gives her more power and possibly a deeper understanding
of the way the encryption process works so she can gather more information about the key being
used. Once the key is discovered, other messages encrypted with that key can be decrypted.
A chosen-ciphertext attack
In chosen-ciphertext attacks, the attacker can choose the ciphertext to be decrypted and has
access to the resulting decrypted plaintext. Again, the goal is to figure out the key. This is a harder
attack to carry out compared to the previously mentioned attacks, and the attacker may need to
have control of the system that contains the cryptosystem.
A known-algorithm attack
Knowing the algorithm does not give you much advantage without knowing the key. This is a
bogus detractor. The algorithm should be public, which is the Kerckhoffs's Principle . The only
secret should be the key.
Reference(s) used for this question:
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 866). McGraw-Hill.
Kindle Edition.
and
Kerckhoffs's Principle


質問 # 346
Which of the following organizations PRODUCES and PUBLISHES the Federal Information Processing Standards (FIPS)?

  • A. The National Security Agency (NSA)
  • B. The National Computer Security Center (NCSC)
  • C. The National Institute of Standards and Technology (NIST)
  • D. The American National Standards Institute (ANSI)

正解:C

解説:
FIPS publications are issued by NIST after approval by the Secretary of Commerce
pursuant to Section 5131 of the Information Technology Reform Act of 1996, Public Law 104-106,
and the FISMA Act of 2002.
The following answers are incorrect because :
The National Computer Security Center (NCSC) was established in 1981 within NSA to help
support and drive NSA's DoD computer security responsibilities.
The National Security Agency (NSA) is incorrect because NSA does not publish FIPS and is the
agency officially responsible for security within the US government.
The American National Standards Institute (ANSI) is also incorrect as ANSI does not publish FIPS
and is an organization that defines coding standards and signaling schemes in the United States
and represents the United States in ISO and the International Telecommunication Union (ITU).
Reference : Shon Harris AIO v3 , Appendix B : Who's Who


質問 # 347
DRAG DROP
Match the objectives to the assessment questions in the governance domain of Software Assurance Maturity Model (SAMM).

正解:

解説:


質問 # 348
Given the various means to protect physical and logical assets, match the access management area to the technology.

正解:

解説:

Explanation


質問 # 349
For a service provider, which of the following MOST effectively addresses confidentiality concerns for customers using cloud computing?

  • A. File system permissions
  • B. Hash functions
  • C. Non-repudiation controls
  • D. Data segregation

正解:D


質問 # 350
Which of the following is included in change management?

  • A. User Acceptance Testing (UAT) before implementation
  • B. Business continuity testing
  • C. Technical review by business owner
  • D. Cost-benefit analysis (CBA) after implementation

正解:B


質問 # 351
Packet Filtering Firewalls can also enable access for:

  • A. only authorized application port or service integers.
  • B. only authorized application port or ex-service numbers.
  • C. only unauthorized application port or service numbers.
  • D. only authorized application port or service numbers.

正解:D

解説:
Firewall rules can be used to enable access for traffic to specific ports or services.
"Service numbers" is rather stilted English but you may encounter these types of wordings on the
actual exam -- don't let them confuse you.
"Only unauthorized application port or service numbers" is incorrect. Unauthorized ports/services
would be blocked in a properly installed firewall rather than permitting access.
"Only authorized application port or ex-service numbers" is incorrect. "Ex-service" numbers is a
nonsense term meant to distract you.
"Only authorized application port or service integers." While service numbers are in fact integers,
the more usual (and therefore better) answer is either service or "service number."
References
CBK, p. 464
AIO3, pp. 482 - 484


質問 # 352
Tim's day to day responsibilities include monitoring health of devices on the network. He uses a Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing through the interfaces. Which of the protocols would be BEST to use if some of the requirements are to prevent easy disclosure of the SNMP strings and authentication of the source of the packets?

  • A. SNMP V3
  • B. UDP
  • C. SNMP V2
  • D. SNMP V1

正解:A

解説:
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for
managing devices on IP networks. Devices that typically support SNMP include routers, switches,
servers, workstations, printers, modem racks, and more. It is used mostly in network management
systems to monitor network-attached devices for conditions that warrant administrative attention.
SNMP is a component of the Internet Protocol Suite as defined by the Internet Engineering Task
Force (IETF).
SNMP V3
Although SNMPv3 makes no changes to the protocol aside from the addition of cryptographic
security, it looks much different due to new textual conventions, concepts, and terminology.
SNMPv3 primarily added security and remote configuration enhancements to SNMP.
Security has been the biggest weakness of SNMP since the beginning. Authentication in SNMP
Versions 1 and 2 amounts to nothing more than a password (community string) sent in clear text
between a manager and agent. Each SNMPv3 message contains security parameters which are
encoded as an octet string. The meaning of these security parameters depends on the security
model being used.
SNMPv3 provides important security features:
Confidentiality - Encryption of packets to prevent snooping by an unauthorized source.
Integrity - Message integrity to ensure that a packet has not been tampered with in transit
including an optional packet replay protection mechanism.
Authentication - to verify that the message is from a valid source.
The following answers are incorrect:
UDP
SNMP can make use of the User Datagram Protocol (UDP) protocol but the UDP protocol by itself
is not use for network monitoring.
SNMP V1
SNMP version 1 (SNMPv1) is the initial implementation of the SNMP protocol. SNMPv1 operates
over protocols such as User Datagram Protocol (UDP), Internet Protocol (IP), OSI Connectionless
Network Service (CLNS), AppleTalk Datagram-Delivery Protocol (DDP), and Novell Internet
Packet Exchange (IPX). SNMPv1 is widely used and is the de facto network-management protocol
in the Internet community.
SNMP V2
SNMPv2 (RFC 1441-RFC 1452), revises version 1 and includes improvements in the areas of
performance, security, confidentiality, and manager-to-manager communications. It introduced
GetBulkRequest, an alternative to iterative GetNextRequests for retrieving large amounts of
management data in a single request. However, the new party-based security system in SNMPv2,
viewed by many as overly complex, was not widely accepted.
The following reference(s) were/was used to create this question:
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 587). McGraw-Hill.
Kindle Edition.
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition
((ISC)2 Press) (Kindle Locations 7434-7436). Auerbach Publications. Kindle Edition.


質問 # 353
Which of the following is not an EPA-approved replacement for Halon?

  • A. Bromine
  • B. Innergen
  • C. FM-200
  • D. FE-13

正解:A

解説:
Halon is a compound consisting of bromine, fluorine, and carbon. Halons are used
as fire extinguishing agents, both in built-in systems and in handheld portable fire extinguishers.
Halon production in the U.S. ended on December 31, 1993, because they contribute to ozone
depletion. Bromine being part of Halon is not a safe replacement for Halon.
The following are some of the EPA-approved replacements for halon:
Several substitutes have been approved by the SNAP program that may be considered as
potential candidates for specific use conditions as cited in 40 CFR 82 Appendix A to Subpart G,
Substitutes Subject to Use Restrictions and Unacceptable Substitutes. It should be noted that the
following substitutions are merely comments on usage and not conditions. For example, the Army
has considered the use of HFC-125 in the crew compartments of its ground combat vehicles. Also,
the Army has installed IG-541 in normally occupied areas. The following substitutes are listed:
Total Flooding Agents Acceptable Substitutes
Water Mist Systems using Potable or Natural Sea Water
[Foam] A (formerly identified as Water Mist Surfactant Blend A) This agent is not a clean agent,
but is a low-density, short duration foam.
Carbon Dioxide (Must meet NFPA 12 and OSHA 1910.162(b)5 requirements
Water Sprinklers
Total Flooding Agents Substitutes Acceptable Subject To Use Conditions
Normally Occupied Areas
C4F10 (PFC-410 or CEA-410)
C3F8 (PFC-218 or CEA-308)
HCFC Blend A (NAF S-III)
HFC-23 (FE 13)
HFC-227ea (FM 200)
IG-01 (Argon)
IG-55 (Aragonite)
HFC-125
HFC-134a
Normally Unoccupied Areas
Powdered Aerosol C
CF3I
HCFC-22
HCFC-124
HFC-125
HFC-134a
Gelled Halocarbon/Dry Chem. Suspension (PGA)
Inert Gas/Powdered Aerosol Blend (FS 0140)
IG-541 (Inergen)
Unacceptable Substitutes
HFC-32
The following were incorrect answers:
The following are all safe replacement for Halon:
FE-13 is an Halon replacement (Halon 1301) in total flooding and inerting applications where its low toxicity provides for improved safety margins, the protected spaces are large, the cylinder storage area is remote from the protected space, or where the temperatures are likely to go below 0(o)C (32(o)F). Of the clean agents available, DuPont FE-13 has the lowest toxicity and is the safest for protecting areas where people are present. DuPont FE-13 provides the ultimate in human safety while protecting high-value assets and business continuity with a clean agent.
DuPont FE-13 is: safe for people a clean agent that does not leave a residue electrically nonconductive and noncorrosive an environmentally preferred alternative to Halon with zero ozone depletion potential (ODP)
FM-200 is a colorless, liquefied compressed gas. It is stored as a liquid and dispensed into the hazard as a colorless, electrically non-conductive vapor that is clear and does not obscure vision. It leaves no residue and has acceptable toxicity for use in occupied spaces at design concentration. FM-200 does not displace oxygen and, therefore, is safe for use in occupied spaces without fear of oxygen deprivation.
INERGEN is a blend of inert atmospheric gases that contains 52% nitrogen, 40% argon, 8% carbon dioxide, used for fire suppression system agent. It is considered a clean agent for use in gaseous fire suppression applications. Inergen does not contain halocarbons, and has no ozone depletion potential. It is non-toxic. Inergen is used at design concentrations of 35-50% to lower the concentration of oxygen to a point that cannot support combustion, but still safe for humans.
Reference(s) used for this quesiton: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25616-25620). Auerbach Publications. Kindle Edition. and Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (pp. 473-474). McGraw-Hill. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 25623-25626). Auerbach Publications. Kindle Edition. and http://en.wikipedia.org/wiki/Inergen and http://www.p2sustainabilitylibrary.mil/P2_Opportunity_Handbook/3_III_2.html


質問 # 354
Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated with:

  • A. Preventive/physical
  • B. Detective/administrative
  • C. Detective/physical
  • D. Detective/technical

正解:B

解説:
Additional detective/administrative controls are job rotation, the sharing of
responsibilities, and reviews of audit records.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of
Computer Security, 2001, John Wiley & Sons, Page 35


質問 # 355
How should a risk be HANDLED when the cost of the countermeasure OUTWEIGHS the cost of the risk?

  • A. Perform another risk analysis
  • B. Accept the risk
  • C. Reject the risk
  • D. Reduce the risk

正解:B

解説:
Which means the company understands the level of risk it is faced.
The following answers are incorrect because :
Reject the risk is incorrect as it means ignoring the risk which is dangerous.
Perform another risk analysis is also incorrect as the existing risk analysis has already shown the
results.
Reduce the risk is incorrect is applicable after implementing the countermeasures.
Reference : Shon Harris AIO v3 , Chapter-3: Security Management Practices , Page : 39


質問 # 356
An Architecture where there are more than two execution domains or privilege levels is called:

  • A. Ring Layering
  • B. Network Environment.
  • C. Security Models

正解:A

解説:
In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security.
Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged
(least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.
Ring Architecture
All of the other answers are incorrect because they are detractors.
References:
OIG CBK Security Architecture and Models (page 311)
and
https://en.wikipedia.org/wiki/Ring_%28computer_security%29


質問 # 357
An effective information security policy should not have which of the following characteristics?

  • A. Be designed with a short-to mid-term focus.
  • B. Include separation of duties.
  • C. Be understandable and supported by all stakeholders.
  • D. Specify areas of responsibility and authority.

正解:A

解説:
This is not a very good practice, specially for the CISSP examination, when you plan and develop the security policy for your enterprise you should always plan it with a long term focus. The policy should be created to be there for a long time, and you should only make revisions of it every certain time to comply with changes or things that could have changed. In a security policy the duties should be well specified, be understandable by the people involved in it, and specify areas of responsibility.


質問 # 358
Which of the following is a method used to prevent Structured Query Language (SQL) injection attacks?

  • A. Data validation
  • B. Data warehousing
  • C. Data compression
  • D. Data classification

正解:A


質問 # 359
......

CISSP試験問題を今すぐ試そう!最新の[2023年最新] 正解回答付き:https://www.goshiken.com/ISC/CISSP-mondaishu.html

合格させるCISSP試験にはリアル問題解答:https://drive.google.com/open?id=1XRGCtKVvpvfb1eaOJxIifOTVxnNoW4A6