
2024年最新のCISSPプレミアム資料テストPDFの無料問題集お試しセット
試験合格を向けてCISSP今すぐ弊社のISC Certification試験パッケージを使おう
ISC CISSP認定試験は、サイバーセキュリティ専門家に必要なスキルと知識を提供する厳格で包括的な認定プログラムです。業界でのグローバルな認知度と高い価値を持つCISSP認定は、情報セキュリティに特化したい人にとって優れた投資です。
質問 # 345
In the "Do" phase of the Plan-Do-Check-Act model, which of the following is performed?
- A. Ensure that business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity have been established.
- B. Ensure the business continuity policy, controls, processes, and procedures have been implemented.
- C. Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.
- D. Maintain and improve the Business Continuity Management (BCM) system by taking corrective action, based on the results of management review.
正解:B
質問 # 346
Which of following is NOT a service provided by AAA servers (Radius, TACACS and DIAMETER)?
- A. Administration
- B. Authorization
- C. Authentication
- D. Accounting
正解:A
解説:
Explanation/Reference:
Explanation:
The AAA term refers to authentication, authorization, and accounting/audit. Administration is not one of the options, therefore, the correct answer.
Incorrect Answers:
A, C, D: Authentication, Accounting, and Authorization are what the AAA term refers to.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 236
質問 # 347
Refer to the information below to answer the question.
A large organization uses unique identifiers and requires them at the start of every system session. Application access is based on job classification. The organization is subject to periodic independent reviews of access controls and violations. The organization uses wired and wireless networks and remote access. The organization also uses secure connections to branch offices and secure backup and recovery strategies for selected information and processes.
Following best practice, where should the permitted access for each department and job classification combination be specified?
- A. Security standards
- B. Security procedures
- C. Human resource policy
- D. Human resource standards
正解:A
質問 # 348
For a service provider, which of the following MOST effectively addresses confidentiality concerns for customers using cloud computing?
- A. File system permissions
- B. Non-repudiation controls
- C. Hash functions
- D. Data segregation
正解:D
解説:
For a service provider, data segregation is the most effective way to address confidentiality concerns for customers using cloud computing. Data segregation is the process of separating the data of different customers or tenants in a shared cloud environment, so that they cannot access or interfere with each other's data. Data segregation can be achieved by using encryption, access control, virtualization, or other techniques. Data segregation can help to protect the confidentiality, integrity, and availability of the customer's data, as well as to comply with the privacy and regulatory requirements. Hash functions, file system permissions, and non-repudiation controls are not the most effective ways to address confidentiality concerns for customers using cloud computing, as they do not provide the same level of isolation and protection as data segregation. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 3, Security Architecture and Engineering, page 337. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 3, Security Architecture and Engineering, page 353.
質問 # 349
Which of the following is the PRIMARY benefit of implementing an Information Security Management System (ISMS)?
- A. Increases employee education and awareness of security policies
- B. Ensures user compliance with computing standards
- C. Improves customer confidence by demonstrating adherence to best practices
- D. Correlates system events to monitor and demonstrate system health
正解:C
質問 # 350
In which of the following models are Subjects and Objects identified and the permissions applied to each subject/object combination are specified? Such a model can be used to quickly summarize what permissions a subject has for various system objects.
- A. Bell-LaPadula model
- B. Access Control Matrix model
- C. Biba model
- D. Take-Grant model
正解:B
解説:
Explanation/Reference:
Explanation:
An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operating system. This type of access control is usually an attribute of DAC models. The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs).
Incorrect Answers:
B: The take-grant protection model is used to establish or disprove the safety of a given computer system that follows specific rules. This is not what is described in the question.
C: The Bell-LaPadula Model is a state machine model used for enforcing access control in government and military applications. This is not what is described in the question.
D: The Biba Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. This is not what is described in the question.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 229
質問 # 351
Which one of the following authentication mechanisms creates a problem for mobile users?
- A. Mechanism with reusable passwords
- B. Challenge response mechanism.
- C. One-time password mechanism.
- D. Mechanisms based on IP addresses
正解:D
解説:
Anything based on a fixed IP address would be a problem for mobile users because their location and its associated IP address can change from one time to the next.
Many providers will assign a new IP every time the device would be restarted. For example an insurance adjuster using a laptop to file claims online. He goes to a different client each time and the address changes every time he connects to the ISP.
NOTE FROM CLEMENT:
The term MOBILE in this case is synonymous with Road Warriors where a user is constantly traveling and changing location. With smartphone today that may not be an issue but it would be an issue for laptops or WIFI tablets. Within a carrier network the IP will tend to be the same and would change rarely. So this question is more applicable to devices that are not cellular devices but in some cases this issue could affect cellular devices as well.
The following answers are incorrect:
Mechanism with reusable password. This is incorrect because reusable password mechanism would not present a problem for mobile users. They are the least secure and change only at specific interval one-time password mechanism. This is incorrect because a one-time password mechanism would not present a problem for mobile users. Many are based on a clock and not on the IP address of the user Challenge response mechanism.
This is incorrect because challenge response mechanism would not present a problem for mobile users.
質問 # 352
Which software development model is actually a meta-model that incorporates a number of the software development models?
- A. The Waterfall model.
- B. The Critical Patch Model (CPM).
- C. The modified Waterfall model.
- D. The Spiral model.
正解:D
解説:
The spiral model for software engineering has evolved to encompass the best features of the classic waterfall model, while at the same time adding an element known as risk analysis. The spiral model is more appropriate for large, industrial software projects and has four main blocks/quadrants. Each release or version of the software requires going through new planning, risk analysis, engineering and customer evaluation phases and this is illustrated in the model by the spiral evolution outwards from the center.
For each new release of a software product, a risk analysis audit should be performed to decide whether the new objectives can be completed within budget (time and costs), and decisions have to be made about whether to proceed. The level of planning and customer evaluation is missing from the waterfall model which is mainly concerned with small software programs. The spiral model also illustrated the evolutionary development of software where a solution may be initially proposed which is very basic (first time round the loop) and then later releases add new features and possibly a more elaborate GUI.
質問 # 353
Which of the following is the BEST reason for writing an information security policy?
- A. To implement effective information security controls
- B. To reduce the number of audit findings
- C. To support information security governance
- D. To deter attackers
正解:C
解説:
The best reason for writing an information security policy is to support information security governance.
Information security governance is the process or the framework of establishing and enforcing the policies and standards for the protection and the management of the information and the systems within an organization, as well as for overseeing and evaluating the performance and the effectiveness of the information security program and the information security controls. Information security governance can provide some benefits for security, such as enhancing the visibility and the accountability of the information security program and the information security controls, preventing or detecting any unauthorized or improper activities or changes, and supporting the audit and the compliance activities. Information security governance can involve various elements and roles, such as:
* Information security strategy, which is the plan or the direction that defines and describes the objectives, scope, principles, and priorities of the information security program and the information security controls, as well as the alignment and the integration of the information security program and the information security controls with the business goals and the risk appetite of the organization.
* Information security policy, which is the document or the statement that defines and describes the rules and the requirements for the protection and the management of the information and the systems within the organization, as well as the roles and the responsibilities of the information security stakeholders, such as the management, the staff, the customers, or the partners.
* Information security standards, which are the documents or the specifications that define and describe the mandatory or the minimum criteria or the guidelines for the implementation and the operation of the information security program and the information security controls, as well as the alignment and the compliance of the information security program and the information security controls with the industry regulations or the best practices.
* Information security procedures, which are the documents or the instructions that define and describe the specific tasks or the steps for the execution and the maintenance of the information security program and the information security controls, as well as the monitoring and the reporting of the performance and the effectiveness of the information security program and the information security controls.
* Information security roles, which are the functions or the positions that are responsible for the design, the implementation, the operation, the evaluation, or the improvement of the information security program and the information security controls, such as the information security manager, the information security officer, the information security analyst, or the information security auditor.
Writing an information security policy is the best reason for writing an information security policy, as it is the foundation and the core of the information security governance process or framework, and it provides the guidance and the direction for the information security program and the information security controls, as well as for the information security stakeholders. Writing an information security policy can involve various tasks or duties, such as:
* Defining and documenting the purpose, scope, objectives, and principles of the information security policy, and ensuring that they are consistent and aligned with the information security strategy and the business goals of the organization.
* Defining and documenting the rules and the requirements of the information security policy, and ensuring that they are clear, concise, comprehensive, and relevant to the information and the systems that are being protected and managed by the organization.
* Defining and documenting the roles and the responsibilities of the information security policy, and ensuring that they are assigned and communicated to the information security stakeholders, such as the management, the staff, the customers, or the partners, and that they are acknowledged and accepted by the information security stakeholders.
* Reviewing and updating the information security policy, and ensuring that it is current and valid, and
* that it reflects and addresses any changes or issues that may affect the information security program and the information security controls, or the information and the systems that are being protected and managed by the organization.
To reduce the number of audit findings, to deter attackers, and to implement effective information security controls are not the best reasons for writing an information security policy, although they may be related or possible outcomes or benefits of writing an information security policy. To reduce the number of audit findings is an outcome or a benefit of writing an information security policy, as it implies that the information security policy has helped to improve the performance and the effectiveness of the information security program and the information security controls, as well as to comply with the industry regulations or the best practices, and that the information security policy has supported the audit and the compliance activities, by providing the evidence or the data that can validate or verify the information security program and the information security controls. However, to reduce the number of audit findings is not the best reason for writing an information security policy, as it is not the primary or the most important purpose or objective of writing an information security policy, and it may not be true or applicable for all information security policies.
質問 # 354
An organization purchased a commercial off-the-shelf (COTS) software several years ago. The information technology (IT) Director has decided to migrate the application into the cloud, but is concerned about the application security of the software in the organization's dedicated environment with a cloud service provider. What is the BEST way to prevent and correct the software's security weal
- A. Follow the software end-of-life schedule
- B. Implement a dedicated COTS sandbox environment
- C. Transfer the risk to the cloud service provider
- D. Examine the software updating and patching process
正解:B
質問 # 355
Which of the following is the BEST method to identify security controls that should be implemented for a web-based application while in development?
- A. Secure software development.
- B. Application threat modeling
- C. Agile software development
- D. Penetration testing
正解:B
解説:
Application threat modeling visualizes an application's attack surface to identify threats and vulnerabilities that pose a risk to functionality or data. By decomposing the application architecture into its security-relevant components, teams can better understand the various threats and risks the application might face.
質問 # 356
Which Internet Protocol Security (IPSec) mechanism, when added to an Internet Protocol (IP) datagram, provides both confidentiality and integrity?
- A. Encapsulating Security Payload (ESP)
- B. Authentication Header (AH)
- C. Message Authentication Code (MAC)
- D. Internet Key Exchange (IKE)
正解:A
質問 # 357
Application of which of the following Institute of Electrical and Electronics Engineers (IEEE) standards will prevent an unauthorized wireless device from being attached to a network?
- A. IEEE 802.1H
- B. IEEE 802.1Q
- C. IEEE 802.1F
- D. IEEE 802.1X
正解:D
質問 # 358
Which of the following mechanisms are PRIMARILY used to safeguard and provide countermeasures for an organizational Information System (IS) to protect the confidentiality, integrity, and availability of its data?
- A. Data Controls
- B. Security Controls
- C. Information Controls
- D. User Controls
正解:B
質問 # 359
What balance MUST be considered when web application developers determine how informative application error messages should be constructed?
- A. Availability versus auditability
- B. Risk versus benefit
- C. Confidentiality versus integrity
- D. Performance versus user satisfaction
正解:B
解説:
According to the CXL blog2, the balance that must be considered when web application developers determine how informative application error messages should be constructed is risk versus benefit. Application error messages are the messages that are displayed or communicated to the users when an error or a problem occurs in the web application, such as a login failure, a form validation error, or a server error. Application error messages are important for the user experience and the conversion rate, as they help the users to understand and resolve the error or the problem, as well as to continue or complete their tasks or goals on the web application. However, application error messages also pose some risks or challenges for the web application developers, as they may reveal or expose some sensitive or confidential information about the web application, such as the system architecture, the database structure, or the security vulnerabilities, which may be exploited or attacked by the malicious users or hackers. Therefore, web application developers need to consider the balance between the risk and the benefit when determining how informative application error messages should be constructed. The risk is the potential or possibility of harm or damage to the web application, the data, or the users, as a result of the application error messages, such as the loss of privacy, integrity, or availability.
The benefit is the value or advantage of the application error messages for the web application, the data, or the users, such as the improvement of usability, functionality, or security. Web application developers need to weigh the risk and the benefit of the application error messages, and decide how much and what kind of information to include or exclude in the application error messages, as well as how to present or format the information in the application error messages, in order to achieve the optimal balance between the risk and the benefit. Availability versus auditability is not the balance that must be considered when web application developers determine how informative application error messages should be constructed, as it is not related to the information or the presentation of the application error messages, but to the performance or the monitoring of the web application. Availability is the property that ensures that the web application, the data, or the users are accessible or usable when needed or desired, and are protected from unauthorized or unintended denial or disruption. Auditability is the property that ensures that the web application, the data, or the users are traceable or accountable for their actions or events, and are supported by the logging or recording mechanisms.
Availability and auditability are both important for the web application, the data, and the users, but they are not the balance that must be considered when determining how informative application error messages should be constructed, as they do not affect or influence the information or the presentation of the application error messages. Confidentiality versus integrity is not the balance that must be considered when web application developers determine how informative application error messages should be constructed, as it is not related to the information or the presentation of the application error messages, but to the protection or the quality of the data. Confidentiality is the property that ensures that the data is only accessible or disclosed to the authorized parties, and is protected from unauthorized or unintended access or disclosure. Integrity is the property that ensures that the data is accurate, complete, and consistent, and is protected from unauthorized or unintended modification or corruption. Confidentiality and integrity are both important for the data, but they are not the balance that must be considered when determining how informative application error messages should be constructed, as they do not affect or influence the information or the presentation of the application error messages. Performance versus user satisfaction is not the balance that must be considered when web application developers determine how informative application error messages should be constructed, as it is not related to the information or the presentation of the application error messages, but to the efficiency or the effectiveness of the web application. Performance is the measure or indicator of how well the web application performs its functions or services, such as the speed, reliability, or scalability of the web application. User satisfaction is the measure or indicator of how satisfied the users are with the web application, its functions or services, or its user experience, such as the usability, functionality, or security of the web application. Performance and user satisfaction are both important for the web application, but they are not the balance that must be considered when determining how informative application error messages should be constructed, as they do not affect or influence the information or the presentation of the application error messages. References: 2
質問 # 360
A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its
20 different supplier companies. Which of the following is the BEST solution for the manufacturing organization?
- A. Cross-certification
- B. Security Assertion Markup language (SAML)
- C. Trusted third-party certification
- D. Lightweight Directory Access Protocol (LDAP)
正解:B
解説:
Explanation/Reference:
Reference: https://www.netiq.com/documentation/access-manager-43/applications-configuration-guide/ data/b1ka6lkd.html
質問 # 361
Which of the following should be performed by an operator?
- A. Changing profiles
- B. Installing system software
- C. Approving changes
- D. Adding and removal of users
正解:B
解説:
Explanation/Reference:
Explanation:
Of the listed tasks, installing system software is the only task that should normally be performed by an operator in a properly segregated environment.
Incorrect Answers:
A: Changing profiles should not be performed by an operator; this should be performed by a security administrator.
B: Approving changes should not be performed by an operator; this should be performed by a change control analyst or panel.
C: Adding and removal of users should not be performed by an operator; this should be performed by a security administrator.
質問 # 362
......
2024年最新の問題をマスターISC Certification合格目指してCISSPリアル試験!:https://www.goshiken.com/ISC/CISSP-mondaishu.html
完全版は2024年最新のCISSP試験問題集ガイドはトレーニング専門GoShiken:https://drive.google.com/open?id=120zbvku5izhK07LkMvb-F1j5uopzHGEB