[2025年03月] 問題集簡単概要CISSP試験問題GoShiken [Q840-Q855]

Share

[2025年03月] 問題集簡単概要CISSP試験問題GoShiken

CISSPトレーニング認証最新版をゲットISC Certification


CISSP認定試験は、情報セキュリティの8つのドメインをカバーする包括的な試験です。これらのドメインには、セキュリティとリスク管理、資産セキュリティ、セキュリティエンジニアリング、コミュニケーションとネットワークセキュリティ、アイデンティティとアクセス管理、セキュリティ評価とテスト、セキュリティ運用、ソフトウェア開発セキュリティが含まれます。この試験は、250の複数選択の質問で構成されており、これらの各ドメインで候補者の知識、スキル、能力をテストするように設計されています。 CISSP認定試験に合格するには、1000ポイントのうち少なくとも700ポイントのスコアと、情報セキュリティ分野での最低5年間の専門的経験が必要です。

 

質問 # 840
Which of the following is NOT a characteristic of a distributed data
processing (DDP) approach?

  • A. Distances from user to processing resource are transparent to the
    user.
  • B. Security is enhanced because of networked systems.
  • C. Consists of multiple processing locations that can provide
    alternatives for computing in the event of a site becoming
    inoperative.
  • D. Data stored at multiple, geographically separate locations is easily available to the user.

正解:B

解説:
Security is more of a concern in distributed systems since there are
vulnerabilities associated with the network and the many locations
from which unauthorized access to the computing resources can
occur. The other answers are characteristics of a DDP architecture.


質問 # 841
Which statement below is accurate about the difference between issuespecific and system-specific policies?

  • A. Issue-specific policy is much more technically focused.
  • B. Issue-specific policy commonly addresses only one system.
  • C. System-specific policy is much more technically focused.
  • D. System-specific policy is similar to program policy.

正解:C

解説:
Often, managerial computer system security policies are categorized
into three basic types:
Program policy used to create an organization's computer security
program
Issue-specific policies used to address specific issues of concern
to the organization
System-specific policies technical directives taken by management
to protect a particular system
Program policy and issue-specific policy both address policy from
a broad level, usually encompassing the entire organization. However,
they do not provide sufficient information or direction, for
example, to be used in establishing an access control list or in training users on what actions are permitted. System-specific policy fills this need. System-specific policy is much more focused, since it addresses
only one system.
Table A.1 helps illustrate the difference between these three types
of policies. Source: National Institute of Standards and Technology, An
Introduction to Computer Security: The NIST Handbook Special Publica-
tion 800-12.

image002


質問 # 842
Which of the following is NOT a preventive login control?

  • A. Account expiration
  • B. Password aging
  • C. Minimum password length
  • D. Last login message

正解:D

解説:
Explanation/Reference:
Explanation:
Password management and account management are preventive login controls.
Password aging determines how long a password can be used for before the password must be changed.
For example a maximum password age of 30 days would force users to change their passwords every 30 days.
Minimum password length determines the minimum number of characters a password should have. A minimum of eight characters is generally regarded as a requirement for a good password.
Account expiration determines when a user account will expire. This is especially useful for temporary workers and helps to ensure that unused accounts are not left active.
A last login message is not a preventive login control. A last login message is informational only and does nothing to improve the security of the system.
Incorrect Answers:
B: Password aging is an example of a preventive login control.
C: Minimum password length is an example of a preventive login control.
D: Account expiration is an example of a preventive login control.


質問 # 843
During examination of Internet history records, the following string occurs within a Unique Resource Locator (URL):
http://www.companysite.com/products/products.asp?productid=123
or 1=1
What type of attack does this indicate?

  • A. Cross-Site Scripting (XSS)
  • B. Directory traversal
  • C. Shellcode injection
  • D. Structured Query Language (SQL) injection

正解:D

解説:
Structured Query Language (SQL) injection is a type of attack that exploits a vulnerability in a web application that does not properly validate or sanitize the user input before passing it to a database. An attacker can inject malicious SQL commands into the input field, such as a search box or a login form, and execute them on the database server. The injected SQL commands can be used to perform various actions, such as accessing, modifying, or deleting data, bypassing authentication, or executing commands on the server. The string in the question is an example of a SQL injection attack, where the attacker appends a logical expression
"or 1=1" to the productid parameter, which will always evaluate to true and return all the records from the products table.


質問 # 844
Which of the following is the MOST appropriate control for asset data labeling procedures?

  • A. Reviewing audit trails of logging records
  • B. Categorizing the types of media being used
  • C. Reviewing off-site storage access controls
  • D. Logging data media to provide a physical inventory control

正解:D

解説:
Logging data media to provide a physical inventory control is the most appropriate control for asset data labeling procedures. Asset data labeling procedures are the procedures that define how the data media, such as tapes, disks, or drives, are labeled, classified, and handled, based on the sensitivity and value of the data they contain. Asset data labeling procedures are important for ensuring the security, confidentiality, and accountability of the data media, and for preventing any unauthorized access, disclosure, or loss of the data media. Logging data media to provide a physical inventory control is a control that supports the asset data labeling procedures, as it involves recording and tracking the details and locations of the data media, such as serial numbers, bar codes, owners, custodians, and storage locations. Logging data media to provide a physical inventory control can help to maintain the accuracy and completeness of the data media inventory, and to detect and report any missing, stolen, or damaged data media. References: [CISSP CBK, Fifth Edition, Chapter 2, page 105]; [100 CISSP Questions, Answers and Explanations, Question 16].


質問 # 845
When conducting a third-party risk assessment of a new supplier, which of the following reports should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles?

  • A. Service Organization Control (SOC) 1, Type 2
  • B. International Organization for Standardization (ISO) 27001
  • C. Service Organization Control (SOC) 2, Type 2
  • D. International Organization for Standardization (ISO) 27002

正解:C

解説:
When conducting a third-party risk assessment of a new supplier, the Service Organization Control (SOC) 2, Type 2 report should be reviewed to confirm the operating effectiveness of the security, availability, confidentiality, and privacy trust principles. SOC 2 reports are issued by independent auditors and provide detailed information about a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. A Type 2 report includes an auditor's opinion on the design and operating effectiveness of the controls.


質問 # 846
Discretionary Access Control (DAC) restricts access according to

  • A. data classification labeling.
  • B. authorizations granted to the user.
  • C. page views within an application.
  • D. management accreditation.

正解:B

解説:
Discretionary Access Control (DAC) restricts access according to authorizations granted to the user. DAC is a type of access control that allows the owner or creator of a resource to decide who can access it and what level of access they can have. DAC uses access control lists (ACLs) to assign permissions to resources, and users can pass or change their permissions to other users


質問 # 847
Place the following information classification steps in sequential order.

正解:

解説:


質問 # 848
In which of the following programs is it MOST important to include the collection of security process data?

  • A. Security continuous monitoring
  • B. Business continuity testing
  • C. Annual security training
  • D. Quarterly access reviews

正解:D


質問 # 849
A security professional recommends that a company integrate threat modeling into its Agile development processes. Which of the following BEST describes the benefits of this approach?

  • A. Potential threats are addressed earlier in the Software Development Life Cycle (SDLC).
  • B. Potential threats are addressed later in the Software Development Life Cycle (SDLC).
  • C. Reduce application development costs.
  • D. Improve user acceptance of implemented security controls.

正解:A


質問 # 850
Which type of routing below commonly broadcasts its routing table
information to all other routers every minute?

  • A. Distance Vector Routing
  • B. Dynamic Control Protocol Routing
  • C. Static Routing
  • D. Link State Routing

正解:A

解説:
Distance vector routing uses the routing information protocol
(RIP) to maintain a dynamic table of routing information that is
updated regularly. It is the oldest and most common type of
dynamic routing.
* static routing, defines a specific route in a configuration file on the router and does not require the routers to exchange route information dynamically.
* link state routers, functions like distance vector routers, but only use firsthand information when building routing tables by maintaining a copy of every other router's Link
State Protocol (LSP) frame. This helps to eliminate routing errors and considerably lessens convergence time.
*Answer Dynamic Control Protocol Routing is a distracter.
Source: Mastering Network Security by Chris Brenton (Sybex, 1999).


質問 # 851
Why would a database be denormalized?

  • A. To prevent duplication of data
  • B. To ensure data integrity
  • C. To save storage space
  • D. To increase processing efficiency

正解:D

解説:
A database is denormalized when there is a need to improve processing efficiency.
There is, however, a risk to data integrity when this occurs. Since it implies the introduction of duplication, it will not likely allow saving of storage space.
Source: Information Systems Audit and Control Association, Certified Information Systems
Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices
(page 109).


質問 # 852
Which of the following should be emphasized during the Business Impact Analysis (BIA) considering that the BIA focus is on business processes?

  • A. Dependencies
  • B. Composition
  • C. Priorities
  • D. Service levels

正解:A

解説:
Explanation/Reference:
Explanation:
Data points obtained as part of the BIA information gathering process will be used later during analysis. It is important that the team members ask about how different tasks-whether processes, transactions, or services, along with any relevant dependencies-get accomplished within the organization.
Incorrect Answers:
A: To determine the dependencies, not the composition, between the business processes is an import step of the BIA process.
B: To determine the dependencies, not the priorities, between the business processes is an import step of the BIA process.
D: To determine the service levels, not the priorities, between the business processes is an import step of the BIA process.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 905


質問 # 853
A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach should be followed to determine and maintain ownership information to bring the company into compliance?

  • A. Asset ownership database using domain login records
  • B. A script to report active user logins on assets
  • C. Enterprise asset management framework
  • D. Asset baseline using commercial off the shelf software

正解:C

解説:
According to the CISSP CBK Official Study Guide1, the approach that should be followed to determine and maintain ownership information to bring the company into compliance is the enterprise asset management framework. An enterprise asset management framework is a set of principles, processes, and practices that are used or applied to manage or control the assets or the resources that are deployed or utilized in the enterprise or the organization, such as the hardware, software, data, or information of the enterprise or the organization.
An enterprise asset management framework helps to ensure the security or the integrity of the enterprise or the organization, as well as the assets or the resources that are deployed or utilized in the enterprise or the organization, by enforcing or implementing the policies, procedures, or standards that govern or regulate the identification, classification, ownership, valuation, allocation, utilization, maintenance, protection, or disposal of the assets or the resources of the enterprise or the organization. An enterprise asset management framework also helps to ensure the compliance or the conformity of the enterprise or the organization, as well as the assets or the resources that are deployed or utilized in the enterprise or the organization, by adhering or conforming to the laws, regulations, or requirements that apply or relate to the assets or the resources of the enterprise or the organization, such as the legal, contractual, or ethical obligations or responsibilities of the enterprise or the organization. Following an enterprise asset management framework helps to determine and maintain ownership information to bring the company into compliance, as it provides or supports a systematic or a structured approach or method to identify or assign the owners or the custodians of the assets or the resources of the enterprise or the organization, as well as to document or record the ownership information or the details of the assets or the resources of the enterprise or the organization, such as the name, description, location, status, or value of the assets or the resources of the enterprise or the organization. Determining and maintaining ownership information helps to bring the company into compliance, as it ensures or verifies the accountability or the responsibility of the owners or the custodians of the assets or the resources of the enterprise or the organization, as well as the accuracy, completeness, or consistency of the ownership information or the details of the assets or the resources of the enterprise or the organization, which may help to avoid or prevent the disputes, conflicts, or issues that may arise or occur regarding the assets or the resources of the enterprise or the organization, such as the theft, loss, misuse, or abuse of the assets or the resources of the enterprise or the organization. Asset baseline using commercial off the shelf software is not the approach that should be followed to determine and maintain ownership information to bring the company into compliance, although it may be a benefit or a consequence of following an enterprise asset management framework. An asset baseline is a reference or a standard that is used or applied to measure or compare the performance or the quality of the assets or the resources of the enterprise or the organization, by using or applying the appropriate metrics or indicators, such as the availability, reliability, or efficiency of the assets or the resources of the enterprise or the organization. Commercial off the shelf software is a type of software that is readily available or accessible in the market or the industry, which can be purchased or acquired by the enterprise or the organization, without requiring or involving any customization or modification of the software, such as the operating systems, applications, or utilities of the software. Using commercial off the shelf software helps to create or establish an asset baseline, as it provides or supports a common or a consistent platform or tool to collect or analyze the data or the information that are related or relevant to the performance or the quality of the assets or the resources of the enterprise or the organization, such as the usage, configuration, or status of the assets or the resources of the enterprise or the organization. Creating or establishing an asset baseline helps to manage or control the assets or the resources of the enterprise or the organization, as it enables or facilitates the monitoring, evaluation, or improvement of the performance or the quality of the assets or the resources of the enterprise or the organization, by using or applying the appropriate methods or mechanisms, such as the reporting, auditing, or optimization of the assets or the resources of the enterprise or the organization. However, using commercial off the shelf software to create or establish an asset baseline is not the approach that should be followed to determine and maintain ownership information to bring the company into compliance, as it does not address or target the identification, documentation, or verification of the owners or the custodians of the assets or the resources of the enterprise or the organization, which are the essential or the fundamental components or elements of the ownership information or the details of the assets or the resources of the enterprise or the organization. Asset ownership database using domain login records is not the approach that should be followed to determine and maintain ownership information to bring the company into compliance, although it may be a benefit or a consequence of following an enterprise asset management framework. An asset ownership database is a repository or a storage that is used or applied to store or maintain the ownership information or the details of the assets or the resources of the enterprise or the organization, such as the name, description, location, status, or value of the assets or the resources of the enterprise or the organization. A domain login record is a record or a log that is used or applied to record or document the login or the access of the users or the employees to the domain or the network of the enterprise or the organization, such as the username, password, date, time, or duration of the login or the access of the users or the employees to the domain or the network of the enterprise or the organization. Using domain login records helps to create or establish an asset ownership database, as it provides or supports a source or a basis to identify or assign the owners or the custodians of the assets or the resources of the enterprise or the organization, as well as to document or record the ownership information or the details of the assets or the resources of the enterprise or the organization, based on the login or the access of the users or the employees to the domain or the network of the enterprise or the organization, which may indicate or reflect the usage, configuration, or status of the assets or the resources of the enterprise or the organization. However, using domain login records to create or establish an asset ownership database is not the approach that should be followed to determine and maintain ownership information to bring the company into compliance, as it does not provide or support a comprehensive or a complete approach or method to identify or assign the owners or the custodians of the assets or the resources of the enterprise or the organization, as well as to document or record the ownership information or the details of the assets or the resources of the enterprise or the organization, as it may not cover or include all the assets or the resources of the enterprise or the organization, or all the users or the employees of the enterprise or the organization, which may lead to the gaps, errors, or inconsistencies in the ownership information or the details of the assets or the resources of the enterprise or the organization. A script to report active user logins on assets is not the approach that should be followed to determine and maintain ownership information to bring the company into compliance, although it may be a benefit or a consequence of following an enterprise asset management framework. A script is a program or a code that is used or applied to perform or execute a specific or a particular function or task in the system or the network, by using or applying the appropriate commands or instructions, such as the batch, shell, or PowerShell commands or instructions of the system or the network. Reporting active user logins on assets is the process of generating or producing a report or a document that shows or displays the active or the current user logins or accesses to the assets or the resources of the enterprise or the organization, such as the username, password, date, time, or duration of the user logins or accesses to the assets or the resources of the enterprise or the organization. Using a script helps to report active user logins on assets, as it provides or supports a fast or an efficient way or method to collect or analyze the data or the information that are related or relevant to the active or the current user logins or accesses to the assets or the resources of the enterprise or the organization, by using or applying the appropriate commands or instructions, such as the batch, shell, or PowerShell commands or instructions of the system or the network. Reporting active user logins on assets helps to manage or control the assets or the resources of the enterprise or the organization, as it enables or facilitates the monitoring, evaluation, or improvement of the usage, configuration, or status of the assets or the resources of the enterprise or the organization, by using or applying the appropriate methods or mechanisms, such as the reporting, auditing, or optimization of the assets or the resources of the enterprise or the organization. However, using a script to report active user logins on assets is not the approach that should be followed to determine and maintain ownership information to bring the company into compliance, as it does not address or target the identification, documentation, or verification of the owners or the custodians of the assets or the resources of the enterprise or the organization, which are the essential or the fundamental components or elements of the ownership information or the details of the assets or the resources of the enterprise or the organization.


質問 # 854
Which of the following is an initial consideration when developing an information security management system?

  • A. Identify the contractual security obligations that apply to the organizations
  • B. Identify the level of residual risk that is tolerable to management
  • C. Identify relevant legislative and regulatory compliance requirements
  • D. Understand the value of the information assets

正解:D

解説:
When developing an information security management system (ISMS), an initial consideration is to understand the value of the information assets that the organization owns or processes. An information asset is any data, information, or knowledge that has value to the organization and supports its mission, objectives, and operations. Understanding the value of the information assets helps to determine the appropriate level of protection and investment for them, as well as the potential impact and consequences of losing, compromising, or disclosing them. Understanding the value of the information assets also helps to identify the stakeholders, owners, and custodians of the information assets, and their roles and responsibilities in the ISMS.
The other options are not initial considerations, but rather subsequent or concurrent considerations when developing an ISMS. Identifying the contractual security obligations that apply to the organizations is a consideration that depends on the nature, scope, and context of the information assets, as well as the relationships and agreements with the external parties. Identifying the level of residual risk that is tolerable to management is a consideration that depends on the risk appetite and tolerance of the organization, as well as the risk assessment and analysis of the information assets. Identifying relevant legislative and regulatory compliance requirements is a consideration that depends on the legal and ethical obligations and expectations of the organization, as well as the jurisdiction and industry of the information assets.


質問 # 855
......

認証トレーニングCISSP試験問題集テストエンジン:https://www.goshiken.com/ISC/CISSP-mondaishu.html

ISC Certification CISSPリアル試験問題と解答無料最新になります:https://drive.google.com/open?id=1SLbMWuMvI42SPtVrphn7OJc-Oqprxq2a