CISSP試験問題集を試そう!ベストCISSP試験問題トレーニングを提供しています
実践サンプルと問題集指導には2025年最新のCISSP有効なテスト問題集
ISC CISSP 認定試験は、情報セキュリティ分野で最も難しい認定試験の一つと考えられています。試験は、情報セキュリティのさまざまなドメインにおける候補者の知識とスキルをテストするように設計されており、合格スコアは厳格な評価プロセスによって決定されます。試験は、6時間以内に完了しなければならない250の多肢選択問題で構成されています。試験はコンピュータベースであり、世界中のPearson VUEテストセンターで実施されています。
質問 # 542
Which of the following represents a relation, which is the basis of a relational database?
- A. One-dimensional table
- B. Two-dimensional table
- C. Four-dimensional table
- D. Three-dimensional table
正解:B
解説:
Explanation/Reference:
Explanation:
The relational database model is based on a series of interrelated two-dimensional tables that have columns representing the variables and rows that contain specific instances of data.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1171
質問 # 543
Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server?
- A. Reduction variables
- B. Bind variables
- C. Resolution variables
- D. Assimilation variables
正解:B
解説:
Bind variables are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 47.
質問 # 544
Operation security requires the implementation of physical security to control which of the following?
- A. contingency conditions
- B. evacuation procedures
- C. unauthorized personnel access
- D. incoming hardware
正解:C
質問 # 545
Which programming methodology allows a programmer to use pre-determined blocks of code end consequently reducing development time and programming costs?
- A. Object oriented
- B. Assembly language
- C. Blocked algorithm
- D. Application security
正解:A
質問 # 546
Data which is properly secured and can be described with terms like genuine or not corrupted from the original refers to data that has a high level of what?
- A. Non-Repudiation
- B. Availability
- C. Authorization
- D. Authenticity
正解:D
解説:
Authenticity refers to the characteristic of a communication, document or any data
that ensures the quality of being genuine or not corrupted from the original.
The following answers are incorrect:
Authorization is wrong because this refers to a users ability to access data based upon a set of
credentials.
Availability is wrong because this refers to systems which deliver data are accessible when and
where required by users.
Non-Repudiation is wrong because this is where a user cannot deny their actions on data they
processed. Classic example is a legal document you signed either manually with a pen or digitally
with a signing certificate. If it is signed then you cannot proclaim you did not send the document or
do a transaction.
The following reference(s) were/was used to create this question:
2011 EC-COUNCIL Official Curriculum, Ethical Hacking and Countermeasures, Volume 1, Module
1, Page. 11
質問 # 547
Which one of the following is an advantage of an effective release control strategy from a configuration control standpoint?
- A. Allows for future enhancements to existing features
- B. Ensures that there is no loss of functionality between releases
- C. Enforces backward compatibility between releases
- D. Ensures that a trace for all deliverables is maintained and auditable
正解:D
質問 # 548
An organization has determined that its previous waterfall approach to software development is not keeping pace with business demands. To adapt to the rapid changes required for product delivery, the organization has decided to move towards an Agile software development and release cycle. In order to ensure the success of the Agile methodology, who is MOST critical in creating acceptance tests or acceptance criteria for each release?
- A. Independent testers
- B. Software developers
- C. Project managers
- D. Business customers
正解:D
質問 # 549
Directive controls are a form of change management policy and procedures. Which of the following subsections are recommended as part of the change management process?
- A. Categorize Information System (IS)
- B. Build and test
- C. Implement security controls
- D. Select security controls
正解:B
解説:
Section: Mixed questions
Explanation/Reference: https://books.google.com.pk/books?id=9gCn86CmsNQC&pg=PA570&lpg=PA570&dq=CISSP
+Directive+controls+are+a+form+of+change+management+policy+and+procedures.+Which+of+the
+following+subsections+are+recommended+as+part+of+the+change+management
+process&source=bl&ots=riGvVpSS3E&sig=ACfU3U3dLYheW_GfTZcAYfN97fnDFlMmZg&hl=en&sa=X&v ed=2ahUKEwjukoqK96npAhULtRoKHZEpBmcQ6AEwAHoECBQQAQ#v=onepage&q=CISSP%20Directive
%20controls%20are%20a%20form%20of%20change%20management%20policy%20and%20procedures.
%20Which%20of%20the%20following%20subsections%20are%20recommended%20as%20part%20of%
20the%20change%20management%20process&f=false
質問 # 550
Which of the following is an essential element of a privileged identity lifecycle management?
- A. Account provisioning based on multi-factor authentication
- B. Frequently review performed activities and request justification
- C. Account information to be provided by supervisor or line manager
- D. Regularly perform account re-validation and approval
正解:D
解説:
A privileged identity lifecycle management is a process of managing the access rights and activities of users who have elevated permissions to access sensitive data or resources in an organization2. An essential element of a privileged identity lifecycle management is to regularly perform account re-validation and approval, which means verifying that the privileged users still need their access rights and have them approved by the appropriate authority. This can help prevent unauthorized or excessive access, reduce the risk of insider threats, and ensure compliance with policies and regulations. Account provisioning based on multi-factor authentication, frequently review performed activities and request justification, and account information to be provided by supervisor or line manager are also important aspects of a privileged identity lifecycle management, but they are not as essential as account re-validation and approval. References: 2: Official (ISC)2 CISSP CBK Reference, 5th Edition, Chapter 5, page 283.
質問 # 551
Which of the following is a Key Performance Indicator (KPI) for a security training and awareness program?
- A. The number of security controls implemented
- B. The number of attendees at security training events
- C. The number of security audits performed
- D. The number of security training materials created
正解:B
解説:
The Key Performance Indicator (KPI) for a security training and awareness program is the number of attendees at security training events. A KPI is a measurable value that indicates the progress and performance of a process, activity, or function, against a predefined goal or objective. A KPI can help to evaluate the effectiveness and efficiency of the process, activity, or function, as well as to identify and resolve any issues or gaps. A security training and awareness program is a program that educates and informs the employees, users, or stakeholders of an organization, system, or network, about the security policies, procedures, standards, and best practices, as well as the security threats, risks, and incidents, that affect the security of the organization, system, or network. A security training and awareness program can help to improve the security posture and culture of the organization, system, or network, by enhancing the security knowledge, skills, and behavior of the employees, users, or stakeholders. The number of attendees at security training events is a KPI for a security training and awareness program, as it measures the participation and engagement of the employees, users, or stakeholders in the security training and awareness program, as well as the coverage and reach of the security training and awareness program. The number of attendees at security training events can help to evaluate the effectiveness and efficiency of the security training and awareness program, by indicating the level of interest, awareness, and commitment of the employees, users, or stakeholders in the security of the organization, system, or network, as well as the quality, relevance, and attractiveness of the security training and awareness program. The number of security audits performed, the number of security training materials created, or the number of security controls implemented are not the KPIs for a security training and awareness program, as they are more related to the security assessment, development, or implementation processes, rather than the security education or information processes. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1: Security Governance Through Principles and Policies, page 38; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 1: Security and Risk Management, Question 1.10, page 64.
質問 # 552
Are employers required to submit enrollments by the standard transactions?
- A. Though Employers are not CEs and they have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards
- B. Employers are not CEs and do not have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards.
- C. Employers are CEs and do not have to send enrollment using HIPAA standard transactions. Further, the employer health plan IS also a CE and must be able to conduct applicable transactions using the HIPAA standards.
- D. Employers are CEs and have to send enrollment using HIPAA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPAA standards.
正解:B
質問 # 553
Which Web Services Security (WS-Security) specification handles the management of security tokens and the underlying policies for granting access? Click on the correct specification in the image below.
正解:
解説:
Explanation
WS-Authorization
Reference: Java Web Services: Up and Running" By Martin Kalin page 228
質問 # 554
Which of the following is the FIRST step for defining Service Level Requirements (SLR)?
- A. Discussing technology and solution requirements with the customer
- B. Creating a prototype to confirm or refine the customer requirements
- C. Capturing and documenting the requirements of the customer
- D. Drafting requirements for the service level agreement (SLA)
正解:C
質問 # 555
What is the MOST effective way to mitigate distributed denial of service (DDoS) attacks?
- A. Deploy a web application firewall (WAF).
- B. Detect and block bad Internet Protocol (IP) subnets on the corporate firewall.
- C. Block access to Transmission Control Protocol (TCP) ports under attack.
- D. Engage an upstream Internet service provider (ISP).
正解:D
質問 # 556
The security team has been tasked with performing an interface test against a frontend external facing application and needs to verify that all input fields protect against invalid input. Which of the following BEST assists this process?
- A. Instruction set simulation
- B. Application fuzzing
- C. Sanity testing
- D. Regression testing
正解:B
解説:
The technique that can be used to verify that all input fields protect against invalid input is application fuzzing.
Application fuzzing is a technique that involves the generation, injection, or submission of random, malformed, or unexpected data or input, to an application, system, or resource, to test or evaluate the behavior, response, or output, of the application, system, or resource, to the data or input, as well as to identify or detect any errors, bugs, or vulnerabilities, that may exist or occur in the application, system, or resource, due to the data or input. Application fuzzing can be used to verify that all input fields protect against invalid input, by providing various types or formats of data or input, such as strings, numbers, symbols, or commands, to the input fields of the application, system, or resource, and by observing or analyzing the results or effects of the data or input, such as crashes, exceptions, or anomalies, on the application, system, or resource. Application fuzzing can help to ensure the functionality, performance, or security of the application, system, or resource, by discovering, testing, or validating the input validation, sanitization, or filtering mechanisms or functions, that are implemented or applied to the application, system, or resource, to prevent, mitigate, or handle the invalid input. Instruction set simulation, regression testing, or sanity testing are not the techniques that can be used to verify that all input fields protect against invalid input, as they are either more related to the methods, techniques, or tools, that are used to emulate, verify, or check the functionality, performance, or compatibility of the application, system, or resource, rather than to test or evaluate the behavior, response, or output of the application, system, or resource, to the random, malformed, or unexpected data or input. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 8: Software Development Security, page 552; CISSP Official (ISC)2 Practice Tests, Third Edition, Domain 8: Software Development Security, Question 8.14, page
306.
質問 # 557
What is the maximum number of different keys that can be used when encrypting with Triple DES?
- A. 0
- B. 1
- C. 2
- D. 3
正解:C
解説:
Triple DES encrypts a message three times. This encryption can be accomplished in several ways. The most secure form of triple DES is when the three encryptions are performed with three different keys. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 152).
質問 # 558
Which item below is a federated identity standard?
- A. Security Assertion Markup Language (SAML)
- B. Kerberos
- C. 802.11i
- D. Lightweight Directory Access Protocol (LDAP)
正解:A
解説:
A federated identity standard is Security Assertion Markup Language (SAML). SAML is a standard that enables the exchange of authentication and authorization information between different parties, such as service providers and identity providers, using XML-based messages called assertions. SAML can facilitate the single sign-on (SSO) process, which allows a user to access multiple services or applications with a single login session, without having to provide their credentials multiple times. SAML can also support the federated identity management, which allows a user to use their identity or credentials from one domain or organization to access the services or applications from another domain or organization, without having to create or maintain separate accounts. 802.11i, Kerberos, and LDAP are not federated identity standards, as they are related to the wireless network security, the network authentication protocol, or the directory service protocol, not the exchange of authentication and authorization information between different parties. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 5, Identity and Access Management, page 692. Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 5, Identity and Access Management, page 708.
質問 # 559
Employers
- A. are covered entities
- B. are not covered entities
- C. are not legal entities
- D. are covered entities if they do not use encryption
正解:B
解説:
The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is An entity that is one or more of these types of entities is referred to as a "covered entity" in the Administrative Simplification regulations
Reference: https://www.cms.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp
質問 # 560
Which of the following would MOST likely ensure that a system development project meets business objectives?
- A. Development of a project plan identifying all development activities
- B. User involvement in system specification and acceptance
- C. Development and tests are run by different individuals
- D. Strict deadlines and budgets
正解:B
解説:
Effective user involvement is the most critical factor in ensuring that the application meets business objectives.
A great way of getting early input from the user community is by using Prototyping. The prototyping method was formally introduced in the early 1980s to combat the perceived weaknesses of the waterfall model with regard to the speed of development. The objective is to build a simplified version (prototype) of the application, release it for review, and use the feedback from the users' review to build a second, better version.
This is repeated until the users are satisfied with the product. t is a four-step process:
initial concept,
design and implement initial prototype,
refine prototype until acceptable, and
complete and release final version.
There is also the Modified Prototype Model (MPM. This is a form of prototyping that is ideal for Web application development. It allows for the basic functionality of a desired system or component to be formally deployed in a quick time frame. The maintenance phase is set to begin after the deployment. The goal is to have the process be flexible enough so the application is not based on the state of the organization at any given time. As the organization grows and the environment changes, the application evolves with it, rather than being frozen in time.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 12101-12108 and 12099-12101). Auerbach
Publications. Kindle Edition.
and
Information Systems Audit and Control Association, Certified Information Systems Auditor
2002 review manual, chapter 6: Business Application System Development, Acquisition,
Implementation and Maintenance (page 296).
質問 # 561
What is called the formal acceptance of the adequacy of a system's overall security by the management?
- A. Certification
- B. Evaluation
- C. Acceptance
- D. Accreditation
正解:D
解説:
Explanation/Reference:
Explanation:
Accreditation is the authorization by management to implement software or systems in a production environment. This authorization may be either provisional or full. The following are incorrect answers:
Certification is incorrect. Certification is the process of evaluating the security stance of the software or system against a selected set of standards or policies. Certification is the technical evaluation of a product.
This may precede accreditation but is not a required precursor. Acceptance is incorrect. This term is sometimes used as the recognition that a piece of software or system has met a set of functional or service level criteria (the new payroll system has passed its acceptance test). Certification is the better term in this context. Evaluation is incorrect. Evaluation is certainly a part of the certification process but it is not the best answer to the question.
References: The Official Study Guide to the CBK from ISC2, pages 559-560 AIO3, pp. 314 - 317 AIOv4 Security Architecture and Design (pages 369 - 372) AIOv5 Security Architecture and Design (pages 370 -
372)
質問 # 562
Which one of the following is generally NOT considered a covered
entity under Title II, Administrative Simplification, of the HIPAA law?
- A. Employers
- B. Health plans
- C. Health care providers who transmit health information
electronically in connection with standard transactions - D. Health care clearinghouses
正解:A
解説:
Employers are not specifically covered under HIPAa. HIPAA
applies to health care providers that transmit health care information
in electronic form, health care clearinghouses, and health plans. However, some employers may be covered under the Gramm-Leach-Bliley
Act. The Gramm-Leach-Bliley (GLB) Act was enacted on November 12,
1999, to remove Depression era restrictions on banks that limited certain business activities, mergers, and affiliations. It repeals the restrictions on banks affiliating with securities firms contained in sections 20 and 32 of the Glass-Steagall Act. GLB became effective on November
13, 2001. GLB also requires health plans and insurers to protect member and subscriber data in electronic and other formats. These health plans and insurers will fall under new state laws and regulations that
are being passed to implement GLB, since GLB explicitly assigns
enforcement of the health plan and insurer regulations to state insurance authorities (15 USc. b6805). Some of the privacy and security requirements of Gramm-Leach-Bliley are similar to those of HIPAA.
Most states required that health plans and insurers comply with the
GLB requirements by July 1, 2001, and financial institutions were
required to be in full compliance with Gramm-Leach-Bliley by this
date. The other answers are incorrect since they are covered by the
HIPAAregulations.
質問 # 563
......
最新100%合格率保証付きの素晴らしいCISSP試験問題PDF:https://www.goshiken.com/ISC/CISSP-mondaishu.html
CISSP有効な認定試験問題集解答学習ガイド:https://drive.google.com/open?id=1a6b9pJUnh26fnlUalgmjve04XbZyfX81