• ホーム
  • ブログ
  • GoShikenからの試験合格準備の必需品CSSLP試験トレーニング問題 [Q18-Q33]

GoShikenからの試験合格準備の必需品CSSLP試験トレーニング問題 [Q18-Q33]

Share

GoShikenからの試験合格準備の必需品CSSLP試験トレーニング問題

有効なパス率はISC CertificationのCSSLP試験問題

質問 # 18
Which of the following security design patterns provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's data?

  • A. Secure assertion
  • B. Password propagation
  • C. Authenticated session
  • D. Account lockout

正解:B

解説:
Explanation/Reference:
Explanation: Password propagation provides an alternative by requiring that a user's authentication credentials be verified by the database before providing access to that user's data. Answer: D is incorrect.
Account lockout implements a limit on the incorrect password attempts to protect an account from automated password-guessing attacks. Answer: B is incorrect. Authenticated session allows a user to access more than one access-restricted Web page without re-authenticating every page. It also integrates user authentication into the basic session model. Answer: A is incorrect. Secure assertion distributes application-specific sanity checks throughout the system.


質問 # 19
Which of the following are the phases of the Certification and Accreditation (C&A) process? Each correct answer represents a complete solution. Choose two.

  • A. Detection
  • B. Continuous Monitoring
  • C. Auditing
  • D. Initiation

正解:B、D

解説:
Explanation/Reference:
Explanation: The Certification and Accreditation (C&A) process consists of four distinct phases: 1.Initiation
2.Security Certification 3.Security Accreditation 4.Continuous Monitoring The C&A activities can be applied to an information system at appropriate phases in the system development life cycle by selectively tailoring the various tasks and subtasks. AnswerB and C are incorrect. Auditing and detection are not phases of the Certification and Accreditation process.


質問 # 20
Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the information assurance and the security posture of a system or site?

  • A. DITSCAP
  • B. NIACAP
  • C. ASSET
  • D. NSA-IAM

正解:B

解説:
NIACAP is a process, which provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that maintain the information assurance and the security posture of a system or site. Answer D is incorrect. DITSCAP is a process, which establishes a standard process, a set of activities, general task descriptions, and a management structure to certify and accredit the IT systems that will maintain the required security posture. Answer A is incorrect. The NSA-IAM evaluates information systems at a high level and uses a subset of the SSE-CMM process areas to measure the implementation of information security on these systems. Answer C is incorrect. ASSET is a tool developed by NIST to automate the process of self-assessment through the use of the questionnaire in NIST.


質問 # 21
What project management plan is most likely to direct the quantitative risk analysis process for a project in a matrix environment?

  • A. Human resource management plan
  • B. Risk analysis plan
  • C. Staffing management plan
  • D. Risk management plan

正解:D

解説:
Explanation/Reference:
Explanation: The risk management plan defines how risks will be identified, analyzed, responded to, and then monitored and controlled regardless of the structure of the organization. AnswerD is incorrect. The human resources management plan does define how risks will be analyzed. Answer: B is incorrect. The staffing management plan does define how risks will be analyzed. Answer: A is incorrect. The risk analysis plan does define how risks will be analyzed.


質問 # 22
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. What are the different types of policies? Each correct answer represents a complete solution. Choose all that apply.

  • A. Advisory
  • B. Systematic
  • C. Informative
  • D. Regulatory

正解:A、C、D

解説:
Following are the different types of policies: Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations. This policy type is very detailed and specific to a type of industry. This is used in financial institutions, health care facilities, public utilities, and other government-regulated industries, e.g., TRAI. Advisory: This type of policy strongly advises employees regarding which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, handle financial transactions, or process confidential information. Informative: This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one to teach individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company's goals and mission, and a general reporting structure in different situations. Answer B is incorrect. No such type of policy exists.


質問 # 23
Maria has been recently appointed as a Network Administrator in Gentech Inc. She has been tasked to perform network security testing to find out the vulnerabilities and shortcomings of the present network infrastructure. Which of the following testing approaches will she apply to accomplish this task?

  • A. Black-box testing
  • B. Unit testing
  • C. White-box testing
  • D. Gray-box testing

正解:A

解説:
Maria is new for this organization and she does not have any idea regarding the present infrastructure. Therefore, black box testing is best suited for her. Blackbox testing is a technique in which the testing team has no knowledge about the infrastructure of the organization. The testers must first determine the location and extent of the systems before commencing their analysis. This testing technique is costly and time consuming. Answer B is incorrect. White box testing, also known as Clear box or Glass box testing, takes into account the internal mechanism of a system or application. The connotations of "Clear box" and "Glass box" indicate that a tester has full visibility of the internal workings of the system. It uses knowledge of the internal structure of an application. It is applicable at the unit, integration, and system levels of the software testing process. It consists of the following testing methods: Control flow-based testing Create a graph from source code. Describe the flow of control through the control flow graph. Design test cases to cover certain elements of the graph. Data flow-based testing Test connections between variable definitions. Check variation of the control flow graph. Set DEF (n) contains variables that are defined at node n. Set USE (n) are variables that are read. Answer A is incorrect. Graybox testing is a combination of whitebox testing and blackbox testing. In graybox testing, the test engineer is equipped with the knowledge of system and designs test cases or test data based on system knowledge. The security tester typically performs graybox testing to find vulnerabilities in software and network system. Answer D is incorrect. Unit testing is a type of testing in which each independent unit of an application is tested separately. During unit testing, a developer takes the smallest unit of an application, isolates it from the rest of the application code, and tests it to determine whether it works as expected. Unit testing is performed before integrating these independent units into modules. The most common approach to unit testing requires drivers and stubs to be written. Drivers and stubs are programs. A driver simulates a calling unit, and a stub simulates a called unit.


質問 # 24
In which of the following alternative processing sites is the backup facility maintained in a constant order, with a full complement of servers, workstations, and communication links ready to assume the primary operations responsibility?

  • A. Mobile Site
  • B. Explanation:
    A hot site is a duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data. It provides the backup facility, which is maintained in a constant order, with a full complement of servers, workstations, and communication links ready to assume the primary operations responsibility. A hot site is a backup site in case disaster has taken place in a data center. A hot site is located off site and provides the best protection. It is an exact replica of the current data center. In case a disaster struck to the data center, administrators just need to take the backup of recent data in hot site and the data center is back online in a very short time. It is very expensive to create and maintain the hot site. There are lots of third party companies that provide disaster recovery solutions by maintaining hot sites at their end.
  • C. Cold Site
  • D. Warm Site
  • E. Hot Site

正解:E

解説:
is incorrect. A cold site is a backup site in case disaster has taken place in a data center. This is the least expensive disaster recovery solution, usually having only a single room with no equipment. All equipment is brought to the site after the disaster. It can be on site or off site. Answer D is incorrect. Mobile sites are self-reliant, portable shells custom-fitted with definite telecommunications and IT equipment essential to meet system requirements. These are presented for lease through commercial vendors. Answer C is incorrect. A warm site is, quite logically, a compromise between hot and cold sites. Warm sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. These sites will have backups on hand, but they may not be complete and may be between several days and a week old. An example would be backup tapes sent to the warm site by courier.


質問 # 25
Which of the following processes provides a standard set of activities, general tasks, and a management structure to certify and accredit systems, which maintain the information assurance and the security posture of a system or site?

  • A. DITSCAP
  • B. NIACAP
  • C. ASSET
  • D. NSA-IAM

正解:B

解説:
Explanation/Reference:
Explanation: NIACAP is a process, which provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that maintain the information assurance and the security posture of a system or site. AnswerD is incorrect. DITSCAP is a process, which establishes a standard process, a set of activities, general task descriptions, and a management structure to certify and accredit the IT systems that will maintain the required security posture. Answer: A is incorrect. The NSA- IAM evaluates information systems at a high level and uses a subset of the SSE-CMM process areas to measure the implementation of information security on these systems. Answer: C is incorrect. ASSET is a tool developed by NIST to automate the process of self-assessment through the use of the questionnaire in NIST.


質問 # 26
Which of the following security controls works as the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy?

  • A. Trusted computing base (TCB)
  • B. Common data security architecture (CDSA)
  • C. Internet Protocol Security (IPSec)
  • D. Application program interface (API)

正解:A

解説:
Explanation/Reference:
Explanation: Trusted computing base (TCB) refers to hardware, software, controls, and processes that cause a computer system or network to be devoid of malicious software or hardware. Maintaining the trusted computing base (TCB) is essential for security policy to be implemented successfully. AnswerD is incorrect. Internet Protocol Security (IPSec) is a standard-based protocol that provides the highest level of VPN security. IPSec can encrypt virtually everything above the networking layer. It is used for VPN connections that use the L2TP protocol. It secures both data and password. IPSec cannot be used with Point-to-Point Tunneling Protocol (PPTP). Answer: A is incorrect. The Common data security architecture (CDSA) is a set of layered security services and cryptographic framework. It deals with the communications and data security problems in the emerging Internet and intranet application space. It presents an infrastructure for building cross-platform, interoperable, security-enabled applications for client-server environments. Answer: B is incorrect. An application programming interface (API) is an interface implemented by a software program which enables it to interact with other software. It facilitates interaction between different software programs similar to the way the user interface facilitates interaction between humans and computers. An API is implemented by applications, libraries, and operating systems to determine their vocabularies and calling conventions, and is used to access their services. It may include specifications for routines, data structures, object classes, and protocols used to communicate between the consumer and the implementer of the API.


質問 # 27
You work as a Network Administrator for uCertify Inc. You need to secure web services of your company in order to have secure transactions. Which of the following will you recommend for providing security?

  • A. S/MIME
  • B. VPN
  • C. HTTP
  • D. SSL

正解:D

解説:
Explanation/Reference:
Explanation: The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. URLs that require an SSL connection start with https: instead of http:. AnswerC is incorrect. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e- mail encapsulated in MIME. S/MIME provides the following cryptographic security services for electronic messaging applications:
authentication, message integrity, non-repudiation of origin (using digital signatures), privacy, and data security (using encryption). AnswerD is incorrect. Hypertext Transfer Protocol (HTTP) is a client/server TCP/IP protocol used on the World Wide Web (WWW) to display Hypertext Markup Language (HTML) pages. HTTP defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when a client application or browser sends a request to the server using HTTP commands, the server responds with a message containing the protocol version, success or failure code, server information, and body content, depending on the request.
HTTP uses TCP port 80 as the default port. AnswerB is incorrect. A Virtual Private Network (VPN) is a computer network that is implemented in an additional software layer (overlay) on top of an existing larger network for the purpose of creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the Internet. The links between nodes of a Virtual Private Network are formed over logical connections or virtual circuits between hosts of the larger network. The Link Layer protocols of the virtual network are said to be tunneled through the underlying transport network.


質問 # 28
Which of the following sections come under the ISO/IEC 27002 standard?

  • A. Financial assessment
  • B. Risk assessment
  • C. Security policy
  • D. Asset management

正解:B、C、D

解説:
Explanation/Reference:
Explanation: ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC) as ISO/IEC
17799:2005. This standard contains the following twelve main sections: 1.Risk assessment: It refers to assessment of risk. 2.Security policy: It deals with the security management. 3.Organization of information security: It deals with governance of information security. 4.Asset management: It refers to inventory and classification of information assets. 5.Human resources security: It deals with security aspects for employees joining, moving and leaving an organization. 6.Physical and environmental security: It is related to protection of the computer facilities. 7.Communications and operations management: It is the management of technical security controls in systems and networks. 8.Access control: It deals with the restriction of access rights to networks, systems, applications, functions and data. 9.Information systems acquisition, development and maintenance: It refers to build security into applications. 10.Information security incident management: It refers to anticipate and respond appropriately to information security breaches. 11.Business continuity management: It deals with protecting, maintaining and recovering business-critical processes and systems.
12.Compliance: It is used for ensuring conformance with information security policies, standards, laws and regulations. AnswerC is incorrect. Financial assessment does not come under the ISO/IEC 27002 standard.


質問 # 29
The rights of an author or a corporation to make profit from the creation of their products (such as software, music, etc.) are protected by the Intellectual Property law. Which of the following are the components of the Intellectual Property law? Each correct answer represents a part of the solution. Choose two.

  • A. Industrial Property law
  • B. Trademark law
  • C. Patent law
  • D. Copyright law

正解:A、D

解説:
Explanation/Reference:
Explanation: The Industrial Property law and the Copyright law are the components of the Intellectual Property law.


質問 # 30
You work as the Senior Project manager in Dotcoiss Inc. Your company has started a software project using configuration management and has completed 70% of it. You need to ensure that the network infrastructure devices and networking standards used in this project are installed in accordance with the requirements of its detailed project design documentation. Which of the following procedures will you employ to accomplish the task?

  • A. Configuration identification
  • B. Functional configuration audit
  • C. Physical configuration audit
  • D. Configuration control

正解:C

解説:
Explanation/Reference:
Explanation: Physical Configuration Audit (PCA) is one of the practices used in Software Configuration Management for Software Configuration Auditing. The purpose of the software PCA is to ensure that the design and reference documentation is consistent with the as-built software product. PCA checks and matches the really implemented layout with the documented layout. AnswerC is incorrect. Functional Configuration Audit or FCA is one of the practices used in Software Configuration Management for Software Configuration Auditing. FCA occurs either at delivery or at the moment of effecting the change. A Functional Configuration Audit ensures that functional and performance attributes of a configuration item are achieved. Answer B is incorrect. Configuration control is a procedure of the Configuration management. Configuration control is a set of processes and approval stages required to change a configuration item's attributes and to re-baseline them. It supports the change of the functional and physical attributes of software at various points in time, and performs systematic control of changes to the identified attributes. Answer: A is incorrect. Configuration identification is the process of identifying the attributes that define every aspect of a configuration item. A configuration item is a product (hardware and/ or software) that has an end-user purpose. These attributes are recorded in configuration documentation and baselined. Baselining an attribute forces formal configuration change control processes to be effected in the event that these attributes are changed.


質問 # 31
Which of the following ISO standards provides guidelines for accreditation of an organization that is concerned with certification and registration related to ISMS?

  • A. ISO 27003
  • B. ISO 27004
  • C. ISO 27005
  • D. ISO 27006

正解:D

解説:
ISO 27006 is an information security standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is entitled as "Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems". The ISO 27006 standard provides guidelines for accreditation of an organization which is concerned with certification and registration related to ISMS. The ISO 27006 standard contains the following elements: Scope Normative references Terms and definitions Principles General requirements Structural requirements Resource requirements Information requirements Process requirements Management system requirements for certification bodies Information security risk communication Information security risk monitoring and review Annex A.
Defining the scope of process Annex B.
Asset valuation and impact assessment Annex C.
Examples of typical threats Annex D.
Vulnerabilities and vulnerability assessment methods Annex E.
Information security risk assessment (ISRA) approaches Answer C is incorrect.
The ISO 27003 standard provides guidelines for implementing an ISMS (Information Security Management System).
Answer D is incorrect. The ISO 27004 standard provides guidelines on specifications and use of measurement techniques for the assessment of the effectiveness of an implemented information security management system and controls. Answer B is incorrect. The ISO 27005 standard provides guidelines for information security risk management.


質問 # 32
You work as a Security Manager for Tech Perfect Inc. You want to save all the data from the SQL injection attack, which can read sensitive data from the database and modify database data using some commands, such as Insert, Update, and Delete. Which of the following tasks will you perform? Each correct answer represents a complete solution. Choose three.

  • A. Create parameterized queries by using bound and typed parameters.
  • B. Use an encapsulated library for accessing databases.
  • C. Apply maximum number of database permissions.
  • D. Create parameterized stored procedures.

正解:A、B、D

解説:
The methods of mitigating SQL injection attacks are as follows: 1.Create parameterized queries by using bound and typed parameters. 2.Create parameterized stored procedures. 3.Use a encapsulated library in order to access databases. 4.Minimize database permissions. Answer A is incorrect. In order to save all the data from the SQL injection attack, you should minimize database permissions.


質問 # 33
......


ISC CSSLP 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • セキュリティドキュメントの定義と開発
  • プライバシー要件の特定と分析
トピック 2
  • テスト結果のセキュリティへの影響を分析する
  • データ分類要件を特定して分析する
トピック 3
  • 安全なアーキテクチャと設計の原則、パターン、およびツール
  • モデル(非機能)のセキュリティプロパティと制約を使用する
トピック 4
  • ソフトウェア開発方法論内のセキュリティの管理
  • ソフトウェアセキュリティ要件の定義
トピック 5
  • ビルドプロセス中にセキュリティを適用する
  • 安全な運用アーキテクチャを定義する
トピック 6
  • 関連する安全なコーディング慣行を順守する
  • 文書化されていない機能を特定する
トピック 7
  • 検証および妥当性確認テストの実行
  • アーキテクチャリスク評価の実行

 

全問CSSLP問題集とCertified Secure Software Lifecycle Professional Practice Testトレーニングコース:https://www.goshiken.com/ISC/CSSLP-mondaishu.html

無料テストエンジンCertified Secure Software Lifecycle Professional Practice Test認定試験:https://drive.google.com/open?id=1ObSmKtrGa1I0u2u8N37Sw7GoI-6wV6Y4

関するブログ

もっと
CSSLP無料問題集