ISC Certification CISSP 最新問題集 2025年03月22日 に更新されました [Q500-Q519]

Share

ISC Certification CISSP最新問題集で2025年03月22日

2025年最新の問題をマスター!ISC Certification合格目指そう!CISSPリアル試験問題集!

質問 # 500
Which of the following floors would be most appropriate to locate information processing facilities in a 6-stories building?

  • A. Third floor
  • B. Sixth floor
  • C. Ground floor
  • D. Basement

正解:A

解説:
You data center should be located in the middle of the facility or the core of a building to provide protection from natural disasters or bombs and provide easier access to emergency crewmembers if necessary. By being at the core of the facility the external wall would act as a secondary layer of protection as well.
Information processing facilities should not be located on the top floors of buildings in case of a fire or flooding coming from the roof. Many crimes and theft have also been conducted by simply cutting a large hole on the roof.
They should not be in the basement because of flooding where water has a natural tendancy to flow down :-) Even a little amount of water would affect your operation considering the quantity of electrical cabling sitting directly on the cement floor under under your raise floor.
The data center should not be located on the first floor due to the presence of the main entrance where people are coming in and out. You have a lot of high traffic areas such as the elevators, the loading docks, cafeteria, coffee shopt, etc.. Really a bad location for a data center.
So it was easy to come up with the answer by using the process of elimination where the top, the bottom, and the basement are all bad choices. That left you with only one possible answer which is the third floor.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 5th Edition, Page 425.


質問 # 501
Which of the following are Systems Engineering Life Cycle (SELC) Technical Processes?

  • A. Acquisition, Measurement, Configuration Management, Production, Operation, Support
  • B. Stakeholder Requirements Definition, Architectural Design, Implementation, Verification,
    Operation
  • C. Concept, Requirements, Design, Implementation, Production, Maintenance, Support,
    Disposal
  • D. Concept, Development, Production, Utilization, Support, Retirement

正解:B


質問 # 502
In the following choices there is one that is a typical biometric characteristics that is not used to uniquely authenticate an individual's identity?

  • A. Skin scans
  • B. Palm scans
  • C. Iris scans
  • D. Retina scans

正解:A

解説:
Answer A, B and C can be used to uniquely identify a person, but in the case of the Skin, there are no unique characteristics that can differentiate two distinct individuals in an acceptable accurate way. In the case of the IRIS and the
Retina, there are not two of them equal. In the case of the palm, every person has different marks on it. The skin is common to all and does not have specific textures or marks to make it unique in comparison to another individual.


質問 # 503
Under MAC, a file is a(n):

  • A. Subject
  • B. Sensitivity
  • C. Privilege
  • D. Object

正解:D

解説:
It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.


質問 # 504
Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?

  • A. Hashing the data after encryption
  • B. Compressing the data after encryption
  • C. Hashing the data before encryption
  • D. Compressing the data before encryption

正解:D

解説:
Compressing the data before encryption is a technique that can be used to make an encryption scheme more resistant to a known plaintext attack. A known plaintext attack is a type of cryptanalysis where the attacker has access to some pairs of plaintext and ciphertext encrypted with the same key, and tries to recover the key or decrypt other ciphertexts. A known plaintext attack can exploit the statistical properties or patterns of the plaintext or the ciphertext to reduce the search space or guess the key. Compressing the data before encryption can reduce the redundancy and increase the entropy of the plaintext, making it harder for the attacker to find any correlations or similarities between the plaintext and the ciphertext. Compressing the data before encryption can also reduce the size of the plaintext, making it more difficult for the attacker to obtain enough plaintext-ciphertext pairs for a successful attack.
The other options are not techniques that can be used to make an encryption scheme more resistant to a known plaintext attack, but rather techniques that can introduce other security issues or inefficiencies. Hashing the data before encryption is not a useful technique, as hashing is a one-way function that cannot be reversed, and the encrypted hash cannot be decrypted to recover the original data. Hashing the data after encryption is also not a useful technique, as hashing does not add any security to the encryption, and the hash can be easily computed by anyone who has access to the ciphertext. Compressing the data after encryption is not a recommended technique, as compression algorithms usually work better on uncompressed data, and compressing the ciphertext can introduce errors or vulnerabilities that can compromise the encryption.


質問 # 505
The ideal operating humidity range is defined as 40 percent to 60 percent. High humidity
(greater than 60 percent) can produce what type of problem on computer parts?

  • A. Energy-plating
  • B. Static electricity
  • C. Element-plating
  • D. Corrosion

正解:D

解説:
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide:
Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 333.


質問 # 506
Which of the following is needed for System Accountability?

  • A. Documented design as laid out in the Common Criteria.
  • B. Authorization.
  • C. Audit mechanisms.
  • D. Formal verification of system design.

正解:C

解説:
Is a means of being able to track user actions. Through the use of audit logs and
other tools the user actions are recorded and can be used at a later date to verify what actions
were performed.
Accountability is the ability to identify users and to be able to track user actions.
The following answers are incorrect:
Documented design as laid out in the Common Criteria. Is incorrect because the Common Criteria
is an international standard to evaluate trust and would not be a factor in System Accountability.
Authorization. Is incorrect because Authorization is granting access to subjects, just because you
have authorization does not hold the subject accountable for their actions.
Formal verification of system design. Is incorrect because all you have done is to verify the system
design and have not taken any steps toward system accountability.
References:
OIG CBK Glossary (page 778)


質問 # 507
Which choice below is NOT an accurate statement about the visibility of
IT security policy?

  • A. Include the IT security policy as a regular topic at staff meetings at all levels of the organization.
  • B. The IT security policy could be visible through panel discussions
    with guest speakers.
  • C. The IT security policy should be afforded high visibility.
  • D. The IT security policy should not be afforded high visibility.

正解:D

解説:
Especially high visibility should be afforded the formal issuance of
IT security policy. This is because nearly all employees at all levels
will in some way be affected, major organizational resources are
being addressed, and many new terms, procedures, and activities
will be introduced.
Including IT security as a regular topic at staff meetings at all levels of the organization can be helpful. Also, providing visibility through such avenues as management presentations, panel discussions,
guest speakers, question/answer forums, and newsletters can
be beneficial.


質問 # 508
Mandatory Access Controls (MAC) are based on:

  • A. security classification and security clearance
  • B. data labels and user access permissions
  • C. data segmentation and data classification
  • D. user roles and data encryption

正解:A

解説:
Mandatory Access Controls (MAC) are based on security classification and security clearance. MAC is a type of access control model that assigns permissions to subjects and objects based on their security labels, which indicate their level of sensitivity or trustworthiness. MAC is enforced by the system or the network, rather than by the owner or the creator of the object, and it cannot be modified or overridden by the subjects. MAC can provide some benefits for security, such as enhancing the confidentiality and the integrity of the data, preventing unauthorized access or disclosure, and supporting the audit and compliance activities. MAC is commonly used in military or government environments, where the data is classified according to its level of sensitivity, such as top secret, secret, confidential, or unclassified. The subjects are granted security clearance based on their level of trustworthiness, such as their background, their role, or their need to know. The subjects can only access the objects that have the same or lower security classification than their security clearance, and the objects can only be accessed by the subjects that have the same or higher security clearance than their security classification. This is based on the concept of no read up and no write down, which requires that a subject can only read data of lower or equal sensitivity level, and can only write data of higher or equal sensitivity level. Data segmentation and data classification, data labels and user access permissions, and user roles and data encryption are not the bases of MAC, although they may be related or useful concepts or techniques. Data segmentation and data classification are techniques that involve dividing and organizing the data into smaller and more manageable units, and assigning them different categories or levels based on their characteristics or requirements, such as their type, their value, their sensitivity, or their usage. Data segmentation and data classification can provide some benefits for security, such as enhancing the visibility and the control of the data, facilitating the implementation and the enforcement of the security policies and controls, and supporting the audit and compliance activities. However, data segmentation and data classification are not the bases of MAC, as they are not the same as security classification and security clearance, and they can be used with other access control models, such as discretionary access control (DAC) or role-based access control (RBAC). Data labels and user access permissions are concepts that involve attaching metadata or tags to the data and the users, and specifying the rules or the criteria for accessing the data and the users. Data labels and user access permissions can provide some benefits for security, such as enhancing the identification and the authentication of the data and the users, facilitating the implementation and the enforcement of the security policies and controls, and supporting the audit and compliance activities.
However, data labels and user access permissions are not the bases of MAC, as they are not the same as security classification and security clearance, and they can be used with other access control models, such as DAC or RBAC. User roles and data encryption are techniques that involve defining and assigning the functions or the responsibilities of the users, and transforming the data into an unreadable form that can only be accessed by authorized parties who possess the correct key. User roles and data encryption can provide some benefits for security, such as enhancing the authorization and the confidentiality of the data and the users, facilitating the implementation and the enforcement of the security policies and controls, and supporting the audit and compliance activities. However, user roles and data encryption are not the bases of MAC, as they are not the same as security classification and security clearance, and they can be used with other access control models, such as DAC or RBAC.


質問 # 509
Which of the following outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations?

  • A. The Economic Espionage Act of 1996.
  • B. The Computer Fraud and Abuse Act of 1986.
  • C. The Federal Sentencing Guidelines of 1991.
  • D. The Computer Security Act of 1987.

正解:C

解説:
Explanation/Reference:
Explanation:
Senior management could be responsible for monetary damages up to $10 million or twice the gain of the offender for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991.
Incorrect Answers:
A: The Computer Security Law of 1987 is not addressing senior management responsibility. The purpose is to improve the security and privacy of sensitive information in federal computer systems and to establish a minimum acceptable security practices for such systems.
C: The Economic Espionage Act of 1996 does not address senior management responsibility. Deals with a wide range of issues, including not only industrial espionage, but the insanity defense, the Boys & Girls Clubs of America, requirements for presentence investigation reports, and the United States Sentencing Commission reports regarding encryption or scrambling technology, and other technical and minor amendments.
D: Computer Fraud and Abuse Act of 1986 concerns acts where computers of the federal government or certain financial institutions are involved. It does not address senior management responsibility.
References:
Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 548


質問 # 510
Which of the following are the three MAIN categories of security controls?

  • A. Corrective, detective, recovery
  • B. Preventative, corrective, detective
  • C. Confidentiality, integrity, availability
  • D. Administrative, technical, physical

正解:D


質問 # 511
If your property Insurance has Replacement Cost Valuation (RCV) clause your damaged property will be compensated:

  • A. Based on new, comparable, or identical item for old regardless of condition of lost item
  • B. Based on the value of item on the date of loss
  • C. Based on the value listed on the Ebay auction web site
  • D. Based on value of item one month before the loss

正解:A

解説:
RCV is the maximum amount your insurance company will pay you for damage to
covered property before deducting for depreciation. The RCV payment is based on the current
cost to replace your property with new, identical or comparable property.
The other choices were detractor:
Application and definition of the insurance terms Replacement Cost Value (RCV), Actual Cash
Value (ACV) and depreciation can be confusing. It's important that you understand the terms to
help settle your claim fairly.
An easy way to understand RCV and ACV is to think in terms of "new" and "used."
Replacement cost is the item's current price, new. "What will it cost when I replace it?"
Actual cash is the item's used price, old. "How much money is it worth since I used it for five
years?"
Hold Back
Most policies only pay the Actual Cash Value upfront, and then they pay you the "held back"
depreciation after you incur the expense to repair or replace your personal property items.
NOTE: You must remember to send documentation to the insurance company proving you've
incurred the additional expense you will be reimbursed.
Actual Cash Value (ACV)
ACV is the amount your insurance company will pay you for damage to covered property after
deducting for depreciation. ACV is the replacement cost of a new item, minus depreciation. If
stated as a simple equation, ACV could be defined as follows: ACV=RCV-Depreciation
Unfortunately, ACV is not always as easy to agree upon as a simple math equation. The ACV can
also be calculated as the price a willing buyer would pay for your used item.
Depreciation
Depreciation (sometimes called "hold back") is defined as the "loss in value from all causes,
including age, and wear and tear." Although the definition seems to be clear, in our experience,
value" as a real-world application is clearly subjective and varies widely. We have seen the same
adjuster apply NO depreciation (100 percent value) on one claim and 40 percent depreciation
almost half value) on an almost identical claim.
This shows that the process of applying depreciation is subjective and clearly negotiable.
Excessive Depreciation
When the insurance company depreciates more than they should, it is called "Excessive
depreciation." Although not ethical, it is very common. Note any items that have excessive
depreciation and write a letter to your insurance company.
References:
http://carehelp.org/downloads/category/1-insurance-handouts.html?download=17%3Ahandout08-
rcv-and-acv
and
http://www.schirickinsurance.com/resources/value2005.pdf
and
TIPTON, Harold F. & KRAUSE, MICKI, information Security Management Handbook, 4th Edition,
Volume 1
Property Insurance overview, Page 587.


質問 # 512
Which of the following steps should be performed first in a business impact analysis (BIA)?

  • A. Identify all business units within the organization.
  • B. Estimate the Recovery Time Objectives (RTO).
  • C. Evaluate the criticality of business functions.
  • D. Evaluate the impact of disruptive events.

正解:A

解説:
Remember that when we talk about a BIA (Business Impact Analysis), we are analyzing and identifying possible issues about our infrastructure. It's an analysis about the business, the process that it relays on, the level of the systems and a estimative of the financial impact, or in other words, how much many we loose with our systems down. The first step on it should always be the identifying of the business units in the company. You can then go to other requirements like estimate losses and downtime costs.


質問 # 513
The computations involved in selecting keys and in enciphering data are complex, and are not practical for manual use. However, using mathematical properties of modular arithmetic and a method known as
"_________________," RSA is quite feasible for computer use.

  • A. computing in Galois fields
  • B. computing in Galbraith fields
  • C. computing in Gladden fields
  • D. computing in Gallipoli fields

正解:A

解説:
Explanation/Reference:
Explanation:
The computations involved in selecting keys and in enciphering data are complex, and are not practical for manual use. However, using mathematical properties of modular arithmetic and a method known as computing in Galois fields, RSA is quite feasible for computer use.
A Galois field is a finite field.
Incorrect Answers:
B: A finite field is not called a Gladden field. Gladden fields are not used in RSA.
C: A finite field is not called a Gallipoli field. Gallipoli fields are not used in RSA.
D: A finite field is not called a Galbraith field. Galbraith fields are not used in RSA.


質問 # 514
Trust relationships between organizations can BEST be maintained by confirming which of the following?

  • A. The Intrusion Detection System (IDS) is fully operational, and the systems have been certified and accredited as secure.
  • B. The systems have been certified and accredited as secure, and the availability of the information is maintained
  • C. Authentication standards are being adhered to and the confidentiality of information is protected by contract.
  • D. Access is only given through a Virtual Private Network (VPN), and the Intrusion Detection System (IDS) is fully operational.

正解:D


質問 # 515
What is the main objective of proper separation of duties?

  • A. To ensure access controls are in place.
  • B. To prevent employees from disclosing sensitive information.
  • C. To ensure that no single individual can compromise a system.
  • D. To ensure that audit trails are not tampered with.

正解:C

解説:
The primary objective of proper separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. A proper separation of duties does not prevent employees from disclosing information, nor does it ensure that access controls are in place or that audit trails are not tampered with. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 12: Operations Security (Page 808).


質問 # 516
What is the recommended height of perimeter fencing to keep out casual
trespassers?

  • A. 3 to 4 high
  • B. 1 to 2 high
  • C. 8 to 12 high
  • D. 6 to 7 high

正解:A

解説:
3 to 4 high fencing is considered minimal
protection, only for restricting casual trespassers. Answers "6 to 7 high" and "8 to 12 high" are better protection against intentional intruders.


質問 # 517
How does an organization verify that an information system's current hardware and software match the standard system configuration?

  • A. By reviewing the configuration after the system goes into production
  • B. By running vulnerability scanning tools on all devices in the environment
  • C. By comparing the actual configuration of the system against the baseline
  • D. By verifying all the approved security patches are implemented

正解:C


質問 # 518
What works as an E-mail message transfer agent?

  • A. S/MIME
  • B. SMTP
  • C. SNMP
  • D. S-RPC

正解:B


質問 # 519
......


CISSP認定を取得することは、情報セキュリティの専門家にとって重要なキャリアマイルストーンになる可能性があります。認定は世界的に認識されており、個人に新しいキャリアの機会を開くことができます。認定に加えて、CISSP保有者は、情報セキュリティに専念する専門家のコミュニティにもアクセスでき、この分野での知識と専門知識を促進するためにトレーニングとネットワーキングイベントに参加できます。


試験は、250の多肢選択問題から成り、候補者の8つのセキュリティドメインに関する知識とスキルをテストするように設計されています。これらのドメインには、セキュリティとリスク管理、資産セキュリティ、セキュリティエンジニアリング、通信およびネットワークセキュリティ、アイデンティティおよびアクセス管理、セキュリティ評価およびテスト、セキュリティ運用、およびソフトウェア開発セキュリティが含まれます。試験は挑戦的に設計されており、候補者は少なくとも8つのドメインのうち2つで5年以上の職業経験、または関連する学位で4年以上の経験を持つ必要があります。試験に合格するには、1000点中700点以上のスコアが必要であり、認定は3年間有効です。

 

完全版は2025年最新のCISSP試験問題集テストガイドはトレーニング専門Fast2test:https://jp.fast2test.com/CISSP-premium-file.html

合格準備CISSPにはFast2testが提供するあなたをCertified Information Systems Security Professional (CISSP)試験合格させます顕著練習問題:https://drive.google.com/open?id=14mqZ5Wcl0YAu4YSVdHqlsFDbF0S-XCnG


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어