CISSP Japanese-Version Question Explanations & CISSP Exam Questions
Taking the ISC CISSP exam can be a big break for your career, but the available CISSP exam information is scattered and of uneven quality. Rather than sifting through the many question banks on offer, consider our It-Passports CISSP question bank. It gives you high-quality, complete material and a shortcut toward passing.
The ISC CISSP exam is not easy; its difficulty is very high. It is a multiple-choice exam, and the figures quoted in this material (250 questions answered within 6 hours) describe the older linear exam format. The current English-language exam uses computerized adaptive testing with fewer questions and a shorter time limit, so check the current ISC exam outline before scheduling. The exam measures a candidate's ability to apply knowledge in real-world settings and is highly regarded by professionals who want to advance a career in information security.
The ISC CISSP (Certified Information Systems Security Professional) certification is a highly respected, globally recognized credential in the information security field. It is designed to test candidates' knowledge and skills across the eight CISSP domains: Security and Risk Management, Asset Security, Security Architecture and Engineering, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security.
ISC CISSP Exam Questions & CISSP Coverage
ISC certifications have become more and more popular recently. As internationally recognized credentials, ISC exams are being taken by more people every year, and among them the CISSP is one of the most important. So how are you preparing for this exam? Are you studying every related topic blindly, or are you using an efficient CISSP study guide?
ISC Certified Information Systems Security Professional (CISSP) Certification CISSP Exam Questions (Q1618-Q1623):
Question # 1618
Which of the following types of physical security testing does an organization perform in order to focus on a specific area of interest or to save time?
- A. White Box
- B. Gray Box
- C. Black Box
- D. Crystal Box
Correct answer: B
Explanation:
Gray Box testing strikes a balance between White Box (full knowledge) and Black Box (zero knowledge) testing.
It focuses on specific areas by giving the testers limited information (for example, building layouts or the access control systems in use), which saves time while still simulating a partially informed attacker.
Example: a tester knows the location of the server rooms but must still bypass guards and alarms to reach them.
"Crystal Box" is simply another name for White Box (full-knowledge) testing, so it is not a distinct option here.
Question # 1619
What is called the probability that a threat to an information system will materialize?
- A. Risk
- B. Vulnerability
- C. Threat
- D. Hole
Correct answer: A
Explanation:
Risk is the likelihood that a given threat will materialize, that is, that a threat agent will exploit a vulnerability and cause loss. A vulnerability is the weakness itself, a threat is the potential event or agent that could exploit it, and "hole" is a distractor.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 16, 32.
Question # 1620
Which of the following is an example of least privilege?
- A. An operator does not know more about the system than the minimum required to do the job.
- B. An operator does not have more system rights than the minimum required to do the job.
- C. An operator cannot generate and verify transactions alone.
- D. The operators' duties are frequently rotated.
Correct answer: B
Explanation:
Least privilege embodies the concept that users or operators should be granted the lowest level of system access or system rights that still allows them to perform their job.
* "An operator does not know more about the system than the minimum required to do the job" describes need-to-know.
* "The operators' duties are frequently rotated" describes job rotation.
* "An operator cannot generate and verify transactions alone" describes separation of duties.
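The distinction between least privilege and separation of duties is easier to see in an authorization check. The following is an added example written for this page, not code from the exam question or the books it cites; the roles, rights, user names and transaction IDs are hypothetical. Least privilege is encoded as a minimal rights set per role, separation of duties as a maker/checker rule under which the creator of a transaction can never verify it (even if they also hold a verifier role), and a small review helper reports rights that were granted to a role but never exercised, which is how over-privileged roles are found in practice.

```python
# Added example (not from the exam question or its cited sources): a small
# authorization routine that makes least privilege and separation of duties
# concrete. Roles, rights, user names and transaction IDs are hypothetical.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Least privilege: each role carries exactly the rights its job needs.
# An operator can create transactions but cannot verify them.
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "operator": {"transaction:create"},
    "verifier": {"transaction:verify"},
    "auditor": {"transaction:read"},
}


class AuthzError(PermissionError):
    """Raised when a request violates least privilege or separation of duties."""


@dataclass
class Transaction:
    tx_id: str
    amount: int
    created_by: str
    verified_by: Optional[str] = None


def has_right(role: str, right: str) -> bool:
    """Least-privilege check: the right must be in the role's minimal set."""
    return right in ROLE_RIGHTS.get(role, set())


def create_transaction(user: str, role: str, tx_id: str, amount: int) -> Transaction:
    """Only a role holding transaction:create may generate a transaction."""
    if not has_right(role, "transaction:create"):
        raise AuthzError(f"{user} ({role}) lacks transaction:create")
    return Transaction(tx_id=tx_id, amount=amount, created_by=user)


def verify_transaction(user: str, role: str, tx: Transaction) -> Transaction:
    """Verify a transaction under least privilege and separation of duties."""
    # Least privilege: only a role holding the verify right may verify.
    if not has_right(role, "transaction:verify"):
        raise AuthzError(f"{user} ({role}) lacks transaction:verify")
    # Separation of duties (maker/checker): the creator may never verify
    # their own transaction, even if they also hold a verifier role.
    if tx.created_by == user:
        raise AuthzError(f"{user} created {tx.tx_id} and cannot also verify it")
    tx.verified_by = user
    return tx


def excess_rights(role: str, rights_actually_used: Set[str]) -> Set[str]:
    """Least-privilege review: rights granted to a role but never exercised.

    A non-empty result is a candidate for removal from the role.
    """
    return ROLE_RIGHTS.get(role, set()) - rights_actually_used


if __name__ == "__main__":
    tx = create_transaction("alice", "operator", "tx-1001", 250)
    try:
        # alice holds a verifier role here, but she is also the creator.
        verify_transaction("alice", "verifier", tx)
    except AuthzError as exc:
        print("blocked:", exc)
    print("verified by", verify_transaction("bob", "verifier", tx).verified_by)
    print("unused rights for operator:", excess_rights("operator", set()))
```

Note that the separation-of-duties rule is checked on the transaction's recorded creator, not on the role presented at verification time; a role-only check would be defeated by a user who legitimately holds both roles.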
Question # 1621
During which phase of an IT system life cycle are security requirements developed?
- A. Implementation
- B. Functional design analysis and Planning
- C. Operation
- D. Initiation
Correct answer: B
Explanation:
The software development life cycle (SDLC) (sometimes referred to as the
System Development Life Cycle) is the process of creating or altering software systems, and the models and methodologies that people use to develop these systems.
The NIST SP 800-64 revision 2 has within the description section of para 3.2.1:
This section addresses security considerations unique to the second SDLC phase. Key security activities for this phase include:
* Conduct the risk assessment and use the results to supplement the baseline security controls;
* Analyze security requirements;
* Perform functional and security testing;
* Prepare initial documents for system certification and accreditation; and
* Design security architecture.
Reviewing this publication you may want to pick development/acquisition. Although initiation would be a decent choice, it is correct to say during this phase you would only brainstorm the idea of security requirements. Once you start to develop and acquire hardware/software components then you would also develop the security controls for these. The Shon Harris reference below is correct as well.
Shon Harris' Book (All-in-One CISSP Certification Exam Guide) divides the SDLC differently:
- Project initiation
- Functional design analysis and planning
- System design specifications
- Software development
- Installation
- Maintenance support
- Revision and replacement
According to the author (Shon Harris), security requirements should be developed during the functional design analysis and planning phase.
SDLC POSITIONING FROM NIST 800-64
SDLC Positioning in the enterprise
Information system security processes and activities provide valuable input into managing
IT systems and their development, enabling risk identification, planning and mitigation. A risk management approach involves continually balancing the protection of agency information and assets with the cost of security controls and mitigation strategies throughout the complete information system development life cycle (see Figure 2-1 in SP 800-64).
The most effective way to implement risk management is to identify critical assets and operations, as well as systemic vulnerabilities across the agency. Risks are shared and not bound by organization, revenue source, or topologies. Identification and verification of critical assets and operations and their interconnections can be achieved through the system security planning process, as well as through the compilation of information from the Capital Planning and Investment Control (CPIC) and Enterprise Architecture (EA) processes to establish insight into the agency's vital business operations, their supporting assets, and existing interdependencies and relationships.
With critical assets and operations identified, the organization can and should perform a business impact analysis (BIA). The purpose of the BIA is to relate systems and assets with the critical services they provide and assess the consequences of their disruption. By identifying these systems, an agency can manage security effectively by establishing priorities. This positions the security office to facilitate the IT program's cost-effective performance as well as articulate its business impact and value to the agency.
SDLC OVERVIEW FROM NIST 800-64
SDLC Overview from NIST 800-64 Revision 2
NIST SP 800-64 Revision 2 is one publication within the NIST standards that I would recommend you look at for more details about the SDLC. It describes in great detail what activities take place and has a nice diagram for each of the phases of the SDLC. You will find a copy at:
http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
DISCUSSION:
Different sources present slightly different info as far as the phases names are concerned.
People sometimes get confused by some of the NIST standards. For example, NIST SP 800-64, Security Considerations in the Information System Development Life Cycle, uses slightly different phase names, although the activities mostly remain the same.
NIST clearly specifies that security requirements are considered throughout ALL of the phases. The keyword here is considered; if a question asks in which phase they are developed, then Functional Design Analysis is the correct choice.
Within the NIST standard they use different phase names; however, under the second phase you will see that they talk specifically about security functional requirements analysis, which confirms it is not at the initiation stage, so it becomes easier to come up with the answer to this question. Here is what is stated:
The security functional requirements analysis considers the system security environment, including the enterprise information security policy and the enterprise security architecture.
The analysis should address all requirements for confidentiality, integrity, and availability of information, and should include a review of all legal, functional, and other security requirements contained in applicable laws, regulations, and guidance.
At the initiation step you would NOT have enough detail yet to produce the security requirements. You are mostly brainstorming on all of the issues listed, but you do not develop them all at that stage.
By considering security early in the information system development life cycle (SDLC), you may be able to avoid higher costs later on and develop a more secure system from the start.
NIST says:
NIST's Information Technology Laboratory recently issued Special Publication (SP) 800-64, Security Considerations in the Information System Development Life Cycle, by Tim Grance, Joan Hash, and Marc Stevens, to help organizations include security requirements in their planning for every phase of the system life cycle, and to select, acquire, and use appropriate and cost-effective security controls.
I must admit this is all very tricky but reading skills and paying attention to KEY WORDS is a must for this exam.
References:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, Fifth Edition, Page 956
and
NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
and
http://www.mks.com/resources/resource-pages/software-development-life-cycle-sdlc-system-development
Question # 1622
A Business Impact Analysis (BIA) does not:
- A. Determine critical and necessary business functions and their resource dependencies.
- B. Estimate the financial impact of a disruption.
- C. Recommend the appropriate recovery solution.
- D. Identify critical computer applications and the associated outage tolerance.
Correct answer: C
Explanation:
Remember that when we talk about a BIA (Business Impact Analysis), we are analyzing and identifying the possible impacts of disruptions on our infrastructure; in this kind of analysis we do not make recommendations about how to recover from them.
It is not an action plan. It is an analysis of the business, the processes it relies on, the systems those processes depend on, and an estimate of the financial impact, or in other words, how much money we lose while our systems are down. Recommending a recovery solution is the job of the subsequent recovery strategy and plan, which use the BIA's outage tolerances as input.
Question # 1623
......
Today, knowledge creates more wealth than manual labor, so expertise and mental work are valued above physical labor. Raising your level of expertise in a field lets you create real value and land a well-paid job. Passing the CISSP certification exam helps you get there. Our CISSP training materials are designed for preparing for the CISSP test, and the CISSP guide materials combine the key information to help clients build a solid foundation and keep pace with the times.
CISSP exam questions: https://www.it-passports.com/CISSP.html