ShikenPASS's ISC CISSP exam materials are specially designed; they were researched for candidates by a strong team assembled from elites of the IT field. Once you pass the certification exam, you can demonstrate internationally recognized value in the IT field. Because ShikenPASS has many suppliers of dumps and training materials, we guarantee that you will pass the exam. ShikenPASS speaks through facts, so when the miracle appears we can prove every word we have said.
ShikenPASS's IT researchers study the questions and answers of the ISC CISSP certification exam and provide you with a very effective online training exam service tool. If you want to buy ShikenPASS products, we provide a detailed question bank that prepares you completely. Choose ShikenPASS products with confidence and pass the ShikenPASS exam with 100% success.
Exam subject: "Certified Information Systems Security Professional"
Questions and answers: 2635 questions in total
NO.1 Which of the following MOST influences the design of the organization's electronic monitoring
A. Level of organizational trust
B. Results of background checks
C. Business ethical considerations
D. Workplace privacy laws
NO.2 Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)?
A. UDP provides for Error Correction, TCP does not.
B. UDP is useful for longer messages, rather than TCP.
C. TCP is connection-oriented, UDP is not.
D. TCP does not guarantee delivery of data, while UDP does guarantee data delivery.
Explanation: TCP is a reliable, connection-oriented transport that guarantees delivery of data.
Protocols are the rules and conventions that two entities must follow in order to exchange data.
Internet protocols send and receive data packets, and this communication may be either
connectionless or connection-oriented.
In a connection-oriented exchange, the receiver returns an acknowledgement to the sender
confirming that the transfer succeeded. Transmission Control Protocol (TCP) is such a protocol.
User Datagram Protocol (UDP), on the other hand, is connectionless: no feedback is returned to
the sender about whether the delivery took place.
Although UDP does not guarantee delivery, it is much faster than TCP, because TCP must rely on
acknowledgements and first complete the entire three-way handshake before data can flow.
The following answers are incorrect:
UDP provides for Error Correction, TCP does not: UDP does not provide for error correction, while
UDP is useful for longer messages, rather than TCP: UDP is useful for shorter messages due to its
TCP does not guarantee delivery of data, while UDP does guarantee data delivery: The opposite is
References Used for this question:
James's TCP-IP FAQ - Understanding Port Numbers.
NO.3 During which phase of an IT system life cycle are security requirements developed?
B. Functional design analysis and Planning
Explanation: The software development life cycle (SDLC) (sometimes referred to as the
System Development Life Cycle) is the process of creating or altering software systems, and the
models and methodologies that people use to develop these systems.
NIST SP 800-64 Revision 2 states, in the description section of paragraph 3.2.1:
This section addresses security considerations unique to the second SDLC phase. Key security
activities for this phase include:
* Conduct the risk assessment and use the results to supplement the baseline security controls;
* Analyze security requirements;
* Perform functional and security testing;
* Prepare initial documents for system certification and accreditation; and
* Design security architecture.
After reviewing this publication you may be tempted to pick development/acquisition. Initiation
might also seem a decent choice, but during that phase you would only brainstorm the idea of
security requirements. Once you start to develop and acquire hardware/software components, you
would also develop the security controls for them. The Shon Harris reference below is also correct,
as Shon Harris' book (All-in-One CISSP Certification Exam Guide) divides the SDLC differently:
- Project initiation
- Functional design analysis and planning
- System design specifications
- Software development
- Maintenance support
- Revision and replacement
According to the author (Shon Harris), security requirements should be developed during the
functional design analysis and planning phase.
SDLC POSITIONING FROM NIST 800-64
SDLC Positioning in the enterprise
Information system security processes and activities provide valuable input into managing
IT systems and their development, enabling risk identification, planning and mitigation. A risk
management approach involves continually balancing the protection of agency information and
assets with the cost of security controls and mitigation strategies throughout the complete
information system development life cycle (see Figure 2-1 above).
The most effective way to implement risk management is to identify critical assets and operations, as
well as systemic vulnerabilities across the agency. Risks are shared and not bound by organization,
revenue source, or topologies. Identification and verification of critical assets and operations and
their interconnections can be achieved through the system security planning process, as well as
through the compilation of information from the Capital Planning and Investment Control (CPIC) and
Enterprise Architecture (EA) processes to establish insight into the agency's vital business operations,
their supporting assets, and existing interdependencies and relationships.
With critical assets and operations identified, the organization can and should perform a business
impact analysis (BIA). The purpose of the BIA is to relate systems and assets with the critical services
they provide and assess the consequences of their disruption. By identifying these systems, an
agency can manage security effectively by establishing priorities. This positions the security office to
facilitate the IT program's cost-effective performance as well as articulate its business impact and
value to the agency.
SDLC OVERVIEW FROM NIST 800-64
SDLC Overview from NIST 800-64 Revision 2
NIST SP 800-64 Revision 2 is one of the NIST publications I would recommend you look at for more
details about the SDLC. It describes in great detail what activities take place and has a clear
diagram for each phase of the SDLC. You will find a copy at:
Different sources present slightly different information as far as the phase names are concerned.
People sometimes get confused by some of the NIST standards. For example, NIST SP 800-64,
Security Considerations in the Information System Development Life Cycle, uses slightly different
names, but the activities mostly remain the same.
NIST clearly specifies that security requirements are to be considered throughout ALL of the phases.
The keyword here is considered; if a question asks in which phase they are developed, then
Functional Design Analysis is the correct choice.
The NIST standard uses different phase names; however, under the second phase you will see that
it talks specifically about security functional requirements analysis, which confirms that this does
not happen at the initiation stage, so it becomes easier to arrive at the answer to this question. Here is what is
The security functional requirements analysis considers the system security environment, including
the enterprise information security policy and the enterprise security architecture.
The analysis should address all requirements for confidentiality, integrity, and availability of
information, and should include a review of all legal, functional, and other security requirements
contained in applicable laws, regulations, and guidance.
At the initiation step you would NOT yet have enough detail to produce the security requirements.
You are mostly brainstorming all of the issues listed, but you do not develop them all at that stage.
By considering security early in the information system development life cycle (SDLC), you may be
able to avoid higher costs later on and develop a more secure system from the start.
NIST's Information Technology Laboratory recently issued Special Publication (SP) 800-64,
Security Considerations in the Information System Development Life Cycle, by Tim Grance, Joan
Hash, and Marc Stevens, to help organizations include security requirements in their planning for
every phase of the system life cycle, and to select, acquire, and use appropriate and
cost-effective security controls.
I must admit this is all very tricky but reading skills and paying attention to KEY WORDS is a must for
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, Fifth
Edition, Page 956
NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-
NO.4 Which of the following is not one of the three goals of Integrity addressed by the Clark-
A. Preservation of the internal and external consistency.
B. Prevention of the modification of information by authorized users.
C. Prevention of the modification of information by unauthorized users.
D. Prevention of the unauthorized or unintentional modification of information by authorized users.
Explanation: There is no need to prevent modification by authorized users; they are authorized
and allowed to make the changes. On top of this, it is also NOT one of the goals of Integrity within
As it turns out, the Biba model addresses only the first of the three integrity goals which is
Prevention of the modification of information by unauthorized users. Clark-Wilson addresses all three
goals of integrity.
The Clark-Wilson model improves on Biba by focusing on integrity at the transaction level and
addressing three major goals of integrity in a commercial environment. In addition to preventing
changes by unauthorized subjects, Clark and Wilson realized that high-integrity systems would also
have to prevent undesirable changes by authorized subjects and to ensure that the system continued
to behave consistently. It also recognized that it would need to ensure that there is constant
mediation between every subject and every object if such integrity was going to be maintained.
Integrity is addressed through the following three goals:
1. Prevention of the modification of information by unauthorized users.
2. Prevention of the unauthorized or unintentional modification of information by authorized users.
3. Preservation of the internal and external consistency.
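As an added illustration (not code from the original page or from the cited references), the following Python model shows how Clark-Wilson enforcement maps onto the three goals above: access triples deny unauthorized subjects, certified transformation procedures (TPs) are the only way authorized subjects may change constrained data items (CDIs), and an integrity verification procedure (IVP) rolls back any transaction that would leave the data inconsistent. The bank-ledger CDIs, the consistency rule, the users and the TP names are all constructed for this example.

```python
from copy import deepcopy

# Constrained Data Items (constructed sample): account balances plus a ledger
# total that must always equal the sum of the balances (internal consistency).
cdis = {"acct_alice": 100, "acct_bob": 50, "ledger_total": 150}

def ivp(state):
    """Integrity Verification Procedure: True if the CDIs are in a valid state."""
    balances = [v for k, v in state.items() if k.startswith("acct_")]
    return all(b >= 0 for b in balances) and sum(balances) == state["ledger_total"]

# Certified Transformation Procedures: the only code permitted to modify CDIs.
def tp_transfer(state, src, dst, amount):
    state[src] -= amount
    state[dst] += amount              # total unchanged, so consistency is kept

def tp_deposit(state, dst, amount):
    state[dst] += amount
    state["ledger_total"] += amount   # keeps the ledger invariant

TPS = {"transfer": tp_transfer, "deposit": tp_deposit}

# Access triples (subject, TP, CDIs): who may run which TP on which data.
TRIPLES = {
    ("alice", "transfer", frozenset({"acct_alice", "acct_bob"})),
    ("teller", "deposit", frozenset({"acct_alice", "acct_bob", "ledger_total"})),
}

def run_tp(user, tp_name, state, *args):
    """Mediate every access; return (committed, reason). Only consistent results
    are written back to the live CDIs."""
    if tp_name not in TPS:                          # goal 2: only certified TPs
        return False, "uncertified TP"
    # CDIs named in the call arguments (simplification assumed for the example).
    targets = {a for a in args if isinstance(a, str) and a in state}
    if not any(u == user and t == tp_name and targets <= c
               for u, t, c in TRIPLES):             # goal 1: unauthorized subject
        return False, "no access triple"
    candidate = deepcopy(state)                     # work on a copy, commit later
    TPS[tp_name](candidate, *args)
    if not ivp(candidate):                          # goal 3: consistency preserved
        return False, "IVP failed, rolled back"     # (e.g. an accidental overdraft)
    state.update(candidate)
    return True, "committed"
```

Note that an authorized user's well-formed but mistaken request (an overdraft) is caught by the IVP, which is how the model addresses unintentional modification by authorized users.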
The following reference(s) were used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 17689-17694). Auerbach Publications. Kindle
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 31.