Latest compilation of new CISSP certification exam questions. The ISC CISSP certification exam is one of the most popular exams that IT professionals register for. Passing the ISC CISSP exam not only brings improvements to your work and life, it also consolidates your standing in the IT field. The reality, however, is that its pass rate is quite low.
Latest ISC Certification CISSP free real exam questions (Q350-Q355):
Question #350
When preparing a business continuity plan, who of the following is responsible for identifying and prioritizing time-critical systems?
A. Functional business units
B. Executive management staff
C. Senior business unit management
D. BCP committee
Answer: C
Explanation:
Senior management is ultimately responsible for all phases of the plan and should be the most concerned about the protection of the organization's assets. They must sign off on all policy issues, and they will be held liable for the overall success or failure of a security solution.
Incorrect Answers:
A: If possible, the BCP plan should be endorsed by the Executive management staff, but the Executive management staff is not responsible for identifying and prioritizing time-critical systems.
C: The BCP committee does not identify and prioritize systems. The BCP committee oversees, initiates, plans, approves, tests and audits the BCP. It also implements the BCP, coordinates activities and approves the BIA survey. The BCP committee also oversees the creation of continuity plans and reviews the results of quality assurance activities.
D: Functional business units are a part of the BCP committee. Functional business units are not responsible for identifying and prioritizing time-critical systems.
References:
Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 55
Question #351
What is surreptitious transfer of information from a higher classification compartment to a lower classification compartment without going through the formal communication channels?
A. Data Transfer
B. Security domain
C. Covert Channel
D. Object Reuse
Answer: C
Explanation:
A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system's security policy.
The channel to transfer this unauthorized data is the result of one of the following conditions:
Improper oversight in the development of the product
Improper implementation of access controls within the software
Existence of a shared resource between the two entities that is not properly controlled
Incorrect Answers:
A: Object reuse is where media is given to someone without first deleting any existing data. This is not what is described in the question.
C: The term security domain describes a logical structure (domain) where resources operate under the same security policy and are managed by the same group. This is not what is described in the question.
D: Data transfer describes all types and methods of transferring data whether it is authorized or not. It does not describe the specific type of transfer in the question.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 378
Question #352
Which one of the following is an advantage of an effective release control strategy from a configuration control standpoint?
A. Ensures that a trace for all deliverables is maintained and auditable
B. Enforces backward compatibility between releases
C. Allows for future enhancements to existing features
D. Ensures that there is no loss of functionality between releases
Answer: D
Explanation:
Section: Software Development Security
Question #353
The Diffie-Hellman algorithm is used for:
A. Non-repudiation
B. Digital signature
C. Key agreement
D. Encryption
Answer: C
Explanation:
The Diffie-Hellman algorithm was the first asymmetric key agreement algorithm; it was developed by Whitfield Diffie and Martin Hellman.
Incorrect Answers:
A, B: The Diffie-Hellman algorithm does not offer encryption or digital signature functionality.
D: Non-repudiation requires digital signature functionality, which the Diffie-Hellman algorithm does not offer.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 812, 813, 830
Question #354
Enterprise Access Management (EAM) provides access control management services to Web-based enterprise systems. Which of the following functions is NOT normally provided by extant EAM approaches?
A. Interoperability among EAM implementations
B. Accommodation of a variety of authentication mechanisms
C. Role-based access control
D. Single sign-on
Answer: A
Explanation:
In general, security credentials produced by one EAM solution are not recognized by another implementation. Thus, reauthentication is required when linking from one Web site to another related Web site if the sites have different EAM implementations.
Answer D, "Single sign-on" (SSO), is approached in a number of ways. For example, SSO can be implemented on Web applications in the same domain residing on different servers by using nonpersistent, encrypted cookies on the client interface. This is accomplished by providing a cookie to each application that the user wishes to access. Another solution is to build a secure credential for each user on a reverse proxy that is situated in front of the Web server. The credential is then presented at each instance of a user attempting to access protected Web applications.
For answer B, most EAM solutions accommodate a variety of authentication technologies, including tokens, ID/passwords and digital certificates. Similarly, for answer C, EAM solutions support role-based access controls, albeit they may be implemented in different fashions. Enterprise-level roles should be defined in terms that are universally accepted across most e-commerce applications.