ISC CISSP Certpass
Version: 2015-11-28
Number: CISSP
File Version: 2015-11-28
ISC2 CISSP 1400 Questions
Exam Name: (ISC)2 Certified Information Systems Security Professional
Last Update: Nov 28, 2015

Exam A

QUESTION 1
All of the following are basic components of a security policy EXCEPT the
A. definition of the issue and statement of relevant terms.
B. statement of roles and responsibilities.
C. statement of applicability and compliance requirements.
D. statement of performance characteristics and requirements.
Correct Answer: D
Section: (none)
Explanation/Reference:
Policies are considered the first and highest level of documentation, from which the lower-level elements of standards, procedures, and guidelines flow. This order, however, does not mean that policies are more important than the lower elements. These higher-level policies, which are the more general policies and statements, should be created first in the process for strategic reasons, and then the more tactical elements can follow.
- Ronald Krutz, The CISSP Prep Guide (Gold Edition), pg 13

QUESTION 2
A security policy would include all of the following EXCEPT
A. Background
B. Scope statement
C. Audit requirements
D. Enforcement
Correct Answer: B
Section: (none)

QUESTION 3
Which one of the following is an important characteristic of an information security policy?
A. Identifies major functional areas of information.
B. Quantifies the effect of the loss of the information.
C. Requires the identification of information owners.
D. Lists applications that support the business function.
Correct Answer: A
Section: (none)
Explanation/Reference:
Information security policies are high-level plans that describe the goals of the procedures. Policies are not guidelines or standards, nor are they procedures or controls. Policies describe security in general terms, not specifics. They provide the blueprints for an overall security program just as a specification defines your next product.
- Roberta Bragg, CISSP Certification Training Guide (Que), pg 206

QUESTION 4
Ensuring the integrity of business information is the PRIMARY concern of
A. Encryption Security
B. Procedural Security
C. Logical Security
D. On-line Security
Correct Answer: B
Section: (none)
Explanation/Reference:
Procedures are looked at as the lowest level in the policy chain because they are closest to the computers and provide detailed steps for configuration and installation issues. They provide the steps to actually implement the statements in the policies, standards, and guidelines. Security procedures, standards, measures, practices, and policies cover a number of different subject areas.
- Shon Harris, All-in-One CISSP Certification Guide, pg 44-45

QUESTION 5
Which of the following would be the first step in establishing an information security program?
A. Adoption of a corporate information security policy statement
B. Development and implementation of an information security standards manual
C. Development of a security awareness-training program
D. Purchase of security access control software
Correct Answer: A
Section: (none)

QUESTION 6
What is the function of a corporate information security policy?
A. Issue corporate standards to be used when addressing specific security problems.
B. Issue guidelines in selecting equipment, configuration, design, and secure operations.
C. Define the specific assets to be protected and identify the specific tasks which must be completed to secure them.
D. Define the main security objectives which must be achieved and the security framework to meet business objectives.
Correct Answer: D
Section: (none)
Explanation/Reference:
Information security policies are high-level plans that describe the goals of the procedures or controls. Policies describe security in general, not specifics. They provide the blueprint for an overall security program just as a specification defines your next product.
- Roberta Bragg, CISSP Certification Training Guide (Que), pg 587

QUESTION 7
Why must senior management endorse a security policy?
A. So that they will accept ownership for security within the organization.
B. So that employees will follow the policy directives.
C. So that external bodies will recognize the organization's commitment to security.
D. So that they can be held legally accountable.
Correct Answer: A
Section: (none)
Explanation/Reference:
This really does not need a reference, as it should be known. Upper management is legally accountable regardless of endorsement (up to a 290 million fine). The external-bodies answer is not really pertinent (although it has been stated that other organizations will respect a BCP and disaster recovery plan). Employees need to be bound to the policy regardless of who signs it, but senior endorsement gives it validity. Ownership is the correct answer in this statement. However, here is a reference: Fundamentally important to any security program's success is senior management's high-level statement of commitment to the information security policy process and senior management's understanding of how important security controls and protections are to the enterprise's continuity. Senior management must be aware of the importance of security implementation to preserve the organization's viability (and for their own due care protection) and must publicly support that process throughout the enterprise.
- Ronald Krutz, The CISSP Prep Guide (Gold Edition), pg 13

QUESTION 8
In which one of the following documents is the assignment of individual roles and responsibilities MOST appropriately defined?
A. Security policy
B. Enforcement guidelines
C. Acceptable use policy
D. Program manual
Correct Answer: C
Section: (none)
Explanation/Reference:
An acceptable use policy is a document that the employee signs in which the expectations, roles and responsibilities are outlined. Issue-specific policies address specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues.
- Shon Harris, All-in-One CISSP Certification Guide, pg 62

QUESTION 9
Which of the following defines the intent of a system security policy?
A. A definition of the particular settings that have been determined to provide optimum security.
B. A brief, high-level statement defining what is and is not permitted during the operation of the system.
C. A definition of those items that must be excluded on the system.
D. A listing of tools and applications that will be used to protect the system.
Correct Answer: A
Section: (none)
Explanation/Reference:
A system-specific policy presents management's decisions that are closer to the actual computers, networks, applications, and data. This type of policy can provide an approved software list, which contains a list of applications that can be installed on individual workstations. This policy can describe how databases are to be protected, how computers are to be locked down, and how firewalls, intrusion detection systems, and scanners are to be employed.
- Shon Harris, CISSP All-in-One Certification Exam Guide, pg 93

QUESTION 10
When developing an information security policy, what is the FIRST step that should be taken?
A. Obtain copies of mandatory regulations.
B. Gain management approval.
C. Seek acceptance from other departments.
D. Ensure policy is compliant with current working practices.
Correct Answer: B
Section: (none)

QUESTION 11
Which one of the following is NOT a fundamental component of a Regulatory Security Policy?
A. What is to be done.
B. When it is to be done.
C. Who is to do it.
D. Why it is to be done.
Correct Answer: C
Section: (none)
Explanation/Reference:
Regulatory security policies are mandated to the organization, but it is up to the organization to implement them. Regulatory: This policy is written to ensure that the organization is following standards set by a specific industry and is regulated by law. The policy type is detailed in nature and specific to a type of industry. This is used in financial institutions, health care facilities, and public utilities.
- Shon Harris, All-in-One CISSP Certification Guide, pg 93-94

QUESTION 12
Which one of the following statements describes management controls that are instituted to implement a security policy?
A. They prevent users from accessing any control function.
B. They eliminate the need for most auditing functions.
C. They may be administrative, procedural, or technical.
D. They are generally inexpensive to implement.
Correct Answer: C
Section: (none)
Explanation/Reference:
Administrative, physical, and technical controls should be utilized to achieve management's directives.
- Shon Harris, All-in-One CISSP Certification Guide, pg 60

QUESTION 13
Which must bear the primary responsibility for determining the level of protection needed for information systems resources?
A. IS security specialists
B. Senior Management
C. Senior security analysts
D. System auditors
Correct Answer: B
Section: (none)

QUESTION 14
Which of the following choices is NOT part of a security policy?
A. definition of overall steps of information security and the importance of security
B. statement of management intent, supporting the goals and principles of information security
C. definition of general and specific responsibilities for information security management
D. description of specific technologies used in the field of information security
Correct Answer: D
Section: (none)

QUESTION 15
Which of the following embodies all the detailed actions that personnel are required to follow?
A. Standards
B. Guidelines
C. Procedures
D. Baselines
Correct Answer: C
Section: (none)

QUESTION 16
A significant action has a state that enables actions on an ADP system to be traced to individuals who may then be held responsible. The action does NOT include:
A. Violations of security policy.
B. Attempted violations of security policy.
C. Non-violations of security policy.
D. Attempted violations of allowed actions.
Correct Answer: C
Section: (none)
Explanation/Reference:
Significant action: The quality or state that enables actions on an ADP system to be traced to individuals who may then be held responsible. These actions include violations and attempted violations of the security policy, as well as allowed actions.

QUESTION 17
Security is a process that is:
A. Continuous
B. Indicative
C. Examined
D. Abnormal
Correct Answer: A
Section: (none)
Explanation/Reference:
Security is a continuous process; as such you must closely monitor your systems on a regular basis. Log files are usually a good way to find an indication of abnormal activities. However, some care must be exercised as to what will be logged and how the logs are protected. Having corrupted logs is about as good as not having logs at all.

QUESTION 18
What are the three fundamental principles of security?
A. Accountability, confidentiality, and integrity
B. Confidentiality, integrity, and availability
C. Integrity, availability, and accountability
D. Availability, accountability, and confidentiality
Correct Answer: B
Section: (none)

QUESTION 19
Which of the following prevents, detects, and corrects errors so that the integrity, availability, and confidentiality of transactions over networks may be maintained?
A. Communications security management and techniques
B. Network security management and techniques
C. Client security management and techniques
D. Server security management and techniques
Correct Answer: A
Section: (none)

QUESTION 20
Making sure that the data is accessible when and where it is needed is which of the following?
A. Confidentiality
B. Integrity
C. Acceptability
D. Availability
Correct Answer: D
Section: (none)

QUESTION 21
Which of the following describes elements that create reliability and stability in networks and systems and which assures that connectivity is accessible when needed?
A. Availability
B. Acceptability
C. Confidentiality
D. Integrity
Correct Answer: A
Section: (none)

QUESTION 22
Most computer attacks result in violation of which of the following security properties?
A. Availability
B. Confidentiality
C. Integrity and control
D. All of the choices.
Correct Answer: D
Section: (none)
Explanation/Reference:
Most computer attacks only corrupt a system's security in very specific ways. For example, certain attacks may enable a hacker to read specific files but don't allow alteration of any system components. Another attack may allow a hacker to shut down certain system components but doesn't allow access to any files. Despite the varied capabilities of computer attacks, they usually result in violation of only four different security properties: availability, confidentiality, integrity, and control.

QUESTION 23
An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be defined as:
A. Netware availability
B. Network availability
C. Network acceptability
D. Network accountability
Correct Answer: B
Section: (none)

QUESTION 24
Which one of the following is the MOST crucial link in the computer security chain?
A. Access controls
B. People
C. Management
D. Awareness programs
Correct Answer: C
Section: (none)

QUESTION 25
The security planning process must define how security will be managed, who will be responsible, and
A. What practices are reasonable and prudent for the enterprise.
B. Who will work in the security department.
C. What impact security will have on the intrinsic value of data.
D. How security measures will be tested for effectiveness.
Correct Answer: D
Section: (none)

QUESTION 26
Information security is the protection of data. Information will be protected mainly based on:
A. Its sensitivity to the company.
B. Its confidentiality.
C. Its value.
D. All of the choices.
Correct Answer: D
Section: (none)
Explanation/Reference:
Information security is the protection of data against accidental or malicious disclosure, modification, or destruction. Information will be protected based on its value, confidentiality, and/or sensitivity to the company, and the risk of loss or compromise. At a minimum, information will be update-protected so that only authorized individuals can modify or erase the information.

QUESTION 27
Organizations develop change control procedures to ensure that
A. All changes are authorized, tested, and recorded.
B. Changes are controlled by the Policy Control Board (PCB).
C. All changes are requested, scheduled, and completed on time.
D. Management is advised of changes made to systems.
Correct Answer: A
Section: (none)
Explanation/Reference:
Change Control: Changes must be authorized, tested, and recorded. Changed systems may require re-certification and re-accreditation.
- Shon Harris, All-in-One CISSP Certification, pg 699

QUESTION 28
Within the organizational environment, the security function should report to an organizational level that
A. Has information technology oversight.
B. Has autonomy from other levels.
C. Is an external operation.
D. Provides the internal audit function.
Correct Answer: B
Section: (none)

QUESTION 29
What is the MAIN purpose of a change control/management system?
A. Notify all interested parties of the completion of the change.
B. Ensure that the change meets user specifications.
C. Document the change
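Question 17's explanation ends on the point that corrupted logs are about as good as no logs, and that care is needed in how logs are protected. The following added example is not part of the exam dump or of any text it cites; it shows one way to make a log tamper-evident. Each entry carries an HMAC over its sequence number, its text and the previous entry's MAC, so editing, deleting or reordering an entry breaks the chain. The signing key, the auth-log style sample lines and all function names are constructed for this illustration. It also shows the caveat a practitioner should know: cutting off the most recent entries is invisible to a purely internal check unless the latest MAC has been anchored somewhere the attacker cannot reach.

```python
import hashlib
import hmac
import json

# Hypothetical signing key for this example; in practice it would be held by a
# separate log collector or HSM, not on the host that produces the events.
LOG_KEY = b"example-log-mac-key-not-for-production"

# Constructed sample events in the style of an auth log; not real data.
SAMPLE_EVENTS = [
    "sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "sshd[4190]: Failed password for root from 203.0.113.7 port 40112 ssh2",
    "sshd[4190]: Failed password for root from 203.0.113.7 port 40113 ssh2",
    "useradd[4211]: new user: name=svc-backup, UID=1007, GID=1007",
]

GENESIS = "0" * 64  # 'prev' value carried by the first entry


def _entry_mac(seq, prev, msg, key):
    # Canonical JSON so the MAC covers the sequence number, the previous
    # entry's MAC and the message text in a fixed layout.
    body = json.dumps({"seq": seq, "prev": prev, "msg": msg}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def append_entry(chain, msg, key=LOG_KEY):
    """Append msg to chain; the new MAC binds it to the previous entry."""
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": seq, "prev": prev, "msg": msg,
                  "mac": _entry_mac(seq, prev, msg, key)})
    return chain


def verify_chain(chain, key=LOG_KEY, anchor=None):
    """Return (ok, index): index is the first bad entry, or None if ok.

    anchor, if given, is the MAC of the last entry as recorded elsewhere
    (e.g. shipped to a remote collector). It catches truncation of the
    tail, which an internal walk of the chain cannot see on its own.
    """
    prev = GENESIS
    for i, e in enumerate(chain):
        expected = _entry_mac(i, prev, e.get("msg", ""), key)
        if (e.get("seq") != i or e.get("prev") != prev
                or not hmac.compare_digest(expected, e.get("mac", ""))):
            return False, i
        prev = e["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(chain)
    return True, None


def build_sample_chain():
    chain = []
    for msg in SAMPLE_EVENTS:
        append_entry(chain, msg)
    return chain


def tamper_edit(chain, idx, new_msg):
    """Simulate an attacker rewriting one line (e.g. hiding a failed login)."""
    altered = [dict(e) for e in chain]
    altered[idx]["msg"] = new_msg
    return altered


def tamper_delete(chain, idx):
    """Simulate an attacker removing one line from the middle of the log."""
    return [dict(e) for j, e in enumerate(chain) if j != idx]


def tamper_truncate(chain, keep):
    """Simulate an attacker cutting off the most recent entries."""
    return [dict(e) for e in chain[:keep]]


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = chain[-1]["mac"]  # would be stored off-host in practice
    print("intact:          ", verify_chain(chain))                            # (True, None)
    print("edited:          ", verify_chain(tamper_edit(chain, 2, "noise")))   # (False, 2)
    print("deleted:         ", verify_chain(tamper_delete(chain, 3)))          # (False, 3)
    print("truncated:       ", verify_chain(tamper_truncate(chain, 3)))        # (True, None)
    print("truncated+anchor:", verify_chain(tamper_truncate(chain, 3), anchor=anchor))  # (False, 3)
```

The chain only proves that whoever holds the key produced the entries in that order; an attacker who gains the key on the logging host can simply rebuild the chain. That is why the key and the latest anchor belong on a separate collector, which is the operational form of the "how the logs are protected" caveat in the explanation above.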