2026年CISSP全英文回忆题汇总｜最新考试真题+答案解析

A. except to the extent that the state law is less stringent

B. regardless of the extent that the state law is more stringent

C. except to the extent that the state law more stringent

D. except to the extent that the state law is legislated later than HIPPA

A. are referred to in the Static Rule

B. are referred to in the Transaction Rule

C. are referred to in the Transitional Rule

D. are referred to in the Acquision Rule

A. provide the notice no later than the date of the first service delivery, including service delivered electronically

B. have the notice available at the service delivery site for individuals to request and keep

C. get a acknowledgement of the notice from each individual on stamped paper

D. post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the covered healthcare provider to be able to read it

A. by the HIPPA authorities

B. by the health plan

C. by any other entity but the health plan

D. by insurance companies

A. unvoluntarily protect patient health information before this date

B. voluntarily protect patient health information before this date

C. after taking permission, voluntarily protect patient health information before this date

D. compulsorily protect patient health information before this date

A. )The person outside the program gives a written request for the information

B. the patient consent in writing

C. the disclosure is allowed by a court order

D. the disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or program evaluation.

A. The definition is complicate and long.

B. The definition is referred to in the Secure Computing Act

C. The definition is very detailed.

D. The definition is deceptively simple and short

A. Though Employers are not CEs and they have to send enrollment using HIPPA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPPA standards

B. Employers are not CEs and do not have to send enrollment using HIPPA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPPA standards.

C. Employers are CEs and have to send enrollment using HIPPA standard transactions. However, the employer health plan IS a CE and must be able to conduct applicable transactions using the HIPPA standards.

D. Employers are CEs and do not have to send enrollment using HIPPA standard transactions. Further, the employer health plan IS also a CE and must be able to conduct applicable transactions using the HIPPA standards.

A. often advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits.

B. sometimes advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to the health plan, and generally help them navigate their health benefits.

C. never advocate on behalf of their employees in benefit disputes and appeals, answer questions with regard to health plan, and generally help them navigate their health benefits.

D. are prohibited by plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plan.

A. are covered entities if they do not use encryption

B. are covered entities

C. are not legal entities

D. are not covered entities

A. by priority as well as encryption levels, authenticity, storage-devices, availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.

B. by priority and cost as well as availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.

C. by priority as well availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused but need not document all the criteria used.

D. by priority as well as availability, reliability, access and use. The person responsible for criticality analysis must remain mission-focused and carefully document all the criteria used.

A. No penalties

B. HIPPA calls for severe civil and criminal penalties for noncompliance, including: -- fines up to $25k for multiple violations of the same standard in a calendar year -- fines up to $250k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

C. HIPPA calls for severe civil and criminal penalties for noncompliance, includes: -- fines up to 50k for multiple violations of the same standard in a calendar year -- fines up to $500k and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information

D. HIPPA calls for severe civil and criminal penalties for noncompliance, including: -- fines up to $100 for multiple violations of the same standard in a calendar year -- fines up to $750k and/or imprisonment up to 20 years for knowing misuse of individually identifiable health information

A. ASCA prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003.

B. ASCA prohibits HHS from paying Medicare claims that are not submitted on paper after October 16, 2003

C. ASCA prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003, unless the Secretary grants a waiver from this requirement

D. No

A. A health plan may conduct its covered transactions through a clearinghouse, and may require a provider to conduct covered transactions with it through a clearinghouse. But the incremental cost of doing so must be borne by the health plan. It is a cost-benefit decision on the part of the health plan whether to acquire the ability to conduct HIPPA transactions directly with other entities, or to require use of a clearinghouse.

B': ") A health plan may not conduct it's covered transactions through a clearinghouse", 'C. A health plan may after taking specific permission from HIPPA authorities conduct its covered transactions through a clearinghouse

D. is not as per HIPPA allowed to require provider to conduct covered transactions with it through a clearinghouse

A. There are no specific elements which must be included in a Business Associate Agreement. However some recommended but not compulsory elements are listed in 164.504(e) (2)

B. There are specific elements which must be included in a Business Associate Agreement. These elements are listed Privacy Legislation

C. There are no specific elements which must be included in a Business Associate Agreement.

D. There are specific elements which must be included in a Business Associate Agreement. These elements are listed in 164.504(e) (2)

A. are referred to in the Transaction Rule

B. are not referred to in the Transaction Rule

C. are referred to in the Compliance Rules

D. are referred to in the Confidentiality Rule

A. are entities that perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity

B. are entities that do not perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity

C. are entities that perform services that require the use of Encrypted Insurance Information on behalf of Covered Entities. One covered entity may be a business partner of another covered entity

D. are entities that perform services that require the use of Protected Health Information on behalf of Covered Entities. One covered entity cannot be a business partner of another covered entity.

A. become the business associates of health plans even without joining a network

B. become the business associates of health plans by simply joining a network

C. do not become the business associates of health plans by simply joining a network

D. do not become the HIPPA associates of health plans by simply joining a network

A. HIPPA status analysis

B. gap analysis

C. comparison analysis

D. stop-gap analysis

A. ARE SOMETIMES covered entities.

B. ARE NOT covered entities.

C. ARE covered entities

D. ARE called uncovered entities

A. The final rule does nothing to hinder or prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans.

B. The final rule prohibits plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans

C. The final rule does hinder but does not prohibit plan sponsors from advocating on behalf of group health plan participants or providing assistance in understanding their health plans

D. The final rule does no advocating on behalf of group health plan participants or provide assistance in understanding their health plan.

A. Standardization of electronic patient health, administrative and financial data

B. Unique health identifiers for individuals, employers, health plans, and health care providers.

C. Common health identifiers for individuals, employers, health plans and health care providers.

D. Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.

A. through your medical software

B. through your accounting software

C. through competing unit medical software

D. based on the statutory authorities report

A. the practice of identifying the data content you currently have available through your medical software

B. the practice of and comparing that content to what is required by HIPPA, and ensuring there is a match.

C. and requires that you study the specific format of a regulated transaction to ensure that the order of the information when sent electronically matches the order that is mandated in the Implementation Guides.

D. but does not require that you study the specific format of a regulated transaction to ensure that the order of information when sent electronically matches the order that is mandated in the Implementation Guides.

A. obtain a paper copy of the notice of information practices upon request inspect and obtain a copy of your health record as provided for in 45 CFR 164.524

B. request a restriction on certain uses and disclosures of your information outside the terms as provided by 45 CFR 164.522

C. amend your health record as provided in 45 CFR 164.528 obtain an accounting of disclosures of your health information as provided in 45 CFR 164.528

D. revoke your authorization to use or disclose health information except to the extent that action has already been taken

A. No

B. Sometimes

C. Yes

D. The answer is indeterminate

A. The Office of Civil Rights of the Department of Confidentiality Services is responsible for enforcement of these rules

B. The Office of Civil Rights of the Department of Health and Human Services is responsible for enforcement of these rules

C. The Office of Health Workers Rights of the Department of Health and Human Services in responsible for enforcement of these rules

D. The Department of Civil Rights of the Office of Health and Human Services is responsible for enforcement of these rules

A. Transactions

B. availability

C. Privacy

D. Security

A. refers to the practice of trusting the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alternation or inadvertent disclose.

B. refers to the practice of modifying the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.

C. refers to the practice of identifying the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access, alteration or inadvertent disclosure.

D. refers to the practice of improving the security policies and practices currently in place in your organization designed to protect all your data from unauthorized access alteration or inadvertent disclosure.

A. non-technical in nature and do not specifically state what the data content should be for each HIPPA transaction. They also do not state the order in which this data must appear when transmitted electronically.

B. theoretical in nature and specifically state what the data content should be for each HIPPA transaction. They also state the order in which this data must appear when transmitted electronically.

C. technical in nature and specifically state what the data content should be for each HIPPA transaction. They do not state the order in which this data must appear when transmitted electronically.

D. technical in nature and specifically state what the data content should be for each HIPPA transaction. They also state the order in which this data must appear when transmitted electronically.

A. Improved efficiency in healthcare delivery by standardizing electronic data interchange

B. Protection of confidentiality of health data through setting and enforcing standards

C. Protection of security of health data through setting and enforcing standards

D. Protection of availability of health data through setting and enforcing standards

A. clearing houses

B. banks

C. universities

D. billing agencies

A. sweeping changed in some healthcare transaction and administrative information systems

B. sweeping changes in most healthcare transaction and administrative information systems

C. minor changes in most healthcare transaction and administrative information systems

D. no changes in most healthcare transaction and minor changes in administrative information systems

A. Buffer overflow

B. DoS attack

C. All of the above

D. None of the above

A. Packet Filtering Firewalls

B. Proxy Firewalls

C. All of the above

D. None of the above

A': "Policy isn't valid without it", 'B. Management has to deal with various issues that may require exceptions

C. All of the above

D. None of the above

A. 56 bytes

B. 64 bits

C. 64 bytes

D. All of the above

E. None of the above

A. Money

B. All of the above

C. None of the above

A. Activating the built in VPN capabilities

B. Configuring built in alerts

C. All of the above

D. None of the above

A. This is ethical because it was created to test and enhance the performance of a virus protection tool

B': "It's unethical because the virus creating tool may become available to the public. ", 'C. All of the above

D. None of the above

A. Manager

B. Group leader

C. Security manager

D. User

A. Cipher Block Chaining (CBC) mode

B. Cycling Redundancy Checking (CRC) mode

C. Electronic Code Book (ECB) mode

D. Cipher Feedback (CFB) mode

A. Threat coupled with a breach.

B. Threat coupled with a vulnerability.

C. Vulnerability coupled with an attack.

D. Threat coupled with a breach of security.

A. To restrict access to systems under test.

B. To control the stability of the test environment.

C. To segregate user and development staff.

D. To secure access to systems under development.

A. The CEO should always be the spokesperson for the company during a disaster.

B. The disaster recover plan must include how the media is to be handled during the disaster.

C': "The organization's spokesperson should report bad news before the press gets a hold of it through another channel. ", 'D. An emergency press conference site should be planned ahead.

A. C2

B. B1

C. B2

D. B3

A. Recommend the appropriate recovery solution.

B. Determine critical and necessary business functions and their resource dependencies.

C. Identify critical computer applications and the associated outage tolerance.

D. Estimate the financial impact of a disruption.

A. Discretionary Access Control

B. Mandatory Access Control

C. Sensitive Access Control

D. Role-based Access Control

A. Fiber-optic cable

B. Four pairs of Category 3, 4 or 5 unshielded twisted-par (UTP) wires.

C. Two pairs of Category 5 unshielded twisted-pair (UTP) or Category 1 shielded twisted-pair (STP) wires.

D. RG.58 cable.

A. Originated by VISA and MasterCard as an Internet credit card protocol.

B. Originated by VISA and MasterCard as an Internet credit card protocol using digital signatures.

C. Originated by VISA and MasterCard as an Internet credit card protocol using the transport layer.

D. Originated by VISA and MasterCard as an Internet credit card protocol using SSL.

A. Coding

B. Product design

C. Software plans and requirements

D. Detailed design

A. Compensating control

B. Detective control

C. Preventive control

D. Technical control

A. Good faith

B. Prudent man

C. Profit

D. Best interest

A. Security testing

B. Design specification and testing

C. Trusted distribution

D. System integrity

A. The Trusted Computer System Evaluation Criteria (TCSEC)

B. The Trusted Computing Base (TCB)

C. The Information Technology Security Evaluation Criteria (ITSEC)

D. The Common Criteria

A. "one-time password"

B. "two-time password"

C. static password

D. dynamic password

A. Incremental backup method.

B. Off-site backup method.

C. Full backup method.

D. Differential backup method.

A. Limited security

B. Key distribution

C. Speed

D. Scalability

A. Application layer

B. Session layer

C. Internet layer

D. Network access layer

A. Faster file access than tape.

B. Slower file access than tape.

C. Slower file access than drive.

D. Slower file access than scale.

A. Protocol filtering

B. Packet switching

C. Rule enforcement engine

D. Extended logging capability

A. To ensure referential integrity.

B. To allow easier access to data in a database.

C. To restrict user access to data in a database.

D. To provide audit trails.

A. File services

B. Mail services

C. Print services

D. Client/Server services

A. It is adaptive rather than preventive.

B. It is administrative rather than preventive.

C. It is disruptive rather than preventative.

D. It is detective rather than preventative.

A. One-time or dynamic password

B. Cognitive password

C. Static password

D. Pass phrase

A. Token Ring

B. Tokens

C. Token passing networks

D. Coupons

A. Take-Grant model

B. Access Matrix model

C. Biba model

D. Bell-Lapadula model

A. Implementing a corporate policy on copyright infringements and software use.

B. Requiring that all PCs be diskless workstations.

C. Installing metering software on the LAN so applications can be accessed through the metered software.

D. Regularly scanning used PCs to ensure that unauthorized copies of software have not been loaded on the PC.

A. Data exchange in many businesses.

B. Data change in many businesses.

C. Data compression in many businesses.

D. Data interchange in many businesses.

A. Operational Assurance and Architecture Assurance.

B. Design Assurance and Implementation Assurance.

C. Architecture Assurance and Implementation Assurance.

D. Operational Assurance and Life-Cycle Assurance.

A. Because malicious code can be embedded in the compiled code and can be difficult to detect.

B. Because the browser can safely execute all interpreted applets.

C. Because compilers are not reliable.

D. It does not. Interpreted code poses more risk than compiled code.

A. The Total Quality Model (TQM)

B. The IDEAL Model

C. The Software Capability Maturity Model

D. The Spiral Model

A. Red Boxes

B. Blue Boxes

C. White Boxes

D. Black Boxes

A. Ethernet segment

B. Ethernet datagram

C. Ethernet frame

D. Ethernet packet

A. Singe loss expectancy x annualized rate of occurrence.

B. Gross loss expectancy x loss frequency.

C. Actual replacement cost - proceeds of salvage.

D. Asset value x loss expectancy.

A. Disclosure of residual dat

A.

B. Unauthorized obtaining of a privileged execution state.

C. Data leakage through covert channels.

D. Denial of service through a deadly embrace.

A. Single array

B. Dual array

C. Triple array

D. Quadruple array

A. Because they can only identify correctly attacks they already know about.

B. Because they are application-based are more subject to attacks.

C. Because they cant identify abnormal behavior.

D. Because normal patterns of user and system behavior can vary wildly.

A. Public

B. Sensitive

C. Private

D. Confidential

A. Inheritance

B. Polyinstantiation

C. Polymorphism

D. Delegation

A. Verification

B. Validation

C. Concurrence

D. Accuracy

A. Proxy Client

B. Proxy Session

C. Proxy System

D. Proxy Server

A. Bonk attack

B. Land attack

C. Teardrop attack

D. Smurf attack

A. Start and Stop bits.

B. Start and End bits.

C. Begin and Stop bits.

D. Start and Finish bits.

A. Hardware failure

B. Natural disaster

C. Human error

D. Software failure

A. Software implementation

B. Hardware implementation

C. Network implementation

D. Netware implementation

A. Operation

B. Initiation

C. Development

D. Implementation

A. Deterrent controls

B. Output controls

C. Information flow controls

D. Asset controls

A. The societies role in the organization.

B': "The individual's role in the organization. ", 'C': "The group-dynamics as they relate to the individual's role in the organization.", 'D. The group-dynamics as they relate to the master-slave role in the organization.

A. Include separation of duties.

B. Be designed with a short-to mid-term focus.

C. Be understandable and supported by all stakeholders.

D. Specify areas of responsibility and authority.

A. Walls should have an acceptable fire rating.

B. Windows should be protected by bars.

C. Doors must resist forcible entry.

D. Location and type of fire suppression systems should be known.

A. Confidentiality

B. Integrity

C. Acceptability

D. Availability

A. Directives of Senior Management

B. Business Impact Analysis (BIA)

C. Scope and Plan Initiation

D. Skills of BCP committee

A. Transport layer

B. Network layer

C. Data link layer

D. Physical layer

A. Delegation

B. Distribution

C. Documentation

D. Destruction

A. The activity and behavior of the users while in the networked system may not be static enough to effectively implement a behavior-based ID system.

B. The activity and behavior of the users while in the networked system may be dynamic enough to effectively implement a behavior-based ID system.

C. The activity and behavior of the users while in the networked system may not be dynamic enough to effectively implement a behavior-based ID system.

D. The system is characterized by high false negative rates where intrusions are missed.

A. L2TP is a combination of PPTP and L2F.

B. L2TP and PPTP were designed for single point-to-point client to server communication.

C. L2TP operates at the network layer.

D. PPTP uses native PPP authentication and encryption services.

A. Perceived intrusiveness

B. Storage requirements

C. Accuracy

D. Reliability

A. Simple striping or mirroring.

B. Hard striping or mirroring.

C. Simple hamming code parity or mirroring.

D. Simple striping or hamming code parity.