[Computer professional qualification] Computer CISSP Certification - 1, with answers and explanations (.doc)

Resource ID: 1336844 | Size: 195.50 KB | Pages: 31 | Format: DOC
Computer CISSP Certification - 1, with answers and explanations (total score: 100.00; time allowed: 90 minutes)

1. Which of the following best describes the relationship between CobiT and ITIL? (Score: 2.00)
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.

2. Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to? (Score: 2.00)
A. HIPAA
B. NIST SP 800-66
C. Safe Harbor
D. European Union Principles on Privacy

3. Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this? (Score: 2.00)
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organisation for Economic Co-operation and Development
C. CobiT
D. International Organization for Standardization

4. Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining? (Score: 2.00)
A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee

5. As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim's responsibility as information owner? (Score: 2.00)
A. Assigning information classifications
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data

6. Assigning data classification levels can help with all of the following except: (Score: 2.00)
A. The grouping of classified information with hierarchical and restrictive security
B. Ensuring that nonsensitive data is not being protected by unnecessary controls
C. Extracting data from a database
D. Lowering the costs of protecting data

7. Which of the following is not included in a risk assessment? (Score: 2.00)
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality

8. Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's e-mail system. What type of approach is her company taking to handle the risk posed by the system? (Score: 2.00)
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference

9. The integrity of data is not related to which of the following? (Score: 2.00)
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities

10. There are several methods an intruder can use to gain access to company assets. Which of the following best describes masquerading? (Score: 2.00)
A. Changing an IP packet's source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access as another user
D. Creating a new authorized user with hacking tools

11. A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset? (Score: 2.00)
A. The asset's value in the external marketplace
B. The level of insurance required to cover the asset
C. The initial and outgoing costs of purchasing, licensing, and supporting the asset
D. The asset's value to the organization's production operations

12. Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database? (Score: 2.00)
A. Increase the database's security controls and provide more granularity.
B. Implement access controls that display each user's permissions each time they access the database.
C. Change the database's classification label to a higher security status.
D. Decrease the security so that all users can access the information as needed.

13. As his company's CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk? (Score: 2.00)
A. threats × vulnerability × asset value = residual risk
B. SLE × frequency = ALE, which is equal to residual risk
C. (threats × asset value × vulnerability) × control gap = residual risk
D. (total risk − asset value) × countermeasures = residual risk

14. Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep? (Score: 2.00)
A. Users have a tendency to request additional permissions without asking for others to be taken away.
B. It is a violation of "least privilege."
C. It enforces the "need-to-know" concept.
D. It commonly occurs when users transfer to other departments or change positions.

15. For what purpose was the COSO framework developed? (Score: 2.00)
A. To address fraudulent financial activities and reporting
B. To help organizations install, implement, and maintain CobiT controls
C. To serve as a guideline for IT security auditors to use when verifying compliance
D. To address regulatory requirements related to protecting private health information

16. Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role? (Score: 2.00)
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial information
C. Ensuring that security policies are defined and enforced
D. Ensuring the protection of customer, company, and employee data

17. Jared plays a role in his company's data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role? (Score: 2.00)
A. Data owner
B. Data custodian
C. Data user
D. Information systems auditor

18. Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks? (Score: 2.00)
A. FAP
B. OCTAVE
C. ANZ 4360
D. NIST SP 800-30

19. Which of the following is not a characteristic of a company with a security governance program in place? (Score: 2.00)
A. Board members are updated quarterly on the company's state of security.
B. All security activity takes place within the security department.
C. Security products, services, and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.

20. Michael is charged with developing a classification program for his company. Which of the following should he do first? (Score: 2.00)
A. Understand the different levels of protection that must be provided.
B. Specify data classification criteria.
C. Identify the data custodians.
D. Determine protection mechanisms for each classification level.

21. There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method? (Score: 2.00)
A. Risk transference. Share the risk with other entities.
B. Risk reduction. Reduce the risk to an acceptable level.
C. Risk rejection. Accept the current risk.
D. Risk assignment. Assign risk to a specific owner.

22. The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description. (Score: 2.00)
A. Top-right quadrant is high impact, low probability.
B. Top-left quadrant is high impact, medium probability.
C. Bottom-left quadrant is low impact, high probability.
D. Bottom-right quadrant is low impact, high probability.

23. What are the three types of policies that are missing from the following graphic? (Score: 2.00)
A. Regulatory, Informative, Advisory
B. Regulatory, Mandatory, Advisory
C. Regulatory, Informative, Public
D. Regulatory, Informative, Internal Use

24. List in the proper order from the table on the top of the next page the learning objectives that are missing and their proper definitions. (Score: 2.00)
A. Understanding, recognition and retention, skill
B. Skill, recognition and retention, skill
C. Recognition and retention, skill, understanding
D. Skill, recognition and retention, understanding

25. What type of risk analysis approach does the following graphic provide? (Score: 2.00)
A. Quantitative
B. Qualitative
C. Operationally Correct
D. Operationally Critical

26. ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards? (Score: 2.00)
A. ISO/IEC 27002: Code of practice for information security management
B. ISO/IEC 27003: Guideline for ISMS implementation
C. ISO/IEC 27004: Guideline for information security management measurement and metrics framework
D. ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems

Scenario (Score: 4.00). Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400.
(1) Which of the following is the criteria Sam's company was most likely certified under? (Score: 2.00)
A. SABSA
B. Capability Maturity Model Integration
C. Information Technology Infrastructure Library
D. Prince2
(2) What is the associated single loss expectancy value in this scenario? (Score: 2.00)
A. $65,000
B. $400,000
C. $40,000
D. $4,000

Scenario (Score: 6.00). Barry has just been hired as the company security officer at an international financial institution. He has reviewed the company's data protection policies and procedures. He sees that the company stores its sensitive data within a secured database. The database is located in a network segment all by itself, which is monitored by a network-based intrusion detection system. The database is hosted on a server kept within a server room, which can only be accessed by personnel with the correct PIN value and smart card. Barry finds that the sensitive data backups are not being properly secured and requests that the company implement a secure courier service that moves backup tapes to a secured location. His management states that this option is too expensive, so Barry implements a local hierarchical storage management system that properly protects the sensitive data.
(1) Which of the following best describes the control types the company originally had in place? (Score: 2.00)
A. Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical detective controls are the physical location of the database and PIN and smart card access controls.
B. Administrative preventive controls are the policies. Technical preventive controls are securing the system and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
C. Administrative corrective controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
D. Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system and network segmentation. The technical detective control is the intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
(2) The storage management system that Barry put into place is referred to as which of the following? (Score: 2.00)
A. Administrative control
B. Compensating control
C. Physical control
D. Confidentiality control
(3) Which are the two most common situations that require the type of control covered in the scenario to be implemented? (Score: 2.00)
A. Defense-in-depth is required, and the current controls only provide one protection layer.
B. Primary control costs too much or negatively affects business operations.
C. Confidentiality is the highest concern in a situation where defense-in-depth is required.
D. Availability is the highest concern in a situation where defense-in-depth is required.

27. Which of the following does not correctly describe a directory service? (Score: 2.00)
A. It manages objects within a directory by using namespaces.
B. It enforces security policy by carrying out access control and identity management functions.
C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.
D. It allows an administrator to configure and manage how identification takes place within the network.

28. Hannah has been assigned the task of installing Web access management (WAM) software. What is the best description for what WAM is commonly used for? (Score: 2.00)
A. Control external entities requesting access through X.500 databases
B. Control external entities requesting access to internal objects
C. Control internal entities requesting access through X.500 databases
D. Control internal entities requesting access to external objects

29. There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised? (Score: 2.00)
A. Management password reset
B. Self-service password reset
C. Password synchronization
D. Assisted password reset

30. A number of attacks can be performed against smart cards. Side-channel is a class of attacks that doesn't try to compromise a flaw or weakness. Which of the following is not a side-channel attack? (Score: 2.00)
A. Dif
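The Sam scenario above gives an annualized loss expectancy and an event frequency and asks for the single loss expectancy, while question 13 asks which formula yields residual risk. The Python below is an added worked example, not part of the exam or its answer key: it carries the standard SLE, ARO and ALE relationships through, solves the scenario's figures, and extends them to the usual countermeasure cost/benefit check. The asset value, exposure factor, event period and countermeasure cost used for that extension are constructed for illustration and do not come from the exam.

```python
"""Quantitative risk analysis helpers (added example; figures other than the
exam's ALE of $400 at one event per 100 years are constructed for illustration).

    SLE = asset value (AV) x exposure factor (EF)
    ARO = expected number of occurrences per year
    ALE = SLE x ARO
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset lost in one event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def aro_from_period(years_between_events: float) -> float:
    """An event expected once every N years has ARO = 1 / N (e.g. 'once in a hundred-year period' -> 0.01)."""
    if years_between_events <= 0:
        raise ValueError("period must be positive")
    return 1.0 / years_between_events


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def sle_from_ale(ale: float, aro: float) -> float:
    """Invert ALE = SLE x ARO. This is the step the exam scenario asks for."""
    if aro <= 0:
        raise ValueError("ARO must be positive")
    return ale / aro


@dataclass(frozen=True)
class Countermeasure:
    """A proposed control: what it costs per year and the ALE left once it is in place."""
    name: str
    annual_cost: float
    ale_after: float


def countermeasure_value(ale_before: float, cm: Countermeasure) -> float:
    """Cost/benefit of a control: (ALE before) - (ALE after) - (annual cost).

    A positive result means the control removes more expected loss than it
    costs; a negative result means the residual saving does not justify it.
    """
    return ale_before - cm.ale_after - cm.annual_cost


def exam_scenario() -> dict:
    """The Sam scenario: ALE is $400 for a trade-secret theft expected once in 100 years."""
    aro = aro_from_period(100)          # 0.01 events per year
    sle = sle_from_ale(400.0, aro)      # $40,000 per event
    return {"aro": aro, "sle": sle}


def constructed_scenario() -> dict:
    """Constructed figures (not from the exam) showing the full chain AV -> SLE -> ALE -> cost/benefit."""
    sle = single_loss_expectancy(asset_value=2_000_000, exposure_factor=0.2)  # $400,000
    aro = aro_from_period(10)                                                 # 0.1 per year
    ale = annualized_loss_expectancy(sle, aro)                                # $40,000
    control = Countermeasure(name="DLP + offsite backup", annual_cost=15_000, ale_after=400.0)
    return {"sle": sle, "aro": aro, "ale": ale, "value": countermeasure_value(ale, control)}


if __name__ == "__main__":
    print("Exam scenario:", exam_scenario())
    print("Constructed scenario:", constructed_scenario())
```

Run it directly to see both sets of figures; the exam's answer for the single loss expectancy falls out of `sle_from_ale(400, 1/100)`, and `constructed_scenario()` shows how the same SLE/ARO/ALE chain is used in the other direction, from asset value and exposure factor down to whether a countermeasure pays for itself.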


Source: uploaded to 麦多课文档分享 (www.mydoc123.com) by site member 赵齐羽.