[Computer Professional Qualification] CISSP Certification Exam (Information Security Governance and Risk Management) - Paper 1 with Answer Key (.doc)

CISSP Certification Exam (Information Security Governance and Risk Management) - Paper 1 with Answer Key (Total score: 62.00, time allowed: 90 minutes)

1. Which of the following best describes the relationship between CobiT and ITIL? (Score: 2.00)
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.

2. Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to? (Score: 2.00)
A. HIPAA
B. NIST SP 800-66
C. Safe Harbor
D. European Union Principles on Privacy

3. Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this? (Score: 2.00)
A. Committee of Sponsoring Organizations of the Treadway Commission
B. The Organisation for Economic Co-operation and Development
C. CobiT
D. International Organization for Standardization

4. Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining? (Score: 2.00)
A. Security policy committee
B. Audit committee
C. Risk management committee
D. Security steering committee

5. As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim's responsibility as information owner? (Score: 2.00)
A. Assigning information classifications
B. Dictating how data should be protected
C. Verifying the availability of data
D. Determining how long to retain data

6. Assigning data classification levels can help with all of the following except: (Score: 2.00)
A. The grouping of classified information with hierarchical and restrictive security
B. Ensuring that nonsensitive data is not being protected by unnecessary controls
C. Extracting data from a database
D. Lowering the costs of protecting data

7. Which of the following is not included in a risk assessment? (Score: 2.00)
A. Discontinuing activities that introduce risk
B. Identifying assets
C. Identifying threats
D. Analyzing risk in order of cost or criticality

8. Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's e-mail system. What type of approach is her company taking to handle the risk posed by the system? (Score: 2.00)
A. Risk mitigation
B. Risk acceptance
C. Risk avoidance
D. Risk transference

9. The integrity of data is not related to which of the following? (Score: 2.00)
A. Unauthorized manipulation or changes to data
B. The modification of data without authorization
C. The intentional or accidental substitution of data
D. The extraction of data to share with unauthorized entities

10. There are several methods an intruder can use to gain access to company assets. Which of the following best describes masquerading? (Score: 2.00)
A. Changing an IP packet's source address
B. Elevating privileges to gain access
C. An attempt to gain unauthorized access as another user
D. Creating a new authorized user with hacking tools

11. A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset? (Score: 2.00)
A. The asset's value in the external marketplace
B. The level of insurance required to cover the asset
C. The initial and outgoing costs of purchasing, licensing, and supporting the asset
D. The asset's value to the organization's production operations

12. Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database? (Score: 2.00)
A. Increase the database's security controls and provide more granularity.
B. Implement access controls that display each user's permissions each time they access the database.
C. Change the database's classification label to a higher security status.
D. Decrease the security so that all users can access the information as needed.

13. As his company's CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk? (Score: 2.00)
A. threats × vulnerability × asset value = residual risk
B. SLE × frequency = ALE, which is equal to residual risk
C. (threats × asset value × vulnerability) × control gap = residual risk
D. (total risk - asset value) × countermeasures = residual risk

14. Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep? (Score: 2.00)
A. Users have a tendency to request additional permissions without asking for others to be taken away.
B. It is a violation of "least privilege."
C. It enforces the "need-to-know" concept.
D. It commonly occurs when users transfer to other departments or change positions.

15. For what purpose was the COSO framework developed? (Score: 2.00)
A. To address fraudulent financial activities and reporting
B. To help organizations install, implement, and maintain CobiT controls
C. To serve as a guideline for IT security auditors to use when verifying compliance
D. To address regulatory requirements related to protecting private health information

16. Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role? (Score: 2.00)
A. Ensuring the protection of partner data
B. Ensuring the accuracy and protection of company financial information
C. Ensuring that security policies are defined and enforced
D. Ensuring the protection of customer, company, and employee data

17. Jared plays a role in his company's data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role? (Score: 2.00)
A. Data owner
B. Data custodian
C. Data user
D. Information systems auditor

18. Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks? (Score: 2.00)
A. FAP
B. OCTAVE
C. ANZ 4360
D. NIST SP 800-30

19. Which of the following is not a characteristic of a company with a security governance program in place? (Score: 2.00)
A. Board members are updated quarterly on the company's state of security.
B. All security activity takes place within the security department.
C. Security products, services, and consultants are deployed in an informed manner.
D. The organization has established metrics and goals for improving security.

20. Michael is charged with developing a classification program for his company. Which of the following should he do first? (Score: 2.00)
A. Understand the different levels of protection that must be provided.
B. Specify data classification criteria.
C. Identify the data custodians.
D. Determine protection mechanisms for each classification level.

21. There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method? (Score: 2.00)
A. Risk transference. Share the risk with other entities.
B. Risk reduction. Reduce the risk to an acceptable level.
C. Risk rejection. Accept the current risk.
D. Risk assignment. Assign risk to a specific owner.

22. The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description. (Score: 2.00)
A. Top-right quadrant is high impact, low probability.
B. Top-left quadrant is high impact, medium probability.
C. Bottom-left quadrant is low impact, high probability.
D. Bottom-right quadrant is low impact, high probability.

23. What are the three types of policies that are missing from the following graphic? (Score: 2.00)
A. Regulatory, Informative, Advisory
B. Regulatory, Mandatory, Advisory
C. Regulatory, Informative, Public
D. Regulatory, Informative, Internal Use

24. List in the proper order from the table on the top of the next page the learning objectives that are missing and their proper definitions. (Score: 2.00)
A. Understanding, recognition and retention, skill
B. Skill, recognition and retention, skill
C. Recognition and retention, skill, understanding
D. Skill, recognition and retention, understanding

25. What type of risk analysis approach does the following graphic provide? (Score: 2.00)
A. Quantitative
B. Qualitative
C. Operationally Correct
D. Operationally Critical

26. ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards? (Score: 2.00)
A. ISO/IEC 27002 Code of practice for information security management
B. ISO/IEC 27003 Guideline for ISMS implementation
C. ISO/IEC 27004 Guideline for information security management measurement and metrics framework
D. ISO/IEC 27005 Guideline for bodies providing audit and certification of information security management systems

The following scenario applies to questions 27 and 28.
Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400. (Score: 4.00)

(1) Which of the following is the criteria Sam's company was most likely certified under? (Score: 2.00)
A. SABSA
B. Capability Maturity Model Integration
C. Information Technology Infrastructure Library
D. Prince2

(2) What is the associated single loss expectancy value in this scenario? (Score: 2.00)
A. $65,000
B. $400,000
C. 40000
D. 4000

The following scenario applies to questions 29, 30, and 31.
Barry has just been hired as the company security officer at an international financial institution. He has reviewed the company's data protection policies and procedures. He sees that the company stores its sensitive data within a secured database. The database is located in a network segment all by itself, which is monitored by a network-based intrusion detection system. The database is hosted on a server kept within a server room, which can only be accessed by personnel with the correct PIN value and smart card. Barry finds that the sensitive data backups are not being properly secured and requests that the company implement a secure courier service that moves backup tapes to a secured location. His management states that this option is too expensive, so Barry implements a local hierarchical storage management system that properly protects the sensitive data. (Score: 6.00)

(1) Which of the following best describes the control types the company originally had in place? (Score: 2.00)
A. Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical detective controls are the physical location of the database and PIN and smart card access controls.
B. Administrative preventive controls are the policies. Technical preventive controls are securing the system and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
C. Administrative corrective controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical preventive controls are the physical location of the database and PIN
D. Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system and network segmentation. The technical detective control is the intrusion detection system. Physical preventive controls are the phy

(2) The storage management system that Barry put into place is referred to as which of the following? (Score: 2.00)
A. Administrative control
B. Compensating control
C. Physical control
D. Confidentiality control

(3) Which are the two most common situations that require the type of control covered in the scenario to be implemented? (Score: 2.00)
A. Defense-in-depth is required, and the current controls only provide one protection layer.
B. Primary control costs too much or negatively affects business operations.
C. Confidentiality is the highest concern in a situation where defense-in-depth is required.
D. Availability is the highest concern in a situation where defense-in-depth is required.

CISSP Certification Exam (Information Security Governance and Risk Management) - Paper 1 Answer Key (Total score: 62.00, time allowed: 90 minutes)

1. Which of the following best describes the relationship between CobiT and ITIL? (Score: 2.00)
A. CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
B. CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
C. CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
D. CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.
Explanation: C is correct. Control Objectives for Information and related Technology (CobiT) is an IT governance control framework developed jointly by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). The framework defines control objectives that serve not only specific security requirements but the proper management of IT and ensuring that IT meets business needs. The Information Technology Infrastructure Library (ITIL) is the recognized standard and best-practice guide for IT service management. As a customizable framework, ITIL provides a set of goals, the general activities necessary to achieve those goals, and the inputs and outputs of each activity needed to accomplish them. In essence, CobiT answers the question "what to achieve" while ITIL answers "how to achieve it". A is incorrect. Although CobiT can be used as an IT governance model, ITIL is not a corporate governance model. In fact, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a corporate governance model, and CobiT is derived from the COSO framework. CobiT can be viewed as a way of achieving many of COSO's objectives, but only from the IT perspective. To achieve the many objectives set out in CobiT, an organization can use ITIL, because it provides the process-level steps for achieving IT service management goals. B is incorrect. As stated above, CobiT can be used as an IT governance model, not a corporate governance model; COSO is a corporate governance model. The second half of the answer is correct: ITIL is a customizable IT service management framework, and a series of books and online resources about it are available. D is incorrect, because CobiT
