CISSP Certification Exam (Information Security Governance and Risk Management) Practice Test 1: Questions, Answers and Explanations

1. Which of the following best describes the relationship between CobiT and ITIL?
(A) CobiT is a model for IT governance, whereas ITIL is a model for corporate governance.
(B) CobiT provides a corporate governance roadmap, whereas ITIL is a customizable framework for IT service management.
(C) CobiT defines IT goals, whereas ITIL provides the process-level steps on how to achieve them.
(D) CobiT provides a framework for achieving business goals, whereas ITIL defines a framework for achieving IT service-level goals.

2. Jane has been charged with ensuring that clients' personal health information is adequately protected before it is exchanged with a new European partner. What data security requirements must she adhere to?
(A) HIPAA
(B) NIST SP 800-66
(C) Safe Harbor
(D) European Union Principles on Privacy

3. Global organizations that transfer data across international boundaries must abide by guidelines and transborder information flow rules developed by an international organization that helps different governments come together and tackle the economic, social, and governance challenges of a globalized economy. What organization is this?
(A) Committee of Sponsoring Organizations of the Treadway Commission
(B) The Organisation for Economic Co-operation and Development
(C) CobiT
(D) International Organization for Standardization

4. Steve, a department manager, has been asked to join a committee that is responsible for defining an acceptable level of risk for the organization, reviewing risk assessment and audit reports, and approving significant changes to security policies and programs. What committee is he joining?
(A) Security policy committee
(B) Audit committee
(C) Risk management committee
(D) Security steering committee

5. As head of sales, Jim is the information owner for the sales department. Which of the following is not Jim's responsibility as information owner?
(A) Assigning information classifications
(B) Dictating how data should be protected
(C) Verifying the availability of data
(D) Determining how long to retain data

6. Assigning data classification levels can help with all of the following except:
(A) The grouping of classified information with hierarchical and restrictive security
(B) Ensuring that nonsensitive data is not being protected by unnecessary controls
(C) Extracting data from a database
(D) Lowering the costs of protecting data

7. Which of the following is not included in a risk assessment?
(A) Discontinuing activities that introduce risk
(B) Identifying assets
(C) Identifying threats
(D) Analyzing risk in order of cost or criticality

8. Sue has been tasked with implementing a number of security controls, including antivirus and antispam software, to protect the company's e-mail system. What type of approach is her company taking to handle the risk posed by the system?
(A) Risk mitigation
(B) Risk acceptance
(C) Risk avoidance
(D) Risk transference

9. The integrity of data is not related to which of the following?
(A) Unauthorized manipulation or changes to data
(B) The modification of data without authorization
(C) The intentional or accidental substitution of data
(D) The extraction of data to share with unauthorized entities

10. There are several methods an intruder can use to gain access to company assets. Which of the following best describes masquerading?
(A) Changing an IP packet's source address
(B) Elevating privileges to gain access
(C) An attempt to gain unauthorized access as another user
(D) Creating a new authorized user with hacking tools

11. A number of factors should be considered when assigning values to assets. Which of the following is not used to determine the value of an asset?
(A) The asset's value in the external marketplace
(B) The level of insurance required to cover the asset
(C) The initial and outgoing costs of purchasing, licensing, and supporting the asset
(D) The asset's value to the organization's production operations

12. Jill is establishing a companywide sales program that will require different user groups with different privileges to access information on a centralized database. How should the security manager secure the database?
(A) Increase the database's security controls and provide more granularity.
(B) Implement access controls that display each user's permissions each time they access the database.
(C) Change the database's classification label to a higher security status.
(D) Decrease the security so that all users can access the information as needed.

13. As his company's CISO, George needs to demonstrate to the Board of Directors the necessity of a strong risk management program. Which of the following should George use to calculate the company's residual risk?
(A) threats × vulnerability × asset value = residual risk
(B) SLE × frequency = ALE, which is equal to residual risk
(C) (threats × asset value × vulnerability) × control gap = residual risk
(D) (total risk - asset value) × countermeasures = residual risk

14. Authorization creep is to access controls what scope creep is to software development. Which of the following is not true of authorization creep?
(A) Users have a tendency to request additional permissions without asking for others to be taken away.
(B) It is a violation of "least privilege."
(C) It enforces the "need-to-know" concept.
(D) It commonly occurs when users transfer to other departments or change positions.

15. For what purpose was the COSO framework developed?
(A) To address fraudulent financial activities and reporting
(B) To help organizations install, implement, and maintain CobiT controls
(C) To serve as a guideline for IT security auditors to use when verifying compliance
(D) To address regulatory requirements related to protecting private health information

16. Susan, an attorney, has been hired to fill a new position at Widgets Inc. The position is Chief Privacy Officer (CPO). What is the primary function of her new role?
(A) Ensuring the protection of partner data
(B) Ensuring the accuracy and protection of company financial information
(C) Ensuring that security policies are defined and enforced
(D) Ensuring the protection of customer, company, and employee data

17. Jared plays a role in his company's data classification system. In this role, he must practice due care when accessing data and ensure that the data is used only in accordance with allowed policy while abiding by the rules set for the classification of the data. He does not determine, maintain, or evaluate controls, so what is Jared's role?
(A) Data owner
(B) Data custodian
(C) Data user
(D) Information systems auditor

18. Risk assessment has several different methodologies. Which of the following official risk methodologies was not created for the purpose of analyzing security risks?
(A) FAP
(B) OCTAVE
(C) ANZ 4360
(D) NIST SP 800-30

19. Which of the following is not a characteristic of a company with a security governance program in place?
(A) Board members are updated quarterly on the company's state of security.
(B) All security activity takes place within the security department.
(C) Security products, services, and consultants are deployed in an informed manner.
(D) The organization has established metrics and goals for improving security.

20. Michael is charged with developing a classification program for his company. Which of the following should he do first?
(A) Understand the different levels of protection that must be provided.
(B) Specify data classification criteria.
(C) Identify the data custodians.
(D) Determine protection mechanisms for each classification level.

21. There are four ways of dealing with risk. In the graphic that follows, which method is missing and what is the purpose of this method?
(A) Risk transference. Share the risk with other entities.
(B) Risk reduction. Reduce the risk to an acceptable level.
(C) Risk rejection. Accept the current risk.
(D) Risk assignment. Assign risk to a specific owner.

22. The following graphic contains a commonly used risk management scorecard. Identify the proper quadrant and its description.
(A) Top-right quadrant is high impact, low probability.
(B) Top-left quadrant is high impact, medium probability.
(C) Bottom-left quadrant is low impact, high probability.
(D) Bottom-right quadrant is low impact, high probability.

23. What are the three types of policies that are missing from the following graphic?
(A) Regulatory, Informative, Advisory
(B) Regulatory, Mandatory, Advisory
(C) Regulatory, Informative, Public
(D) Regulatory, Informative, Internal Use

24. List in the proper order from the table on the top of the next page the learning objectives that are missing and their proper definitions.
(A) Understanding, recognition and retention, skill
(B) Skill, recognition and retention, skill
(C) Recognition and retention, skill, understanding
(D) Skill, recognition and retention, understanding

25. What type of risk analysis approach does the following graphic provide?
(A) Quantitative
(B) Qualitative
(C) Operationally Correct
(D) Operationally Critical

26. ISO/IEC 27000 is part of a growing family of ISO/IEC information security management systems (ISMS) standards. It comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Which of the following provides an incorrect mapping of the individual standards that make up this family of standards?
(A) ISO/IEC 27002: Code of practice for information security management
(B) ISO/IEC 27003: Guideline for ISMS implementation
(C) ISO/IEC 27004: Guideline for information security management measurement and metrics framework
(D) ISO/IEC 27005: Guideline for bodies providing audit and certification of information security management systems

The following scenario applies to questions 27 and 28. Sam is the security manager of a company that makes most of its revenue from its intellectual property. Sam has implemented a process improvement program that has been certified by an outside entity. His company received a Level 2 during an appraisal process, and he is putting in steps to increase this to a Level 3. A year ago, when Sam carried out a risk analysis, he determined that the company was at too much of a risk when it came to potentially losing trade secrets. The countermeasure his team implemented reduced this risk, and Sam determined that the annualized loss expectancy of the risk of a trade secret being stolen once in a hundred-year period is now $400.

27. Which of the following is the criterion Sam's company was most likely certified under?
(A) SABSA
(B) Capability Maturity Model Integration
(C) Information Technology Infrastructure Library
(D) Prince2

28. What is the associated single loss expectancy value in this scenario?
(A) $65,000
(B) $400,000
(C) 40000
(D) 4000

The following scenario applies to questions 29, 30, and 31. Barry has just been hired as the company security officer at an international financial institution. He has reviewed the company's data protection policies and procedures. He sees that the company stores its sensitive data within a secured database. The database is located in a network segment all by itself, which is monitored by a network-based intrusion detection system. The database is hosted on a server kept within a server room, which can only be accessed by personnel with the correct PIN value and smart card. Barry finds that the sensitive data backups are not being properly secured and requests that the company implement a secure courier service that moves backup tapes to a secured location. His management states that this option is too expensive, so Barry implements a local hierarchical storage management system that properly protects the sensitive data.

29. Which of the following best describes the control types the company originally had in place?
(A) Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical detective controls are the physical location of the database and PIN and smart card access controls.
(B) Administrative preventive controls are the policies. Technical preventive controls are securing the system and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
(C) Administrative corrective controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical preventive controls are the physical location of the database and PIN
(D) Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system and network segmentation. The technical detective control is the intrusion detection system. Physical preventive controls are the phy

30. The storage management system that Barry put into place is referred to as which of the following?
(A) Administrative control
(B) Compensating control
(C) Physical control
(D) Confidentiality control

31. Which are the two most common situations that require the type of control covered in the scenario to be implemented?
(A) Defense-in-depth is required, and the current controls only provide one protection layer.
(B) Primary control costs too much or negatively affects business operations.
(C) Confidentiality is the highest concern in a situation where defense-in-depth is required.
(D) Availability is the highest concern in a situation where defense-in-depth is required.

CISSP Certification Exam (Information Security Governance and Risk Management) Practice Test 1: Answers and Explanations

1. Correct answer: C
Explanation: C is correct. Control Objectives for Information and related Technology (CobiT) is an IT governance control framework developed jointly by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). The framework defines control objectives that serve not only specific security requirements but the proper management of IT and the assurance that IT meets business needs. The Information Technology Infrastructure Library (ITIL) is the recognized standard and best-practice guide for IT service management. As a customizable framework, ITIL provides a set of goals, the general activities necessary to achieve those goals, and the inputs and outputs of each activity needed to accomplish them. In essence, CobiT addresses "what to achieve," while ITIL addresses "how to achieve it."
A is incorrect because, although CobiT can be used as an IT governance model, ITIL is not a corporate governance model. In fact, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a corporate governance model. CobiT is derived from the COSO framework. CobiT can be viewed as a way of achieving many of COSO's objectives, but only from an IT perspective. To achieve the many objectives set out in CobiT, an organization can use ITIL, because it provides the process-level steps for achieving IT service management goals.
B is incorrect. As stated above, CobiT can be used as an IT governance model, not as a corporate governance model; COSO is a corporate governance model. The second half of the answer is correct: ITIL is a customizable IT service management framework, and a series of books and online resources on the framework are available.
D is incorrect because CobiT defines the control objectives needed to manage IT properly and ensure that IT meets business needs, not specific IT security requirements. ITIL provides the steps for achieving IT service management goals that relate to business needs. ITIL was created because meeting business needs increasingly depends on information technology.
Knowledge module: Information Security Governance and Risk Management

2. Correct answer: C
Explanation: C is correct. The Safe Harbor requirements were created to reconcile U.S. domestic data privacy practices with the European Union's stricter privacy controls and to prevent accidental disclosure and loss of information. The agreement outlines how entities that intend to import private data from, or export it to, Europe must protect that data. By certifying compliance with the agreement, U.S. companies that work with EU entities can transfer data more quickly and conveniently.
A is incorrect. The "Health Insurance Portability and Accountability Act" (Heal