CISSP Certification Exam (Legal, Regulations, Investigations and Compliance) Mock Test 1, with Answers and Explanations

1 Cyberlaw categorizes computer-related crime into three categories. Which of the following is an example of a crime in which the use of a computer would be categorized as incidental?
(A) Carrying out a buffer overflow to take control of a system
(B) The electronic distribution of child pornography
(C) Attacking financial systems to steal funds
(D) Capturing passwords as they are sent to the authentication server

2 Which organization has been developed to deal with economic, social, and governance issues, and with how sensitive data is transported over borders?
(A) European Union
(B) Council of Europe
(C) Safe Harbor
(D) Organisation for Economic Co-operation and Development

3 Different countries have different legal systems. Which of the following correctly describes customary law?
(A) Not many countries work under this law purely; most instead use a mixed system where this law, which deals mainly with personal conduct and patterns of behavior, is an integrated component.
(B) It covers all aspects of human life, but is commonly divided into responsibilities and obligations to others, and religious duties.
(C) It is a rule-based law focused on codified law.
(D) Based on previous interpretations of laws, this system reflects the community's morals and expectations.

4 Widgets Inc. wishes to protect its logo from unauthorized use. Which of the following will protect the logo and ensure that others cannot copy and use it?
(A) Patent
(B) Copyright
(C) Trademark
(D) Trade secret law

5 There are four categories of software licensing. Which of the following refers to software sold at a reduced cost?
(A) Shareware
(B) Academic software
(C) Freeware
(D) Commercial software

6 There are different types of approaches to regulations. Which of the following is an example of self-regulation?
(A) The Health Insurance Portability and Accountability Act
(B) The Sarbanes-Oxley Act
(C) The Computer Fraud and Abuse Act
(D) PCI Data Security Standard

7 Which of the following means that a company did all it could have reasonably done to prevent a security breach?
(A) Downstream liability
(B) Responsibility
(C) Due diligence
(D) Due care

8 There are three different types of incident response teams. Which of the following correctly describes a virtual team?
(A) It consists of experts who have other duties within the organization.
(B) It can be cost prohibitive to smaller organizations.
(C) It is a hybrid model.
(D) Core members are permanently assigned to the team.

9 A suspected crime has been reported within your organization. Which of the following steps should the incident response team take first?
(A) Establish a procedure for responding to the incident.
(B) Call in forensics experts.
(C) Determine that a crime has been committed.
(D) Notify senior management.

10 During an incident response, what stage involves mitigating the damage caused by an incident?
(A) Investigation
(B) Containment
(C) Triage
(D) Analysis

11 Which of the following is a correct statement regarding computer forensics?
(A) It is the study of computer technology.
(B) It is a set of hardware-specific processes that must be followed in order for evidence to be admissible in a court of law.
(C) It encompasses network and code analysis, and may be referred to as electronic data discovery.
(D) Computer forensics responsibilities should be assigned to a network administrator before an incident occurs.

12 Which of the following dictates that all evidence be labeled with information indicating who secured and validated it?
(A) Chain of custody
(B) Due care
(C) Investigation
(D) Motive, Opportunity, and Means

13 There are several categories of evidence. How is a witness's oral testimony categorized?
(A) Best evidence
(B) Secondary evidence
(C) Circumstantial evidence
(D) Conclusive evidence

14 For evidence to be legally admissible, it must be authentic, complete, sufficient, and reliable. Which characteristic refers to the evidence having a reasonable and sensible relationship to the findings?
(A) Complete
(B) Reliable
(C) Authentic
(D) Sufficient

15 Which of the following best describes exigent circumstances?
(A) The methods used to capture a suspect's actions are neither legal nor ethical.
(B) Enticement is used to capture a suspect's actions.
(C) Hacking does not actually hurt anyone.
(D) The seizure of evidence by law enforcement because there is concern that a suspect will attempt to destroy it.

16 What role does the Internet Architecture Board play regarding technology and ethics?
(A) It creates criminal sentencing guidelines.
(B) It issues ethics-related statements concerning the use of the Internet.
(C) It edits Request for Comments.
(D) It maintains ten commandments for ethical behavior.

17 Which of the following statements is not true of dumpster diving?
(A) It is legal.
(B) It is unethical.
(C) It is illegal.
(D) It is a nontechnical attack.

18 Which of the following is a legal form of eavesdropping when performed with prior consent or a warrant?
(A) Denial of Service
(B) Dumpster diving
(C) Wiretapping
(D) Data diddling

19 What type of common law deals with violations committed by individuals against government laws, which are created to protect the public?
(A) Criminal law
(B) Civil law
(C) Tort law
(D) Regulatory law

20 During what stage of incident response is it determined if the source of the incident was internal or external, and how the offender penetrated and gained access to the asset?
(A) Analysis
(B) Containment
(C) Tracking
(D) Follow-up

21 Which of the following is not true of a forensics investigation?
(A) The crime scene should be modified as necessary.
(B) A file copy tool may not recover all data areas of the device that are necessary for investigation.
(C) Contamination of the crime scene may not negate derived evidence, but it should still be documented.
(D) Only individuals with knowledge of basic crime scene analysis should have access to the crime scene.

22 Great care must be taken to capture clues from a computer or device during a forensics exercise. Which of the following does not correctly describe the efforts that should be taken to protect an image?
(A) The original image should be hashed with MD5 and/or SHA-256.
(B) Two time-stamped images should be created.
(C) New media should be properly purged before images are created on them.
(D) Some systems must be imaged while they are running.

23 Which of the following attacks can be best prevented by limiting the amount of electrical signals emitted from a computer system?
(A) Salami attack
(B) Emanations capturing
(C) Password sniffing
(D) IP spoofing

24 As a CISSP candidate, you must sign a Code of Ethics. Which of the following is from the (ISC)2 Code of Ethics for the CISSP?
(A) Information should be shared freely and openly; thus, sharing confidential information should be ethical.
(B) Think about the social consequences of the program you are writing or the system you are designing.
(C) Discourage unnecessary fear or doubt.
(D) Do not participate in Internet-wide experiments in a negligent manner.

25 What concept states that a criminal leaves something behind and takes something with them?
(A) Modus Operandi
(B) Profiling
(C) Locard's Principle of Exchange
(D) Motive, Opportunity, and Means

26 Which of the following was the first international treaty seeking to address computer crimes by coordinating national laws and improving investigative techniques and international cooperation?
(A) Council of Global Convention on Cybercrime
(B) Council of Europe Convention on Cybercrime
(C) Organisation for Economic Co-operation and Development
(D) Organisation for Cybercrime Co-operation and Development

27 Lee is a new security manager who is in charge of ensuring that his company complies with the European Union Principles on Privacy when his company is interacting with their European partners. The set of principles that deals with transmitting data considered private is encompassed within which of the following laws or regulations?
(A) Data Protection Directive
(B) Organisation for Economic Co-operation and Development
(C) Federal Private Bill
(D) Privacy Protection Law

28 The common law system is broken down into which of the following categories?
(A) Common, civil, criminal
(B) Legislation, bills, regulatory
(C) Civil, criminal, regulatory
(D) Legislation, bills, civil

29 Privacy is becoming more threatened as the world relies more and more on technology. There are several approaches to addressing privacy, including the generic approach and regulation by industry. Which of the following best describes these two approaches?
(A) The generic approach is vertical enactment. Regulation by industry is horizontal enactment.
(B) The generic approach is horizontal enactment. Regulation by industry is vertical enactment.
(C) The generic approach is government enforced. Regulation by industry is self-enforced.
(D) The generic approach is self-enforced. Regulation by industry is government enforced.

The following scenario will be used for questions 30 and 31. Stephanie has been put in charge of developing incident response and forensics procedures her company needs to carry out if an incident occurs. She needs to ensure that their procedures map to the international principles for gathering and protecting digital evidence. She also needs to ensure that if and when internal forensics teams are deployed, they have labels, tags, evidence bags, cable ties, imaging software, and other associated tools.

30 Which of the following best describes the organization that developed the best practices that Stephanie needs to ensure her company's procedures map to?
(A) Internet Activities Board
(B) International Organization on Computer Evidence
(C) Department of Defense Forensics Committee
(D) International Forensics Standards Board

31 Which of the following best describes what Stephanie needs to build for the deployment teams?
(A) Local and remote imaging system
(B) Forensics field kit
(C) Chain of custody procedures and tools
(D) Digital evidence collection software

CISSP Certification Exam (Legal, Regulations, Investigations and Compliance) Mock Test 1: Answers and Explanations

1 [Correct answer] B
[Explanation] B is correct. The United States has enacted laws to combat three types of crime: computer-assisted crime, computer-targeted crime, and crime in which the computer is incidental. If a crime falls into the "computer is incidental" category, this means the computer was involved only in a secondary way and its involvement was insignificant. The digital distribution of child pornography is an example of a computer-incidental crime. The actual crime is obtaining and sharing child pornography pictures or graphics. These images could be stored on a file server or kept in a physical file on someone's desk. So if a crime falls into this category, it is not a case of one computer attacking another. Although the computer was not attacked, it was used in some way. The computer therefore becomes an additional source of evidence related to the crime.
A is incorrect because using a buffer overflow to gain control of a system is a computer-targeted crime. Computer-targeted crimes are attacks aimed specifically at computers (and their owners). Other examples of computer-targeted crime are distributed denial-of-service attacks, installing malware intended to cause disruption, and installing rootkits and sniffers for malicious purposes.
C is incorrect because attacking financial systems to steal funds is a computer-assisted crime. A computer-assisted crime is one in which the computer is used as a tool to carry out the criminal activity. Other examples of computer-assisted crime are attacking military systems to obtain military intelligence and attacking critical national infrastructure systems to conduct information warfare.
D is incorrect because capturing passwords as they are sent to the authentication server is an example of a computer-targeted crime. The categories "computer-assisted crime" and "computer-targeted crime" are easily confused, because intuitively any attack seems to belong to both. One way to distinguish them is this: a computer-targeted crime could not take place without a computer, whereas a computer-assisted crime could still be carried out without one. Hence computer-targeted crimes did not (and could not) exist before computers came into widespread use. In other words, in the good old days you could not carry out a buffer overflow attack against your neighbor, nor install malware on your enemy's system. These crimes all require a computer.
[Knowledge module] Legal, Regulations, Investigations and Compliance

2 [Correct answer] D
[Explanation] D is correct. International organizations that transfer data across national borders must understand and follow the guidelines of the Organisation for Economic Co-operation and Development (OECD). Because most countries have different legal provisions on what private data is and how it must be protected, international trade becomes far more complicated and national economies are negatively affected. The OECD is an international organization whose purpose is to help countries and governments jointly address the economic, social and governance challenges of a globalized economy. For this reason, the OECD has issued guidelines that countries should follow so that data is protected and all countries follow the same set of rules. One of these rules is that data subjects should be able to find out whether an organization holds their personal information and, if so, what that information is, so that they can correct erroneous data and challenge a refusal of such a request.
A is incorrect because the European Union is not an organization that deals with economic, social and governance issues; it is one that deals with the protection of sensitive data. The EU privacy principles are: the reason for collecting data must be specified at the time of collection; data may not be used for other purposes; unnecessary data should not be collected; data should be kept only until the stated task is completed; only those who need the data to complete the stated task should have access to it; and anyone responsible for storing data securely must not allow it to "leak" unintentionally.
B is incorrect because the Council of Europe is responsible for creating the Convention on Cybercrime. The Council of Europe's Convention on Cybercrime attempts to create an international standard for dealing with cybercrime. In fact, it was the first international treaty seeking to address computer crime by coordinating national laws and improving investigative techniques and international cooperation. The convention's goals include creating a framework for jurisdiction over, and extradition of, the accused. For example, the treaty's extradition provisions apply only when the incident is a crime in both jurisdictions.
C is incorrect because Safe Harbor is not an organization but a set of requirements for organizations wishing to exchange data with European entities. Europe has always had stricter controls on the protection of private data than the United States and the rest of the world. So in the past, when US and European companies needed to exchange data, confusion arose and business was disrupted, because lawyers had to step in to work out how to operate within the different legal frameworks. To clean up this mess, a framework called "Safe Harbor" was created, describing how any entity planning to transfer private data out of or into Europe should protect that data. US companies dealing with European entities can be certified against these rules, allowing data transfers to proceed faster and more easily.
[Knowledge module] Legal, Regulations, Investigations and Compliance

3 [Correct answer] A
[Explanation] A is correct. Customary law is law concerned with personal conduct and patterns of behavior. It is based on the traditions and customs of a region. It arose as communities emerged and cooperation between people became necessary. Not all countries operate purely under a customary law system; instead, the vast majority use a mixed system that integrates customary law (codified civil law systems derive from customary law). Customary law is commonly used in regions of the world with mixed legal systems, such as China and India. Customary law systems often use restitution such as fines or the provision of services.
B is incorrect because this option describes a religious legal system. Customary law is law concerned with personal conduct and patterns of behavior, whereas religious legal systems are commonly divided into responsibilities and obligations to others, and religious duties. Religious legal systems are based on the religious beliefs of a region. For example, in Islamic countries the law is derived from the rules of the Koran. However, the law also differs from one Islamic country to another.
C is incorrect because civil law is rule-based and, in most cases, centered on codified law (that is, law that is written down). Civil law is the most widely used legal system in the world and the most common legal system in Europe. It is law established by individual states or nations for their own regulation. Civil law can therefore be further divided into subcategories such as French civil law, German civil law, and so on.
D is incorrect because common law is based on previous interpretations of the law. In the past, judges travelled the country enforcing the law and settling disputes. They had no written body of law, so they decided cases according to their own legal customs and precedent. This system reflects the morals and expectations of society.
[Knowledge module] Legal, Regulations, Investigations and Compliance

4 [Correct answer] C
[Explanation] C is correct. Intellectual property is protected by several different laws, and which law applies depends on the type of intellectual property resource. Trademark law protects words, names, symbols, sounds, shapes, colors or combinations of these, such as a logo. Companies register these, or combinations of them, as trademarks because they represent the company (its brand identity) to the public and the world. A company's marketing department strives to be creative so that the company attracts attention and stands out from its many competitors. Registering the result of that effort as a trademark with the government is one way to protect it properly and ensure that others cannot copy and use it.
A is incorrect because a patent protects an invention, whereas a trademark protects words, names, symbols, sounds, shapes, colors or combinations of these. Patents are granted to individuals or companies in recognition of their legal ownership, enabling them to prevent others from using or copying the patented invention. Patents cover inventions. An invention must be novel, useful and non-obvious. A patent is the strongest form of intellectual property protection.
B is incorrect because, in the United States, copyright law protects an author's right to control the public distribution, reproduction, display and adaptation of an original work. This law covers many categories of work: pictorial, graphic, musical, dramatic, literary, motion pictures, sculpture, sound recordings and architecture. Copyright law does not cover a specific resource. It protects the expression of the idea behind the resource rather than the resource itself. Copyright law is typically used to protect a writer's works, an artist's paintings, a programmer's source code, or the specific rhythms and structures created by a musician.
D is incorrect because trade secret law protects certain types of information or resources from unauthorized use or disclosure. For a company that owns a trade secret resource, the resource must provide the company with some competitive value or advantage. A trade secret can be protected by law if developing it required special skill, ingenuity and/or funding, together with sustained effort.
[Knowledge module] Legal, Regulations, Investigations and Compliance

5 [Correct answer] B
[Explanation] B is correct. When a vendor develops an application, the vendor usually licenses the application rather than selling it outright. The license agreement contains provisions on the use and security of the software and its associated manuals. If a company or individual fails to comply with and fulfil these provisions, the license may be revoked and, depending on the nature of the conduct, criminal charges may follow. The risk facing a vendor that develops software and licenses it out is the loss of the profit it should have earned. The four categories of software licensing are shareware, freeware, commercial software and academic software. Academic software is software provided at a reduced cost for academic purposes.
A is incorrect because shareware, also called trialware, is a licensing model in which the vendor provides a trial version of the software free of charge. Once the user has tried the program, the user is asked to purchase a copy. This model is the vendor's way of marketing the software.
C is incorrect because freeware is software that is free and publicly available; it may be used, copied, studied, modified and redistributed without restriction.
D is incorrect because commercial software is sold at full price and used for commercial purposes. Most companies use commercial software under volume licenses. A volume license allows multiple users to use the product at the same time. These master agreements define the correct use of the software within its restrictions, for example whether employees may also use company software on machines in their homes.
[Knowledge module] Legal, Regulations, Investigations and Compliance

6 [Correct answer] D
[Explanation] D is correct. As the world relies more and more on technology, the threats to privacy grow ever larger. There are several approaches to addressing privacy, including regulations established and enforced by governments and self-regulation. The Payment Card Industry Data Security Standard (PCI DSS) is an example of a self-regulatory approach. The PCI DSS is mandated by the credit card companies and applies to any entity that processes, transmits, stores or accepts credit card data. There are several levels of compliance and penalties, which depend entirely on the size of the customer and its transaction volume. However, since millions of people use credit cards and they are accepted almost everywhere, this means nearly every business in the world must comply with the PCI DSS. The PCI DSS is not a regulation established and enforced by a government. Although the CISSP exam does not require you to know specific regulations, you must understand the different ways in which regulations are imposed.
A is incorrect because the Health Insurance Portability and Accountability Act (HIPAA) is a US federal regulation that applies to any organization holding personal medical information and health data. This regulation provides a framework and guidelines for ensuring the security, integrity and privacy of data when handling confidential medical information. HIPAA specifies how the security of any facility that creates, accesses, shares or destroys medical information should be managed.
B is incorrect because the Sarbanes-Oxley Act (SOX) was created by the US government after corporate scandals and fraud that cost investors billions of dollars and threatened to undermine the economy. This regulation applies to any company publicly traded on US markets. Most of the act governs auditing practices and the methods companies use to report their financial condition. However, one part applies directly to information technology, in particular Section 404.
C is incorrect because the Computer Fraud and Abuse Act is the primary US federal anti-hacking statute. It prohibits seven forms of computer activity and makes them federal crimes. These offenses range from misdemeanors to felonies, with penalties ranging from small fines to large fines and even imprisonment. Accessing a protected computer without authorization, or in excess of authorization, for the purpose of fraud is one such example. Although the CISSP exam does not require you to know specific laws and regulations, you need to understand why the various laws and regulations are enforced.
[Knowledge module] Legal,