CISSP信息系統(tǒng)安全工程師認(rèn)證考試全題庫(kù)（中英對(duì)照版）-下（740題）

PAGEPAGE469CISSP信息系統(tǒng)安全工程師認(rèn)證考試全題庫(kù)（中英對(duì)照版）-下（740題）一、單選題1.Whatpartofanorganization'sstrategicriskassessmentMOSTlikelyincludesinformationonitemsaffectingthesuccessoftheorganization?

組織戰(zhàn)略風(fēng)險(xiǎn)評(píng)估的哪些部分最可能包括影響組織成功的項(xiàng)目信息？A、KeyRiskIndicator(KRI)

關(guān)鍵風(fēng)險(xiǎn)指標(biāo)(KRI)B、Threatanalysis

威脅分析C、Vulnerabilityanalysis

弱點(diǎn)分析D、KeyPerformanceIndicator(KPI)

關(guān)鍵性能指標(biāo)(KPI)答案：A2.Howdoesanorganizationverifythataninformationsystem'scurrenthardwareandsoftwarematchthestandardsystemconfiguration?

組織如何驗(yàn)證信息系統(tǒng)的當(dāng)前硬件和軟件是否符合標(biāo)準(zhǔn)的系統(tǒng)配置？A、Byreviewingtheconfigurationafterthesystemgoesintoproduction

通過(guò)在系統(tǒng)投入生產(chǎn)后檢查配置B、Byrunningvulnerabilityscanningtoolsonalldevicesintheenvironment

通過(guò)在環(huán)境中的所有設(shè)備上運(yùn)行漏洞掃描工具C、Byparingtheactualconfigurationofthesystemagainstthebaseline

通過(guò)比較系統(tǒng)的實(shí)際配置與基線D、Byverifyingalltheapprovedsecuritypatchesareimplemented

通過(guò)驗(yàn)證所有已批準(zhǔn)的安全補(bǔ)丁的實(shí)現(xiàn)答案：C3.Whichofthefollowinganalysesisperformedtoprotectinformationassets?

執(zhí)行以下哪項(xiàng)分析以保護(hù)信息資產(chǎn)？A、Businessimpactanalysis業(yè)務(wù)影響分析B、Feasibilityanalysis可行性分析C、Costbenefitanalysis成本效益分析D、Dataanalysis數(shù)據(jù)分析答案：A4.ThecoreponentofRoleBasedAccessControl(RBAC)mustbeconstructedofdefineddataelements.Whichelementsarerequired?

基于角色的訪問(wèn)控制(RBAC)的核心組件必須由已定義的數(shù)據(jù)元素構(gòu)建。需要哪些元素？A、Users,permissions,operations,andprotectedobjects

用戶、權(quán)限、操作和受保護(hù)的對(duì)象B、Roles,accounts,permissions,andprotectedobjects

角色、帳戶、權(quán)限和受保護(hù)的對(duì)象C、Users,roles,operations,andprotectedobjects

用戶、角色、操作和受保護(hù)的對(duì)象D、Roles,operations,accounts,andprotectedobjects

角色、操作、帳戶和受保護(hù)的對(duì)象答案：C5.WhichofthefollowingprocesseshasthePRIMARYpurposeofidentifyingoutdatedsoftwareversions,missingpatches,andlapsedsystemupdates?

以下哪些進(jìn)程的主要目的是識(shí)別過(guò)時(shí)的軟件版本、丟失的補(bǔ)丁程序和失效的系統(tǒng)更新？A、Penetrationtesting

滲透試驗(yàn)B、Vulnerabilitymanagement

漏洞管理C、SoftwareDevelopmentLifeCycle(SDLC)

軟件開(kāi)發(fā)生命周期(SDLC)D、Lifecyclemanagement

生命周期管理答案：B6.WhichofthefollowingisconsideredtheFIRSTstepwhendesigninganinternalsecuritycontrolassessment?

在設(shè)計(jì)內(nèi)部安全控制評(píng)估時(shí)，以下哪一個(gè)步驟被認(rèn)為是第一步？A、Createaplanbasedonrecentvulnerabilityscansofthesystemsinquestion.

根據(jù)相關(guān)系統(tǒng)最近的漏洞掃描創(chuàng)建一個(gè)計(jì)劃B、CreateaplanbasedonprehensiveKnowledgeofKnownbreaches.

根據(jù)對(duì)已知漏洞的全面了解，制定一個(gè)計(jì)劃。C、CreateaplanbasedonarecognizedframeworkofKnowncontrols.

基于已識(shí)別的已知控制框架創(chuàng)建計(jì)劃D、Createaplanbasedonreconnaissanceoftheorganization'sinfrastructure.

根據(jù)對(duì)組織基礎(chǔ)設(shè)施的偵察，創(chuàng)建一個(gè)計(jì)劃答案：D7.WhichoftheBESTinternationallyrecognizedstandardforevaluatingsecurityproductsandsystems?

評(píng)估安全產(chǎn)品和系統(tǒng)的最佳國(guó)際公認(rèn)的標(biāo)準(zhǔn)？A、PaymentCardIndustryDataSecurityStandards(PCI-DSS)

支付卡行業(yè)數(shù)據(jù)安全標(biāo)準(zhǔn)（PCI-DSS）B、monCriteria(CC)

通用標(biāo)準(zhǔn)(CC)C、HealthInsurancePortabilityandAccountabilityAct(HIPAA)

健康保險(xiǎn)可攜性和責(zé)任法案(HIPAA)D、Sarbanes-Oxley(SOX)答案：B8.Whichofthefollowinginitiatesthesystemrecoveryphaseofadisasterrecoveryplan?

以下哪一項(xiàng)將啟動(dòng)災(zāi)難恢復(fù)計(jì)劃的系統(tǒng)恢復(fù)階段？A、Evacuatingthedisastersite

疏散災(zāi)害現(xiàn)場(chǎng)B、Assessingtheextentofdamagefollowingthedisaster

評(píng)估災(zāi)難發(fā)生后的破壞程度C、Issuingaformaldisasterdeclaration

發(fā)布正式的災(zāi)難聲明D、Activatingtheorganization'shotsite

激活組織的熱門站點(diǎn)答案：C9.WhichtypeofsecuritytestingisbeingperformedwhenanethicalhackerhasnoknowledgeaboutthetargetsystembutthetestingtargetisNotifiedbeforethetest?

當(dāng)有道德的黑客不了解目標(biāo)系統(tǒng)，但在測(cè)試前已通知測(cè)試目標(biāo)時(shí)，正在執(zhí)行哪種類型的安全測(cè)試？A、Reversal

倒轉(zhuǎn)B、Graybox

灰盒C、Blind

盲測(cè)D、Whitebox

白盒答案：C10.Aninputvalidationandexceptionhandlingvulnerabilityhasbeendiscoveredonacriticalwebbasedsystem.WhichofthefollowingisMOSTsuitedtoquicklyimplementacontrol?

在一個(gè)關(guān)鍵的基于web的系統(tǒng)上發(fā)現(xiàn)了一個(gè)輸入驗(yàn)證和異常處理漏洞。以下哪一項(xiàng)最適合快速實(shí)現(xiàn)控制？A、Addanewruletotheapplicationlayerfirewall

向應(yīng)用層防火墻添加新規(guī)則B、Blockaccesstotheservice

阻止訪問(wèn)該服務(wù)C、InstallanIntrusionDetectionSystem(IDS)

安裝入侵檢測(cè)系統(tǒng)（IDS）D、Patchtheapplicationsourcecode

修補(bǔ)應(yīng)用程序源代碼答案：A11.WhichofthefollowingistheBESTmethodasecuritypractitionercanusetoensurethatsystemsandsub-systemsgracefullyhandleinvalidinput?

以下哪一種方法是安全從業(yè)者可以用于確保系統(tǒng)和子系統(tǒng)優(yōu)雅地處理無(wú)效輸入的最佳方法？A、Unittesting

單元測(cè)試B、Integrationtesting

集成測(cè)試C、Negativetesting

陰性檢測(cè)D、Acceptancetesting

驗(yàn)收測(cè)試答案：B12.WhichofthefollowingistheBESTexampleofweakmanagementmitmenttotheprotectionofsecurityassetsandresources?

以下哪一種方法是安全從業(yè)者可以用于確保系統(tǒng)和子系統(tǒng)優(yōu)雅地處理無(wú)效輸入的最佳方法？A、poorgovernanceoversecurityprocessesandprocedures

對(duì)安全流程和程序的治理不善B、immaturesecuritycontrolsandprocedures

不成熟的安全控制和程序C、variancesagainstregulatoryrequirements

與法規(guī)要求的差異D、unanticipatedincreasesinsecurityincidentsandthreats

意外增加的安全事件和威脅答案：A13.AchemicalplanwantstoupgradetheIndustrialControlSystem(ICS)totransmitdatausingEthernetinsteadofRS422.Theprojectmanagerwantstosimplifyadministrationandmaintenancebyutilizingtheofficenetworkinfrastructureandstafftoimplementthisupgrade.

WhichofthefollowingistheGREATESTimpactonsecurityforthenetwork?

一項(xiàng)化學(xué)計(jì)劃希望升級(jí)工業(yè)控制系統(tǒng)(ICS)，以便使用以太網(wǎng)而不是RS422來(lái)傳輸數(shù)據(jù)。項(xiàng)目

經(jīng)理希望通過(guò)利用辦公室網(wǎng)絡(luò)基礎(chǔ)設(shè)施和工作人員來(lái)實(shí)現(xiàn)此升級(jí)來(lái)簡(jiǎn)化管理和維護(hù)。以下哪

一項(xiàng)對(duì)網(wǎng)絡(luò)安全的影響最大？A、ThenetworkadministratorshavenoknowledgeofICS

網(wǎng)絡(luò)管理員不了解ICSB、TheICSisnowaccessiblefromtheofficenetwork

現(xiàn)在可以從辦公室網(wǎng)絡(luò)訪問(wèn)ICSC、TheICSdoesnotsupporttheofficepasswordpolicy.

ICS不支持辦公室密碼策略D、RS422ismorereliablethanEthernet

RS422比以太網(wǎng)更可靠答案：B14.WhichofthefollowingistheMAINreasonforusingconfigurationmanagement?

使用配置管理的主要原因有哪些？A、Toprovidecentralizedadministration

提供集中管理B、Toreducethenumberofchanges

減少更改次數(shù)C、Toreduceerrorsduringupgrades

減少升級(jí)過(guò)程中的錯(cuò)誤D、Toprovideconsistencyinsecuritycontrols

在安全控制中提供一致性答案：D15.WhichofthefollowingfactorsisaPRIMARYreasontodrivechangesinanInformationSecurityContinuousMonitoring(ISCM)strategy?

以下哪一個(gè)因素是推動(dòng)信息安全持續(xù)監(jiān)控（ISCM）戰(zhàn)略變革的主要原因？A、TestingandEvaluation(TE)personnelchanges

測(cè)試和評(píng)估（TE）人員變動(dòng)B、Changestocoremissionsorbusinessprocesses

對(duì)核心使命或業(yè)務(wù)流程的更改C、IncreasedCross-SiteRequestForgery(CSRF)attacks

增加的跨站點(diǎn)請(qǐng)求偽造（CSRF）攻擊D、ChangesinServiceOrganizationControl(SOC)2reportingrequirements

服務(wù)組織控制（SOC）2報(bào)告要求中的更改答案：B16.Whatarethefirsttwoponentsoflogicalaccesscontrol?

邏輯訪問(wèn)控制的前兩個(gè)組成部分是什么？A、Confidentialityandauthentication

機(jī)密性和身份驗(yàn)證B、Authenticationandidentification

身份驗(yàn)證和識(shí)別C、Identificationandconfidentiality

識(shí)別和保密D、Authenticationandavailability

身份驗(yàn)證和可用性答案：B17.Whichofthefollowingisacharacteristicoftheindependenttestingofaprogram?

以下哪項(xiàng)是程序獨(dú)立測(cè)試的特征？A、Independenttestingincreasesthelikelihoodthatatestwillexposetheeffectofahiddenfeature.

獨(dú)立測(cè)試會(huì)增加測(cè)試公開(kāi)隱藏功能效果的可能性B、Independenttestingdecreasesthelikelihoodthatatestwillexposetheeffectofahiddenfeature.

獨(dú)立測(cè)試可降低測(cè)試暴露隱藏特征效果的可能性C、Independenttestingteamshelpdecreasethecostofcreatingtestdataandsystemdesignspecification.

獨(dú)立的測(cè)試團(tuán)隊(duì)有助于降低創(chuàng)建測(cè)試數(shù)據(jù)和系統(tǒng)設(shè)計(jì)規(guī)范的成本D、IndependenttestingteamshelpidentifyfunctionalrequirementsandServiceLevelAgreements(SLA)

獨(dú)立的測(cè)試團(tuán)隊(duì)幫助確定功能要求和服務(wù)水平協(xié)議（SLA）答案：A18.WhichoneofthefollowingconsiderationshastheLEASTimpactwhenconsideringtransmissionsecurity?

在考慮傳輸安全時(shí)，以下哪一項(xiàng)考慮因素的影響最?。緼、Networkavailability網(wǎng)絡(luò)可用性B、Dataintegrity數(shù)據(jù)完整性C、Networkbandwidth網(wǎng)絡(luò)帶寬D、Nodelocations節(jié)點(diǎn)位置答案：C19.Whichofthefollowingisanadvantageof'SecureShell(SSH)?

以下哪項(xiàng)是“安全外殼”（SSH）的優(yōu)勢(shì)？A、Itoperatesatthenetworklayer.

它在網(wǎng)絡(luò)層運(yùn)行B、ItencryptstransmittedUserIDandpasswords.

它對(duì)傳輸?shù)挠脩鬒D和密碼進(jìn)行加密C、Ituseschallenge-responsetoauthenticateeachparty.

它使用質(zhì)詢-響應(yīng)來(lái)驗(yàn)證每一方D、ItusestheInternationalDataEncryptionAlgorithm(IDEA)fordataprivacy.

它使用國(guó)際數(shù)據(jù)加密算法（IDEA）來(lái)保護(hù)數(shù)據(jù)隱私答案：C20.Whatsecurityprincipleaddressestheissueof"SecuritybyObscurity"?

什么安全原則可以解決"隱蔽性安全"的問(wèn)題？A、Opendesign

開(kāi)放式設(shè)計(jì)B、Segregationofduties(SoD)

職責(zé)分離（SoD）C、RoleBasedAccessControl

基于角色的訪問(wèn)控制D、Leastprivilege

最低特權(quán)答案：D21.WhatisthePRIMARYobjectiveofbusinesscontinuityplanning?

業(yè)務(wù)連續(xù)性規(guī)劃的主要目標(biāo)是什么？A、Establishingacostestimateforbusinesscontinuityrecoveryoperations

建立業(yè)務(wù)連續(xù)性恢復(fù)操作的成本估算B、RestoringputersystemstoNormaloperationsassoonaspossible

盡快恢復(fù)計(jì)算機(jī)系統(tǒng)的正常運(yùn)行C、Strengtheningtheperceivedimportanceofbusinesscontinuityplanningamongseniormanagement

加強(qiáng)高層管理層對(duì)業(yè)務(wù)連續(xù)性規(guī)劃的重要性D、Ensuringtimelyrecoveryofmission-criticalbusinessprocesses

確保關(guān)鍵任務(wù)業(yè)務(wù)流程的及時(shí)恢復(fù)答案：B22.alargeorganizationusesbiometricstoallowaccesstoitsfacilities.Itadjuststhebiometricvalueforincorrectlygrantingordenyingaccesssothatthetwonumbersarethesame.Whatisthisvaluecalled?

一個(gè)大型組織使用生物識(shí)別技術(shù)來(lái)允許用戶訪問(wèn)其設(shè)施。它調(diào)整不正確授予或拒絕訪問(wèn)的生物特征值，使兩個(gè)數(shù)字相同這個(gè)值叫什么？A、FalseRejectionRate(FRR)

誤擊率(FRR)B、Accuracyacceptancethreshold

精度驗(yàn)收閾值C、Equalerrorrate

等誤差率D、FalseAcceptanceRate(FAR)

假接受率(FAR)答案：C23.Followingapenetrationtest,whatshouldanorganizationdoFIRST?

在滲透測(cè)試之后，一個(gè)組織應(yīng)該先做什么？A、Reviewallsecuritypoliciesandprocedures.

檢查所有的安全策略和程序B、Ensurestaffistrainedinsecurity.

確保員工接受過(guò)安全培訓(xùn)C、Determineifyouneedtoconductafullsecurityassessment.

確定您是否需要進(jìn)行一個(gè)全面的安全評(píng)估D、Evaluatetheproblemsidentifiedinthetestresult.

評(píng)估在測(cè)試結(jié)果中發(fā)現(xiàn)的問(wèn)題答案：D24.WhichofthefollowingmediasanitizationtechniquesisMOSTlikelytobeeffectiveforan

Organizationusingpubliccloudservices?

以下哪種媒體消毒技術(shù)對(duì)使用公共云服務(wù)的組織最可能有效？A、Low-levelformatting

低級(jí)格式化B、Secure-gradeoverwriteerasure

安全級(jí)別覆蓋擦除C、Cryptographicerasure

加密擦除D、Drivedegaussing

驅(qū)動(dòng)器消磁答案：B25.AnemployeeofaretailpanyhasbeengrantedanextendedleaveofabsencebyHumanResources(HR).Thisinformationhasbeenformallymunicatedtotheaccessprovisioningteam.WhichofthefollowingistheBESTactiontotake?

零售公司的員工已獲得人力資源部(HR)的延長(zhǎng)休假。此信息已正式傳達(dá)給訪問(wèn)配置團(tuán)隊(duì)。以下哪一個(gè)是最好的行動(dòng)嗎？A、Revokeaccesstemporarily.

暫時(shí)撤銷訪問(wèn)B、Blockuseraccessanddeleteuseraccountaftersixmonths.

在六個(gè)月后阻止用戶訪問(wèn)和刪除用戶帳戶C、Blockaccesstotheofficesimmediately.

立即阻止用戶進(jìn)入辦公室D、Monitoraccountusagetemporarily.

臨時(shí)監(jiān)控帳戶的使用情況答案：D26.Whichmethodologyisremendedforpenetrationtestingtobeeffectiveinthedevelopmentphaseofthelife-cycleprocess?

在生命周期過(guò)程的開(kāi)發(fā)階段，建議采用哪種方法使?jié)B透測(cè)試有效？A、White-boxtesting

白盒測(cè)試B、Softwarefuzztesting

軟件模糊測(cè)試C、Black-boxtesting

黑盒測(cè)試D、Visualtesting

目視測(cè)試答案：A27.Iftravelingabroadandacustomsofficialdemandstoexamineapersonalputer,whichof

Thefollowingshouldbeassumed?

如果出國(guó)旅行和海關(guān)官員要求檢查個(gè)人電腦，應(yīng)考慮下列哪一種？A、Theharddrivehasbeenstolen.

硬盤被盜了B、TheInternetProtocol(IP)addresshasbeencopied.

已復(fù)制因特網(wǎng)協(xié)議(IP)地址。C、Theharddrivehasbeencopied.

硬盤驅(qū)動(dòng)器已被復(fù)制。D、TheMediaAccessControl(MAC)addresswasstolen

媒體訪問(wèn)控制(MAC)地址被盜答案：C28.InwhatphaseoftheSystemDevelopmentLifeCycle(SDLC)shouldsecuritytrainingforthedevelopmentteambegin?

在系統(tǒng)開(kāi)發(fā)生命周期(SDLC)的哪個(gè)階段，應(yīng)該開(kāi)始對(duì)開(kāi)發(fā)團(tuán)隊(duì)進(jìn)行安全培訓(xùn)？A、Development/Acquisition

開(kāi)發(fā)和獲取B、Initiation

初始C、Implementation/Assessment

實(shí)施/評(píng)估D、Disposal

廢棄答案：A29.WhatistheMOSTmoncauseofRemoteDesktopProtocol(RDP)promise?

遠(yuǎn)程桌面協(xié)議(RDP)妥協(xié)的最常見(jiàn)原因是什么？A、Portscan

端口掃描B、Bruteforceattack

蠻力攻擊C、Remoteexploit

遠(yuǎn)程利用D、Socialengineering

社會(huì)工程答案：B30.Whendealingwithshared,privilegedaccounts,especiallythoseforemergencies,whatistheBESTwaytoassurenon-repudiationoflogs?

當(dāng)處理共享的、有特權(quán)的賬戶，特別是那些在緊急情況下的賬戶時(shí)，確保日志不被注銷的最佳方法是什么？A、Regularitychangethepasswords

更改密碼B、implementpasswordvaultingsolution

實(shí)施密碼保險(xiǎn)存儲(chǔ)解決方案C、Lockpasswordintamperproofenvelopesinasafe

將密碼鎖在安全的防篡改信封中D、Implementastrictaccesscontrolpolicy

實(shí)施嚴(yán)格的訪問(wèn)控制政策答案：B31.WhichofthefollowingMUSTbepartofacontracttosupportelectronicdiscoveryofdatastoredinacloudenvironment?

以下哪一項(xiàng)必須是支持電子發(fā)現(xiàn)存儲(chǔ)在云環(huán)境中的數(shù)據(jù)的合同的一部分？A、Integrationwithorganizationaldirectoryservicesforauthentication

與組織目錄服務(wù)的集成以進(jìn)行身份驗(yàn)證B、Tokenizationofdata

數(shù)據(jù)標(biāo)記化C、Acmodationofhybriddeploymentmodels

適應(yīng)混合部署模型D、Identificationofdatalocation

數(shù)據(jù)位置的識(shí)別答案：D32.WhoshouldformulateconclusionsfromaparticulardigitalforeBall,SubmitaToperOfTags,andtheresults?

誰(shuí)應(yīng)該從一個(gè)特定的數(shù)字前球中得出結(jié)論，提交一個(gè)標(biāo)簽的主題，以及結(jié)果？A、Theinformationsecurityprofessional'ssupervisor

信息安全專業(yè)人員的主管B、Legalcounselfortheinformationsecurityprofessional'semployer

信息安全專業(yè)人員的雇主的法律顧問(wèn)C、Theinformationsecurityprofessionalwhoconductedtheanalysis

進(jìn)行分析的信息安全專業(yè)人員D、Apeerrevieweroftheinformationsecurityprofessional

信息安全專業(yè)人員的同行評(píng)審員答案：B33.AninternationalorganizationhasdecidedtouseaSoftwareasaService(SaaS)solutiontosupportitsbusinessoperations.Whichofthefollowingpliancestandardsshouldtheorganizationusetoassesstheinternationalcodesecurityanddataprivacyofthesolution?

一個(gè)國(guó)際組織已經(jīng)決定使用軟件即服務(wù)(SaaS)解決方案來(lái)支持其業(yè)務(wù)運(yùn)營(yíng)。組織應(yīng)使用以下哪些合規(guī)標(biāo)準(zhǔn)來(lái)評(píng)估解決方案的國(guó)際代碼安全性和數(shù)據(jù)隱私？A、HealthInsurancePortabilityandAccountabilityAct(HIPAA)

健康保險(xiǎn)可攜性和責(zé)任法案(HIPAA)B、ServiceOrganizationControl(SOC)2

服務(wù)組織控制(SOC)2C、PaymentCardIndustry(PCI)

支付卡行業(yè)(PCI)D、InformationAssuranceTechnicalFramework(IATF)

信息保障技術(shù)框架(IATF)答案：B34.WhichofthefollowingistheMOSTeffectivemethodofmitigatingdatatheftfromanactiveuserworkstation?

以下哪一種是減輕活動(dòng)用戶工作站數(shù)據(jù)盜竊的最有效方法？A、Implementfull-diskencryption

實(shí)現(xiàn)全磁盤加密B、Enablemultifactorauthentication

啟用多因素身份驗(yàn)證C、Deployfileintegritycheckers

部署文件完整性檢查程序D、Disableuseofportabledevices

禁止使用便攜式設(shè)備答案：D35.Whatisstaticanalysisintendedtodowhenanalyzinganexecutablefile?

在分析可執(zhí)行文件時(shí)，靜態(tài)分析是要做什么？A、Collectevidenceoftheexecutablefile'susage,includingdatesofcreationandlastuse.

收集可執(zhí)行文件使用情況的證據(jù)，包括創(chuàng)建日期和最后一次使用的日期B、Searchthedocumentsandfilesassociatedwiththeexecutablefile.

搜索與該可執(zhí)行文件關(guān)聯(lián)的文檔和文件C、Analyzethepositionofthefileinthefilesystemandtheexecutablefile'slibraries.

分析文件在文件系統(tǒng)和可執(zhí)行文件庫(kù)中的位置D、Disassemblethefiletogatherinformationabouttheexecutablefile'sfunction.

拆解該文件以收集有關(guān)可執(zhí)行文件的功能的信息答案：D36.WhichisMOSTimportantwhennegotiatinganInternetserviceprovider(ISP)service-levelagreement(SLA)byanorganizationthatsolelyprovidesVoiceoverInternetProtocol(VoIP)services?

在與僅提供互聯(lián)網(wǎng)語(yǔ)音協(xié)議(VoIP)服務(wù)的組織協(xié)商互聯(lián)網(wǎng)服務(wù)提供商(ISP)服務(wù)級(jí)別協(xié)議(SLA)時(shí)，哪一點(diǎn)最重要？A、Meantimetorepair(MTTR)

平均修復(fù)時(shí)間(MTTR)B、QualityofService(QoS)betweenapplications

應(yīng)用程序之間的服務(wù)質(zhì)量(QoS)C、Availabilityofnetworkservices

網(wǎng)絡(luò)服務(wù)的可用性D、Financialpenaltiesincaseofdisruption

發(fā)生中斷時(shí)的經(jīng)濟(jì)處罰答案：B37.WhichofthefollowingistheMOSTeffectivepracticeinmanaginguseraccountswhenanemployeeisterminated?

以下員工被解雇時(shí)管理用戶賬戶最有效的做法？A、Implementprocessesforautomatedremovalofaccessforterminatedemployees.

實(shí)施自動(dòng)刪除被終止員工的訪問(wèn)權(quán)限的流程B、DeleteemployeenetworkandsystemIDsupontermination.

在終止時(shí)刪除員工網(wǎng)絡(luò)和系統(tǒng)IDC、Manuallyremoveterminatedemployeeuser-accesstoallsystemsandapplications.

手動(dòng)刪除被終止的員工用戶對(duì)所有系統(tǒng)和應(yīng)用程序的訪問(wèn)權(quán)限D(zhuǎn)、DisableterminatedemployeenetworkIDtoremoveallaccess.

禁用已終止的員工網(wǎng)絡(luò)ID，以刪除所有訪問(wèn)權(quán)限答案：B38.Whichofthefollowingstandards/guidelinesrequiresanInformationSecurityManagementSystem(ISMS)tobedefined?

以下哪些標(biāo)準(zhǔn)/指南需要定義信息安全管理系統(tǒng)(ISMS)？A、InternationalOrganizationforStandardization(ISO)27000family

國(guó)際標(biāo)準(zhǔn)化組織(ISO)27000系列B、InformationTechnologyInfrastructureLibrary(ITIL)

信息技術(shù)基礎(chǔ)設(shè)施庫(kù)(ITIL)C、PaymentCardIndustryDataSecurityStandard(PCIDSS)

支付卡行業(yè)數(shù)據(jù)安全標(biāo)準(zhǔn)(PCIDSS)D、ISO/IEC20000答案：A39.HowdoesEncapsulatingSecurityPayload(ESP)intransportmodeaffecttheInternetProtocol(IP)?

在傳輸模式下封裝安全有效負(fù)載(ESP)如何影響互聯(lián)網(wǎng)協(xié)議(IP)？A、EncryptsandoptionallyauthenticatestheIPheader,butNOTtheIPpayload

加密并可選地驗(yàn)證IP標(biāo)頭，但不驗(yàn)證IP有效負(fù)載B、EncryptsandoptionallyauthenticatestheIPpayload,butNOTtheIPheader

加密并可選地驗(yàn)證IP有效負(fù)載，但不驗(yàn)證IP報(bào)頭C、AuthenticatestheIPpayloadandselectedportionsoftheIPheader

身份驗(yàn)證IP有效負(fù)載和IP報(bào)頭的選定部分D、EncryptsandoptionallyauthenticatesthepleteIPpacket

對(duì)完整的IP數(shù)據(jù)包進(jìn)行加密并可選擇進(jìn)行認(rèn)證.答案：B40.MandatoryAccessControls(MAC)arebasedon:

強(qiáng)制訪問(wèn)控制(MAC)基于A、securityclassificationandsecurityclearance

安全分類和安全許可B、datasegmentationanddataclassification

數(shù)據(jù)分割和數(shù)據(jù)分類C、datalabelsanduseraccesspermissions

數(shù)據(jù)標(biāo)簽和用戶訪問(wèn)權(quán)限D(zhuǎn)、userrolesanddataencryption

用戶角色和數(shù)據(jù)加密答案：A41.AtaMINIMUM,auditsofpermissionstoindividualorgroupaccountsshouldbescheduled

至少，應(yīng)該對(duì)個(gè)人或組帳戶的權(quán)限進(jìn)行審計(jì)A、annually

每年B、tocorrespondwithstaffpromotions

配合員工晉升C、tocorrespondwithterminations

與終端相對(duì)應(yīng)D、continually

持續(xù)地答案：A42.Whatisthetermusedtodefinewheredataisgeographicallystoredinthecloud?

有什么術(shù)語(yǔ)可以用來(lái)定義數(shù)據(jù)在云中存儲(chǔ)的地理位置？A、Datawarehouse

數(shù)據(jù)倉(cāng)庫(kù)B、Dataprivacyrights

數(shù)據(jù)隱私權(quán)C、Datasubjectrights

數(shù)據(jù)主題權(quán)限D(zhuǎn)、Datasovereignty

數(shù)據(jù)主權(quán)答案：D43.Whichofthefollowingisthekeyrequirementfortestresultswhenimplementingforensicprocedures?

在實(shí)施取證程序時(shí)，以下哪一個(gè)是測(cè)試結(jié)果的關(guān)鍵要求？A、Thetestresultsmustbecost-effective.

測(cè)試結(jié)果必須具有成本效益B、Thetestresultmustbeauthorized.

測(cè)試結(jié)果必須得到授權(quán)C、Thetestresultsmustbequantifiable.

測(cè)試結(jié)果必須是可量化的D、Thetestresultsmustbereproducible.

測(cè)試結(jié)果必須具有可重復(fù)性答案：B44.Knowingthelanguageinwhichanencryptedmessagewasoriginallyproducedmighthelpacryptanalysttoperforma

了解加密消息最初產(chǎn)生的語(yǔ)言可能有助于密碼分析人員執(zhí)行一個(gè)A、clear-textattack.

明文攻擊B、Knowncipherattack.

已知密碼攻擊C、frequencyanalysis.

頻率分析D、stochasticassessment.

隨機(jī)評(píng)估答案：C45.WhatistheprocessofremovingsensitivedatafromasystemorstoragedevicewiththeintentthatthedatacannotbereconstructedbyanyKnowntechnique?

從系統(tǒng)或存儲(chǔ)設(shè)備中刪除敏感數(shù)據(jù)，以使數(shù)據(jù)不能通過(guò)任何已知的技術(shù)進(jìn)行重建？A、Purging

清除B、Encryption

加密C、Destruction

破壞D、Clearing

空地答案：A46.Aspartofanapplicationpenetrationtestingprocess,sessionhijackingcanBESTbeachievedbywhichofthefollowing?

作為應(yīng)用程序滲透測(cè)試過(guò)程的一部分，會(huì)話劫持可以通過(guò)以下哪一個(gè)來(lái)實(shí)現(xiàn)最好的效果？A、Known-plaintextattack

已知明文攻擊B、DenialofService(DoS)

拒絕服務(wù)(DoS)C、Cookiemanipulation

Cookie操控D、StructuredQueryLanguage(SQL)injection

結(jié)構(gòu)化查詢語(yǔ)言(SQL)注入答案：C47.WhichofthefollowingmethodsprovidestheMOSTprotectionforusercredentials?

以下哪些方法為用戶憑據(jù)提供了最大的保護(hù)？A、Forms-basedauthentication

基于表單的身份驗(yàn)證B、Digestauthentication

摘要式身份驗(yàn)證C、Basicauthentication

基本身份驗(yàn)證D、Self-registration

自注冊(cè)答案：B48.WhichofthefollowingisthePRIMARYsecurityconsiderationforhowanorganizationshouldhandleInformationTechnology(IT)assets?

以下哪項(xiàng)是組織如何處理信息技術(shù)(IT)資產(chǎn)的主要安全考慮？A、Themonetaryvalueoftheasset

該資產(chǎn)的貨幣價(jià)值B、Thecontrolsimplementedontheasset

對(duì)該資產(chǎn)實(shí)施的控制措施C、Thephysicalformfactoroftheasset

資產(chǎn)的物理形式因素D、Theclassificationofthedataontheasset

對(duì)資產(chǎn)上的數(shù)據(jù)的分類答案：D49.WhichlayeroftheOpensystemsInterconnection(OSI)modelisbeingtargetedintheeventofaSynchronization(SYN)floodattack?

在發(fā)生同步(SYN)洪水攻擊時(shí)，開(kāi)放系統(tǒng)互連(OSI)模型的目標(biāo)是哪個(gè)層？A、Session

會(huì)話層B、Transport

傳輸層C、Network

網(wǎng)絡(luò)層D、Presentation

表示層答案：B50.Whichofthefollowingisincludedinchangemanagement?

變更管理中包含以下哪一項(xiàng)？A、Businesscontinuitytesting

業(yè)務(wù)連續(xù)性測(cè)試B、UserAcceptanceTesting(UAT)beforeimplementation

實(shí)施前的用戶驗(yàn)收測(cè)試（UAT）C、Technicalreviewbybusinessowner

企業(yè)主的技術(shù)審查D、Cost-benefit(CBA)afterimplementation

實(shí)施后的成本效益（CBA）答案：A51.WhatbalanceMUSTbeconsideredwhenwebapplicationdevelopersdeterminehowinformativeapplicationerrormessagesshouldbeconstructed?

當(dāng)web應(yīng)用程序開(kāi)發(fā)人員確定應(yīng)該如何構(gòu)建信息豐富的應(yīng)用程序錯(cuò)誤消息時(shí)，必須考慮什么平衡呢？A、Riskversusbenefit

風(fēng)險(xiǎn)與利益B、Availabilityversusauditability

可用性與可審核性C、Confidentialityversusintegrity

保密性與完整性D、Performanceversususersatisfaction

性能與用戶滿意度的比較答案：A52.DisasterRecoveryPlan(DRP)trainingmaterialshouldbe

災(zāi)難恢復(fù)計(jì)劃(DRP)的培訓(xùn)材料應(yīng)該是A、consistentsothatallaudiencesreceivethesametraining.

一致，使所有觀眾接受相同的培訓(xùn)B、storedinafireproofsafetoensureavailabilitywhenneeded.

儲(chǔ)存在防火保險(xiǎn)箱中，以確保在需要時(shí)的可用性。C、onlydeliveredinpaperformat.

僅以紙質(zhì)形式交付。D、presentedinaprofessionallookingmanner.

以專業(yè)的方式呈現(xiàn)答案：A53.WhattypeofattacksendsInternetControlMessageProtocol(ICMP)echorequeststothetargetmachinewithalargerpayloadthanthetargetcanhandle?

什么類型的攻擊向目標(biāo)機(jī)器發(fā)送互聯(lián)網(wǎng)控制消息協(xié)議(ICMP)回波請(qǐng)求，其有效負(fù)載大于目標(biāo)機(jī)器能夠處理的大??？A、Man-in-the-Middle(MITM)

中間人(MITM)B、DenialofService(DoS)

拒絕服務(wù)(DoS)C、DomainNameServer(DNS)poisoning

域名服務(wù)器(DNS)中毒D、Bufferoverflow

緩存溢出錯(cuò)誤答案：B54.Whichofthefollowingtypesofbusinesscontinuitytestsincludesassessmentofresiliencetointernalandexternalriskswithoutendangeringliveoperations?

以下哪一種業(yè)務(wù)連續(xù)性測(cè)試包括在不危及實(shí)際運(yùn)營(yíng)的情況下對(duì)內(nèi)部和外部風(fēng)險(xiǎn)的彈性評(píng)估？A、Walkthrough

預(yù)排B、Simulation

模仿C、Parallel

平行D、Whitebox

白盒答案：C55.AsecuritymanagerhasNoticedaninconsistentapplicationofserversecuritycontrolsresultinginvulnerabilitiesoncriticalsystems.WhatistheMOSTlikelycauseofthisissue?

安全管理器注意到服務(wù)器安全控制的應(yīng)用不一致，導(dǎo)致關(guān)鍵系統(tǒng)上的漏洞。造成這個(gè)問(wèn)題的最可能的原因是什么？A、Alackofbaselinestandards

缺乏基線標(biāo)準(zhǔn)B、Improperdocumentationofsecurityguidelines

安全指南的文檔編制不當(dāng)C、Apoorlydesignedsecuritypolicymunicationprogram

一個(gè)設(shè)計(jì)不良的安全策略通信程序D、Host-basedIntrusionPreventionSystem(HIPS)policiesareineffective

基于主機(jī)的入侵預(yù)防系統(tǒng)(HIPS)策略無(wú)效答案：A56.Whichofthefollowingroutingprotocolsisusedtoexchangerouteinformationbetweenpublicautonomoussystems?

以下哪些路由協(xié)議用于在公共自治系統(tǒng)之間交換路由信息？A、OSPFB、BGPC、EIGRPD、RIP答案：B57.Amalicioususergainsaccesstounprotecteddirectoriesonawebserver.WhichofthefollowingisMOSTlikelythecauseforthisinformationdisclosure?

惡意用戶可以訪問(wèn)Web服務(wù)器上不受保護(hù)的目錄。以下哪一個(gè)最有可能是該信息披露的原因？A、Securitymisconfiguration

安全配置錯(cuò)誤B、Cross-siterequestforgery(CSRF)

跨站點(diǎn)請(qǐng)求偽造(CSRF)C、StructuredQueryLanguageinjection(SQLi)

結(jié)構(gòu)化查詢語(yǔ)言注入(SQLi)D、Brokenauthenticationmanagement

認(rèn)證管理中斷答案：A58.Whichofthefollowingisaresponsibilityoftheinformationowner?

以下哪一項(xiàng)是信息所有者的責(zé)任？A、EnsurethatusersandpersonnelpletetherequiredsecuritytrainingtoaccesstheInformationSystem(IS)

確保用戶和人員完成所需的安全培訓(xùn)B、DefiningproperaccesstotheInformationSystem(IS),includingprivilegesoraccessrights.

定義對(duì)信息系統(tǒng)(IS)的正確訪問(wèn)權(quán)限，包括訪問(wèn)權(quán)限或訪問(wèn)權(quán)限C、Managingidentification,implementation,andassessmentofmonsecuritycontrols.

管理通用安全控制的識(shí)別、實(shí)施和評(píng)估D、EnsuringtheInformationSystem(IS)isoperatedaccordingtoagreeduponsecurityrequirements.

確保信息系統(tǒng)(IS)按照約定的安全要求運(yùn)行答案：C59.WhatshouldbeusedimmediatelyafteraBusinessContinuityPlan(BCP)hasbeeninvoked?

在調(diào)用業(yè)務(wù)連續(xù)性計(jì)劃(BCP)后，應(yīng)立即使用什么？A、ResumptionproceduresdescribingtheactionstobetakentoreturntoNormalbusinessoperations.

恢復(fù)程序，描述為恢復(fù)正常業(yè)務(wù)運(yùn)作所要采取的操作B、Emergencyproceduresdescribingthenecessaryactionstobetakenfollowinganincidentjeopardizesbusinessoperations.

描述危及業(yè)務(wù)運(yùn)作后采取必要的行動(dòng)的緊急程序C、Fallbackproceduresdescribingwhatactionaretobetakentomoreessentialbusinessactivitiestoalternativetemporarylocations.

描述對(duì)替代臨時(shí)地點(diǎn)的更重要的商業(yè)活動(dòng)應(yīng)采取什么行動(dòng)的后退程序D、Maintainschedulehowandtheplanwillbetestedandtheprocessformaintainingtheplan.

維護(hù)計(jì)劃的測(cè)試方式和計(jì)劃，以及維護(hù)計(jì)劃的過(guò)程答案：B60.Anorganizationallowspingtrafficintoandoutoftheirnetwork.Anattackerhasinstalledaprogramonthenetworkthatusesthepayloadportionofthepingpackettomovedataintoandoutofthenetwork.Whattypeofattackhastheorganizationexperienced?

一個(gè)組織允許ping流量進(jìn)出他們的網(wǎng)絡(luò)。攻擊者已經(jīng)在網(wǎng)絡(luò)上安裝了一個(gè)程序，該程序使用

Ping數(shù)據(jù)包的有效負(fù)載部分將數(shù)據(jù)移動(dòng)到進(jìn)出網(wǎng)絡(luò)。該組織經(jīng)歷過(guò)什么類型的攻擊？A、Dataleakage

數(shù)據(jù)泄密B、Unfilteredchannel

未經(jīng)過(guò)濾的通道C、Dataemanation

數(shù)據(jù)發(fā)出D、Covertchannel

233/隱蔽信道答案：A61.Duringanaudit,theauditorfindsevidenceofpotentiallyillegalactivity.WhichofthefollowingistheMOSTappropriateactiontotake?

在審計(jì)期間，審計(jì)員發(fā)現(xiàn)潛在非法活動(dòng)的證據(jù)。以下哪一個(gè)是最合適的行動(dòng)？A、Immediatelycallthepolice立即報(bào)警B、Workwiththeclienttoresolvetheissueinternally

與客戶一起在內(nèi)部解決這個(gè)問(wèn)題C、Advisethepersonperformingtheillegalactivitytoceaseanddesist

建議從事非法活動(dòng)的人停止和從事非法活動(dòng)D、Workwiththeclienttoreporttheactivitytotheappropriateauthority

與客戶機(jī)合作，向相關(guān)主管部門報(bào)告該活動(dòng)答案：D62.WhichofthefollowingprovideseffectivemanagementassuranceforaWirelessLocalAreaNetwork(WLAN)?

以下哪一項(xiàng)為無(wú)線局域網(wǎng)(WLAN)提供了有效的管理保證？A、MaintaininganinventoryofauthorizedAccessPoints(AP)andconnectingdevices

維護(hù)授權(quán)接入點(diǎn)(AP)和連接設(shè)備的清單B、Settingtheradiofrequencytotheminimumrangerequired

將無(wú)線電頻率設(shè)置為所需的最小范圍C、EstablishingaVirtualPrivateNetwork(VPN)tunnelbetweentheWLANclientdeviceandaVPNconcentrator

在WLAN客戶端設(shè)備和VPN集中器之間建立虛擬專用網(wǎng)(VPN)隧道D、Verifyingthatalldefaultpasswordshavebeenchanged

正在驗(yàn)證所有默認(rèn)密碼是否都已被更改答案：A63.Anattackerisabletoremainindefinitelyloggedintoaexploitingtoremainonthewebservice?

攻擊者能夠無(wú)限期地登錄到利用以留在web服務(wù)上？A、Alertmanagement

警報(bào)管理B、Passwordmanagement

口令管理C、Sessionmanagement

對(duì)話管理D、Identitymanagement(IM)

身份管理(IM)答案：C64.WhatisthethreatmodelingorderusingprocessforAttacksimu-lationandthreatanalysis(PASTA)?

使用攻擊模擬和威脅分析（PASTA）過(guò)程的威脅建模順序是什么？A、Applicationdeposition,threatanalysis,vulnerabilitydetection,attackenumeration,risk/impactanalysis

應(yīng)用程序分解、威脅分析、漏洞檢測(cè)、攻擊枚舉、風(fēng)險(xiǎn)/影響分析B、Threatanalysis,vulnerabilitydetection,applicationdeposition,attackenumeration,risk/Impactanalysis

威脅分析、漏洞檢測(cè)、應(yīng)用程序分解、攻擊枚舉、風(fēng)險(xiǎn)/影響分析C、Risk/impactanalysis,applicationdeposition,threatanalysis,vulnerabilitydetection,attackenumeration

風(fēng)險(xiǎn)/影響分析、應(yīng)用程序分解、威脅分析、漏洞檢測(cè)、攻擊枚舉D、Applicationdeposition,threatanalysis,risk/impactanalysis,vulnerabilitydetection,attackenumeration

應(yīng)用程序分解、威脅分析、風(fēng)險(xiǎn)/影響分析、漏洞檢測(cè)、攻擊枚舉答案：A65.WhichofthefollowingistheMOSTeffectivecorrectivecontroltominimizetheeffectsofaphysicalintrusion?

以下哪一種是最有效的糾正控制，以盡量減少物理入侵的影響？A、Automaticvideotapingofapossibleintrusion

對(duì)可能發(fā)生的入侵行為的自動(dòng)錄像B、Rapidresponsebyguardsorpolicetoapprehendapossibleintruder

警衛(wèi)或警察迅速反應(yīng)逮捕可能的入侵者C、Activatingbrightlightingtofrightenawayapossibleintruder

激活明亮的燈光來(lái)嚇跑一個(gè)可能的入侵者D、Soundingaloudalarmtofrightenawayapossibleintruder

發(fā)出一個(gè)巨大的警報(bào)，以嚇跑一個(gè)可能的入侵者答案：C66.InanIDEALencryptionsystem,whohassoleaccesstothedecryptionkey?

在一個(gè)理想的加密系統(tǒng)中，誰(shuí)能唯一地訪問(wèn)解密密鑰？A、Systemowner

系統(tǒng)所有者B、Dataowner

數(shù)據(jù)所有者C、Datacustodian

數(shù)據(jù)托管人D、Systemadministrator

系統(tǒng)管理員答案：B67.WhichofthefollowingsecuritytestingstrategiesisBESTsuitedforpanieswithlowtomoderatesecuritymaturity?

以下哪種安全測(cè)試策略最適合安全成熟度高低的公司？A、LoadTesting

負(fù)載測(cè)試B、White-boxtesting

白盒測(cè)試C、Black-boxtesting

黑盒測(cè)試D、Performancetesting

性能試驗(yàn)答案：B68.Anetworkadministratorisconfiguringadatabaseserverandwouldliketoensurethedatabaseengineislisteningonacertainport.Whichofthefollowingmandsshouldtheadministratorusetoacplishthisgoal?

網(wǎng)絡(luò)管理員正在配置一個(gè)數(shù)據(jù)庫(kù)服務(wù)器，并希望確保數(shù)據(jù)庫(kù)引擎正在監(jiān)聽(tīng)某個(gè)端口。管理員應(yīng)該使用以下哪些命令來(lái)實(shí)現(xiàn)此目標(biāo)？A、nslookupB、netstat-aC、ipeonfig/aD、arp-a答案：B69.ASecurityOperationsCenter(SOC)receivesanincidentresponseNotificationonaserverwithanactiveintruderwhohasplantedabackdoor.InitialNotificationsaresentandmunicationsareestablished.WhatMUSTbeconsideredorevaluatedbeforeperformingthenextstep?

安全操作中心(SOC)在服務(wù)器上收到一個(gè)事件響應(yīng)通知，其中有一個(gè)活躍的入侵者已經(jīng)設(shè)置了一個(gè)后門。發(fā)送初始通知并建立通信關(guān)系在執(zhí)行下一步之前，必須考慮或評(píng)估什么？A、Notifyinglawenforcementiscrucialbeforehashingthecontentsoftheserverharddrive

在散列服務(wù)器硬盤上的內(nèi)容之前，通知執(zhí)法部門是至關(guān)重要的B、Identifyingwhoexecutedtheincidentismoreimportantthanhowtheincidenthappened

確定誰(shuí)執(zhí)行了事件比事件如何發(fā)生更重要C、Removingtheserverfromthenetworkmaypreventcatchingtheintruder

從網(wǎng)絡(luò)中移除服務(wù)器可能會(huì)防止捕獲入侵者D、Copyingthecontentsoftheharddrivetoanotherstoragedevicemaydamagetheevidence

將硬盤上的內(nèi)容復(fù)制到另一個(gè)存儲(chǔ)設(shè)備上可能會(huì)損壞證據(jù)答案：D70.Theoverallgoalofapenetrationtestistodetermineasystem's

滲透測(cè)試的總體目標(biāo)是確定一個(gè)系統(tǒng)的測(cè)試A、abilitytowithstandanattack

抵御攻擊的能力。B、capacitymanagement

容量管理。C、errorrecoverycapabilities

錯(cuò)誤恢復(fù)功能D、reliabilityunderstress

壓力下的可靠性答案：A71.WhichofthefollowingexamplesisBESTtominimizetheattacksurfaceforacustomer'sprivateinformation?

以下哪些例子最適合最小化客戶私人信息的攻擊面？A、Obfuscation

混淆B、Collectionlimitation

收款限制C、Authentication

認(rèn)證D、Datamasking

數(shù)據(jù)掩蔽答案：A72.Acloudserviceproviderrequiresitscustomerorganizationstoenablemaximumauditloggingforitsdatastorageserviceandtoretainthelogsfortheperiodofthreemonths.Theauditlogginggeneratesextremelyhighamountoflogs.WhatistheMOSTappropriatestrategyforthelogretention?

云服務(wù)提供商要求其客戶組織為其數(shù)據(jù)存儲(chǔ)服務(wù)啟用最大限度的審計(jì)日志記錄，并保留這些日志，為期三個(gè)月。審計(jì)日志記錄生成非常大量的日志。對(duì)于日志保留，最合適的策略是什么？A、Keeplastweek'slogsinanonlinestorageandtherestinanear-linestorage.

將上周的日志保存在在線存儲(chǔ)中，其余的保存在近線存儲(chǔ)中B、Keepalllogsinanonlinestorage.

將所有日志保存在一個(gè)在線存儲(chǔ)器中C、Keepalllogsinanofflinestorage.

將所有日志保存在脫機(jī)存儲(chǔ)器中D、Keeplastweek'slogsinanonlinestorageandtherestinanofflinestorage.

將上周的日志保存在在線存儲(chǔ)中，其余的保存在離線存儲(chǔ)中答案：D73.WhatshouldbeusedtodeterminetherisksassociatedwithusingSoftwareasaService(SaaS)forcollaborationandemail?

應(yīng)該使用什么來(lái)確定與使用軟件即服務(wù)(SaaS)進(jìn)行協(xié)作和電子郵件相關(guān)的風(fēng)險(xiǎn)？A、Cloudaccesssecuritybroker(CASB)

云訪問(wèn)安全代理(CASB)B、OpenWebApplicationSecurityProject(OWASP)

打開(kāi)Web應(yīng)用程序安全項(xiàng)目(OWASP)C、ProcessforAttackSimulationandThreatAnalysis(PASTA)

攻擊模擬和威脅分析過(guò)程（PASTA）D、monSecurityFramework(CSF)

通用安全框架（CSF）答案：A74.AsecurityprofessionalhasreviewedarecentsiteassessmentandhasNotedthataserverroomonthesecondfloorofabuildinghasHeating,Ventilation,andAirConditioning(HVAC)intakesonthegroundlevelthathaveultravioletlightfiltersinstalled,Aero-KFiresuppressionintheserverroom,andpre-actionfiresuppressiononfloorsabovetheserverroom.Whichofthefollowingchangescanthesecurityprofessionalremendtoreduceriskassociatedwiththeseconditions?

一位安全專業(yè)人員回顧了最近的現(xiàn)場(chǎng)評(píng)估，并指出，建筑二樓的服務(wù)器室有供暖、通風(fēng)和空調(diào)(HVAC)進(jìn)氣口，地面上安裝了紫外線過(guò)濾器，服務(wù)器室安裝了Aero-K滅火，服務(wù)器室上方的樓層有預(yù)行動(dòng)滅火。安全專業(yè)人員可以建議使用以下哪些更改來(lái)降低與這些情況相關(guān)的風(fēng)險(xiǎn)？A、RemovetheultravioletlightfiltersontheHVACintakeandreplacethefiresuppressionsystemontheupperfloorswithadrysystem

拆卸暖通空調(diào)進(jìn)氣口的紫外線濾光器，用干燥系統(tǒng)更換上層的滅火系統(tǒng)B、AddadditionalultravioletlightfilterstotheHVACintakesupplyandreturnductsandchangeserverroomfiresuppressiontoFM-200

在暖通空調(diào)進(jìn)氣口和回水管中添加額外的紫外線濾鏡，并將服務(wù)器室滅火更改為FM-200C、ApplyadditionalphysicalsecurityaroundtheHVACintakesandupdateupperfloorfiresuppressiontoFM-200.

在暖通空調(diào)進(jìn)氣口周圍應(yīng)用額外的物理安全措施，并將上層的滅火措施更新為FM-200D、ElevatetheHVACintakebyconstructingaplenumorexternalshaftoveritandconverttheserverroomfiresuppressiontoapre-actionsystem

通過(guò)在其上建造一個(gè)通風(fēng)室或外部軸來(lái)提升暖通空調(diào)進(jìn)氣口，并將服務(wù)器室的滅火轉(zhuǎn)換為一

個(gè)預(yù)行動(dòng)系統(tǒng)答案：C75.Whyislexicalobfuscationinsoftwaredevelopmentdiscouragedbymanyorganizations?

為什么許多組織都不鼓勵(lì)使用軟件開(kāi)發(fā)中的詞匯混淆？A、Problemswritingtestcases

編寫測(cè)試用例時(shí)出現(xiàn)的問(wèn)題B、Problemsrecoveringsystemsafterdisaster

災(zāi)難發(fā)生后恢復(fù)系統(tǒng)的問(wèn)題C、Problemspilingthecode

編譯代碼時(shí)出現(xiàn)問(wèn)題D、Problemsmaintainingdataconnections

在維護(hù)數(shù)據(jù)連接時(shí)出現(xiàn)的問(wèn)題答案：C76.AChiefInformationOfficer(CIO)hasdelegatedresponsibilityoftheirsystemsecuritytotheheadoftheinformationtechnology(IT)department.WhilecorporatepolicydictatesthatonlytheCIOcanmakedecisionsonthelevelofdataprotectionrequired,technicalimplementationdecisionsaredonebytheheadoftheITdepartment.WhichofthefollowingBESTdescribesthesecurityrolefilledbytheheadoftheITdepartment?

首席信息官(CIO)已將其系統(tǒng)安全的職責(zé)委派給信息技術(shù)(IT)部門的負(fù)責(zé)人。雖然公司政策規(guī)定，只有CIO才能對(duì)所需的數(shù)據(jù)保護(hù)級(jí)別做出決策，技術(shù)實(shí)施決策是由IT部門的負(fù)責(zé)人來(lái)完成。以下哪一最佳描述了由