安全管理習(xí)題講解

安全管理習(xí)題講解第1頁/共54頁QUIZ2Accordingtogovernmentaldataclassificationlevels,howwouldanswerstotestsandhealthcareinformationbeclassified?AConfidentialBSensitivebutunclassifiedCPrivateDUnclassifiedB第2頁/共54頁第3頁/共54頁QUIZ3.Accordingtoprivatesectordataclassificationlevels,howwouldsalarylevelsandmedicalinformationbeclassified?AConfidentialBPublicCPrivateDSensitiveC第4頁/共54頁QUIZ4Whichofthenextarestepsofacommondevelopmentprocessofcreatingasecuritypolicy,standardsandprocedures?Adesign,development,publication,coding,testingBdesign,evaluation,approval,publication,implementationCinitialandevaluation,development,approval,publication,implementation,maintenanceDfeasibility,development,approval,implementation,integrationC第5頁/共54頁5Whatisthemainpurposeofasecuritypolicy?AtotransfertheresponsibilityfortheinformationsecuritytoallusersoftheorganizationBtoprovidedetailedstepsforperformingspecificactionsCtoprovideacommonframeworkforalldevelopmentactivitiesDtoprovidethemanagementdirectionandsupportforinformationsecurityD第6頁/共54頁6Whichofthefollowingdepartmentmanagerswouldbebestsuitedtooverseethedevelopmentofaninformationsecuritypolicy?ASecurityadministrationBHumanresourcesCBusinessoperationsDInformationsystemsC第7頁/共54頁7Whichofthefollowingisnotaresponsibilityofaninformationowner?ARunningregularbackupsandperiodicallytestingthevalidityofthebackupdata.BDelegatetheresponsibilityofdataprotectiontodatacustodians.CPeriodicallyreviewtheclassificationassignmentsagainstbusinessneeds.DDeterminewhatlevelofclassificationtheinformationrequires.A第8頁/共54頁8Whichofthefollowingisnotagoalofintegrity?APreventionofthemodificationofinformationbyunauthorizedusers.BPreventionoftheunauthorizedorunintentionalmodificationofinformationbyauthorizedusers.CPreventionofthemodificationofinformationbyauthorizedusers.DPreservationoftheinternalandexternalconsistency.C第9頁/共54頁9Whydomanyorganizationsrequireeveryemployeetotakeamandatoryvacationofaweekormore?AToleadtogreaterproductivitythroughabetterqualityoflifefortheemployee.BToreducetheopportunityforanemployeetocommitanimproperorillegalact.CToprovidepropercrosstrainingforanotheremployee.DToallowmoreemployeestohaveabetterunderstandingoftheoverallsystem.B第10頁/共54頁10Whichofthefollowingwouldbestrelatetoresourcesbeingusedonlyforintendedpurposes?AAvailabilityBIntegrityCReliabilityDConfidentialityA第11頁/共54頁11Securityofcomputer-basedinformationsystemsiswhichofthefollowing?AtechnicalissueBmanagementissueCtrainingissueDoperationalissueB第12頁/共54頁12Whichofthefollowingwouldbethefirststepinestablishinganinformationsecurityprogram?ADevelopmentandimplementationofaninformationsecuritystandardsmanual.BDevelopmentofasecurityawareness-trainingprogramforemployees.CPurchaseofsecurityaccesscontrolsoftware.DAdoptionofacorporateinformationsecuritypolicystatement.D第13頁/共54頁13Whichofthefollowingtasksmaybeperformedbythesamepersoninawell-controlledinformationprocessingfacility/computercenter?AComputeroperationsandsystemdevelopmentBSystemdevelopmentandchangemanagementCSystemdevelopmentandsystemsmaintenanceDSecurityadministrationandchangemanagementC第14頁/共54頁14Computersecurityshouldnot:ACoverallidentifiedrisks.BBecost-effective.CBeexaminedinbothmonetaryandnon-monetaryterms.DBeproportionatetothevalueofITsystems.A第15頁/共54頁15Whichofthefollowingismostconcernedwithpersonnelsecurity?AManagementcontrolsBHumanresourcescontrolsCTechnicalcontrolsDOperationalcontrolsD第16頁/共54頁16Whichofthefollowingismostlikelygiventheresponsibilityofthemaintenanceandprotectionofthedata?ASecurityadministratorBUserCDatacustodianDDataowner

C第17頁/共54頁17Whoisresponsibleforprovidingreportstotheseniormanagementontheeffectivenessofthesecuritycontrols?AInformationsystemssecurityprofessionalsBDataownersCDatacustodiansDInformationsystemsauditorsD第18頁/共54頁18Riskmitigationandriskreductioncontrolscanbeofwhichofthefollowingtypes?Apreventive,detective,orcorrectiveBAdministrative,operationalorlogicalCdetective,correctiveDpreventive,correctiveandadministrativeA第19頁/共54頁19Whichofthefollowingwouldbestclassifyasamanagementcontrol?AReviewofsecuritycontrolsBDocumentationCPersonnelsecurityDPhysicalandenvironmentalprotectionA第20頁/共54頁20WhatisthegoaloftheMaintenancephaseinacommondevelopmentprocessofasecuritypolicy?AtopresentdocumenttoapprovingbodyBtowriteproposaltomanagementthatstatestheobjectivesofthepolicyCpublicationwithintheorganizationDtoreviewofthedocumentonthespecifiedreviewdateD第21頁/共54頁21Whichapproachtoasecurityprogrammakessurethatthepeopleactuallyresponsibleforprotectingthecompany'sassetsaredrivingtheprogram?AThetop-downapproachBThebottom-upapproachCThetechnologyapproachDTheDelphiapproachA第22頁/共54頁22ThepreliminarystepstosecurityplanningincludeallofthefollowingEXCEPTwhichofthefollowing?ADeterminealternatecoursesofactionBEstablishasecurityauditfunction.CEstablishobjectives.DListplanningassumptions.B第23頁/共54頁23ITsecuritymeasuresshould:ABetailoredtomeetorganizationalsecuritygoals.BMakesurethateveryassetoftheorganizationiswellprotected.CNotbedevelopedinalayeredfashion.DBecomplexA第24頁/共54頁24Whichofthefollowingembodiesallthedetailedactionsthatpersonnelarerequiredtofollow?ABaselinesBProceduresCGuidelinesDStandardsB第25頁/共54頁25WhichofthefollowingshouldNOTbeaddressedbyemployeeterminationpractices?ADeletionofassignedlogon-IDandpasswordstoprohibitsystemaccess.BReturnofaccessbadges.CEmployeebondingtoprotectagainstlossesduetotheft.DRemovaloftheemployeefromactivepayrollfiles.C第26頁/共54頁26Preservationofconfidentialityinformationsystemsrequiresthattheinformationisnotdisclosedto:AAuthorizedpersonsandprocessesBUnauthorizedpersons.CUnauthorizedpersonsorprocesses.DAuthorizedpersonC第27頁/共54頁27Whichofthefollowingstatementspertainingtoquantitativeriskanalysisisfalse?AItrequiresahighvolumeofinformationBItinvolvescomplexcalculationsCItcanbeautomatedDItinvolvesalotofguessworkD第28頁/共54頁28Allexceptwhichofthefollowarenotusedtoensureintegrity?AcompliancemonitoringservicesBintrusiondetectionservicesCcommunicationssecuritymanagementDfirewallservicesA第29頁/共54頁29WhichofthefollowingwouldviolatetheDueCareconcept?ALatestsecuritypatchesforserversonlybeinginstalledonceaweekBNetworkadministratornottakingmandatorytwo-weekvacationasplannedCSecuritypolicybeingoutdatedDDataownersnotlayingoutthefoundationofdataprotectionD第30頁/共54頁30Whatdoes"residualrisk"mean?AWeaknessofanassetswhichcanbeexploitedbyathreatBRiskthatremainsafterriskanalysishashasbeenperformedCTheresultofunwantedincidentDThesecurityriskthatremainsaftercontrolshavebeenimplementedD第31頁/共54頁31Whichofthefollowingquestionsshouldanyusernotbeabletoanswerregardingtheirorganization'sinformationsecuritypolicy?AWhereistheorganization'ssecuritypolicydefined?BWhoisinvolvedinestablishingthesecuritypolicy?CWhataretheactionsthatneedtobeperformedincaseofadisaster?DWhoisresponsibleformonitoringcompliancetotheorganization'ssecuritypolicy?C第32頁/共54頁32Inaproperlysegregatedenvironment,whichofthefollowingtasksiscompatiblewiththetaskofsecurityadministrator?ADataentryBSystemsprogrammingCQualityassuranceDApplicationsprogrammingC第33頁/共54頁33Themajorobjectiveofsystemconfigurationmanagementiswhichofthefollowing?AsystemmaintenanceBsystemtrackingCsystemstabilityDsystemoperationsC第34頁/共54頁34Inanorganization,anInformationTechnologysecurityfunctionshould:ABeindependentbutreporttotheInformationSystemsfunction.BBeleadbyaChiefSecurityOfficerandreportdirectlytotheCEO.CReportdirectlytoaspecializedbusinessunitsuchaslegal,corporatesecurityorinsurance.DBeafunctionwithintheinformationsystemsfunctionofanorganization.B第35頁/共54頁35Whoshouldmeasuretheeffectivenessofsecurityrelatedcontrolsinanorganization?AthecentralsecuritymanagerBthelocalsecurityspecialistCthesystemsauditorDthebusinessmanagerC第36頁/共54頁36WhatisadifferencebetweenQuantitativeandQualitativeRiskAnalysis?Afullyqualitativeanalysisisnotpossible,whilequantitativeisBquantitativeprovidesformalcost/benefitanalysisandqualitativenotCthereisnodifferencebetweenqualitativeandquantitativeanalysisDqualitativeusesstrongmathematicalformulasandquantitativenotB第37頁/共54頁37HowisAnnualizedLossExpectancy(ALE)derivedfromatreat?AAROx(SLE-EF)BSLExAROCSLE/EFDAVxEFB第38頁/共54頁38Onepurposeofasecurityawarenessprogramistomodify:Aattitudesofemployeeswithsensitivedata.Bcorporateattitudesaboutsafeguardingdata.Cemployee'sattitudesandbehaviors.Dmanagement'sapproach.C第39頁/共54頁39Controlsareimplementedto:AeliminateriskandreducethepotentialforlossBmitigateriskandeliminatethepotentialforlossCeliminateriskandeliminatethepotentialforlossDmitigateriskandreducethepotentialforlossD第40頁/共54頁40Whoshoulddecidehowacompanyshouldapproachsecurityandwhatsecuritymeasuresshouldbeimplemented?ATheinformationsecurityspecialistBAuditorCSeniormanagementDDataownerC第41頁/共54頁41Whichofthefollowingistheweakestlinkinasecuritysystem?APeopleBCommunicationsCHardwareDSoftwareA第42頁/共54頁42ISO17799isastandardfor:AInformationSecurityManagementBImplementationandcertificationofbasicsecuritymeasuresCCertificationofpublickeyinfrastructuresDEvaluationcriteriaforthevalidationofcryptographicalgorithmsA第43頁/共54頁43Whoofthefollowingisresponsibleforensuringthatpropercontrolsareinplacetoaddressintegrity,confidentiality,andavailabilityofITsystemsanddata?ABusinessandfunctionalmanagersBChiefinformationofficerCITSecuritypractitionersDSystemandinformationownersD第44頁/共54頁44Relatedtoinformationsecurity,theguaranteethatthemessagesentisthemessagereceivedisanexampleofwhichofthefollowing?AintegrityBidentityCavailabilityDconfidentialityA第45頁/共54頁45WhichoneofthefollowingrepresentsanALEcalculation?AassetvaluexlossexpectancyBactualreplacementcost-proceedsofsalvageCgrosslossexpectancyxlossfrequencyDsinglelossexpectancyxannualizedrateofoccurrenceD第46頁/共54頁46WhichofthefollowingchoicesisNOTpartofasecuritypolicy?AdescriptionofspecifictechnologiesusedinthefieldofinformationsecurityBdefinitionofoverallstepsofinformationsecurityandtheimportanceofsecurityCstatementofmanagementintend,supportingthegoalsandprinciplesofinformationsecurityDdefinitionofgeneralandspecificresponsibilitiesforinformationsecuritymanagementA第47頁/共54頁47Whichofthefollowingstatementspertainingtoasecuritypolicyisincorrect?AItmustbeflexibletothechangingenvironment.BItsmainpurposeistoinformtheusers,administratorsandmanagersoftheirobligatoryrequirementsforprotectingtechnologyandinformationas