CBK Flashcards
1. Alice has some data that is extremely valuable. She backs it up from her computer to a flash stick, and she puts the flash stick in a safe deposit box (safe). Which two principles of the CIA triad does this address?
A. Confidentiality and integrity
B. Confidentiality and availability
C. Integrity and availability
D. Availability and nonrepudiation
The correct answer is B. Alice is ensuring a form of availability by having a backup; if her laptop is lost, stolen, or malfunctions, she does not. She is also providing a form of confidentiality by locking up the flash stick; this practice deters the ability of others to access the flash stick. (Note this ONLY provides confidentiality for the flash stick; we have no idea whether she is also providing confidentiality to the data while it is live on her laptop.) The question does not describe any practice that could measure integrity protection, and the CIA triad does not deal with nonrepudiation.
6. To comply with the Payment Card Industry Data Security Standard (PCI DSS), what data element must not be stored for any length of time beyond the transaction?
A. Cardholder's name
B. Social Security number
C. IP address
D. Card verification value (CVV)
The correct answer is D. PCI DSS prohibits storage of the CVV for any time beyond the transaction.
- Which of the following describes a personnel security tool that should not require the employee's signature?
A. Nondisclosure agreement (NDA)
B. Personnel security policy
C. Acceptable use policy (AUP)
D. Contract
The correct answer is B. The organization's security policy is promulgated by senior management, and all personnel must comply with it; the employee does not need to sign it. All the other answers are tools that should include the employee's signature.
- What is the correct order of the asset lifecycle phases?
A. Create, use, share, store, archive, and destroy
B. Create, share, use, archive, store, and destroy
C. Create, store, use, share, archive, and destroy
D. Create, share, archive, use, store, and destroy
The correct answer is C. This is the correct order of the lifecycle phases of assets: create, store, use, share, archive, and destroy. This is according to the Securosis Blog. Asset classification, therefore, needs to be able to protect assets in whatever phase they are in.
- Which of the following is the BEST definition of defensible destruction?
A. The destruction of assets using defense approved methods
B. The destruction of assets using a controlled, legally defensible, and compliant way
C. The destruction of assets without the opportunity of the recovery of those assets
D. The destruction of assets using a method that may not allow attackers to recover data
The correct answer is B. The perfect definition of legally defensible destruction of assets, which should end the asset lifecycle, is eliminating data using a controlled, legally defensible, and regulatory compliant way.
4. In an environment where asset classification has been implemented to address the requirements of privacy protection, who in the following list is considered to be the "owner" and, therefore, has the accountability to ensure that the requirements for protection and compliance are addressed properly?
A. Data processor
B. Data subject
C. Data controller
D. Data steward
The correct answer is C. In specific privacy legislation, the role with accountability for protecting a subject's personal privacy information is assigned to the data controller. The data controller is the "owner" and therefore has the accountability to protect the data based on legislative and legal requirements.
5. Which of the following is NOT an Organization for Economic Cooperation and Development (OECD) principle of privacy protection?
A. Collection Limitation Principle
B. Right to be Forgotten Principle
C. Use Limitation Principle
D. Accountability Principle
The correct answer is B. The right to be forgotten principle is not a principle addressed in the OECD guidelines for privacy protection. It has been introduced and is part of the privacy legislation in Europe and Argentina since 2006 and is part of the new General Data Protection Regulation (GDPR) to take effect in Europe. The OECD principles are: Collection Limitation Principle; Data Quality Principle; Purpose Specification Principle; Use Limitation Principle; Security Safeguards Principle; Openness Principle; Individual Participation Principle; Accountability Principle.
- Which of the following is not an objective of baseline security controls used in protecting assets?
A. Specific steps that must be executed
B. Minimum level of security controls
C. May be associated with specific architectures and systems
D. A consistent reference point
The correct answer is A. Specific steps required to be executed are actually examples of procedures, not baselines. A baseline is a minimum level of security that must be achieved so that it can be consistently referenced, and it may be specific to certain architectures and systems.
- Which of the following is the BEST definition of “scoping”?
A. Altering baselines to apply specifically more
B. Modifying assumptions based on previous learned behavior
C. Limiting general baseline recommendations by removing those that do not apply goals and objectives
D. Responsible protection of assets based on
The correct answer is C. Limiting recommendations by removing those that do not apply is "scoping." You apply them in the environments that you are trying to understand fully, from the perspective of protecting assets.
1. Requirements definition, design, implementation, and operation are examples of what type of System and Security Engineering processes?
A. Technology processes
B. Acquisition processes
C. Design processes
D. Technical processes
The correct answer is D. A is incorrect terminology. B and C are specific processes, not types of processes.
2. One security model includes a set of rules that can has already accessed in order to prevent any potential conflict of interest. This model is known as the:
A. Biba model
B. Brewer/Nash model
C. Graham-Denning model
D. Harrison, Ruzzo, Ullman model
The correct answer is B. A, C, and D are models that describe an information system's rules for operation, but those rules apply universally. The Brewer/Nash model is the only model that explicitly addresses conflicts of interest.
- Select the best answer. Inheritable or “common” security controls are characterized as:
A. Controls that are passed down from older systems to new systems through code sharing
B. Introduces unacceptable risk in most systems
C. Controls that are never assessed in an operational environment
D. Controls that are provided from one system to another in an operational environment
The correct answer is D. D is the correct definition of the term. A, B, and C are not types of controls. All controls must be assessed, whether inherited or not. And while inheritable controls may introduce risk if not operating properly, they do not generally introduce unacceptable risk, which makes D a better answer.
- Three common types of industrial control systems include:
A. Supervisory control and data acquisition, distributed control systems, programmable logic controllers
B. Supervisory control and data anonymization, distributed control systems, programmable logic capability
C. Supervisory control and data anonymization, distributed chip systems, programmable logic controllers
D. Supervisory control and data acquisition, distributed chip systems, programmable logic capability
The correct answer is A. Items B, C, and D contain incorrect terminology. The three types are: Programmable Logic Controllers (PLC); Distributed Control Systems (DCS); Supervisory Control and Data Acquisition (SCADA).
- The four most common types of sprinkler systems are:
A. Soaking, wet pipe, dry pipe, and pre-action
B. Wet pipe, dry pipe, deluge, and pre-action
C. Wet pipe, dry pipe, soaking, and hybrid
D. Dry pipe, soaking, deluge, and hybrid
The correct answer is B. Items A, C, and D each contain at least one wrong element. (Memorize this.)
- You have inherited a version 1 Simple Network Management Protocol (SNMP) system. What is the primary risk associated with utilizing this version?
A. Unencrypted traffic
B. Routers rejecting “gets”
C. Switches rejecting “not”
D. Connecting to systems without authentication
The correct answer is D. A rogue user can simply connect to an SNMPv1 system by means of a public or private community string without need for authentication.