CBK

Question 1

1. Alice has some data that is extremely valuable. She backs it up from her computer to a flash stick, and she puts the flash stick in a safe deposit box(保險櫃). Which two principles s of the CIA triad does this address?
A. Confidentiality and integrity
B. Confidentiality and availability
C. Integrity and availability
D. Availability and nonrepudiation

Answer 1

The correct answer is B. Alice is ensuring a form of availability by having a backup; if her laptop is lost, stolen, or malfunctions, she does not She is also providing a form of confidentiality by locking up the flash stick this practice deters the ability of others to access the flash stick. (Note this ONLY provides confidentiality for the Flash stick; we have no idea she is also providing confidentiality to the data while it is live on her laptop) The question does not describe any practice that could measure integrity protection, and the CIA triad do Es not deal with nonrepudiation.

Question 2

6. To comply with the payment card industry data security standard (PCI DSS), what data element must not be stored for any length of time beyond the transaction? 
A. Cardholder's name 
B. Social Security number 
C. IP address 
D.Card verification value  (CVV)

Answer 2

The correct answer is D. PCI DSS prohibits(禁止) storage of the CVV for any time beyond the transaction.

Question 3

9. Which of the following describes a personnel security tool that should not require the employee’s signature? A. Nondisclosure agreement (NDA)
   B. Personnel security policy
   C. Acceptable use policy (AUP)
   D. Contract

Answer 3

The correct answer is B. The organization’s security policy Is promulgated(頒布) by senior management, and all personnel must comply with it; the employee does not need to sign it. All the other answers are tools that should include the employee’s signature.

Question 4

2. What is the correct order of the asset lifecycle phases?
   A. Create, use, share, store, archive, and destroy
   B. Create, share, use, archive, store, and destroy
   C. Create, store, use, share, archive , and destroy
   D. Create, share, archive, use, store, and destroy

Answer 4

The correct answer is C. This is the correct order of the lifecycle phases of assets: create, store, use, share, archive, and destroy. This is According to the Securosis Blog. Asset classification, therefore, needs to be able to protect assets in whatever phase they are in.

Question 5

3. Which of the following is the BEST definition of defensible destruction?
   A. The destruction of assets using defense approved methods
   B. The destruction of assets using a controlled, legally defensible, and compliant way
   C. The destruction of assets without the opportunity of The recovery of those assets
   D. The destruction of assets using a method that may not allow attackers to recover data

Answer 5

The correct answer is B. The perfect definition of legally defensible destruction of assets, which should end the asset lifecycle, is eliminated data using a Controlled, legally defensible, and regulatory compliant way.

Question 6

4. In an environment where asset classification has been implemented to address the requirements of privacy protection, who in the following list is considered to be the "owner" and, therefore, has t accountability to ensure that the requirements for protection and compliance are addressed  properly?
A.Data processor 
B. Data subject 
C. Data controller 
D. Data steward

Answer 6

The correct answer is C. In specific privacy legislation, the roles for accountability of protection of subject’s personal privacy information is assigned to the data controller. The “owner” and, therefore have the accountability to protect based on requirements legislative and legal requirements.

Question 7

5. Which of the following is NOT an Organization for Economic Cooperation and Development (OECD) principle of privacy protection? 
A. Collection Limitation Principle 
B. Right to be Forgotten Principle 
C. Use Limitation Principle 
D. Accountability Principle

Answer 7

The correct answer is B.  The right to be forgotten principle is not principle addressed in the OECD guidelines for privacy protection. It has been introduced and is part of the privacy legislation in Europe and Argentina since 2006 and is part of the new General Data Protection Regulation (GDPR) to take effect  in Europe.
#Collection Limitation Principle#Data Quality Principle#Purpose Specification#Use Limitation Principle#Security Safeguards Principle#Openness Principle#Individual Participation Principle#Accountability Principle

Question 8

7. Which of the following is not an objective of baseline security controls used in protecting assets?
   A. Specific steps that must be executed
   B. Minimum level of security controls
   C. May be associated with specific architectures and systems
   D. A consistent reference point

Answer 8

The correct answer is A. Specific steps required to be executed are actually examples of procedures, not baseline. A baseline is a minimun level of security that must be achieved so that they can be consistently referenced and may be specific to certain architectures and systems.

Question 9

8. Which of the following is the BEST definition of “scoping”?
   A. Altering baselines to apply specifically more
   B. Modifying assumptions based on previous learned behavior
   C. Limiting general baseline recommendations by removing those that do not apply goals and objectives
   D. Responsible protection of assets based on

Answer 9

The correct answer is C. Limiting recommendations by removing those that do not apply is “scoping.” You are apply in the environments that you are trying to understand fully, from the perspective of protecting assets.

Question 10

1. Requirements definition, design, implementation, and operation examples of what type of System and Security Engineering processes? 
A. Technology processes 
B. Acquisition processes 
C. Design processes 
D.Technical processes

Answer 10

The correct answer is D. A is incorrect terminology. B And C are specific processes, not types of processes.

Question 11

2. One security model includes a set of rules that can has already accessed in order to prevent any potential conflict of interest. This model is known as the: 
A.Biba model 
B. Brewer  /Nash model 
C.Graham-Denning model 
D. Harrison, Ruzzo, Ullman model

Answer 11

The correct answer is B. A, C, and D are models that describe an information system’s rules for operation, but those rules are universally. The Brewer/Nash Model is the only model that explicitly addressed conflicts of interest.

Question 12

3. Select the best answer. Inheritable or “common” security controls are characterized as:
   A. Controls that are passed down from older systems to new systems through code sharing
   B. Introduces unacceptable risk in most systems
   C. Controls that are never assessed in an operational environment
   D Controls that are provided from one system to another in an operational environment

Answer 12

The correct answer is D. D is the correct definition of the term. A, B. and C are not types of controls. All controls must be assessed whether inherited or not And while inheritable controls may introduce risk if not operating properly, they do not generally introduce unacceptable risk, which makes D a better answer

Question 13

4. Three common types of industrial control systems include:
   A. Supervisory control and data acquisition, distributed control systems, programmable logic controllers
   B. Supervisory control and data anonymization, distributed control systems, programmable logic capability
   C. Supervisory control and data anonymization(匿名), distributed chip systems, programmable Logic controllers
   D. Supervisory control and data acquisition, distributed chip systems, programmable logic capability

Answer 13

The correct answer is A. Items B, C, and D compliant incorrect terminology.
#Programmable Logic Controllers (PLC)#Distributed Control System (DCS)#Supervisory Control and Data Acquisition (SCADA)

Question 14

5. The tour most common types of sprinkler systems are:
   A. Soaking, wet pipe, dry pipe, and pre-action
   B. Wet pipe, dry pipe, deluge, and pre-action
   C. Wet pipe, dry pipe, soaking And hybrid
   D. Dry pipe, soaking, deluge, and hybrid

Answer 14

The correct answer is B. Items A, C, and D each contain at least a worst element #背起來

Question 15

5. You have inherited a version 1 Simple Network Management Protocol (SNMP) system. What is the primary risk associated with utilizing this version?
   A. Unencrypted traffic
   B. Routers rejecting “gets”
   C. Switches rejecting “not”
   D. Connecting to systems without Authentication

Answer 15

The correct answer is D. A rogue user can simply connect to an SNMPv1 system by means of a public or private community string without need for authentication.

Question 16

10. At. what plane can you locate routers and switches in software defined network (SDN)? 
A. Data-link and network plane 
B. Data plane 
C. Control plane 
D. Application plane

Answer 16

The correct answer is B. Routers and switches are in the data plne.

Question 17

1. What are the two primary types of access control systems, and what in one way that access control systems are maintained?
   A. Physical and network; due diligence
   B. Deterrent and corrective; due care and due diligence as much security
   C. Integrity and availability; by applied as can be safelly
   D.Logical and physical; central administration of access contro systems

Answer 17

The correct answer is D. NIST SP 800-53 defines two primary access control systems, logical and physical, and both are maintained by administration And security policy. Due diligence and care are overarching organizational postures and actions that aid in avoiding the accusation of negligence and liability. Using as much security as can be safely applied is not a prudent approach to security and doesn’t the question. Integrity and Availability information security. overarching tenants of information security.

Question 18

2. What actions specify enrolling(注冊) and the opposite of enrolling user IDs within an organization? 
A. Identity creation and disposition 
B. Disposition only 
C.Creation only 
D. Provisioning and deprovisioning

Answer 18

The correct answer is D. Identity creation is an activity that would be included in provisioning, But the only correct answer is provisioning and deprovisioning.

Question 19

3. What are the three roles within Security Assertion Markup Language (SAML)?
   A. Identity provider, relying party, service provider
   B. Identity provider, relying party, user
   C Identity provider, service provider, relative token
   D.Attributes, principal, bindings

Answer 19

The Correct answer is B. Attributes and bindings are components of SAML. Relative token is a distractor. Relying party is an alternate term for a service provider.
#SPML:Client/PSP/PST
#SAML:Identity provider, relying party, user
#OpenID: End user/Relying party/OpenID provider
#OAuth: Client/Resource server/Authorization server/Resource owner
ref:http://lab.hiiir.com/wp-content/uploads/2016/10/OAuth.pdf

Question 20

4. Name two roles related to Open Authorization (OAuth).
   A. Resource provider, resource server
   B. Resource provider, resource relying party
   C. Authorization server, resource server
   D. Authorization server, authorization owner

Answer 20

The correct answer is C. There isn’t a resource provider owner in OAuth, but there is a resource owner and server. There is also no authorization owner.

Question 21

5. If an organization demanded that an enrolling party or claimant needed to present themselves in person at an onrolling agent to authenticate their assertion to their identity, what level of assurance would they be providing according to NIST SP 800-63-3?
   A. IAL1
   B. IAL 2
   C. IAL 3
   D.None of the above in-person authentication

Answer 21

The correct answer is B. IAL2 is remote or of an identity. IAL 1 is self-assertion. IAL 3 is assertion verified by a credential service provider.

Question 22

8. Special Publications 800-53r4 defines physical as an automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based access control on (a). 
A. Audit and assurance 
B. Scoping and tailoring  
C. Guidelines and tailoring 
D.Set of authorization rules

Answer 22

The correct answer is D. Tailoring and scoping are used to apply set of controls within an environment that fit the internal requirement utilizing specific controls. Auditing the controls would provide assurance about the effectiveness of the controls. 工三小

Question 23

1. If an organization’s security assessment and testing plans include both internal and external testing, in what order should the test be performed?
   A. Always choose the order based upon cost/benefit analysis
   B. Internal testing
   C. External testing
   D. Internal and external testing should be performed simultaneous

Answer 23

The correct answer is C. External testing is performed first so as not to provide leakage from insider information to outsider environments. Internal and external testing would not be done done simulataneously otherwise the indentification of valunerabilities sources could be misconstrued. Cost/benefit analysis would not be a primary justification for choosing which testing should be accomplished first.

Question 24

2. This type of testing would inform an organization of the vulnerabilities that could be exposed by a bad actor with little  Or information about the organization's systems. 
A. Internal testing 
B. Nocturnal testing 
C. External testing 
D. White-box testing

Answer 24

The correct answer is C. External testing is done to emulate an attacker that is outside of the organization’s perimeter. Nocturnal testing doesn’t exist. External testing by its definition doesn’t have insider Information that would be identified with white-box testing.

Question 25

Scenario Questions 3-6:
Your organization develops security-as-a-service (SECaas) software ohat is consumed via your private cloud. You employ 50 developers ghat practice agile discipline in releasing tools to market. A potential client approaches your organization with the Intent to acquire your services. Before the potential client commits to a Contractual agreement, they have informed your organization that they need to be provided with the highest degree of assurance possible that risks to your operational effectiveness are well contained or mitigated, and they will receive your services delivered in the same operable from they were created in without being changed.

3. What report would be most appropriate to answer the needs the potential client? 
A. SOC 2 Type II 
B. SOC 2 Type I 
C. SOC 1 Type II 
D  .SOC 1 Type I

Answer 25

The correct answer is A. SOC 2 Type Il is a report on technology security controls within an organization. Type II proves design fectiveness. SOC 2 Type I would only confirm t SOC 1 is for reviewing financial controls.

Question 26

Your organization develops security-as-a-service (SECaas) software ohat is consumed via your private cloud. You employ 50 developers ghat practice agile discipline in releasing tools to market. A potential client approaches your organization with the Intent to acquire your services. Before the potential client commits to a Contractual agreement, they have informed your organization that they need to be provided with the highest degree of assurance possible that risks to your operational effectiveness are well contained or mitigated, and they will receive your services delivered in the same operable from they were created in without being changed.
4. What report would be good for attracting additional clients yet unknown to your business?
A. SOC 5 Type II
B. SOC 3
C. SOC 5 Type II New Client
D. SOC 5 Type I Existing Client

Answer 26

The correct answer is B. SOC 3 is an executive summary that can be used as a web seal to advertise a summary opinion of technical Controls. The summary can be posted to a website to advertise for potential customers. There are no SOC 5 reports.

Question 27

Scenario Questions 3-6:
Your organization develops security-as-a-service (SECaas) software ohat is consumed via your private cloud. You employ 50 developers ghat practice agile discipline in releasing tools to market. A potential client approaches your organization with the Intent to acquire your services. Before the potential client commits to a Contractual agreement, they have informed your organization that they need to be provided with the highest degree of assurance possible that risks to your operational effectiveness are well contained or mitigated, and they will receive your services delivered in the same operable from they were created in without being changed.
5. What is the difference between a Type I and a Type II SOC report?
A. Type I is developed over a time period; Type II is a snapshot.
B. There are no Type I or II reports.
C. Type I is longer than Type I is concerned with control effectiveness;
D. Type I is concerned with control design; Type II is concerned with control effectiveness.

Answer 27

The correct answer is D. Type I is concerned with control design; Type II is concerned with control effectiveness.

Question 28

Your organization develops security-as-a-service (SECaas) software ohat is consumed via your private cloud. You employ 50 developers ghat practice agile discipline in releasing tools to market. A potential client approaches your organization with the Intent to acquire your services. Before the potential client commits to a Contractual agreement, they have informed your organization that they need to be provided with the highest degree of assurance possible that risks to your operational effectiveness are well contained or mitigated, and they will receive your services delivered in the same operable from they were created in without being changed.
6. For the potential client to understand the probability That your department of 50 developers remain properly compensated and incentivized to continue to support the security-as-a-service that they wish to consume, what report might they consider?
A. SOC 2 Type II
B. SOC 2 Type I
C. SOC 1 Type II
D.SOC 1 Type I

Answer 28

The correct answer is C. A SOC 1 Type | report would be appropriate since it would reflect what the effectiveness of the internal.controls over financial reporting is. Special attention could be associated with benef management. SOC 1 is for reviewing financial controls. Typ SOC 1 Type I is proof of the design of the financial control alone. SOC 2 Type II&I are reports on technology security controls within an organization.

Question 29

8. According to ISO 27002 a backup policy should define
   A. How many times a tape has been used
   B. Retention and protection requirements
   C. All the information that can be used in business requirements
   D. Technical training for all backup administrators

Answer 29

The correct answer is B ISO 27002 states that a backup policy should define retention and protection requirements. None of the other statements are true concerning what is stated in ISO 27002.

Question 30

9. What statement is true of key risk indicators (KRIs)?
   A. Aid in monitoring emerging Risk
   B. Aid in understanding if goals have been met
   C. Aid in shedding light on performance metrics
   D. Aid in alerting when team metrics haven’t been met

Answer 30

The correct answer is A. KRIS are designed to monitor risk to take proactive action. B , C, and D are all key performance indicator KPI) markers.

Question 31

2. Which of the following is paramount(最重要的) in all emergeney actions/responses? 
A. Asset protection 
B. Health and human safety 
C. Regulatory compliance 
D. Confidentiality

Answer 31

The correct answer is B. Health and human safety is always the most important aspect of security.

Question 32

3. A duress code should  be \_\_\_\_\_\_\_
A. reusable 
B. immediately recognizable 
C. covert 
D. complex

Answer 32

The correct answer is C. The duress code should be something eubtle and unrecognizable to anyone outside the organization, to remember in times of stress, and of limited simple duration duration.

Question 33

4. The organization should provide specific BCDR plan training to _____
   A. all members of the security team
   B. critical personnel and response team members
   C. all stakeholders
   D. members of external first response teams (fire, police, medical, etc.)

Answer 33

The Correct answer is B. Organizational personnel who will be involved in an actual BCDR response should receive specific training from the organization. External responders will be trained by their agencies. Not all members of the security team will be involved in BCDR actions.

Question 34

5. Honeypots/  Honeynets are intended to attackers. 
A. deter #威懾
B. attract 
C. distract   #分散注意力
D. prevent

Answer 34

The correct answer is C. A honeypot/honeynet is meant to occupy the attacker’s time, attention, and efforts while the organization collects information about the attack. /honeynets will not deter or prevent attacks and should not be examples as attractive.

Question 35

8.Which of the following is true about evidence?
A. Evidence useless if the original version has been changed in any way
B. Evidence can expire
C.Electronic evidence is inadmissible
D.Evidence should be believable

Answer 35

The correct answer is D. Evidence is material supporting Argument; it must be believable to be effective.

Question 36

1.The Software Engineering Institute's Capability Maturity Model (CMM) Integration focuses on: 
A. Software development methodologies 
B. Systems integration 
C. Process management 
D. Software testing and evaluation

Answer 36

The correct answer is C. CMMis a process improvement methodolog) To allow organizations to mature to better levels in relation to pracess improvement.

Question 37

5. Copies of essential application programs, documentation, and electronic data should be: 
A. Stored with the computer system 
B. Licensed by the users 
C. Maintained by the developers 
D. Stored at a backup site

Answer 37

The correct answer is D. Key word in the question is the word “copies” or even the word “essential” that tells us that we need to provide redundancy. None of the other answers really make sense in relation to “essential” valuable assets.

Question 38

8. The purpose of polyinstantiation is to prevent:
   A. Low-level users from inferring the existence of higher level data Domai
   B. Low-level users from inferring the existence of data in other databases
   C. Low-level users from accessing low- Level data
   D. High-level users from inferring the existence of data at lower levels

Answer 38

The correct answer is A. Polyinstantiation allows different versions of the same information to exist at different classification levels to prevent inference of more sensitive information that exists at higher levels.