ISC 1week Flashcards
根據COBIT 2019中不同管理目標的具體內容,以下應該是哪個目標
·Focuses on integrating IT solutions into business processes.
·Manages capacity, organizational changes, and IT assets.
COBIT 2019 - Build, Acquire, and Implement (BAI)
Managed knowledge, managed organizational change, and managed availability and capacity
管理知識、管理組織變革,以及管理可用性和能力
changes
根據COBIT 2019中不同管理目標的具體內容,以下應該是哪個目標
·Directly related to managing security services and ensuring continuity.
COBIT 2019 - Deliver, Service, and Support (DSS)
·Focuses on IT service delivery, security, and support.
Covers IT security (DSS05), business process controls (DSS06), and business continuity (DSS04).
根據COBIT 2019中不同管理目標的具體內容,以下應該是哪個目標
·Involves internal control management but does NOT specifically address IT security, business process controls, or business continuity.
COBIT 2019 - Monitor, Evaluate, and Assess (MEA)
-專注於評估 IT 績效,並確保與目標一致。
根據COBIT 2019中不同管理目標的具體內容,以下應該是哪個目標
·Focuses on evaluating IT performance and ensuring alignment with targets.
COBIT 2019 - Monitor, Evaluate, and Assess (MEA)
-專注於評估 IT 績效,並確保與目標一致。
根據COBIT 2019中不同管理目標的具體內容,以下應該是哪個目標
·Focuses on IT strategy, governance, and planning.
·Supports core functions like HR, budgeting, and risk management.
COBIT 2019 - Align, Plan, and Organize (APO)
planing
根據COBIT 2019中不同管理目標的具體內容,以下應該是哪個目標
ensured stakeholder management, ensured resource optimization, and ensured benefits delivery
Evaluate, Direct, and Monitor (EDM)
EDM
Ensured governance framework setting and maintenance, ensured benefits delivery, ensured risk optimization, ensured resource optimization, and ensured stakeholder engagement.
包括五個目標:確保管治架構的設定與維護、確保效益交付、確保風險最佳化、確保資源最佳化、確保利害關係人參與。
stakeholder
Inheritance controls
controls implemented at the organizational level and adopted/inherited by information systems.
“繼承控制”是指在組織層面上實施的控制措施,這些措施可以被信息系統採用或繼承。這類控制措施通常適用於整個組織的多個系統,因此單個系統不需要各自實施相同的控制,而是直接繼承組織層面的控制。
例子:
安全策略:組織在全公司範圍內實施了一套網絡安全策略,所有的IT系統都必須遵守這些策略。這樣,個別系統不需要為自己制定安全策略,而是繼承了組織層級的安全控制。
Baseline controls
Baseline controls are required to be in conformance to the control family. Baseline controls do not enhance existing controls.
基線控制是指必須符合控制家族(即一組相關聯的安全控制措施)的基本控制措施。基線控制通常是最低要求的控制,旨在確保系統的安全性達到基本標準,但它們不會增強現有的控制措施。
例子:
訪問控制:組織要求每個系統都至少使用密碼保護用戶帳戶,這是基線控制的一部分。這是一個基本的安全措施,確保每個系統的訪問控制達到最低標準,但它不會進一步增強(如多因素認證則屬於增強控制)。
which control?
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Control 01: Inventory and Control of Enterprise Assets
涉及主動管理(清單、跟蹤和修正)所有企業資產,包括實體和虛擬基礎設施,準確了解需要監控和保護的資產,並識別未經授權的資產。
which control?
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Control 02: Inventory and Control of Software Assets
專注於管理和控制軟體,以防止未經授權的應用程式執行。
which control?
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Control 03: Data Protection
開發過程和技術控制以識別、分類、安全處理、保留和處理數據
which control?
Establish and maintain the secure configuration of both software and assets within the enterprise
Control 04: Secure Configuration of Enterprise Assets and Software
涉及建立和維護企業資產和軟件的安全配置,包括終端用戶設備、網絡設備、物聯網設備和伺服器。
which control?
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
Control 05: Account Management
專注於管理與各種帳戶綁定的憑證授權(用戶驗證身份之後可以做什麼,例如管理員帳戶和一般帳戶)。
which control?
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Control 06: Access Control Management
使用流程和工具來建立、指派、管理和撤銷企業資產和軟體的使用者、管理員和服務帳號的存取憑證和權限。
專注於管理各種帳戶的存取憑證(帳號密碼)和權限。
which control?
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Control 07: Continuous Vulnerability Management
涉及制定計劃,持續評估和跟踪所有企業資產上的漏洞,以減少攻擊機會,並監控行業來源的新威脅信息。
which control?
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Control 08: Audit Log Management
專注於蒐集和管理稽核記錄,以偵測和回應安全事件。
which control?
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
Control 09: Email and Web Browser Protections
改善對來自電子郵件和網頁瀏覽器的威脅的保護和檢測,這些是攻擊者通過直接接觸來操縱人類行為的機會。
which control?
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Control 10: Malware Defenses
which control?
the recommendation to establish and maintain practices relevant to data sufficient to restore in-scope enterprise assets to a pre-incident and trusted state
Control 11: Data Recovery
protecting recovery data and performing automated backups.
涉及保護恢復數據和執行自動化備份。
which control?
Establish, implement, and actively manage (track, report, correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points.
Control 12: Network Infrastructure Management
包括安全管理網絡基礎設施、確保網絡組件更新及建立和維護安全的網絡架構。
securely managing the network, ensuring the network components are up-to-date, and establishing and maintaining a secure network architecture
Control 12 強調網絡設備的主動管理和配置,防止攻擊者利用基礎設施中的漏洞。(未發生)
which control?
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.
collecting network traffic flow logs, managing access controls for remote assets, and centralizing security event alerting.
Control 13: Network Monitoring and Defense
包括收集網絡流量日誌、管理遠程資產的訪問控制及集中安全事件警報。
Control 13 強調監控和防禦,以便及時發現和應對已經發生的安全威脅。(偵測和控制)
which control?
establishing and maintaining a security awareness program, training workforce members to recognize social engineering attacks, and training workforce members on authentication best practices.
Control 14: Security Awareness and Skills Training
涉及建立和維護安全意識計劃、訓練員工識別社會工程攻擊及最佳身份驗證實踐。
which control?
Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Control 15: Service Provider Management
制定一套程序,以評估持有敏感資料或負責企業關鍵 IT 平台或程序的服務供應商,確保這些供應商適當地保護這些平台和資料。
which control?
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Control 16: Application Software Security
涉及管理自家開發、托管或購買的軟件的安全生命週期,以防止、檢測和修補安全漏洞,防止其影響企業。
which control?
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Control 17: Incident Response Management
涉及建立並維護一個應急響應計劃,包括政策、計劃、程序、角色定義、培訓和通信,以準備、檢測並快速回應攻擊。
which control?
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
Control 18: Penetration Testing
滲透測試
涉及測試企業資產的有效性和韌性,通過識別和利用控制中的弱點來模擬攻擊者的行為。
simulate 模擬攻擊
NIST Privacy Framework Core Functions
最符合以下描述的隱私框架核心功能
ventory and mapping, business environment, risk assessment, and data processing ecosystem risk management
Identify (ID): Understand the business context, resources, and related cybersecurity risks to establish an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
瞭解業務背景、資源和相關的網路安全風險,以建立組織瞭解,管理系統、員工、資產、資料和能力的網路安全風險。
——————————-
記憶關鍵:identify- mapping
NIST Privacy Framework Core Functions
最符合以下描述的隱私框架核心功能
risk management strategy, awareness and training, and monitoring review
govern
In the NIST Privacy Framework Core Functions, the govern function has four categories including
1. governance policies, process, and procedures;
2. risk management strategy;
3. awareness and training;
4. and monitoring review.
記憶關鍵:
govern-政策,戰略,意識,監視
最符合以下描述的隱私框架核心功能
protection policies, processes, and procedures; identity management, authentication, and access control; data security; maintenance; and protective technology
Protect (PR): Develop and implement safeguards to ensure delivery of critical services.
「Identity Management and Access Control」(身份管理與存取控制)、「Awareness and Training」(意識與培訓)、「Data Security」(數據安全) 和「Protective Technology」(保護技術) 都與保護個人數據免受未經授權的訪問、洩露或損壞有關。
制定並實施保障措施,以確保提供關鍵服務。
monitor主要針對已發生的情況,而不是預防和保護措施
記憶關鍵:
protect-Data Security
最符合以下描述的隱私框架核心功能
Anomalies and Events, Security Continuous Monitoring, and Detection Processes
Detect (DE): Implement activities to identify the occurrence of a cybersecurity event.
執行識別網路安全事件發生的活動。
記憶關鍵:
detect-event
最符合以下描述的隱私框架核心功能
Response Planning, Communications, Analysis, Mitigation, and Improvements categories.
Respond (RS): Take action regarding a detected cybersecurity incident.
針對偵測到的網路安全事件採取行動。
記憶關鍵:
response
最符合以下描述的隱私框架核心功能
Recovery Planning, Improvements, and Communications.
Recover (RC): Maintain plans for resilience and restore capabilities or services impaired due to a cybersecurity incident.
維持復原計劃,並恢復因網路安全事件而受損的能力或服務。
記憶關鍵:
recovery
最符合以下描述的隱私框架核心功能
data processing policies, processes, and procedures; data processing management; and disassociated processing.
control function
控制功能分為三個類別,包括資料處理政策、流程和程序;資料處理管理;以及不相關的處理。
以下屬於哪個NIST框架实施层级
When incident management not integrated into organizational processes and is often ad hoc
Tier 1 (partial) implementation tier.
當事件管理並未整合至組織流程中,而且往往是臨時性質時
以下屬於哪個NIST框架实施层级
Risk management practices are approved by management but might not be established as organizational-wide policy.
Tier 2 (risk informed)
第 2 層 (風險資訊) 的實施涉及組織其他成員的網路安全意識,但不涉及安全管理。
以下屬於哪個NIST框架实施层级
an organizational risk approach to cybersecurity where it is integrated into planning and regularly communicated among senior leadership
Tier 3 (repeatable)
第 3 級 (可重複) 實作涉及組織網路安全風險方法,將其納入規劃中,並定期在高階領導層之間溝通。
以下屬於哪個NIST框架实施层级
prioritization of managing cyber risks similar to other forms of organizational risks
Tier 4 (adaptive)
第 4 層 (適應性) 實作涉及管理網路風險的優先順序,類似於其他形式的組織風險。
the function is belong to which transaction cycle?
Pays employees, records payroll, reports to managers.
Human Resources and Payroll
the function is belong to which transaction cycle?
Records sales transactions, remits payments from customers, and interacts with external entities like banks.
Revenue and Cash Collections
the function is belong to which transaction cycle?
Records transactions, investment activity, and cash-related activities.
General Ledger and Reporting
investment earning 因為不是主要的收入,所以不是revenue而是general ledger
the function is belong to which transaction cycle?
Manages cash flow, processes loan payments, and handles investments.
Treasury
注意:
loan payment還債=財仔treasury
approving or denying a loan based on their credit history因為主要目的是收取account receivable,所以屬於Sales and cash collection cycles
the function is belong to which transaction cycle?
Records inventory and fixed assets, manages production orders and invoices.
Production and Fixed Assets
the function is belong to which transaction cycle?
Submits purchase orders, handles payments to vendors, and manages procurement.
Purchasing and Disbursement
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Exercises Board Risk Oversight
Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Establishes Operating Structures
Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Defines Desired Culture
Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Demonstrates Commitment to Core Values
Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Attracts, Develops, and Retains Capable Individuals
Governance & Culture
1. Exercises Board Risk Oversight
2. Establishes Operating Structures
3. Defines Desired Culture
4. Demonstrates Commitment to Core Values
5. Attracts, Develops, and Retains Capable Individuals
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Analyzes Business Context
Strategy & Objective-Setting
6. Analyzes Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Defines Risk Appetite
Strategy & Objective-Setting
6. Analyzes Business Context (分析業務環境):企業在確定戰略和目標時,應該考慮內部和外部的業務環境,如市場變化、競爭、法規等,這有助於理解風險和機會。 7. Defines Risk Appetite (定義風險偏好):組織需要明確它能夠承受的風險類型和程度,以確保風險管理與組織的戰略方向一致。 8. Evaluates Alternative Strategies (評估替代戰略):組織應該根據風險管理的框架,評估多種可選的戰略,並考慮這些戰略如何影響風險和回報。 9. Formulates Business Objectives (制定業務目標):在戰略確定後,組織應該設立具體的業務目標,這些目標應能夠促進戰略的實現,同時考慮風險因素。
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Evaluates Alternative Strategies
Strategy & Objective-Setting
6. Analyzes Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Formulates Business Objectives
Strategy & Objective-Setting
6. Analyzes Business Context
7. Defines Risk Appetite
8. Evaluates Alternative Strategies
9. Formulates Business Objectives
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Identifies Risk
Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Assesses Severity of Risk
Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Prioritizes Risks
Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Implements Risk Responses
Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses執行風險回應,因為有執行兩字,所以是performance
14. Develops Portfolio View
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Develops Portfolio View
Performance
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritizes Risks
13. Implements Risk Responses
14. Develops Portfolio View
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Assesses Substantial Change
Review & Revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Reviews Risk and Performance
Review & Revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Pursues Improvement in Enterprise Risk Management
Review & Revision
15. Assesses Substantial Change
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management追求企業風險管理的改善,improvement–>修訂revision
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Leverages Information and Technology
Information, Communication, & Reporting
18. Leverages Information and Technology擅用信息技術
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Communicates Risk Information
Information, Communication, & Reporting
18. Leverages Information and Technology
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance
以下屬於COSO企業風險管理框架(ERM)的哪一部分?
Reports on Risk, Culture, and Performance
Information, Communication, & Reporting
18. Leverages Information and Technology
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance
Application Design, Tools, and Data 由Cloud service provider提供的是什麼服務?
IaaS(基礎設施即服務)
PaaS (平台即服務)
SaaS(軟體即服務)
SaaS。
I和P都是由組織管理
Environment Runtime(up time)由組織提供的是什麼服務?
IaaS(基礎設施即服務)
PaaS (平台即服務)
SaaS(軟體即服務)
IaaS(基礎設施即服務)
P和S都是由第三方提供Cloud service provider
Virtual Management由組織提供的是什麼服務?
IaaS(基礎設施即服務)
PaaS (平台即服務)
SaaS(軟體即服務)
IaaS(基礎設施即服務)
P和S都是由第三方提供Cloud service provider
Firewalls & Cybersecurity由組織提供的是什麼服務?
IaaS(基礎設施即服務)
PaaS (平台即服務)
SaaS(軟體即服務)
IaaS(基礎設施即服務)
P和S都是由第三方提供Cloud service provider
Operating Systems由組織提供的是什麼服務?
IaaS(基礎設施即服務)
PaaS (平台即服務)
SaaS(軟體即服務)
IaaS(基礎設施即服務)
P和S都是由第三方提供Cloud service provider
divide one connection into multiple connections.
a piece of hardware that connect devices and networks by relaying a signal or splitting that signal into multiple paths.
switch
選擇題的一個選項:将一个连接分成多个连接。
通过中继信号或将信号分成多路来连接设备和网络的硬件。
a device that directs traffic in a network to take the most efficient path, assign IP addresses
router
見到trafic就選router(road)
想像一個公司有好幾棟辦公樓,且每棟樓內有自己的內部電話分機系統(類似各部門的 LAN)。
如果樓內的員工要互相打電話(例如部門內部的溝通),可以直接用分機聯絡(LAN 內部溝通)。
但是,如果一棟樓內的員工要聯絡另一棟樓的員工(跨 LAN 通訊),需要透過「總機(類似 Router)」來接通這些跨樓層的電話。
這樣,「總機」就像路由器一樣,負責根據目的地(目標分機號碼),將電話(資料包)轉接到正確的辦公樓(LAN)。
a hardware or a software solution that protects an organization’s network by filtering the data and analyzing it for potential threats
firewall
Which network devices assign IP addresses?
firewalls
注意:這是當選項中沒有router時可以選擇的。
路由器:負責管理內部網路設備的 IP 地址,並通過 DHCP 分配 IP。
防火牆(帶有 NAT 功能):負責將內部 IP 地址轉換為公共 IP 地址,以進行內外網路間的安全通信。
Devices that have a primary function of enabling other machines in a network to share an IP address so that identities may be hidden are referred to as:
Network address translation firewalls.
網路位址轉換防火牆可讓專用網路上的機器共用單一公用位址,以遮掩其真正的私人位址。
A piece of hardware that connects devices within a network by reading and converting protocols so that traffic can be transmitted across those devices
intermediary among different networks
Gateway
machines or software that provide services or share data with other machines on a network, known as clients.
coordinate programs, data, and other computers so that the network can operate.
Servers
提供服務或與網路中其他機器 (稱為用戶端) 共用資料的機器或軟體。
OSI模型(开放系统互联模型)将网络通信分为七个层次,从物理层到应用层,每一层负责不同的网络功能。
Layer1
物理层 (Layer 1):
功能:负责网络设备之间的物理连接,包括电缆、网线、光纤等。它处理比特流的传输和接收。
示例:网络适配器、集线器(hub)、网线、光纤、无线信号。
假設我們使用快遞服務將一份禮物寄給朋友,這個過程可以對應到 OSI 模型的每一層:
快遞運輸的物理過程(用什麼交通工具) → 物理層
包裹的完整性檢查 → 數據鏈路層
選擇最佳路線 → 網路層
包裹拆分與重組 → 傳輸層
安排交付會話 → 會話層
包裝與加密 → 表示層
打開包裹 → 應用層
OSI模型(开放系统互联模型)将网络通信分为七个层次,从物理层到应用层,每一层负责不同的网络功能。
responsible for formatting data packets for transmission across specific hardware within a network so that they reach the correct device
数据链路层 (Layer 2):
功能:负责将数据封装为帧,并处理错误检测和纠正。它确保数据在局域网(LAN)内部的可靠传输。
示例:交换机(switch)、桥接器(bridge)、MAC地址。
假設我們使用快遞服務將一份禮物寄給朋友,這個過程可以對應到 OSI 模型的每一層:
快遞運輸的物理過程(用什麼交通工具) → 物理層
包裹的完整性檢查 → 數據鏈路層
選擇最佳路線 → 網路層
包裹拆分與重組 → 傳輸層
安排交付會話 → 會話層
包裝與加密 → 表示層
打開包裹 → 應用層
OSI模型(开放系统互联模型)将网络通信分为七个层次,从物理层到应用层,每一层负责不同的网络功能。
Layer3
网络层 (Layer 3):
功能:负责数据包的路由和转发。它处理逻辑地址(如IP地址)的分配,并决定数据包的传输路径。
示例:路由器(router)、IP地址、ICMP协议。
假設我們使用快遞服務將一份禮物寄給朋友,這個過程可以對應到 OSI 模型的每一層:
快遞運輸的物理過程(用什麼交通工具) → 物理層
包裹的完整性檢查 → 數據鏈路層
選擇最佳路線 → 網路層
包裹拆分與重組 → 傳輸層
安排交付會話 → 會話層
包裝與加密 → 表示層
打開包裹 → 應用層
OSI模型(开放系统互联模型)将网络通信分为七个层次,从物理层到应用层,每一层负责不同的网络功能。
Layer4
传输层 (Layer 4):
功能:提供端到端的通信服务,包括流量控制、数据完整性和错误恢复。它确保数据从源主机到达目标主机。
示例:传输控制协议(TCP)、用户数据报协议(UDP)。
假設我們使用快遞服務將一份禮物寄給朋友,這個過程可以對應到 OSI 模型的每一層:
快遞運輸的物理過程(用什麼交通工具) → 物理層
包裹的完整性檢查 → 數據鏈路層
選擇最佳路線 → 網路層
包裹拆分與重組 → 傳輸層
安排交付會話 → 會話層
包裝與加密 → 表示層
打開包裹 → 應用層
OSI模型(开放系统互联模型)将网络通信分为七个层次,从物理层到应用层,每一层负责不同的网络功能。
Layer5
会话层 (Layer 5 session layer):
功能:负责建立、管理和终止会话或连接。它允许不同应用程序之间的通信会话。
示例:会话管理协议(如NetBIOS、RPC)。
假設我們使用快遞服務將一份禮物寄給朋友,這個過程可以對應到 OSI 模型的每一層:
快遞運輸的物理過程(用什麼交通工具) → 物理層
包裹的完整性檢查 → 數據鏈路層
選擇最佳路線 → 網路層
包裹拆分與重組 → 傳輸層
安排交付會話 → 會話層
包裝與加密 → 表示層
打開包裹 → 應用層
OSI模型(开放系统互联模型)将网络通信分为七个层次,从物理层到应用层,每一层负责不同的网络功能。
Layer6
表示层 (Layer 6):
功能:处理数据的表示和格式化,包括数据加密和解密、数据压缩等。它确保应用层数据的格式可以被接收端理解。
示例:加密协议(如SSL/TLS)、数据转换(如JPEG、MPEG)。
假設我們使用快遞服務將一份禮物寄給朋友,這個過程可以對應到 OSI 模型的每一層:
快遞運輸的物理過程(用什麼交通工具) → 物理層
包裹的完整性檢查 → 數據鏈路層
選擇最佳路線 → 網路層
包裹拆分與重組 → 傳輸層
安排交付會話 → 會話層
包裝與加密 → 表示層
打開包裹 → 應用層
OSI模型(开放系统互联模型)将网络通信分为七个层次,从物理层到应用层,每一层负责不同的网络功能。
Layer7
应用层 (Layer 7):
功能:直接与用户应用程序交互,提供网络服务和应用程序接口。它定义了应用程序之间的通信协议和数据格式。
示例:HTTP、FTP、SMTP、DNS。
假設我們使用快遞服務將一份禮物寄給朋友,這個過程可以對應到 OSI 模型的每一層:
快遞運輸的物理過程(用什麼交通工具) → 物理層
包裹的完整性檢查 → 數據鏈路層
選擇最佳路線 → 網路層
包裹拆分與重組 → 傳輸層
安排交付會話 → 會話層
包裝與加密 → 表示層
打開包裹 → 應用層
Waterfall method as a way to:
A. Increase productivity so that engineers will be engaged at every point in the process. B. Focus on testing and change review. C. Shorten the time it takes to collect customer input to enhance design features in the new software. D. Realize the benefits of the new system at each stage of completion.
【B】
Waterfall method的特點簡短總結如下:
- 線性工作流程:各階段依次進行,前一階段完成後才開始下一階段。
- 有明確的階段:包括設計、測試、部署、變更審查、和維護。
- 變更困難:在後期階段不易進行變更。
- 沒有客戶參與:開發過程中不涉及持續的客戶反饋。
- 效益延遲:系統的效益在項目全部完成後才會實現。
解釋
deployment
Deployment 部署是將系統供預期使用者和其他程式使用的過程。部署並不涉及設定系統參數以滿足公司的需求。此階段是在配置完成並全面測試之後。
Setting system parameters to meet a company’s needs during an enterprise resource planning system implementation is known as:
Configuration配置是修改預設系統參數以滿足公司需求的過程。配置應根據實施路線圖和已核准的系統變更執行。
Simplified Question:
A CPA is working with an IT administrator to ensure the company can quickly recover from a system incident. The IT administrator’s focus on rapid recovery best describes which concept?
Options:
A. Business resiliency
B. Crisis management
C. Incident response
D. Availability controls
A. Business Resiliency:
- 範圍: 涵蓋整個業務運營的連續性,不僅限於單一事件。業務彈性關注企業在面對各種威脅或中斷(例如系統故障、災難或其他業務中斷)時,如何持續運營並快速恢復到正常狀態。
- 目標: 建立強大的系統和流程,確保即使發生災難,企業的核心運營也能快速恢復,並且這種恢復能力是持續的。
- 重點: 整體業務持續性和恢復能力,包括對各種威脅的識別和應對計劃的建立。
C. Incident Response:
- 範圍: 更具針對性,專注於對具體事件的應對和恢復。事件響應的目的是在事件發生後採取具體措施來遏制、解決問題,並使系統恢復正常運行。
- 目標: 在特定的安全事件(例如網絡攻擊、停電或自然災害)發生後,快速應對並最小化損害。
- 重點: 具體事件的應對流程,確保系統或業務的恢復,而不是整體業務的連續性。
A business impact analysis (BIA) generally have the following steps:
1) establish the BIA approach,
2) identify critical resources,
3) define disruption impacts,
4) ,
5) ,
6) create the BIA report, and
7) implement BIA recommendations.
4) estimate losses,
5) establish recovery priorities: determining the optimal maximum tolerable downtime (MTD) and the mean time to repair (MTTR)
以下描述是什麼數據庫的特點?
summarize information about the data in a database to make it easier to work with the data and understand how it can be used
data dictionary/metadata
數據的總結和解釋功能更適合用來描述「數據字典」或「元數據」(metadata),這些元數據能幫助我們理解數據的使用方式
以下描述是什麼數據庫的特點?
assist with the goal that all data required for a business process is included within the data set.
relational database
關聯式資料庫通過「標準化」(normalization)的方式來確保所有與業務流程相關的數據都包含在資料集中。
The four benefits of relational databases include
1.completeness,
2.no redundancy,
3.business rules enforcement,業務規則的執行,
4.communication and integration of business processes.業務流程的溝通與整合。
Which of the following statements about a data warehouse is correct?
A. It provides data to operational databases. B. It is created from a data mart for a special purpose. C. It is contained within an operational database. D. It must be continuously updated to remain relevant.
正確答案是選項 D。數據倉庫是非常大的集中式數據存儲庫,主要用於報告和分析,而不是用於交易。由於數據倉庫通常是用於數據報告和分析的來源,因此需要持續更新以保持其相關性。這是因為數據倉庫中存儲的數據需要反映最新的業務活動和情況,才能提供有用的分析和報告。
其他選項的錯誤解釋如下:
選項 A 錯誤:運營數據庫(operational database)是為數據倉庫提供數據的,而不是數據倉庫向運營數據庫提供數據。數據倉庫接收來自運營系統或數據存儲的數據,並集中存儲以供分析和報告使用。
選項 B 錯誤:數據集市(data mart)是數據倉庫的一個子集,用於特定業務需求或特定部門的分析,因此數據倉庫不是從數據集市中創建的,恰恰相反,數據集市是從數據倉庫中創建出來的。
選項 C 錯誤:數據倉庫並不是包含在運營數據庫中,實際上數據倉庫是從多個運營數據庫中提取和存儲數據的集中存儲庫。運營數據庫是支持日常業務操作的,而數據倉庫則是用於更長期的數據分析和報告
SQL中指令
【WHERE】是什麼意思?
【SELECT】是什麼意思?
【WHERE】是根據條件選擇
【SELECT】是find
以下是關於什麼數據收集方式的描述
When data already exists, the data must be pulled from its original source, adjusted into useful information, and transferred into the tool needed for analysis.
ETL(Extract, Transform, and Load)提取、轉換和加載
當數據已經存在(無論是內部還是外部),需要將其從原始來源提取出來,轉換成有用的信息,並加載到分析工具中。ETL 專注於收集現有數據以回答特定的數據分析問題。
————————————————————-
數據處理總共有3種方式,其餘兩種:
主動數據收集(Active Data Collection)
當需要從員工、客戶或用戶那裡收集新數據時,通常會通過調查或訪談等方式直接與他們進行互動,主動請求數據。
被動數據收集(Passive Data Collection)
隨著用戶和公司之間的互動變得更加緊密,公司可以通過物聯網和人工智能等技術,無需用戶直接許可,通過例如 cookies 或時間戳等手段來收集用戶行為數據。
First Normal Form (1NF)
關鍵詞
‘the key’
Key Requirement: Each table cell must contain a single value, and each record must be uniquely identified by a primary key (PK).
Example: A table where each order has one item and one customer, and each row represents a unique order.
Second Normal Form (2NF)
關鍵詞
the whole key
Key Requirement: The table must be in 1NF, and all non-key attributes must depend on the entire primary key, not just part of it.
2NF:重點是消除非鍵屬性對複合主鍵部分的依賴,確保非鍵屬性完全依賴於整個主鍵。
Example: In a table with a composite primary key (e.g., Order ID + Inventory ID), the attribute “Quantity Ordered” passes the 2NF test, as it depends on both keys. However, an attribute like “Inventory Name” does not, as it only depends on “Inventory ID.”
Third Normal Form (3NF):
關鍵詞
‘nothing but the key’
Key Requirement: The table must be in 2NF, and no non-key attributes should depend on another non-key attribute (i.e., no transitive dependencies).
3NF:重點是消除傳遞依賴,即非鍵屬性不能依賴於其他非鍵屬性,它們必須直接依賴於主鍵。
Example: Department(系別)依賴於 StudentName(學生名字),而 StudentName 本身依賴於 StudentID。這就產生了傳遞依賴,即 Department 並不是直接依賴於主鍵 StudentID,而是通過 StudentName 來依賴主鍵,這違反了3NF。
which security assessment engagement procedures?
the process of analyzing, observing, and reviewing one or moreassessment objects (job roles, security specifications, security activities, or relevantoperational activities).
examination
Testing is the process of testing assessment objects that reflect how the object performs in its current state compared to a target or expected rate.
examination 更全面,強調對所有證據的檢查和評估,並且通常涉及更高層次的管理或報告審查。
Testing 更具體和實際,強調對樣本或流程的測試,通常是檢查某一特定控制或交易的有效性。
which security assessment engagement procedures?
the process of testing assessment objects that reflect how theobject performs in its current state compared to a target or expected state.
testing
In the attack, the analyst tries to exploit the company’s network by forcing certain operations to execute out of order. This is an example of which of the following types of cyberattacks?
Race conditions
Which phase of threat modeling is best described as the identification of resources that need to be protected against threats?
A. Perform a reduction analysis. B. Identify assets. C. Identify threats. D. Analyze the impact of an attack.
[B]
phase of threat modeling
/identify assets
/identify threats: This includes identifying the threat types and characteristics, such asintent, targeting, and potential method of attack. Realistic threat scenarios should also bediscussed and used for planning
/perform reduction analysis:
involves decomposing the asset being protected from the threat
/analyze impact of an attack
/develop countermeasures(對策) and controls
/review and evaluate
evaluating different components of an IT asset within her organization and the way each component interacts with a given cybersecurity threat.
This is a phase of threat modeling known as:
a reduction analysis.
Kaizen method
It focuses more on continuous improvement through small improvements over time rather than short sprints that have a finite life.
它更著重於透過長時間的小改善來持續改進,而不是只有有限壽命的短期衝刺。
Critical path method
The critical path method is a form of project management approach that identifies the longest sequence of dependent events in a project to determine the earliest point at which a project can be completed.
關鍵路徑法是一種專案管理方法,可找出專案中依賴事件的最長順序,以決定專案最早可完成的時間點。
【最長順序,最早完成】
Owen was unable to access a directory of sensitive files at his workplace. What control potentially stopped Owen?
A. Filesystem ACL B. Networking access control list (ACL)
【A】
文件系統的訪問控制列表(ACL)是用來控制用戶對特定文件、資料夾或目錄的訪問權限的。ACL 定義了誰可以讀取、寫入或執行這些文件,這就像是給每個文件設置了不同的“鎖”,只有擁有相應“鑰匙”的人才能打開。因此,Owen 無法進入目錄很可能是因為 ACL 限制了他的權限。
形象的例子:想像一個文件櫃,每個抽屜上都有不同的鎖,只有經理有權打開所有抽屜,而普通員工只能打開某些特定的抽屜。這些鎖的配置就像文件系統的 ACL,決定誰可以訪問哪些文件。
網絡訪問控制列表(Networking ACL):是用來控制網絡上的數據流,比如防止某些IP地址訪問公司網絡。
這就像是保安員決定誰能通過公司入口,但無法控制進入公司後誰能打開文件櫃。
以下是什麼access control的方式?
nondiscretionary controls that allow administratorsto centrally manage and enforce rules consistently across an environment.
公司規模?
成長速度?
mandatory access controls
相比之下,強制性存取控制為非自由裁量的控制,可讓管理員集中管理並在整個環境中一致地執行規則。這表示存取並非基於身分,而是基於管轄整個系統的一般規則。雖然自由裁量系統可能比較容易管理,但其有限的規則集使其在自訂方面不夠靈活。
使用規模: 大型企業、政府機構,安全需求高
靈活性:低
成長速度影響:靈活性差,成長速度快的企業適應力不足
以下是什麼access control的方式?
A high-growth, mid-sized organization that previously used rule-based access controls is seeking additional flexibility to allow for analysis of theoretical privileges based on actual privileges.
Policy-based access control (PBAC)
適用規模:適合中型至大型企業,特別是快速成長的組織。
靈活性:極高。通過動態策略根據使用者身份、角色、風險等因素自動調整權限,能快速適應變化的業務需求。
成長速度影響:隨著組織擴展,PBAC 可以保持一致性和有效的授權管理,無需頻繁的手動更新,因而適合快速增長的企業。
以下是什麼access control的方式?
based on a user’s job role instead of individuallyassigning permissions.
公司規模?
成長速度?
Role-based
基於角色的存取控制根據使用者的工作角色來管理存取權限,而非個別分配權限。工作角色被分門別類,與特定的存取權限或特權等級相對應。如果使用者變更職位,則會根據該工作角色的現有規則修改存取等級。
適用規模:中型至大型,角色明確
靈活性:中等。
成長速度影響:需手動更新角色與權限,成長時效率下降
以下是什麼access control的方式?
manages access to areas, devices, or databases according to apredetermined set of rules or access permissions independent of the user’s role or positionwithin the organization.
公司規模?
成長速度?
A rule-based access control
以規則為基礎的存取控制,是根據一套既定的規則或存取權限來管理區域、裝置或資料庫的存取,而與使用者在組織中的角色或位置無關。管理員的任務是設定安全權限,以允許基於已定義標準的存取。
使用規模:小型至中型,需求穩定
靈活性:中
成長速度: 成長後規則管理變得複雜且效率降低
記憶法:U比O先,所以rUle適合中小企,rOle適合中大企
以下是什麼access control的方式?
a decentralized control that allows data owners,custodians, or creators to manage their own access to the data or object they own or created.
公司規模?
成長速度?
A discretionary access control (DAC) 自由裁量存取控制 (DAC) 是一種分散式控制,允許資料擁有者、保管人或創造者管理他們自己對所擁有或創造的資料或物件的存取。
適用規模:小型或靜態
靈活性:較低
成長速度影響:成長以後難以管理,已造成混亂
Centralized Incident Response Team和Coordinating Team的區別
集中式事件回應小組 (Centralized Incident Response Team)
描述:一個單一的事件回應小組負責整個組織內的事件管理。這個小組擁有完整的管理權限,處理所有安全事件,並負責執行解決方案。這種模式通常適合規模較小或地理上集中化的組織。
例子:假設一家公司只有一個辦公室,所有的IT系統都集中在總部。這家公司的集中式事件回應小組負責監控、偵測和回應所有的網絡安全事件。無論事件發生在哪個部門,這個小組都會直接處理。
—————————————————————
協調式小組 (Coordinating Team)
描述:協調式小組負責協調其他事件回應小組,但不擁有直接管理權限。協調小組的作用是確保不同的回應小組之間的溝通和合作,幫助其他小組協調解決問題,但不會親自執行事件處理。這種模式適合規模較大且分布在不同地理位置的組織。
例子:如果一家公司有多個分支機構,每個分支機構都有自己的事件回應小組,協調式小組會負責在各個小組之間進行溝通和協作,確保信息傳遞順暢,但具體的事件處理由分支機構的事件回應小組負責執行。
The phase in an incident response plan (IRP) where a threat is removed and systems, files, and other IT assets are restored is known as?
eradication
generally include the following seven steps: preparation, detection, containment, eradication, reporting, recovery, and learning
The recovery step is the phase in which an organization returns to a normal, functional state of operations after an interruption. This step occurs after eradication and reporting.
The phase in an incident response plan (IRP) where an organization returns to a normal, functional state of operations after an interruption is known as
recovery
Eradication, which is the fourth step, occurs after any deviation from normal operations has been identified and classified. The eradication phase is when a threat is extracted, and systems, files, and other IT assets are restored.
hypothetical cybersecurity incident是什麼?
通常採取什麼回應?
假設性網絡安全事件
採取tabletop exercise
When a service auditor performs an engagement on controls at a service organization, the service auditor is
1. 需要對誰獨立?
2. 如果不獨立會怎樣?
- subservice organization
- 如果具有獨立性可以採取inclusive method,否則要採取carve-out method
哪些項目可以在disclaim意見報告中省略?
參考的標準:報告仍需提到服務審計師所依據的專業標準(如 SSAE)。
修改原因:需要清楚描述導致意見被拒的原因。
範圍限制描述:必須說明哪些證據不足,導致無法形成意見。
應省略的資訊:
證據的充分性與適當性:因為拒絕表示意見的核心原因就是證據不足,因此不能聲明「取得了足夠且適當的證據」。
檢查性聲明:無法完整進行檢查時,不能聲明其檢查符合 SSAE 的所有要求。
意見聲明相關敘述:不應對內部控制的設計或運行效果提供任何保證。
以下內容應該省略
An answer on what is required by the professional standards of the service auditor,
a statement that sufficient and appropriate evidence was obtained,
and a statement describing the nature of an examination engagement
who should be responsible for implementing complementary user entity controls?
User entities
想象你(使用者实体验证 / User Entity)租了一间公寓(服务组织 / Service Organization),这间公寓有一些内建的安全措施,比如门锁和监控系统(服务组织的控制 / Service Organization Controls)。不过,房东告诉你,为了保证房子的安全,除了这些内建的安全措施之外,你还需要自己安装一个防盗警报器(补充的使用者实体控制 / Complementary User Entity Controls (CUECs)),这样才能更好地保护你的财产。
大於,小於或等於?
1. data mart VS data warehouse
2. data warehouse VS operational database
A data mart is a 「subset 」of a data warehouse
A data warehouse can be considered the 「downstream 」repository of operational databases.
注意⚠️
只是比較大概的大小,而不是表示從屬關係
operational databases>data warehouse> data mart
只有一個location,mirror和replication應該選哪個?
mirroring
鏡像(mirroring):在同一個地點內,將資料庫複製到另一台機器上,以提供冗餘保護。如果主系統失效,備用系統可以立即接管。因此,鏡像主要是針對單一位置的資料冗餘。
複製(replication):則涉及將數據傳輸到不同地點的資料庫上,這意味著必須有一個次要的地點來承載複製的資料庫。由於題目明確指出 Sunriss Corp. 只有一個地點,複製的選項就不可行。
Which Center for Internet Security (CIS) Control principle was designed to have all recommendations be practical?
A. Measurable D. Feasible
選擇 “D “是正確的。可行是 CIS 控制的原則,所有建議都應該是實際可行的。
選擇「A」錯誤。可衡量是 CIS 控制原則,控制應該簡單且可衡量,避免含糊不清的語言。
Which of the following is not a risk it should consider when using cloud service providers (CSPs)
A. Whether other pharma companies use the same CSP.
B. Whether other pharma companies are adopting CSPs.
C. How easy it is to switch CSPs.
D. The physical location of Brown Co. relative to the CSP.
選項 D:「公司與 CSP 的物理位置」:
解釋:這個選項不應被視為風險,因為現代雲計算依賴於高效的網絡連接,而不受物理距離的限制。無論 Brown Co. 和 CSP 的物理位置相距多遠,雲服務的性能不會受到顯著影響。這正是雲計算被大多數企業認為可行的原因。由於現代互聯網的速度和虛擬機運行效率足夠高,物理位置在選擇 CSP 時並不是關鍵風險因素,因此選項 D 是正確答案。
選項 A:「其他製藥公司是否使用同一個 CSP」:
解釋:這應該被考慮為風險,因為若與競爭對手共用相同的 CSP,可能會引發敏感數據泄漏或競爭信息曝光的風險。共用基礎設施可能導致潛在的安全問題。
選項 B:「其他製藥公司是否在採用 CSP」:
解釋:這也是一個需要考慮的風險。如果競爭對手通過採用 CSP 獲得了競爭優勢,Brown Co. 可能也需要考慮採用類似的雲服務,以免在市場中失去競爭力。
選項 C:「切換 CSP 的難易度」:
解釋:這也是一個實際的風險。當公司依賴於某個 CSP 時,未來若需切換到其他服務商,可能會因為技術、契約或成本的原因變得困難,這就是所謂的「供應商鎖定」問題。因此,考慮切換 CSP 的可行性是非常重要的。
A system that transforms economic events into journal entries and disseminates information that supports daily operations is
A transaction processing system
交易處理系統 (TPS) 是自動化資訊系統的三個主要子系統之一。TPS 根據各交易週期中發生的經濟事件建立交易或日誌分錄。
a subsystem of an AIS that helps managers make daily operational decisions by supplying them with internal financial data like cost-volume-profit analysis and variance analysis
A management reporting system (MRS)
AIS 的子系統,透過提供內部財務資料(如成本-價值-利潤分析和差異分析)協助管理人員制定日常營運決策
a subsystem of an AIS which gathers daily data from the TPS as well as other sources so that financial reporting and regulatory compliance needs can be met.
A financial reporting system (FRS)
AIS 的子系統,可從 TPS 及其他來源收集每日資料,以滿足財務報告與法規遵循的需求。
Within the data life cycle,
what is generally considered the first step of the life cycle defining what data a business needs and where to capture or retrieve such data?
Definition
定義是資料生命週期的第一步。它定義了企業需要哪些資料,以及在何處擷取或檢索這些資料。這有助於提高所選資料與組織的資料收集目標相關的可能性。
Within the data life cycle,
a step in the data life cycle where the prepared data may be shared with external users, such as sending monthly statements to clients, publishing financial statements, and sending quotes to customers.
Publication
發佈是資料生命週期中的一個步驟,在這個步驟中,準備好的資料可能會與外部使用者分享,例如傳送月結單給客 戶、發佈財務報表,以及傳送報價給客戶。
Within the data life cycle,
a step that bridges preparation with usage. This involves the creation of calculated fields to prepare the data for quicker usage and analysis.
Synthesis
合成是連接準備與使用的步驟。這包括建立計算欄位,以準備資料供快速使用和分析。
從多個數據點中推導出新的結論。
通過計算或分析生成新的資料(例如衍生變數)。
重點在於創造新的資訊,而不是單純的複製、提取或可視化。
Within the data life cycle,
the step in the data life cycle where the data is determined to be complete, clean, current, encrypted, and user-friendly. This step is done after definition and capture/creation.
Preparation
準備是資料生命週期中的一個步驟,在此步驟中,資料被確定為完整、乾淨、最新、已加密且對使用者友善。此步驟會在定義與擷取/建立之後完成。
Six principles for a government system
describes how governance systems should create value for the company’s stakeholders by balancing benefits, risks, and resources. This should be accomplished through a well-designed governance system with an actionable strategy.
- provide stakeholder value
Six principles for a government system
A governance system should integrate various components to form a comprehensive, unified model for the organization.
2.Holistic Approach:
整體方法:管理系統應該整合各個組成部分,形成一個全面、統一的組織模式。
Six principles for a government system
describes the consideration of impact on all others when a change in one governance system occurs so the system continues to meet the demands of the organization.
3.dynamic governance system
動態治理系統:治理應具有適應性,考慮變化對系統所有部分的影響,以確保其保持相關性和有效性。
Six principles for a government system
Governance and management must be clearly differentiated, as they serve distinct roles and functions.
- Governance Distinct From Management
治理有別於管理:管治與管理必須清楚區分,因為兩者的角色和功能截然不同。
Six principles for a government system
explains that governance models should be customized to the needs of each company.
- tailored to enterprise needs
根據企業需求量身打造:治理模式應該是客製化的,以符合企業的獨特需求和優先順序。
Six principles for a government system
explains that all processes within the organization involving information and technology should be factored into a governance system.
- end-to-end governance system
端對端治理系統:系統應涵蓋組織內的所有程序,而不僅僅是 IT,以提供完整的、整個組織的治理方法。
the system relevant to the SOC 2® engagement would include:多選
the software application,
the internal employees,
the subcontractors,
the clients
The system definition would include the software application, the internal employees, and the subcontractors.
A service commitment OR A system requirement
a specification about how the system should function to meet the service organization’s service commitment to privacy and confidentiality
A system requirement
系統需求是關於系統應如何運作以符合服務組織對隱私權和機密性的服務承諾的規格。使用者存取敏感員工資訊的控制措施就是系統需求。
A service commitment OR A system requirement
a declaration made by service organization management to user entities and others about the system used to provide the service.
A service commitment
服務承諾是服務組織管理階層向使用者實體及其他方就用來提供服務的系統所做的聲明。服務承諾可以書面個別化協議、標準化合約、服務等級協議或公開聲明(例如,在安全實務聲明中)來傳達。
WHO is responsible for identifying the nature, extent, and timing of system incidents in the service organization’s system description.
management
以下是針對什麼風險採取的行動?
Management would develop alternative courses of action for risk response, evaluate alternative courses of action, consider appropriate actions consistent with risk tolerance, and implement risk responses based on selected courses of action.
這一選項描述的是「回應風險」(respond to risk)的步驟,其中包括制定替代行動方案、評估這些方案、考慮風險容忍度並實施選擇的風險回應
關鍵詞:alternative,action
以下是針對什麼風險採取的行動?
Management would determine the ongoing effectiveness of risk responses, identify risk-impacting changes to systems and environments, and verify that planned responses are implemented.
monitor risk
階段: 監控風險是在風險應對措施實施後的持續監控階段。
目標: 監控風險的目的是隨時間變化持續跟蹤風險情況,檢查風險應對措施的效果,並確保風險管理措施能夠適應變化的風險環境。
關鍵詞:
持續監控(Ongoing monitoring)
風險變化(Risk-impacting changes)
應對措施的有效性(Effectiveness of risk responses)
確保應對措施執行(Verify implementation)
以下是針對什麼風險採取的行動?
Management would identify threats, vulnerabilities, potential harm to the organization, and the corresponding likelihood that harm would occur.
「評估風險」(assess risk)
階段: 風險評估是風險管理的早期階段,專注於識別和評估風險。
目標: 這一階段的目的是識別公司內外部的漏洞和潛在威脅,並衡量這些風險的影響和可能性。它為後續的風險應對策略提供依據。
關鍵詞:
識別漏洞(Identify vulnerabilities)
評估風險(Evaluate risks)
內外部風險(Internal and external risks)
以下是針對什麼風險採取的行動?
Management would define the environment in which risk-based decisions are made to help form an appropriate strategy.
這一選項描述的是「風險框架」(risk framework)部分,其主要工作是定義風險決策的環境,幫助形成適當的風險管理策略
關鍵詞: strategy
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization demonstrates a commitment to integrity and ethical values.
Control Environment(控制環境)
Principle 1: The organization demonstrates a commitment to integrity and ethical values.
(組織展現對誠信與倫理價值的承諾)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Control Environment(控制環境)
Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
(董事會展現對管理層的獨立性,並對內部控制的發展和執行進行監督)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities.
Control Environment(控制環境)
Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities.
(管理層在董事會的監督下建立結構、報告線路以及適當的權限和責任
事例可能會出現的關鍵詞:realign responsibilities重新調整責任
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization demonstrates a commitment to attract, develop, and retain competent individuals.
Control Environment(控制環境)
Principle 4: The organization demonstrates a commitment to attract, develop, and retain competent individuals.
(組織展現吸引、發展和留住能勝任個體的承諾)
事例:公司董事會的審計委員會負責審查關鍵財務報告高層管理的角色和責任。為此,審計委員會主席每年與人力資源總監、首席審計官、法律顧問會面,審查各管理者的角色、責任和績效,重點在於使管理者的職責與公司的組織架構保持一致,並評估管理者在履行職責時的專業知識和經驗。
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization holds individuals accountable for their internal control responsibilities.
Control Environment(控制環境)
Principle 5: The organization holds individuals accountable for their internal control responsibilities.
(組織對個體的內部控制責任進行問責)
事例可能會出現的關鍵詞:relate to the core values–>幫助公司評估管理層是否實踐了公司核心價值,進一步體現了問責機制,因為員工的意見將直接影響管理層的獎勵和評價。
鼓勵員工提交改善內部控制的建議:這展示了公司希望員工在內部控制方面承擔責任,並積極參與改進過程,這符合原則5中強調的「使員工對內部控制負責」的理念。
獎勵員工的建議:提供公司獎項或現金獎勵,展示了公司通過激勵機制促進員工對內部控制的參與,這也是原則5的重點之一。
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks.
Risk Assessment(風險評估)
Principle 6: The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks.
(組織明確目標,以便識別和評估風險)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
Risk Assessment(風險評估)
Principle 7: The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
(組織識別影響其目標實現的風險,並分析這些風險以確定如何進行管理)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization considers the potential for fraud in assessing risks.
Risk Assessment(風險評估)
Principle 8: The organization considers the potential for fraud in assessing risks.
(組織在評估風險時考慮欺詐的可能性)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization identifies and assesses changes that could significantly impact the system of internal control.
Risk Assessment(風險評估)
Principle 9: The organization identifies and assesses changes that could significantly impact the system of internal control.
(組織識別和評估可能對內部控制系統產生重大影響的變化)
identify和assess都只在分析層面,所以不是control activities
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分? The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Control Activities(控制活動)
Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
(組織通過政策來部署控制活動,確立期望並將政策轉化為具體行動)
不是environment而是activity的原因,首先control activity,再者into action表示不光是理論層面
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization selects and develops general control activities over technology to support the achievement of objectives.
Control Activities(控制活動)
Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives.
(組織選擇並開發對技術的通用控制活動,以支持目標的實現)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization selects and develops control activities that contribute to the mitigation of risks.
Control Activities(控制活動)
Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks.
(組織選擇並開發有助於減少風險的控制活動)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
Information and Communication(信息與溝通)
Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
(組織獲取或生成並使用相關的高質量信息來支持內部控制的運作)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
Information and Communication(信息與溝通)
Principle 14: The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
(組織在內部溝通信息,包括內部控制的目標和責任,來支持內部控制的運作)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization communicates with external parties regarding matters affecting the functioning of internal control.
Information and Communication(信息與溝通)
Principle 15: The organization communicates with external parties regarding matters affecting the functioning of internal control.
(組織與外部各方溝通有關內部控制運作的事項)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
Monitoring Activities(監控活動)
Principle 16: The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
(組織選擇、開發並執行持續或單獨的評估,以確保內部控制的組成部分存在並正常運作)
以下屬於COSO內部控制框架(Internal Control – Integrated Framework)的哪個部分?
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action.
Monitoring Activities(監控活動)
inciple 17: The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action.
(組織及時評估並傳達內部控制的缺陷給負責採取糾正措施的相關方)
hybrid management issues通常指什麼?
various cloud-based solutions
混合管理問題通常發生在公司同時使用多種基於雲端的解決方案和部分內部IT基礎設施時,這會使得整合和監控不同環境變得困難,從而增加檢測網絡攻擊的難度。
A threat actor leveraged a target firm’s smart refrigerator as an entry point for access into their connected network. What relevant cyber threat did the threat actor employ?
Escalated cyberattacks
or
Device spoofing
Escalated cyberattacks
升級的網絡攻擊
物聯網設備可以作為攻擊的基地,用來感染更多的機器,或者作為進入連接網絡的入口。因此,升級的網絡攻擊也是物聯網相關的網絡安全風險
Which of the following is a common document found in the human resources and payroll cycle?
A. Voucher B. Receipt C. Production schedule D. Earnings statement
選項D(工資單)是正確的,因為工資單是薪酬和人力資源週期中的一個常見文件,這份文件通常隨工資發放,詳細說明員工的當期收入和扣款情況,以及累計總額。
選項A(憑單)是錯誤的,因為憑單屬於採購和支付週期,用於記錄和批准付款。
選項B(收據)是錯誤的,因為收據屬於收入週期,用來記錄銷售或收到的款項。
選項C(生產計劃表)是錯誤的,因為生產計劃表屬於生產週期,與生產運營和資源安排有關。
Which of the GDPR principles to follow when processing data is best defined as what is relevant, adequate, and limited to what is necessary for the applicable purpose?
Data minimization
根據 GDPR,資料最小化原則要求資料處理必須相關、充分,並限於目的所需的範圍內。其他五項原則包括目的限制、準確性、完整性和機密性、儲存限制,以及合法性、公平性和透明度。
which GDPR is the principle where data must be processed for specified, explicit, and legitimate purposes?
Purpose limitation
根據 GDPR,目的限制是一項原則,在此原則下,資料處理必須用於特定、明確且合法的目的。為了公共利益存檔、科學或歷史研究或統計目的,允許進一步處理超出目的的資料。
Firmware
Firmware is software that is locally installed on a machine such as a printer or hard drive to perform functions specific to that device.
Firmware 是嵌入在硬體設備中的特殊軟體,負責控制設備的基本操作和功能。它不像應用軟體那樣可以輕易更新或修改,而是緊密結合在硬體上,提供穩定和低層次的控制。以下是一些常見的 firmware 例子:
路由器的固件:家用或辦公室的無線路由器內部有固件,用來控制網路流量、管理連接設備以及設定無線網路安全性。當路由器運行時,它的固件負責分配IP地址、管理網路流量和加密數據。
智慧型手機的固件:手機內有一層低層次的固件,負責控制硬體如相機、觸控屏幕、無線通信(如Wi-Fi、藍牙)等。手機廠商會定期推出固件更新來修復漏洞、提高性能或添加新功能。
The NIST SP 800-53 control family that covers
How does the organization manage application and resource access?
AC–Access Control
AC–訪問控制:組織如何管理應用程序和資源的訪問?
關鍵詞:assess
The NIST SP 800-53 control family that covers
How should the company deliver training on information security risk?
AT–Awareness and Training
AT–意識和培訓:公司應如何提供有關信息安全風險的培訓?
The NIST SP 800-53 control family that covers
How does the company evaluate information security controls?
AU–Audit and Accountability
AU–審計與問責:公司如何評估信息安全控制措施?
The NIST SP 800-53 control family that covers
How does the organization collect information security telemetry and use it to hunt for threats?
CA–Assessment, Authorization, and Monitoring:
CA–評估、授權與監控:組織如何收集信息安全數據並用於尋找威脅?
The NIST SP 800-53 control family that covers
How are assets and software configured securely?
CM–Configuration Management
CM–配置管理:資產和軟件如何進行安全配置?
The NIST SP 800-53 control family that covers
How is the company prepared for downtime and outages?
CP–Contingency Planning:
CP–應急計劃:公司如何為停機和中斷做準備?
The NIST SP 800-53 control family that covers
How is identification and authentication managed?
IA–Identity and Authentication:
IA–身份識別與驗證:身份識別和驗證是如何管理的?
The NIST SP 800-53 control family that covers
How is the organization prepared for information security and events?
IR–Incident Response:
IR–事件響應:組織如何為信息安全事件做好準備?
The NIST SP 800-53 control family that covers
How does the company ensure secure maintenance of infrastructure?
MA–Maintenance
MA–維護:公司如何確保基礎設施的安全維護?
The NIST SP 800-53 control family that covers
How is information on physical media managed?
MP–Media Protection
MP–媒體保護:物理媒體上的信息如何管理?
The NIST SP 800-53 control family that covers
How does the organization manage information security planning?
PL–Planning:
PL–計劃:組織如何管理信息安全規劃?
The NIST SP 800-53 control family that covers
How are facilities secured from intrusion or harm?
Physical and Environmental Protection
PE–物理與環境保護:設施如何免受入侵或損害的保護?
The NIST SP 800-53 control family that covers
How are employees evaluated for potential compromise?
PS–Personnel Security
PS–人員安全:員工如何評估潛在的風險?
The NIST SP 800-53 control family that covers
How is personally identifiable information (PII) managed (this family is new to NIST 800-53 Rev. 5)?
PT–PII Processing and Transparency:
PT–個人識別信息處理與透明性:個人識別信息 (PII) 如何管理(這一類別是 NIST 800-53 第 5 版的新內容)?
The NIST SP 800-53 control family that covers
How is environmental risk evaluated?
RA–Risk Assessment
RA–風險評估:環境風險如何評估?
The NIST SP 800-53 control family that covers
How are systems securely evaluated and acquired?
SA–System and Services Acquisition:
SA–系統與服務採購:系統如何安全地進行評估和採購?
The NIST SP 800-53 control family that covers
How is data securely transmitted digitally?
SC–System and Communications Protection:
SC–系統與通信保護:數據如何安全地進行數字傳輸?
The NIST SP 800-53 control family that covers
How is the integrity of data in company systems maintained and evaluated?
SI–System and Information Integrity:
SI–系統與信息完整性:公司系統中的數據完整性如何維護和評估?
The NIST SP 800-53 control family that covers
How does the company secure its supply chain (new to NIST 800-53 Rev. 5)?
SR–Supply Chain Risk Management:
SR–供應鏈風險管理:公司如何保護其供應鏈(這是 NIST 800-53 第 5 版的新內容)?
哪個是對的?
- Verify that a patch has been deployed
- test it in a non-production environment.
補丁應先在非生產環境中進行測試,確認測試成功後再部署,而不是先部署再測試。
During the payment clearing process, which is likely be used about credit card transactions?
tokenization
在付款結算過程中,哪種方式可能用於信用卡交易?
swaps a part of the data with other data so that the original identifying characteristics are disguised, or masked, while maintaining a similar structure to the unmodified data set.
masking
將部分資料與其他資料交換,使原本的識別特徵被偽裝或遮蔽,同時維持與未修改資料集相似的結構。
是什麼數據處理的方法
removes production data and replaces it with a surrogate value, in which the data is transformed using mathematical algorithms
tokenization
Interpreter
Interpreter (直譯器):
生活例子:想像你去國外旅遊,不懂當地語言,於是你請了一位隨行翻譯。每當有人說一句話,翻譯立即把那句話翻譯成你能理解的語言,讓你立刻明白意思。直譯器就像這位翻譯,它逐行地解釋程式碼並立即執行。
Language processors
Language processors (語言處理器):
生活例子:這類工具可以比喻成語言學校裡的老師,他們教你如何理解和使用多種語言。老師教你如何理解不同語言的結構,這樣你可以在不同情境下靈活應用。語言處理器包括直譯器、編譯器等,它們處理不同的程式語言,幫助系統理解並運行。
A program that edits a group of source language statements for syntax errors and translates the statements into an object program is a (n)
Compiler (編譯器):
生活例子:這可以比喻成你寫了一篇文章,然後交給出版商。出版商會將你的文章從手稿轉換為印刷書,讓每個人都能讀懂並使用。編譯器會把高級程式語言的原始碼轉換成機器可以理解的指令,讓程式能夠執行。
BASIC, FORTRAN, and COBOL are all examples of
Procedural languages (程序式語言):
以比喻成食譜。想像你在家做飯,食譜告訴你一系列步驟,從準備材料到烹調過程,每一步都有明確的指示。你需要按照這些步驟來完成最終的菜餚,這正如程序式語言一樣,通過定義一系列步驟來完成特定任務。
Language processors (語言處理器) 則可以比喻成食譜翻譯員。假設食譜是用一個你不懂的語言寫的,你需要一位翻譯員來將這些指令轉換成你能理解的語言,這樣你才能做出菜餚。語言處理器就是這位翻譯員,它把程序式語言的“食譜”轉換成電腦能理解的機器碼。
以下是什麼的步驟
Acquisition, storage, inventory control and distribution
棚卸資産管理のプロセス
以下是什麼的步驟
Marketing, sales, customer service and data analytics.
顧客関係管理(customer relationship management; CRM)のプロセスを表している。
以下是什麼的步驟
Procurement, manufacturing, warehouse and distribution.
サプライ・チェーン・マネジメント(supply chain management; SCM)
具体的には原材料の仕入(procurement)、製造(manufacturing)、倉庫(warehouse)、流通(distribution)の各プロセスを一つの流れとしてとらえ、最適な製造・在庫・流通を決定する手法をいう。
以下是什麼的步驟
Procurement, sales, inventory control and financial reporting.
これは財務(finance)のプロセスを表している
business impact analysis; BIA
disaster recovery planning; DRP
哪個更把焦點放在ITsystem?
DRP
DRP比BIA幾個字母更接近IT的T
In a SOC 2® engagement, which of the following factors would result in management’s determination that a vendor is not considered a subservice organization?
B. The vendor is a subsidiary of the service organization. C. The controls at the subservice organization are not necessary to provide reasonable assurance that service commitments and system requirements are met.
【C】
選項C是正確的,因為若供應商的控制措施並不必要,則該供應商不會被認為是子服務組織。
選項B(供應商是服務組織的子公司)不正確。子服務組織可以是相關實體,例如服務組織的母公司或子公司,並不排除其作為子服務組織的可能性。
need to know
least privilege
which is perform and which is access?
Need-to-know focuses on the data that is needed to perform the job,
least privilege focuses on the access needed to perform the job.
記法:
privilege像vilege,用來assess訪問的
A cloud service provider’s vision is to provide reliable and consistent network connectivity for all customers. Part of its corporate strategy for achieving that is heavily reliant on all of the following except:
A. Utilizing a community cloud deployment model. D. Having all IT personnel on the company payroll.
選項A:利用社區雲部署模型(Utilizing a community cloud deployment model)
解釋:社區雲是一種由多個組織共同使用的雲環境,這些組織通常具有相似的需求和目標。對於CSP來說,使用社區雲可能會降低對基礎設施的控制,因為資源是與其他組織共享的。這可能導致在可靠性和一致性方面的挑戰,因此不利於CSP實現其願景。因此,這不是CSP策略中依賴的方法。
選項D:所有IT人員都在公司薪資內(Having all IT personnel on the company payroll)
解釋:擁有內部IT人員意味著CSP能夠更快地響應和解決技術問題,並進行持續的維護和優化工作。內部團隊對公司系統和需求有更深入的理解,有助於提升服務質量和穩定性,符合其提供一致連接的目標。因此,這也是CSP策略中依賴的重要方法。
使用過時的OS導致override,會影響系統的
1. availability
2. process integrity
2
“override” 是指繞過或覆蓋系統的標準控制或規則,通常是指用戶能夠在不經過適當授權或控制程序的情況下更改數據或操作系統功能。
這通常會導致安全性或合規性問題,因為它削弱了內部控制,讓系統容易受到未經授權的更改或潛在的惡意行為的影響。
The company’s director of internal audit reports functionally to WHO
and administratively to WHO
audit committee
CFO
公司的內部稽核主管在職能上向稽核委員會報告,在行政上則向財務長報告。
System interface diagram
Data flow diagram
最大的區別是什麼
System interface diagram涉及物理層面上的連接和交互。physical connections exist
屬於preventive/detective/corrective control的哪一個?
The processing log recorded in the accounting system is regularly reviewed to confirm that data has been processed correctly.
detective
關鍵詞: audit log
detective control:在錯誤、不規則或違規事件發生後,可辨識錯誤、不規則或違規事件的措施,以便及時偵測。
屬於preventive/detective/corrective control的哪一個?
Discretionary access controls and software hardening
preventive
屬於preventive/detective/corrective control的哪一個?
系統設定單元格必須輸入少於100的數字,當輸入200時提示錯誤。
preventive
屬於preventive/detective/corrective control的哪一個?
Reconfigurations
corrective
屬於preventive/detective/corrective control的哪一個?
corrective
屬於preventive/detective/corrective control的哪一個?
Upgrades and patches
preventive
屬於preventive/detective/corrective control的哪一個?
updating employee training manuals
corrective
屬於preventive/detective/corrective control的哪一個?
log analysis
detective
As part of the business continuity planning, each database administrator is authorized to secure backup data, as necessary.
符合職責分離原則嗎?
不符合,管理員任意備份資料會造成資料外洩風險。正確應該是
設定負責備份的人員,並在執行備份時取得適當的授權。
資料應由資料庫管理員備份。
什麼是call back?
屬於什麼控制措施
Callback的工作流程:
用戶發起請求(例如:變更密碼或執行某些敏感操作)。
系統或服務要求用戶提供聯絡信息(如手機號碼)。
系統向該聯絡信息發送確認碼或進行電話確認。
用戶在系統中輸入確認碼,以完成驗證。
Callback屬於邏輯控制(Logical Controls),因為它主要是通過技術手段來加強身份驗證和數據安全性。這種控制措施可以有效防止未經授權的訪問,降低社會工程攻擊的風險。
什麼是echo check?
屬於什麼控制措施
當資料在雙方之間傳送或接收時,接收者會將接收到的資料回傳給發送者,以檢查資料在傳輸過程中是否發生了錯誤。
是一種錯誤檢測的手段,而不是logical access cotnrols限制存取的手段。
什麼是Menu-driven program?
屬於什麼控制措施
Menu-driven program 是一種用戶介面設計,允許用戶通過選擇菜單中的選項來進行操作,而不是通過命令行或直接輸入命令。
Menu-driven program 通常被視為邏輯控制(Logical Controls)的一種,因為它利用技術手段來改善用戶交互的安全性和有效性。
什麼是Parity check?
屬於什麼控制措施
Parity check 是一種基本的錯誤檢測技術,主要用於數據傳輸和存儲系統中,以確保數據的完整性。它通過在數據塊中增加一位額外的位元(稱為奇偶位或 parity bit)來工作。這個奇偶位用來表示數據中 1 的個數的奇偶性(即,偶數或奇數)。
Parity check 屬於邏輯控制(Logical Controls)
Salami fraud
Salami fraud 是一種金融詐騙手法,該手法的核心特點是通過系統性地從大量交易中抽取極小的金額,這些金額對於個別交易者來說可能微不足道,但累積起來卻會形成相當大的數額。這種詐騙通常發生在電子交易系統、銀行、或者與資金處理相關的系統中。
關鍵詞:rounding errors
In which section of the service auditor’s SOC 1® Type 2 report would you find the statement that the examination did not extend to such complementary user entity controls and the service auditor did not evaluate the suitability of the design or operating effectiveness of complementary user entity controls?
A. This statement would be included in the service auditor's responsibility section. B. This statement would be included in the scope section. C. This statement would be included in the inherent limitations section. D. This statement would not be included in the service auditor's report.
【B】
在服務稽核人員的 SOC 1® 第 2 類報告的哪一節中,您可以找到「檢查並未延伸至此類補充使用者實體控管,且服務稽核人員未評估補充使用者實體控管的設計或運作效能的適用性」的聲明?
為伸延至…表示範圍
Replacement costs for information systems
Incident response costs
区別
Replacement costs for information systems設計軟件硬件兩方面。
事件響應費用(Incident response costs)指的是恢復丟失或被竊數據的費用,例如支付給外部 IT 專家的費用,也與硬體或軟體的替換無關。
Port Scanning Attack
Port Scanning Attack(端口掃描攻擊)是一種網路偵察技術,攻擊者透過掃描目標設備的網路端口來識別哪些端口是開啟的,進而瞭解系統上運行的服務。每個開放的端口對應一個特定的網路服務(例如,HTTP 通常使用端口 80),這使攻擊者能推測設備上運行的應用程式或操作系統。
Brute Force Attack
Brute Force Attack(暴力破解攻擊)是一種試圖透過反覆嘗試不同的密碼或密鑰組合來強行破解帳戶、加密系統或其他保護措施的攻擊方式。攻擊者會不斷嘗試各種可能的組合,直到找到正確的密碼或密鑰。
網絡攻擊Gaining access之後的步驟是什麼
偵察(Reconnaissance)
攻擊的第一步,攻擊者收集信息,了解目標系統的結構和漏洞。這可以通過社會工程學、公開資料、網路掃描等手段進行。
掃描(Scanning)
在收集到足夠的基本信息後,攻擊者會用技術手段對目標系統進行掃描,找出具體的漏洞或弱點。
取得系統訪問權限(Gaining access)
攻擊者利用已識別的漏洞,嘗試突破系統安全措施,獲得訪問權限。
提權(Escalation of privileges)
攻擊者在取得訪問後,進一步嘗試提升自己在系統中的權限,從而對系統有更多的控制權限。
維持訪問(Maintaining access)
攻擊者設置後門或其他方式,確保未來可以再次進入系統。
覆蓋蹤跡(Covering tracks)
攻擊者清除系統中的證據,防止其行為被發現。
什麼是Exploiting攻擊
Exploiting 攻擊(漏洞利用攻擊)是指攻擊者利用系統、軟件或應用程序中的漏洞或弱點,來實施未經授權的行為,例如取得訪問權限、執行惡意代碼或篡改數據。
什麼是cross site scripting attack?
The primary goal of an XSS attack is to steal sensitive data. In an XSS attack, thehacker attempts to insert an HTML script in the code of an otherwise trusted website to stealsensitive data from website users. An XSS attack is an attack against the users of the site.
neural network和logistics regression的區別
神經網絡(A) :關鍵詞input layer,output layer,hidden layer
是一種深度學習模型,具有多層結構,包括輸入層、隱藏層和輸出層。在這些層中,數據經過加權處理,最終得出預測或建議。這種結構適合處理複雜的數據模式,並且廣泛應用於推薦引擎等場景。
例子:像Netflix或YouTube的推薦系統就是基於神經網絡,根據用戶的觀看歷史、偏好等數據推薦內容。
邏輯回歸(D) 是一種線性模型,通常用於二元分類問題。例如,它可以用來預測某件事情會不會發生(如某個用戶是否會點擊某個廣告),但它並不處理多層次的數據結構,也不適合用來進行推薦。
例子:在電子商務中,邏輯回歸可以用來預測用戶是否會購買某個商品,但對於更複雜的推薦系統則不夠用。
An attacker sends data that exceeds temporary data storage capacity to overwrite adjacent memory locations.
buffer over
DOS–>
An attacker overloads network resources to prevent intended users from accessing the resources.
an essential element of the audit trail in an electronic data interchange (EDI) system?
在 EDI 系統中,審計軌跡的主要功能是確保以下幾點:
所有交易都被正確記錄。
交易過程中的錯誤(如失敗的交易)能被追踪。
支持內部和外部審計,滿足合規要求。
Packet Sniffing
Packet sniffing(封包嗅探)是一種監控和攔截網絡通信中數據封包的技術。它通常用於捕捉經過網絡的數據包,分析其中的內容,並查看網絡中傳輸的資料。這些數據包可能包含從一台設備傳送到另一台設備的各種信息,例如網站請求、電子郵件、登錄憑證等。
Recovery Time Objective=
系統每天需要 6 小時執行完整備份,備份窗口是晚上 11:00 到早上 5:00。如果一次完整的系統崩潰需要 2 小時恢復數據,企業的 RTO 是多少?
解題思路:
備份窗口(Backup Window):6小時。
恢復時間(Recovery Time):2小時。
RTO = 備份窗口 + 恢復時間 = 6 + 2 = 8 小時。
