ISC3 Flashcards

1
Q

Which of the following types of layered security mechanisms is best described as the process of enforcing separation either physically or logically?
A. Segmentation
B. Concealment
C. Masking
D. Abstraction

A

This question asks which type of layered security mechanism is best described as the process of enforcing separation, either physically or logically.

Option analysis

A. Segmentation: this is the correct answer. Segmentation enforces separation either physically through hardware or logically through software, preventing direct interaction or intrusion between different parts.

B. Concealment: concealment focuses on hiding data, not on enforcing physical or logical separation.

C. Masking: masking is a data obfuscation technique, usually used to protect sensitive information, but it is not a layered security method.

D. Abstraction: abstraction is the process of hiding certain levels of complexity, focusing on hiding specific information to avoid unnecessary exposure; it is unrelated to physical or logical separation.

Therefore, option A, segmentation, best describes the layered security mechanism of enforcing physical or logical separation.

2
Q

Under NIST SP 800-53, the approach that implements controls at the organizational level is referred to as the:
A. Audit and Accountability approach.
B. Common approach.
C. System-Specific approach.
D. Hybrid approach.

A

【B】
Common approach: organizational level
System-specific approach: information system level
Hybrid approach: controls are implemented partly at the organizational level and partly at the information system level, used where a specific organization needs it.

3
Q

The description should include information on the cybersecurity control processes and the suitability of the design and operating effectiveness of the controls.

T or F?

A

F

The description should include information on the cybersecurity control processes, but the effectiveness of the controls processes should be included in management’s assertion (not the description itself).

4
Q

Which of the GDPR principles to follow when processing data is best defined as what is relevant, adequate, and limited to what is necessary for the applicable purpose?

A. Accuracy
B. Purpose limitation
C. Data minimization
D. Integrity and confidentiality

A

This question concerns the GDPR principles to follow when processing data, and asks which principle is best defined as relevant, adequate, and limited to what is necessary for the purpose. Let's analyze:

Option A: Accuracy. Under GDPR, data must be accurate and kept up to date.
Option B: Purpose limitation. Under GDPR, data must be processed for specified, explicit and legitimate purposes. Further processing beyond that purpose is permitted for archiving in the public interest, scientific or historical research, or statistical purposes.
Option C: Data minimization. Under GDPR, the data minimization principle requires that data processing be relevant, adequate, and limited to what is necessary for the purpose.

Option D: Integrity and confidentiality. Under GDPR, data must be processed securely and protected against unauthorized or unlawful processing, accidental loss, destruction or damage.

Therefore, option C (data minimization) is correct because it best defines "relevant, adequate, and limited to what is necessary for the purpose".

5
Q

General controls in an information system include each of the following, except:
A. Software acquisition.
B. Logic tests.
C. Information technology infrastructure.
D. Security management.

A

Choice "B" is correct. General controls ensure that the organization's control environment is well managed and remains stable. Logic tests are part of application controls, which typically include data input checks, processing checks, and output checks.

Choice "A" is incorrect. Software acquisition, as well as development, operation, and maintenance controls, are all general controls.

Choice "C" is incorrect. IT infrastructure is certainly a key component of general controls.

Choice "D" is incorrect. Security management controls fall within the scope of general controls.

6
Q

In all SOC engagements, risk assessment primarily focuses on:
A. Inherent risk.
B. Sampling risk.
C. Detection risk.
D. IT risk.

A

【A】
In all SOC (service organization control) engagements, risk assessment focuses primarily on inherent risk. Inherent risk is the risk that exists before controls are considered; it affects the preparation of the system description and the effectiveness of the service organization's controls. Therefore, risk assessment in a SOC engagement focuses on identifying and assessing the risks that could lead to material misstatement or deviation in the absence of any controls.

Sampling risk: the risk that the sample is not representative of the population.
Detection risk: the risk that the audit fails to detect misstatements and deviations.

7
Q

When complementary user entity controls are identified, the scope section of the service auditor’s SOC 1® Type 2 report will be amended to include which of the following?

A. A statement that the engagement includes the evaluation of suitability of the design and operating effectiveness of the complementary user entity controls.
D. A statement that the service auditor did not evaluate the suitability of the design or operating effectiveness of the complementary user entity controls.

A

Correct answer
Option "D" is correct. The scope section will include a statement that the suitability of the design and operating effectiveness of the complementary user entity controls were not evaluated as part of this engagement.

Explanation
Complementary user entity controls: controls that the user entity must implement to complement the service organization's controls so that the service system is effective.
Scope statement: in a SOC 1® Type 2 report, the service auditor must state explicitly that the complementary user entity controls were not within the scope of the engagement, because these controls are typically managed and implemented by the user entity rather than controlled by the service organization.

8
Q

What is the purpose of software quarantining?
B. Monitoring and filtering traffic based on predefined rules to prevent unauthorized network access.
C. Automatically isolating actual or suspected viruses from the rest of the company’s network, either through antivirus software or manual review of system logs.

A

Option C is correct. Software quarantining involves isolating viruses to eliminate the threat from the company's network, typically done automatically by antivirus software or manually after reviewing system logs.

Option B is incorrect. It describes a firewall function, not quarantining.

9
Q

Which database schema, commonly used for dimensional modeling, is best described as one where data is organized into a central fact table with associated dimension tables surrounding it?
A. Flat model
B. Snowflake schema
C. Hierarchical model
D. Star schema

A

Star schema:
+---------+
|  Fact   |
|  Table  |
+----+----+
     |
+----+-----------+
| Dim1 (Table)   |
+----------------+
| Dim2 (Table)   |
+----------------+
| Dim3 (Table)   |
+----------------+

Snowflake schema:
+---------+
|  Fact   |
|  Table  |
+----+----+
     |
+----+-----------+
| Dim1           |
| +------------+ |
| | Dim1_Part1 | |
| +------------+ |
| | Dim1_Part2 | |
+----------------+
| Dim2           |
| +------------+ |
| | Dim2_Part1 | |
| +------------+ |
| | Dim2_Part2 | |
+----------------+
| Dim3 (Table)   |
+----------------+

In the snowflake schema diagram, dimensions are further normalized into multiple related tables (Dim1_Part1, Dim1_Part2, etc.), leading to more complex queries and potentially slower performance than the star schema. Therefore, for dimensional modeling that prioritizes simplicity and query performance, the star schema (option D) is generally preferred over the snowflake schema (option B).

10
Q

What is the purpose of obtaining written representations in a SOC engagement?
C. To confirm the responsibility of the service auditor around the subject matter and assertions related to the engagement
D. To confirm representations given to the service auditor during the engagement and reduce the possibility of a misunderstanding between the service auditor and management

A

Option D correctly states that management's written representations help confirm the representations made during the engagement and reduce the possibility of misunderstanding arising from differing interpretations. These written representations have legal and regulatory significance and help clarify management's responsibilities and the service auditor's role.

Option C is incorrect because management's written representations do not concern the auditor's belief about the materiality of uncorrected misstatements, nor are they used to confirm the service auditor's responsibility for the subject matter and assertions.

11
Q

Holistic approach (governance system)

Governance systems for IT can comprise diverse components.

A

Holistic governance system: a governance system for IT can comprise diverse components.

COBIT 2019 governance system principles:

1. Diverse components: a governance system can include diverse components to manage information and technology in an integrated way.

2. Tailored to the enterprise: the governance model should be customized to the enterprise's specific needs to ensure maximum benefit.

3. End-to-end view: the governance system should cover all processes in the organization involving information and technology, enabling comprehensive management and control.

4. Distinguishing governance from management: clearly separate the responsibilities and functions of management activities from those of the governance system, ensuring effective separation of governance and operations.

5. Enterprise value: the governance system should prioritize and be tailored through its design factors to maximize enterprise value.

6. Holistic structure: the governance system should include all processes involving information and technology for integrated management and control.

12
Q

Devices that have a primary function of enabling other machines in a network to share an IP address so that identities may be hidden are referred to as:
A. Circuit-level gateways.
B. Software-defined wide-area network (SD-WAN) devices.
C. Network address translation firewalls.
D. Application-level gateways.

A

C. Network address translation firewalls.

Explanation: a network address translation firewall allows multiple devices on a private network to share a single public address, hiding their real private addresses. The primary function of these devices is to translate internal private addresses into a single public address, so that from the outside all devices appear to access the network from the same address, enhancing network security and privacy.

A. Circuit-level gateways: this type of firewall mainly verifies the source of packets transmitted on its network.
B. Software-defined wide-area network (SD-WAN) devices: a network implemented through software optimization.
D. Application-level gateways: these devices inspect packets.

13
Q

Which category best describes an information resource that an organization can work around for several days, but eventual restoration is necessary for ongoing operations?

A. High impact (H)

B. Medium impact (M)

C. Low impact (L)

D. No impact

A

【B】
High impact: if the organization cannot operate without the information resource for even a short period of time.
Low impact: if the organization could operate without the information resource for an extended period of time.

14
Q

All of the following are considered requirements by the Payment Card Industry Data Security Standard (PCI DSS) except which of the following?
C. Applying secure configurations to all system components

D. Enhancing accessibility of stored cardholder data by utilizing shared storage drives between banks, retailers, and customers

A

Choice "D" is correct. Using shared storage drives so that multiple parties can access cardholder data is not a PCI DSS requirement. On the contrary, organizations complying with PCI DSS must protect stored cardholder data.

C: PCI DSS requires organizations to apply secure configurations to all system components.

15
Q

The IT Director at Sunriss Finance Corp. wants to reduce the unnecessary use of sensitive customer data across departments while still meeting operational needs. How can this be achieved?

Options:

A. Speeding up the data deletion process

B. Using shared folders to store confidential information

C. Implementing pseudonymization for data in transit and at rest

D. Preventing confidential information from being captured in the accounting system

A

C. Implementing pseudonymization for data in transit and at rest.
Option C is correct. Pseudonymization can be applied to data in transit and at rest, so that even when data moves internally, confidentiality controls are strengthened and the risk of sensitive information being leaked or inadvertently exposed is reduced. Pseudonymization de-identifies data by replacing non-essential identifying information with a pseudonym (for example, replacing a customer with "Customer Z" or a vendor with "Vendor 100"). This ensures that only the data points relevant to a business unit are passed on, minimizing the unnecessary spread of customer data within the company.

16
Q

As an employee at Company X, you are tasked with designing a data storage system. Company X handles a large volume of structured data, and data quality is a critical concern. Which data storage method would you recommend, and why?
A. Storing data in a relational database for data quality, integrity, and enforcing business rules.
D. Combining both flat files and relational databases for flexibility of use.

A

Choice "A" is correct. Data storage is technology dedicated to preserving information, helping authorized users carry out business activities effectively and efficiently. Common types of data storage include operational data stores (ODS), data warehouses, data marts, and data lakes. Storing data in a relational database ensures data quality, integrity, and enforcement of business rules, meeting the organization's need to handle structured data.

Choice "D" is incorrect. Combining flat files and relational databases for flexibility does not directly address the key point of using a relational database to ensure data quality, integrity, and enforcement of business rules, which are critical when the enterprise handles structured data.

17
Q

Port-scanning attack

A

A. Port-scanning attack
Description: an attacker scans a system's open ports to look for potential weaknesses.
Example: an attacker uses a tool to scan a target server's ports, finds one open, and attempts to exploit a vulnerability on that port.

18
Q

The Mitchell & Wilson law firm needs the defendant organization to provide records of command-line entries and DNS queries. Which CIS Control helps with collecting and archiving these records?

A. Control 08: Audit Log Management
B. Control 03: Data Protection
C. Control 05: Account Management
D. Control 06: Access Control Management

A

Domain name system (DNS)
Explanation of the question logic:

The question concerns the eDiscovery phase of litigation, in which the Mitchell & Wilson law firm requires the defendant organization to provide records of command-line entries and DNS queries. This requires the defendant organization to be able to produce detailed log records to meet legal investigation requirements.

Option A (Control 08: Audit Log Management) covers best practices for recording and managing system activity logs. This includes:

  • Recording system events (such as command-line entries and DNS queries): audit log management ensures the organization can record in detail the actions users take on systems, such as entering commands and querying domain names.
  • Log archiving and management: this control helps ensure log data is properly retained and managed to meet legal and compliance requirements, especially when such records must be produced during eDiscovery.

The other options are not directly related to best practices for recording and archiving logs:

  • Option B (Control 03: Data Protection) focuses on protecting data rather than logging.
  • Option C (Control 05: Account Management) focuses on managing user accounts and credentials.
  • Option D (Control 06: Access Control Management) focuses on managing user access rights.

Therefore, option A is the most relevant, because it focuses on audit log management and ensures that the requirements for collecting and archiving records can be met.

19
Q

Brute-force attack

A

Description: an attacker uses automated tools to repeatedly try password combinations to break into a user account.
Example: an attacker uses a software tool to attempt a large number of passwords against a user account until the correct password is guessed and unauthorized access is obtained.

20
Q

An expanded footprint

A

B. An expanded footprint
Description: the organization's business or network scope grows, including more devices or locations.
Example: a company that previously operated only domestically opens offices in several countries, making its network infrastructure more complex.

21
Q

Escalated cyberattacks

A

A. Escalated cyberattacks
Description: attackers carry out more destructive or sophisticated attacks against systems or networks.
Example: after experiencing several phishing attacks, a company suffers a larger-scale distributed denial-of-service (DDoS) attack that makes its website inaccessible.

22
Q

Device spoofing

A

C. Device spoofing
Description: an attacker forges a device's identity to gain unauthorized access or deceive a system.
Example: an attacker impersonates a legitimate user's smartphone to bypass the authentication system and enter a protected network.

23
Q

An organization relied heavily on e-commerce for its transactions. Evidence of the organization’s security awareness manual would be an example of which of the following types of controls?

A. Detective.
B. Preventive.
C. Compliance.
D. Corrective.

A

Choice "B" is correct. Preventive controls are controls designed to stop potential problems from occurring. An organization that relies heavily on e-commerce may need as many preventive controls as possible, because correcting errors after the fact can be difficult or even impossible.
Choice "A" is incorrect. An organization that relies heavily on e-commerce may need as many preventive controls as possible, because correcting errors after the fact can be difficult or impossible. Of course, detective controls cannot be ignored either, since it is hard to prevent every error.
Choice "C" is incorrect. "Compliance control" appears to be a made-up term.

Choice "D" is incorrect. An organization that relies heavily on e-commerce may need as many preventive controls as possible, because correcting errors after the fact can be difficult or impossible. Of course, corrective controls cannot be ignored either, because once an error is discovered it must be corrected properly.

24
Q

Each of the following represents a risk or challenge of e-commerce and Web commerce, except:

A. Maintaining privacy and confidentiality of information.
B. An inability to authenticate the identity of buyers and sellers.
C. Incompatible encryption systems resulting in faulty orders.
D. Effecting a secure exchange of money for goods and services provided.

A

【C】

25
Q

A head developer implements a security measure that hides certain pieces of code so programmers only see what’s relevant to their job. This practice is an example of which type of layered security mechanism?

A. Abstraction
B. Concealment
C. Isolation
D. Segmentation

A

Choice "A" is correct. Layered security uses a diverse set of security measures, including multiple forms of protective tools, so that a single cyberattack cannot compromise the entire system. This multi-pronged approach usually combines administrative controls with logical, technical, and physical access controls.

Using layered security also provides redundancy, so that if one protective measure fails, another still protects the same resource. A common practice for promoting redundancy and diversity is abstraction. Abstraction is the process of hiding certain levels of complexity in a task so that only the relevant information needed to perform the work is shown to the person performing it.
Choice "B" is incorrect. For concealment, the focus is on hiding data, not on removing underlying detail and complexity so that only the key information needed for a task is shown.

Choice "C" is incorrect. Isolation uses physical or logical controls to segment processes so that they run separately and do not affect one another. It does not involve removing unnecessary detail so that employees see only the information their work requires.

Choice "D" is incorrect. Segmentation is the process of enforcing separation either in hardware or logically in software. It has nothing to do with removing complexity or detail so that only the information relevant to an employee's job function is shown.

26
Q

Rulert Corp.’s IT department holds annual meetings to discuss cybersecurity trends and policies. Which COSO framework component do these meetings fall under?

A. Risk assessment
B. Control environment
C. Information and communication
D. Control activities

A

【C】
The information and communication component of the framework focuses on using consistent, relevant language and sharing it in a way that supports internal control for internal and external stakeholders. Rulert's annual meetings are a way of informing employees of the latest cybersecurity policies, which is an example of a practice within COSO's information and communication component.

27
Q

The Director of Finance wants the lead IT manager to centrally manage access based on a threat ranking for systems. Which two access control models should be used?

A. Mandatory access control; rule-based access control
B. Mandatory access control; risk-based access control
C. Discretionary access control; policy-based access control
D. Discretionary access control; role-based access control

A

This question describes Ensista Inc.'s Director of Finance wanting the IT manager to centrally manage access rights based on the threat ranking of systems. Specifically, less important systems carry a lower threat ranking, while systems that could seriously affect the business carry a higher one. Given these requirements, which two access control authorization models should she adopt?

Explanation:

Choice "B" is correct. Authorization models are used to manage logical access to systems as well as physical access to IT equipment and other company resources. Common authorization models include discretionary access control (DAC), non-discretionary access control (mandatory access control), role-based access control, rule-based access control, policy-based access control (PBAC), and risk-based access control.

Non-discretionary (mandatory) access control lets administrators centrally manage rules across the whole company. Risk-based access control applies controls according to the risk level of the asset or application being accessed. Combining the two allows the IT manager to centrally manage access rights and assign permissions based on each asset's threat ranking.

Choice "A" is incorrect. Rule-based access control could be used, but in this scenario the focus is the threat ranking of assets. Rule-based access control is broader: rules can be set according to employee type, device type, IP address, or many other factors, not just threat ranking.

Choice "C" is incorrect. Policy-based access control (PBAC) uses a combination of user roles and policies, which makes PBAC flexible, like a framework. Although a solution suited to this scenario could be derived from it, the focus of the control is really the threat ranking of assets rather than a broad policy scope.

Choice "D" is incorrect. Discretionary access control is a decentralized form of control that allows data owners or custodians within the company to grant access to the data they manage or control. The scenario describes a desire for centralized control, not decentralized.

28
Q

Which of the following is an appropriate combination of delivery methods and job roles for communicating security training and awareness to an organization?

A. Biannual on-demand simulations on labor regulation changes for software engineers
B. Annual live case studies on best practices for VPN connections for security engineers
C. Live sessions on disaster recovery protocols for all new hires
D. On-demand course on executing a phishing simulation campaign for senior management

A

Option "B" is correct. Annual live case studies are appropriate for security engineers because they provide in-depth knowledge of VPN connection best practices and allow related issues to be discussed in a live setting, increasing interaction and learning effectiveness.
A. Biannual on-demand simulations on labor regulation changes for software engineers
Explanation: the frequency and delivery method may be appropriate, but labor regulation changes are unrelated to software engineers' work and are better suited to HR or administrative departments.

C. Live sessions on disaster recovery protocols for all new hires
Explanation: disaster recovery is a topic relevant to IT security analysts or engineers; training aimed at all new hires is too broad, and live sessions may raise more questions and cost more.

D. On-demand course on executing a phishing simulation campaign for senior management
Explanation: senior management may evaluate phishing campaigns from a strategic perspective but does not need training on the specific execution details, so this course content is not suitable for them.

30
Q

Sunriss Productions wants a SOC report about Precision Business Advisors’ controls over customer personal information and protection against unauthorized access. Which trust services criteria would be most useful?

A. Processing integrity and availability

B. Privacy and security

C. Security and processing integrity

D. Availability and confidentiality

A

Choice "B" is correct. Privacy concerns the handling of personal information, and security concerns protection against unauthorized access. This matches Sunriss Productions' needs.

31
Q

Types of services provided, system functionality, and control objectives would be explained in detail within which component of a SOC report?

A. The independent service auditor's report

B. Management's controls and results of tests

C. Management's assertion

D. Management's description of the system

A

Explanation:

Choice "D" is correct. Management's description of the system includes these components and all other information necessary for report users to understand the system and data flows.

Choice "A" is incorrect. The independent service auditor's report contains the auditor's opinion on the system description and related controls, not detailed information about the types of services, system functionality, or control objectives.

Choice "B" is incorrect. The SOC report includes the service auditor's (not management's) description of tests of controls and the related results.

Choice "C" is incorrect. Management's assertion is a statement about the fairness of the description, the design of related controls, and (for Type 2) the operating effectiveness of related controls, not detailed information about the types of services, system functionality, or control objectives.

32
Q

A service organization promises 99.7% system availability during business hours and uses automated procedures to monitor system functionality. These monitoring procedures are an example of which of the following?

Options:

A. Service commitments

B. System requirements

C. Service requirements

D. System commitments

A

Explanation:

Choice "B" is correct. System requirements are specifications of how the system should operate to fulfill the service organization's commitments.

Choice "A" is incorrect. Service commitments are promises made by the service organization, not system specifications.

Choice "C" is incorrect. "Service requirements" is not a term used in SOC reports.

Choice "D" is incorrect. "System commitments" is not a term used in SOC reports.

33
Q

Oter Accounting Group is preparing a SOC 1® Type 2 report for Creataw Premium Corp. In the prior year, a SOC 1® Type 1 report was prepared. What additional section will need to be included in the current year SOC report?

Options:

A. The applicable trust services criteria

B. Management’s assertion

C. The auditor’s tests of controls and results of tests

D. Management’s description of the system

A

Explanation:

Choice "C" is correct. A Type 2 SOC report includes an additional section detailing the auditor's tests of controls and the results.

Choice "A" is incorrect. The trust services criteria are not relevant to a SOC 1® engagement.

Choice "B" is incorrect. Both Type 1 and Type 2 SOC 1® reports include a management's assertion section.

Choice "D" is incorrect. Both Type 1 and Type 2 SOC 1® reports include a management's description of the system section.

34
Q

as the service auditor in a SOC 2® Type 1 engagement. They tested controls and noted no deviations. Which should be included in the tests of controls and results section of the report?

A. No information related to the tests of controls and results should be included in the report.

B. Management’s assessment of the performance of the controls.

C. The controls that were tested, along with the number and nature of any deviations.

D. The controls that were tested and information on whether the items tested represent all or a selection of the items in a population.

A

【A】

【Management's description of the system (both):】
Describes the system's structure, design, processes, and controls.
【Management's assertion (both):】
A statement on the accuracy of the system description and the design and operating effectiveness of controls.
【Service auditor's opinion:】
Type 1: includes only an opinion on the accuracy of the system description and the suitability of control design.
Type 2: includes an opinion on the accuracy of the system description, the suitability of control design, and the operating effectiveness of controls.
【Tests of controls and results:】
Type 1: this section is not included.
Type 2: includes a detailed description of the test methods, scope, samples, and results.

35
Q

Which of the following best describes the primary purpose of risk assessment procedures performed by a service organization in a Type 2 engagement?
A. To streamline the number of controls required to meet control objectives.
B. To eradicate inherent risks associated with control objectives.
C. To provide a basis for designing and executing procedures that address risks.
D. To evaluate the types, likelihood, and impact of risks affecting the system’s description, control design suitability, and operational effectiveness.

A

Risk assessment by the service organization in a Type 2 engagement

Choice "D" is correct. In a SOC engagement, the service organization must identify and assess the types, likelihood, and impact of risks affecting the preparation of the description, the suitability of control design, and (Type 2) the operating effectiveness of the controls within the system.

36
Q

A service organization states to its customers that the payroll system used to provide services will have less than 1 percent downtime during business hours. This is an example of which of the following?

A. Service commitment
B. Trust services criteria
C. System requirement
D. System commitment

A

Choice "A" is correct. Service commitments are declarations made by the service organization's management to user entities and other parties about the system used to provide services.

Choice "B" is incorrect. The trust services criteria are a set of criteria developed to help evaluate the suitability of the design and operating effectiveness of controls relating to security, availability, processing integrity, confidentiality, and privacy.

Choice "C" is incorrect. System requirements are specifications of how the system should operate to meet the service organization's service commitments regarding system uptime.

Choice "D" is incorrect. System commitment is not a term used in SOC reports.

37
Q

Unified Auditing Solutions has hired an internal software developer to oversee the processing integrity of customer data. Which category of system components does the software developer represent?

A. Procedures
B. People
C. Confidentiality
D. Infrastructure

A

Choice "B" is correct. The categories of system components are infrastructure, software, people, data, and procedures. A software developer belongs to the people category.

Choice "A" is incorrect. The procedures component of a system comprises the automated or manual business procedures related to the services and products provided, including the activities that initiate, authorize, perform, deliver, and report on those procedures.

Choice "C" is incorrect. Confidentiality is one of the five trust services criteria, not a category of system component.

Choice "D" is incorrect. The infrastructure component of a system comprises the physical and virtual resources supporting the service organization's environment, such as buildings, servers, and monitoring equipment.

38
Q

Each of the following describes how the NIST Privacy Framework helps organizations manage privacy, except:
B. Considering privacy best practices as they design and deploy systems, products, and services that affect individuals
D. Reducing personal information gathered to the minimum necessary for critical business functions

A

【D】
Reducing the collection of personal data is indeed a step that helps protect confidentiality and personally identifiable information (PII), but it is not within the main objectives of the NIST Privacy Framework.

NIST Privacy Framework
【Purpose】Help organizations manage privacy risk
【Method】Consider privacy best practices when designing and deploying systems, products, and services that affect individuals; communicate privacy practices to the rest of the organization; and encourage cross-organizational staff collaboration related to user privacy and IT security.

39
Q

agreed service time (AST), a minimal amount of downtime (DT), and the mean time to repair (MTTR) a damaged device. This is referred to as a:

A. Crisis management plan.
B. Business impact analysis.
C. Service level agreement.
D. Business continuity plan.

A

Service level agreement (SLA):

An SLA is an agreement between a service organization and its customers that specifies performance expectations and service standards.
An SLA lists the specific terms the service organization must meet, as part of its contractual agreement, in serving the customer.
SLAs are often tied to the customer's business model or the commitments it makes to its own customers.

40
Q

After testing and debugging a new product prototype, which environment is used for the final evaluation before deployment?

Options:
A. Development
B. Testing
C. Staging
D. Production

A

Option C: Staging

Why it is correct: a staging environment closely resembles production; the organization performs final testing there to ensure the application has no problems before actual deployment. This stage comes after the testing environment and before production, making it the ideal place for final validation.

41
Q

When an adverse opinion is issued in a SOC 2® engagement, which section of the service auditor’s report should include the matter(s) giving rise to the adverse opinion?
A. The scope section
D. The adverse opinion section in a separate paragraph before the opinion paragraph

A

【D】
Content: when an adverse opinion is expressed, the specific matters giving rise to it are described in a separate paragraph before the opinion paragraph.
Memory aid: this section is the key point; it tells the reader why the auditor gave an adverse opinion, like the key diagnosis in a medical report.

A: the boundary of the engagement

42
Q

Offshore Operations
VS
Outsourcing

A

Offshore operations: outsourcing + a different country.

Outsourcing: outsourcing + same or different country.

43
Q

synthesis stage

A

Synthesis (consolidation) stage; not mandatory.

Mandatory stages:
capture/creation – preparation – (synthesis) – usage – archiving – purging

44
Q

Why should a company consider switching to cloud computing?
A. Lower upfront costs for equipment and maintenance.
B. Best way to secure sensitive corporate information.
C. Better program modification options.
D. Accessible only from within the company on its Intranet.

A

【A】

Cloud computing involves virtual servers on the internet. Upfront investment and maintenance costs are usually far lower than for specific software solutions installed in-house. Cloud computing is a cost-effective way of using, maintaining, and upgrading software.
Choice "C" is incorrect. With cloud computing, program modifications depend on the service provider, which may be less responsive and flexible than internal resources.

45
Q

System requirements may be made about one or more of the trust services categories addressed by management’s system description, and such declarations may result in specific service commitments.

What is wrong with this statement?

A

System requirements may result from the service organization’s commitments related to one or more of the trust services categories.

46
Q

An enterprise resource planning system is designed to:
A. Present executives with the information needed to make strategic plans.
D. Integrate data from all business functions across departments.

A

【D】

A: executive information system

47
Q

The trust services categories include:
A
C
P
P
S

A

Availability,
confidentiality,
privacy,
processing integrity,
and security.

48
Q

Why is it important to disclose relevant complementary user entity controls in a SOC engagement?

B. To show controls that the user entity must implement with the service organization’s controls to meet control objectives.

D. To show controls at a subservice organization needed with the service organization’s controls to meet control objectives.

A

【B】
Option B focuses on the complementary controls that the user entity (customer) must implement.
Option D focuses on the complementary controls required at a subservice organization (third-party provider) working with the primary service organization.

49
Q

Which control family under NIST SP 800-53 is best described as how the company should deliver instructional material on information security risk?
A. Awareness and training
B. Personnel security
C. Risk assessment
D. Planning

A

"material" (here: instructional content)
"materiality" (significance)

【A】

50
Q

What is system hardening?
What is it paired with?

A

System hardening
a network security method

  1. paired with 【network hardening】
    Network hardening focuses on strengthening the infrastructure connecting all devices on the enterprise network. This includes removing unused physical or virtual ports so that potential attackers cannot use them to bypass security measures.

51
Q

Trial balance

A

A trial balance including all transactions for the period can only be posted after all journal entries have been recorded. Preparing a trial balance for a period before a transaction for that period has been recorded would result in incomplete balances.

52
Q

Which method is Graham least likely to document in the security assessment report for Elige Co.?
A. Graham analyzed, observed, and reviewed IT security specifications.

B. Graham tested current password management against expected password management activities.

C. Graham had discussions with network administrators.

D. Graham reviewed documentation on a control deficiency in manual inventory observation provided by external auditors.

A

Choice D concerns a control related to manual financial reporting and is unrelated to IT security, so it is the method least likely to be documented in a security assessment report. The remaining options A, B, and C are common methods used in security assessments and are closely related to IT security.

53
Q

1. Sales and cash collection cycles

2. Treasury cycles
What is the difference?

A

Sales and cash collection cycle
Order processing: customer orders and order confirmation.
Shipping: organizing and carrying out the shipment of goods.
Invoicing: issuing invoices to customers.
Collections: receiving payments from customers.
Accounts receivable: managing customer payments not yet received.
Peame Mobile sells smartphones, tablets, and other supportive devices directly to consumers via its online marketplace and in-store retail locations.
This belongs to the first cycle: receiving money from the other party.

Treasury cycle
Cash management: monitoring and controlling cash flows.
Investment management: managing the company's investment activities.
Financing: activities to raise funds, such as loans or bond issuance.
Loan repayment: managing and repaying debt.
Loan payments for retail locations are handled in the Treasury Cycle.
This belongs to the second cycle: paying money to the other party.

54
Q

Which of the following models would the database administrator require the details of when needing to fine-tune performance issues related to a foreign key and column data type?
A. Abstract data model
B. Physical data model
C. Logical data model
D. Conceptual data model

A

Choice B is correct. A data model describes the high-level design of data structures in an information system, comprising conceptual, logical, and physical models. These models are usually created in stages, starting from the conceptual model (simplest), moving through the logical model, and ending with the physical model (most detailed). The physical data model is the most detailed representation of the data structure, where the administrator can see foreign keys and column data types.

A: abstract data model, which refers to data structures and relationships.
C: logical data model, a more detailed data structure than the conceptual model, but it does not provide foreign keys or column data types.
D: conceptual data model, more concrete than the abstract data model.

55
Q

The COSO Enterprise Risk Management for Cloud Computing publication provides guidance for organizations trying to decide whether to avoid, reduce, accept, or share risk in which of the following components?

A. Control Activities
B. Risk Assessment
C. Event Identification
D. Risk Response

A

【D】
The Control Activities component concerns how traditional controls are modified in a cloud computing environment; it does not address specific risk response strategies.

The Risk Assessment component helps management understand the risks that different cloud computing strategies may bring, but does not specifically guide how to respond to them.

The Event Identification component focuses on identifying events or risks that may affect the organization, not on how to manage them.

The Risk Response component explicitly provides guidance on how to respond to risk, including avoiding, reducing, sharing, or accepting it.

56
Q

Which of the following would be included in management’s system description when a SOC 2® report is being prepared using the carve-out method?
A. The nature of services provided, the complementary subservice organization controls, and the relevant aspects of a subservice organization system, including infrastructure, software, people, procedures, and data.
C. The nature of services provided, the types of complementary subservice organization controls, and the applicable trust services criteria that are intended to be met by the complementary subservice organization controls.

A

[C]
When the carve-out method is used, management's system description should include the nature of the services provided, the types of complementary subservice organization controls, and the applicable trust services criteria those controls are intended to meet. Complementary subservice organization controls work together with the service organization's controls to ensure that service commitments and system requirements are achieved.

A: inclusive method
Information about the subservice organization (such as infrastructure, software, people, procedures, and data) is generally included in a SOC 2® report when the inclusive method is used, not the carve-out method.

57
Q

Which of the following best describes a repository of transactional data from multiple sources and is often an interim area between a data source and data warehouse?
A. Data mart
B. Data lake
C. Operational data store (ODS)
D. Strategic data store

A

[C]
An ODS is a repository of transactional data from multiple sources and is often an interim area between a data source and a data warehouse. ODS data sets are smaller and are frequently overwritten as transactions are modified, processed, and reported.

58
Q

Management may determine that the carve-out method is preferred for reporting in a SOC engagement when:

A. The services and types of controls necessary at the subservice organization are complex.

C. A Type 1 or Type 2 service auditor’s report on the subservice organization is readily available.

A

Choice "C" is correct. If a Type 1 or Type 2 service auditor's report on the subservice organization that meets the user's needs is available, the carve-out method may be preferred, because that report contains useful information that can be considered together with the service organization's report.

Choice "A" is incorrect. When the services and types of controls necessary at the subservice organization are complex, the inclusive method may be preferred, because with the carve-out method the description of the service organization's system could be so limited that it would not be useful to report users.

59
Q

Disabling autorun and autoplay for removable media is a tactic that is supported by which of the following Center for Internet Security (CIS) Controls?
A. Control 13: Network Monitoring and Defense
D. Control 10: Malware Defenses

A

Choice "D" is correct.

Disabling autorun and autoplay for removable media is not only a defensive tactic but also a safeguard under Control 10: Malware Defenses. This precaution prevents malware from executing automatically when a USB drive, memory stick, or other removable media is inserted. Instead, it requires user intervention so that the contents can be reviewed before any script or program is launched or executed.

Choice "A" is incorrect. Control 13: Network Monitoring and Defense is a set of network-based safeguards intended to prevent potential threats and detect ongoing attacks or previous breaches; it is not a tactic or setting that can be configured to stop programs from executing automatically.

60
Q

Which of the following is an additional criterion for processing integrity?

A. The entity manages and evaluates its processing capacity to meet objectives.

B. The entity obtains consent when collecting personal data.

C. The entity disposes of confidential information properly.

D. The entity has policies for system inputs to ensure accurate products and reporting.

A

Explanation:
Option D is correct. This criterion focuses on ensuring that system inputs produce accurate products and reports, which relates to processing integrity.

Option A concerns managing processing capacity, which relates to availability.

61
Q

Under HIPAA, which of the following does not require further authorization after PHI has been collected?

A. Making an unredacted data set publicly available for research.

B. Sending PHI to a hospital treating similar conditions.

C. Treatment or processing payment.

D. Processing payment and disclosing health results to family.

A

Explanation:
Choice C is correct. Under HIPAA, using PHI for treatment or processing payment does not require further authorization.

Choice A is incorrect because making unredacted data publicly available requires further authorization.

Choice B is incorrect because sending PHI to another hospital for treatment does not require additional authorization, but other uses may.

Choice D is incorrect because although processing payment does not require further authorization, disclosing health results to family does.

62
Q

Adding relevant content to a governance framework but not removing irrelevant content violates which one of the COBIT 2019 governance framework principles?
A. Open and Flexible
B. Holistic Approach

A

【A】
The three governance framework principles are 1) based on a conceptual model, 2) open and flexible, and 3) aligned to major standards. Open and flexible means the framework should be able to change, add relevant content, and remove irrelevant content. Therefore, being unable to remove content violates the open and flexible principle.

Choice "B" is incorrect. Holistic approach is a governance system principle, not a governance framework principle. It states that an IT governance system should provide a holistic model while retaining distinct components.

63
Q

A reduction in corporate liability

A

A reduction in corporate liability; "liability" here means legal responsibility.

64
Q

Alexandra is assessing how different parts of an IT asset interact with cybersecurity threats. This stage in threat modeling is known as:

Options:

A. Identifying threats

B. Performing a reduction analysis

C. Analyzing the impact of an attack

D. Developing countermeasures

A

Explanation
Choice "B" is correct. Threat modeling is the identification, analysis, and mitigation of cybersecurity threats to an organization's IT infrastructure, systems, and applications. Threat modeling generally proceeds through the following stages: identifying assets, identifying threats, performing a reduction analysis, analyzing the impact of an attack, developing countermeasures and controls, and reviewing and evaluating the threat model.

Performing a reduction analysis involves decomposing the assets being protected in order to understand more deeply how they interact with potential cybersecurity threats. This decomposition helps the organization understand existing security clearances, policies related to changes in trust and security, and how data flows through the organization.

Choice "A" is incorrect. Identifying threats involves identifying threat types, threat characteristics, and potential attack methods.

Choice "C" is incorrect. Analyzing the impact of an attack requires the company to assess the monetary impact of potential threats, helping prioritize solutions.

Choice "D" is incorrect. Developing countermeasures and controls is the stage in which security controls such as intrusion detection systems, contingency plans, and security protocols are implemented.

65
Q

Which of the following is the step where the intended recipient converts the cipher text into plain text?
A. Decryption or decipherment.
B. PKI.
C. Encryption.
D. Digital certificates.

A

A. Decryption or decipherment.
B. PKI: public key infrastructure (PKI) refers to the systems and procedures used to issue and manage asymmetric keys and digital certificates.
C. Encryption.
D. Digital certificates: a digital certificate is another form of data security. It functions in the online world the way driver's licenses, passports, and other trusted documents function outside it.

66
Q

Which describes the inclusive method and which the carve-out method?
A. The nature of the services provided by the subservice organization and the types of controls expected to be performed at the subservice organization that are necessary, in combination with controls at the service organization, to meet control objectives.

C. The nature of the services provided by the subservice organization and the components of the subservice organization’s system used to provide services to the service organization.

A

A: carve-out
C: inclusive

Option A's "types of controls expected to be performed" is a carve-out method requirement, emphasizing the types of controls rather than specific system components.

Option C's "nature of the services provided" and "components of the subservice organization's system" are the key requirements of the inclusive method, which requires a detailed description of the subservice organization's services and system components.

67
Q

Where in a Security Assessment Report (SAR) would you find the description of the management information system and the techniques used for the assessment?
A. Assessment methodology and system overview

B. Summary of findings and security assessment findings

C. Recommendations and summary of findings

D. System overview and security assessment findings

A

Explanation:

Option A is correct. The assessment methodology section details the techniques used in the assessment, and the system overview describes the management information system.

Option B is incorrect. These sections summarize the assessment results; they do not describe the system or the techniques used.

Option C is incorrect. Recommendations address improvement actions, and the summary of findings is an overview of what was found.

Option D is incorrect. The system overview is right, but the security assessment findings section focuses on gaps, not on the methodology or the system description.

68
Q

What is the primary purpose of the risk assessment procedures performed by a service auditor?
B. To provide a basis for designing and performing procedures that are responsive to the risks
C. To identify and assess the types, likelihood, and impact of risks that affect the controls

A

【B】
The primary purpose of the service auditor's risk assessment procedures is to provide a basis for designing and performing further procedures that are responsive to the assessed risks. Option C describes what the risk assessment procedures do (identify and assess risks), not the purpose they serve.

69
Q

focusing on a quick return from system outage
This plan addresses which concept related to system availability?

A. Change management

B. Business continuity

C. Business resiliency

D. Disaster recovery

A

【C】Business resiliency: the ability to recover from a system outage quickly and keep operating.

70
Q

Which of the following classifications of security controls includes smoke detectors, generators, security guards, and ID badges?
C. Administrative.
D. Physical.

A

Explanation
Choice "D" is correct. Smoke detectors, generators, security guards, and ID badges are all examples of physical security controls.

Choice "C" is incorrect. Administrative security controls include segregation of duties, business continuity planning, and proper hiring practices. The controls named in the question are physical controls.

71
Q

Which of the following activities would fall within the Performance component of the COSO Integrating with Strategy and Performance Framework?

A. Defining risk appetite
B. Prioritizing risk
C. Reviewing risk and performance
D. Reporting on risk

A

【B】The Performance component advises organizations to prioritize risks according to their risk appetite while ensuring business objectives are achieved. The other options belong to other components: defining risk appetite is part of Strategy and Objective-Setting, reviewing risk and performance is part of Review and Revision, and reporting on risk is part of Information, Communication, and Reporting.

Short keyword summary of the five COSO ERM components:
【Governance and Culture:】
Governance
Culture
Context

【Strategy and Objective-Setting:】
Alignment
Objectives

【Performance:】
Impact
Management

【Review and Revision:】
Monitoring
Improvement

【Information, Communication, and Reporting:】
Information
Communication
Reporting

72
Q

Investment earnings would be recorded in what cycle?

A

In the general ledger and reporting cycle, via a journal entry.

73
Q

Which of the following control families in NIST SP 800-53 addresses the way data is securely transmitted when being sent digitally?

A.	 System and Communications Protection

B.	 PII Processing and Transparency

C.	 Assessment, Authorization, and Monitoring

D.	 Media Protection
A

Explanation:

Option A is correct. NIST SP 800-53 is a catalog of security and privacy controls intended to protect organizations against sophisticated threats. It is organized into 20 control families, each addressing an area of organizational risk. The System and Communications Protection (SC) family covers protection of data in transit, for example the control SC-8, Transmission Confidentiality and Integrity.

Option B is incorrect. PII Processing and Transparency (PT) governs how personally identifiable information is processed and disclosed, not how data is transmitted.

Option C is incorrect. Assessment, Authorization, and Monitoring (CA) covers assessing controls, authorizing systems to operate, and continuous monitoring.

Option D is incorrect. Media Protection (MP) covers data on storage media (access, marking, sanitization, transport of media), not digital transmission.

74
Q

Jerry is looking to take a cost-effective, repeatable approach to developing a program that identifies, assesses, and manages cybersecurity risks. Which of the following can be used to assist with Jerry's goal?
C. Framework Core

D.	 Framework Profile
A

【C】
The Framework Core is the common set of cybersecurity activities, outcomes, and references, organized under the Functions Identify, Protect, Detect, Respond, and Recover. It is the generic, repeatable starting point Jerry needs.

The Framework Profile is a customized configuration built on the Framework Core, tailored to an organization's specific needs, risk tolerance, and business environment.

75
Q

An estimate of the loss expressed as a percentage of the asset's value refers to what?

A

Exposure factor (EF)
EF is a measure of the fraction of an asset's total value that would be lost if a specific event occurred. For example, an EF of 20% means that when the event occurs, the loss equals 20% of the asset's total value.
EF = (value of the asset lost / total asset value) × 100%.
Example: a machine is worth $100,000 and a system failure causes a $20,000 loss. For that event, EF = ($20,000 / $100,000) × 100% = 20%.
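A worked quantitative risk calculation, added here as an example (not part of the flashcard deck). It goes beyond the card's EF definition to the standard companion figures that use it, single loss expectancy (SLE = AV × EF) and annualized loss expectancy (ALE = SLE × ARO), and to the usual cost-justification test for a control. The first scenario reproduces the card's $100,000 machine with a $20,000 loss; all other asset values, loss estimates, and annual rates of occurrence are constructed illustrative figures.

```python
"""Exposure factor, SLE and ALE for a set of loss scenarios.

Added example, not code from the flashcard deck. All figures below are
constructed; the first scenario mirrors the card's machine example.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: float     # AV: total value of the asset
    loss_if_event: float   # estimated loss from a single occurrence
    annual_rate: float     # ARO: expected occurrences per year

    def exposure_factor(self) -> float:
        """EF = loss / asset value, as a fraction between 0 and 1."""
        if self.asset_value <= 0:
            raise ValueError("asset value must be positive")
        ef = self.loss_if_event / self.asset_value
        if not 0.0 <= ef <= 1.0:
            raise ValueError("loss cannot exceed the asset's value (EF > 100%)")
        return ef

    def single_loss_expectancy(self) -> float:
        """SLE = AV * EF: expected loss each time the event occurs."""
        return self.asset_value * self.exposure_factor()

    def annualized_loss_expectancy(self) -> float:
        """ALE = SLE * ARO: expected loss per year from this scenario."""
        return self.single_loss_expectancy() * self.annual_rate


def control_is_justified(before: Scenario, after: Scenario, annual_control_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds its annual cost."""
    saved = before.annualized_loss_expectancy() - after.annualized_loss_expectancy()
    return saved > annual_control_cost


def rank_by_ale(scenarios: List[Scenario]) -> List[Scenario]:
    """Order scenarios by annual expected loss, highest first, for prioritization."""
    return sorted(scenarios, key=lambda s: s.annualized_loss_expectancy(), reverse=True)


# Constructed scenarios (the machine reproduces the card's example).
MACHINE = Scenario("production machine", 100_000, 20_000, annual_rate=0.5)
DATABASE = Scenario("customer database", 500_000, 400_000, annual_rate=0.1)
LAPTOP = Scenario("field laptop", 2_000, 2_000, annual_rate=3.0)

if __name__ == "__main__":
    for s in rank_by_ale([MACHINE, DATABASE, LAPTOP]):
        print(f"{s.asset:20s} EF={s.exposure_factor():.0%} "
              f"SLE={s.single_loss_expectancy():,.0f} "
              f"ALE={s.annualized_loss_expectancy():,.0f}")
    # Assumed control: encrypting the database cuts loss per breach to 50,000
    # at an annual cost of 20,000.
    after = Scenario("customer database", 500_000, 50_000, annual_rate=0.1)
    print("encryption justified:", control_is_justified(DATABASE, after, 20_000))
```

Note the ranking: the laptop has the highest EF (100%) but the lowest ALE, which is why prioritization should be done on ALE rather than on EF alone.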

76
Q

Which of the following best describes what an analyst does when formatting all zip codes to ensure each data point contains five digits?

A.	 Cleaning data.

B.	 Ensuring completeness of the data.

C.	 Encrypting data.

D.	 Integrating data sources.
A

Choice "A" is correct. The data life cycle can be summarized in eight steps: definition, capture, preparation, synthesis, analytics and usage, publication, archival, and purging.
Formatting ZIP codes to a consistent five-digit length is a data cleaning task. Data cleaning includes correcting inconsistencies, standardizing formats, and ensuring data quality.

Choice "B" is incorrect. Ensuring completeness refers to verifying that no data is missing and that all expected data is present.

Choice "C" is incorrect. Encrypting data means encoding it to prevent unauthorized access.

Choice "D" is incorrect. Integrating data sources means combining data from multiple sources into a unified format.
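The cleaning task from the question, as an added example (not code from the flashcard deck), with a separate completeness check so the difference between options A and B is visible in code. `clean_zip` repairs the common defects that produce non-five-digit ZIP values (leading zeros lost when the column was stored as an integer, ZIP+4 suffixes, whitespace, float artefacts from spreadsheet exports) and refuses to coerce anything else; `clean_records` then reports which records were missing a value entirely. The input records are constructed sample data.

```python
"""Data cleaning versus completeness check on a ZIP code column.

Added example, not code from the flashcard deck. SAMPLE is constructed data.
"""
import re
from typing import Dict, List, Optional

# Five digits, optionally followed by a ZIP+4 suffix with or without a hyphen.
ZIP5 = re.compile(r"^(\d{5})(?:-?\d{4})?$")


def clean_zip(raw) -> Optional[str]:
    """Return a five-digit ZIP string, or None when the value cannot be repaired."""
    if raw is None:
        return None
    s = str(raw).strip()
    if s == "":
        return None
    if re.fullmatch(r"\d+\.0", s):     # '2134.0' from a float column
        s = s[:-2]
    if s.isdigit() and len(s) < 5:     # integer storage dropped leading zeros
        s = s.zfill(5)
    m = ZIP5.match(s)
    return m.group(1) if m else None   # letters or wrong length: not repaired


def clean_records(records: List[Dict]) -> Dict:
    """Clean the zip field of every record and report completeness separately."""
    cleaned, missing, invalid = [], [], []
    for rec in records:
        raw = rec.get("zip")
        z = clean_zip(raw)
        if raw in (None, ""):
            missing.append(rec["id"])   # completeness problem: no value at all
        elif z is None:
            invalid.append(rec["id"])   # quality problem cleaning could not fix
        cleaned.append({**rec, "zip": z})
    total = len(records)
    return {
        "records": cleaned,
        "missing_ids": missing,
        "invalid_ids": invalid,
        "completeness": (total - len(missing)) / total if total else 1.0,
    }


# Constructed sample input covering the usual defects.
SAMPLE = [
    {"id": 1, "zip": "02134"},
    {"id": 2, "zip": 2134},          # stored as int, leading zero lost
    {"id": 3, "zip": "02134-1234"},  # ZIP+4
    {"id": 4, "zip": " 90210 "},     # stray whitespace
    {"id": 5, "zip": "2134.0"},      # float artefact from a spreadsheet export
    {"id": 6, "zip": ""},            # missing
    {"id": 7, "zip": "ABCDE"},       # not repairable
    {"id": 8, "zip": None},          # missing
]

if __name__ == "__main__":
    report = clean_records(SAMPLE)
    for r in report["records"]:
        print(r)
    print("missing:", report["missing_ids"], "invalid:", report["invalid_ids"],
          f"completeness={report['completeness']:.0%}")
```

Keeping unrepairable values as `None` and listing their ids, rather than silently padding or truncating, is what makes the cleaning step auditable: the analyst can show exactly which records were normalized and which still need a source-of-truth lookup.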