Which overview explanation best summarizes CIS Control 13: Network Monitoring and Defense?
A. Establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable
network services and access points.
B. Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly
respond to an attack.
C. Operate processes and tooling to establish and maintain comprehensive network and monitoring defense against
security threats across the enterprise’s network infrastructure and user base.
D. Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and
remediate security weaknesses before they can impact the enterprise.
<3>
Choice “A” is incorrect. Under CIS Critical Security Controls Version 8, this explanation best describes Control 12: Network
Infrastructure Management.
Choice “B” is incorrect. Under CIS Critical Security Controls Version 8, this explanation best describes Control 17: Incident
Response Management.
Choice “D” is incorrect. Under CIS Critical Security Controls Version 8, this explanation best describes Control 16: Application Software Security.
Which Center for Internet Security (CIS) Control principle was designed to have all recommendations be practical?
A. Measurable
B. Align
C. Focus
D. Feasible
<4>
A. Measurable --> simple and measurable, avoiding vague language.
C. Focus --> map to other top cybersecurity standards.
D. Feasible --> prioritize and resolve: helps prioritize the most critical issues rather than trying to solve every cybersecurity problem.
The other options, Measurable, Align and Focus, are also important principles, but they do not directly concern whether recommendations are practical or feasible. Measurable emphasizes that controls can be measured, Align concerns keeping controls consistent with business goals and needs, and Focus concerns concentrating resources and effort on the most important security controls. Feasible is therefore the principle that most directly expresses that recommendations must be practical.
Which of the following components of the NIST Cybersecurity Framework (CSF) Core describes the function that outlines how a company should notify
all affected parties while containing a cybersecurity event?
A. Recover
B. Respond
C. Detect
D. Protect
<2>
3 --> Detect: identify the tools and resources needed to detect active cybersecurity attacks.
4 --> Protect: safeguards and access as well as regular updates.
When conducting an audit of a service organization’s network infrastructure, a service auditor finds a device that acts as the network’s central hub and is therefore a potential single point of failure if it quits working. Which topology is least likely to result in a potential single point of failure?
A. Mesh topology
B. Ring topology
C. Star topology
D. Bus topology
<1>
3 --> Star topology has a central hub through which all data passes to the other peripheral devices.
4 --> Bus topology: all devices share a single communication line or bus; data is broadcast to every device, but only the intended recipient accepts and processes it.
Which CIS Control best describes the recommendation to establish and maintain practices relevant to data sufficient to restore in-
scope enterprise assets to a pre-incident and trusted state?
A. Control 11: Data Recovery
B. Control 10: Malware Defenses
C. Control 15: Service Provider Management
D. Control 16: Application Software Security
<1>
1 --> Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Choice “B” is incorrect. Malware Defenses: prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Choice “C” is incorrect. Service Provider Management: develop a process to evaluate service providers that hold sensitive data or are responsible for the enterprise's critical IT platforms or processes, to ensure those providers are protecting those platforms and data appropriately.
Choice “D” is incorrect. Application Software Security: manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
A system that transforms economic events into journal entries and disseminates information that supports daily operations is:
A. An enterprise resource planning system.
B. A transaction processing system.
C. A management reporting system.
D. A financial reporting system.
<2>
Options B and D are related: the transaction processing system (TPS) provides the basic function of recording daily transactions, and the data from those transactions is used by the financial reporting system (FRS) to produce the formal documents that report the company's financial position and results to outside parties.
Which of the following is least likely to be an example of an administrative safeguard required for an organization considered a covered
entity under HIPAA guidance in relation to its administrative functions?
A. Information access management
B. Security awareness and training
C. Facility access controls
D. Contingency plans
<3>
Facility access controls are considered a physical safeguard under HIPAA, not an administrative safeguard.
Within the data life cycle, what is generally considered the first step of the life cycle defining what data a business needs and where to
capture or retrieve such data?
A. Publication
B. Synthesis
C. Definition
D. Preparation
<3>
The data life cycle begins with the following steps:
Definition: this initial stage involves determining the business's data needs, i.e. which data is needed and where it should be obtained.
Capture/Creation: once data needs are defined, the actual data is captured or created.
Preparation: once data is collected it must be prepared to ensure it is complete, clean, current and convenient for users. This may involve encryption and other processing so that the data is ready for use.
Synthesis: this includes creating calculated fields and organizing data to allow fast use and analysis. Not necessary in every case.
Usage: the data is then used for its intended purpose, such as decision making or operational tasks.
Publication: finally, the data may be shared or published for external use, such as sending statements to customers or releasing reports.
Which of the following framework functions in the Privacy Framework Core best describes the function that would include categories
such as risk management strategy, awareness and training, and monitoring review?
A. Control
B. Govern
C. Protect
D. Identify
<2>
Explanation
Choice “B” is correct. The govern function --> governance policies, processes, and procedures; risk management strategy; awareness and training; and monitoring review.
Choice “A” is incorrect. The control function --> data processing policies, processes, and procedures; data processing management; and disassociated processing.
Choice “C” is incorrect. The protect function --> data protection policies, processes, and procedures; identity management, authentication, and access control; data security; maintenance; and protective technology.
Choice “D” is incorrect. The identify function --> inventory and mapping; business environment; risk assessment; and data processing ecosystem risk management.
BeanCard Corporation is a financial institution that processes credit card payments, coordinating with retailers, banks, and customers.
In order for BeanCard Corporation to comply with the Payment Card Industry Data Security Standard (PCI DSS) in relation to the goal of
protecting cardholder data, which of the following actions would BeanCard Corporation most likely take?
A. Encrypt the transmission of cardholder data across open, public networks.
B. Regularly test security systems and processes.
C. Restrict physical access to cardholder data.
D. Maintain a policy that addresses information security for all personnel.
<1>
Option B (regularly test security systems and processes) is also part of PCI DSS, but for the specific goal of protecting cardholder data, encrypting data in transit is generally regarded as the more direct and critical measure, because encryption directly prevents unauthorized parties from accessing sensitive information while it is being transmitted. Regularly testing security systems and processes, although an important safeguard, is viewed more as a way of confirming that the overall security posture is effective than as a measure aimed directly at protecting specific data such as cardholder data.
Which of the following is a common document found in the revenue cycle?
A. Packing slip
B. Voucher
C. Bill of materials
D. Bank statement
<A>
Revenue cycle. Common document: packing slip. Description: a document listing the goods shipped and their quantities, used for checking at the time of shipment.
Purchasing and disbursement cycle. Common document: voucher. Description: a document used to record the details of a purchase transaction and authorize payment.
Manufacturing cycle. Common document: bill of materials. Description: a list of all the raw materials, parts and components needed to manufacture a particular product.
Finance and reporting cycle. Common document: bank statement. Description: a document provided by the bank listing all transactions on an account and its balance for a given period.
Sunriss Corp. is trying to minimize its system availability risk by enhancing database redundancy. Lacker only has one location, so it
most likely will employ which of the following practices?
A. Mirroring
B. Network security controls
C. Replication
D. Infrastructure capacity monitoring
<1>
Replication and mirroring address redundancy mainly from a storage perspective, since both copy the database to a backup database on another machine. Although both support database redundancy, they achieve it differently: mirroring copies the database to a different machine at the same site, whereas replication also transfers the data to a different database at a secondary site.
Which governance system principle under COBIT 2019 is best described as the creation of value for the company’s key groups and key
parties by balancing benefits, risks, and resources?
A. End-to-end governance system
B. Tailored to enterprise needs
C. Dynamic governance system
D. Provide stakeholder value
<4>
Choice “D” is correct. The first COBIT 2019 principle, Provide stakeholder value, describes how a governance system should create value for the company's stakeholders by balancing benefits, risks, and resources. This should be achieved through a well-designed governance system together with an actionable strategy.
Choice “A” is incorrect. The sixth COBIT 2019 principle, End-to-end governance system, explains that all processes within the organization that involve information and technology should be covered by the governance system.
Shoe-ify Inc. is a new platform that lets companies design shoes based on their customers’ foot shapes and running pronation patterns.
The platform serves as an online marketplace that allows companies’ customers to design shoes, which the company then builds and
sells to the customer. Shoe-ify also provides other turn-key functions such as built-in direct marketing services, payment processing,
and logistics services. This is an example of what type of cloud service provider?
A. Business-Process-as-a-Service
B. Software-as-a-Service
C. Platform-as-a-Service
D. Infrastructure-as-a-Service
<2>
The user's main interest is the application itself, not the platform on which the application is developed, managed and maintained.
A. Business-Process-as-a-Service (BPaaS):
Representative examples: ADP (HR, payroll processing and tax services), Salesforce CRM (customer relationship management).
Characteristics: provides a specific business process as a service, such as human resources management, customer relationship management or accounting services.
B. Software-as-a-Service (SaaS):
Representative examples: Google Workspace (formerly G Suite, cloud office applications), Dropbox (cloud storage), Zoom (video conferencing).
Characteristics: applications used directly by end users, with no local installation or maintenance required.
C. Platform-as-a-Service (PaaS):
Representative examples: Heroku, Microsoft Azure, Google App Engine.
Characteristics: provides developers with the platform and environment needed to develop, run and manage applications.
D. Infrastructure-as-a-Service (IaaS):
Representative examples: Amazon Web Services (AWS) EC2, Microsoft Azure VM, Google Compute Engine.
Characteristics: provides infrastructure services such as servers, storage and networking, on which users can run any software, including operating systems and applications.
Which of the following best describes the compliance requirements design factor under COBIT?
A. Compliance demands on the company can be classified as low, medium, or high, where the medium classification indicates that the organization is typical of its industry.
B. Compliance demands on the company can be classified as low, normal, or high, where the normal classification indicates that the organization is typical of its industry.
C. Compliance demands on the company can be classified as one, two, or three, where the three classification indicates that the organization is typical of its industry.
D. Compliance demands on the company can be classified as one, two, or three, where the two classification indicates that the organization is typical of its industry.
<2>
low –>minimal compliance demands,
normal –>typical of its industry,
high –>higher-than-average compliance requirements.
Having an exit strategy for a cloud service provider (CSP) is a response to which of the following risks?
A. CSP violation of service level agreement
B. Unfavorable operational budget variances
C. Favorable regulation changes
D. Lack of application portability (vendor lock-in)
<4>
D. Lack of application portability (vendor lock-in): when an enterprise uses a particular CSP's services and infrastructure, it may become overly dependent on that vendor's technology and standards, making it difficult to switch to another provider's services or bring the services back in-house. An exit strategy is critical to reducing this risk, as it ensures the enterprise can transition away from the CSP when necessary without major disruption or increased cost.
Relevance of the other options:
A. CSP violation of the service level agreement (SLA): although an exit strategy can be part of a broader response to SLA violations, the main concern here is usually addressed through SLA terms and monitoring, not an exit strategy.
B. Unfavorable operational budget variances: budget issues may prompt a review of the CSP arrangement, but they are not usually directly connected with the need for an exit strategy.
C. Favorable regulation changes: favorable regulatory changes do not normally make an exit strategy necessary; if anything, they may make continued use of the CSP more attractive.
A hedge fund, Pearlin, is a U.S.-based investment company that specializes in what is known as quantamental investing, which
makes stock picks based on algorithms that analyze social media posts, news articles, transcripts from earnings calls, and
various other text-based sources. Pearlin uses a group based out of India who created the software and runs the algorithm
multiple times per day and then sends the results to Pearlin for analysis. This type of business process utilizes:
A. Large language models (LLMs) and insourcing.
B. Robotic process automation (RPA) and offshoring.
C. Outsourcing and natural language processing (NLP).
D. Offshoring and K-means clustering.
<3>
Each of the following may be considered a financial implication of a data breach except for which of the following?
A. Litigation expenses to reach resolutions with other impacted parties harmed by the data breach
B. Revenue lost from current and potential customers who will consider competitors due to the negative impact
on the organization’s reputation
C. Communication with vendors temporarily lost due to the data breach, delaying processing of business
activities
D. Regulatory fees imposed on the organization by the government due to the data breach
<3>
Choice C is an operational implication rather than a financial implication, since communication may be restored after temporary downtime and continue without a significant financial impact.
A SOC report would most likely be issued assessing an opinion on the controls of which entity?
A. Independent auditor of the user entity
B. Service auditor
C. Service organization
D. User entity
<3>
C = service organization (the service provider).
A SOC report is intended to provide an assessment of, and an opinion on, the effectiveness of a service organization's controls. Those controls relate to the services the organization provides to its user entities. The service auditor performs the audit and issues the SOC report for the service organization, not the user entity.
Why not D (user entity): the user entity is the organization that uses the services provided by the service organization.
Which of the following correctly explains independence requirements for a service auditor performing a SOC
engagement?
A. Independence is required for a SOC 1 and SOC 2 engagement but not for a SOC 3 engagement.
B. Independence is required between the service auditor and the service organization.
C. Independence is required between the service auditor and the user entity.
D. Independence is required for a Type 2 engagement but not for a Type 1 engagement.
<2>
The user entity, however, is not part of the SOC audit engagement itself. The service auditor’s independence requirement is in relation to the service organization, not each individual user entity.
The service auditor's client is the service organization, not the user entity, so the auditor only needs to be independent of that client.
A high-growth, mid-sized organization that previously used rule-based access controls is seeking additional flexibility to
allow for analysis of theoretical privileges based on actual privileges. What authorization model would be best for this
organization?
A. Role-based access control
B. Risk-based access control
C. Policy-based access control (PBAC)
D. Discretionary access control (DAC)
<3>
A. Role-based access control (RBAC):
Example: in a bank, tellers and branch managers have different access rights. A teller may only be able to view basic customer account information, while a branch manager can access a wider range of data and reports.
B. Risk-based access control:
Example: accessing sensitive financial data may require multi-factor authentication, while accessing ordinary documents requires only a password.
C. Policy-based access control (PBAC):
Example: a company may set a policy that allows employees in certain roles to access a particular system during working hours, with access restricted outside those hours.
Link between the question's key phrase and the correct answer: the "analysis of theoretical privileges based on actual privileges" mentioned in the question relates to the dynamic nature and flexibility of PBAC. PBAC can decide access rights based on complex conditions and rules, which gives the organization the flexibility it needs.
D. Discretionary access control (DAC):
Example: the creator of a file decides which colleagues can view and edit it.
DAC relies more on the discretion of individual users, whereas PBAC relies on security policies defined in advance at the organizational level. DAC can be more flexible in some situations, but for protecting sensitive data and maintaining organization-wide security standards, PBAC provides a stricter and more consistent approach.
a weakness of the symmetric encryption method?
A. Symmetric encryption applies an algorithm to transform plaintext into ciphertext.
B. Symmetric encryption limits decoding of ciphertext only by using a key with the mathematically encoded
algorithm to assure that the sender is who they say they are.
C. Symmetric encryption has keys that are generally longer where one is needed for both encryption and
decryption, which impacts speed and operation.
D. Symmetric encryption does not facilitate non-repudiation because any person with the shared key can encrypt
and decrypt messages.
<4>
The most likely weakness of symmetric encryption is that it does not facilitate non-repudiation (the assurance that neither party can deny having sent or received a message), because anyone holding the shared key can both encrypt and decrypt messages.
Asymmetric encryption (also called public key encryption) is best suited to providing non-repudiation. Asymmetric encryption uses two different but mathematically related keys: a public key and a private key.
A declaration made by a payroll processor that states that all sensitive user entity employee information entered into its
system will be kept private and confidential is an example of a:
A. Complementary user entity control.
B. Trust services criterion.
C. Service commitment.
D. System requirement.
<3>
A. Complementary user entity control:
Definition: a control that the user entity (the customer) must implement to complement the service organization's controls.
Example: a company using a cloud payroll service implements its own internal controls to ensure that only authorized personnel can access the payroll system interface.
B. Trust services criterion:
Definition: a set of professional criteria used to evaluate a service organization's controls, particularly with respect to security, availability, processing integrity, confidentiality and privacy.
Example: a cloud storage provider should ensure its data centers have sound security measures to prevent unauthorized access, consistent with the security criteria of the trust services criteria.
C. Service commitment:
Definition: a promise or assurance made by the service organization about some aspect of its service, usually relating to performance, security or ethical practice.
Example: a payroll processor declares that all sensitive user entity employee information entered into its system will be kept confidential.
D. System requirement:
Definition: a specific function or characteristic a system must have in order to meet business needs and regulatory requirements.
Example: an online banking system requires multi-factor authentication to access user accounts as part of its system requirements for account security.
Charles works in the marketing department but has an interest in IT and seeks to model appropriate security behaviors.
Which of the following is the best way for Charles to do this?
A. Charles could issue a security assessment report (SAR) to management on behalf of the marketing department.
B. Charles could lead the effort of implementing a security platform or join a full task force to accomplish those
goals.
C. Charles could unmask data as part of the system development life cycle.
D. Charles could perform a walkthrough of the confidentiality and privacy processes.
D. Perform a walkthrough of the confidentiality and privacy processes.
This means Charles would review and confirm that he and his department follow the best practices and guidelines set by security professionals when handling data, including understanding and complying with the company's policies and procedures for protecting sensitive information.
Brief explanation of the other options:
A. Issuing a security assessment report to management: this is normally the job of security professionals, not the marketing department. It involves assessing the company's information security status and testing controls.
B. Leading the implementation of a security platform or joining a full-time task force: this is beyond the scope of Charles's role, and the question does not say whether Charles has the skills or knowledge to implement an IT security platform.
C. Unmasking data: unmasking data relates to data protection and privacy, but it is not the best way to model security behavior, especially for someone who is not an IT professional.
Which is not one of the three commonly used methodologies for threat models?
A. Process for Attack Simulation and Threat Analysis (PASTA)
B. Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-service attack, and Elevation of privilege
(STRIDE)
C. Evaluating and Processing Information Control (EPIC)
D. Visual, Agile, and Simple Threat (VAST)
<3>
Choice “C” is correct. EPIC is not a real threat modeling methodology. The three commonly used methodologies are the PASTA, VAST and STRIDE threat models.
A service auditor has been engaged to perform a SOC 2 Type 2 engagement by a service organization providing data
storage services. The trust services criteria relevant to the engagement include security. Management has included
information on a security breach at one location that occurred during the period within its system description. The
service auditor should:
A. Issue an adverse opinion on the SOC engagement as a security breach occurred during the period.
B. Issue an unmodified opinion on the SOC engagement as the security breach is identified.
C. Inquire with management about the controls in place to identify and report a security breach and obtain
evidence.
D. Identify the nature, extent, and timing of the system incident in the service organization’s system description.
<3>
C. Inquire with management about the controls in place to identify and report a security breach, and obtain the related evidence.
This means the service auditor needs to understand the service organization's process for reporting system failures, incidents, and complaints from internal or external users. The auditor should inquire with management about the controls for identifying and reporting security breaches and obtain evidence supporting the disclosed incident, for example by reviewing the service organization's documentation and board meeting minutes.
Brief explanation of the other options:
A. Issue an adverse opinion: incorrect, because the occurrence of a security breach alone does not determine that the opinion should be adverse.
B. Issue an unmodified opinion: also incorrect, because merely having identified the security breach is not sufficient to determine the opinion.
D. Identify the nature, extent and timing of the system incident: this is the responsibility of management, not the service auditor.
Each of the following examples would likely be considered personally identifiable information (PII) used to identify an
individual, except for which of the following?
A. IP addresses of the individual
B. Biometric data of the individual
C. Passport number of the individual
D. Street address of the individual
<1>
IP addresses are not considered PII because they change frequently (dynamic IP addresses) or are shared by several households or individuals.
A company’s board of directors votes to add an executive position for a chief information security officer who will report
directly to the company’s chief executive officer and oversee a team of individuals dedicated to ensuring that company
systems and information are protected against threats. This action to add an executive position dedicated to security
would be a part of which of the COSO framework components?
A. Risk assessment
B. Control environment
C. Monitoring
D. Control activities
<2>
B. Control environment:
The control environment is the foundation of an organization's internal control system. It includes elements such as the governance structure, the attitude of leadership, employee values and corporate culture, which together set the overall tone for internal control.
In this scenario, creating a new executive position for information security that reports directly to the CEO emphasizes how much the organization values information security, which is part of the control environment. It shows the commitment of senior management to internal control and information security.
D. Control activities:
Control activities are the specific policies, procedures and mechanisms used to ensure that management directives are carried out and to reduce the likelihood that risks materialize. They can include approval procedures, reviews, data validation, and physical or logical access controls.
Examples: scheduling regular system audits, employee training, implementing access control policies, or the process of performing background checks on new employees to reduce the risk of fraud.
Which of the following is an example of a distributed denial of service (DDOS) attack?
A. Melissa used her computer to execute a script, sending a large number of requests to a target webpage,
causing the target webpage to become unresponsive.
B. David engaged a botnet to overwhelm XYZ Co’s network with traffic with a large number of requests.
C. Jamal used a fake email address to imitate a legitimate employee request.
D. Jennifer created a false online identity in hopes of tricking lonely men into sending her money and gifts.
<2>
1–>Melissa used a traditional denial of service (DoS) attack because she only used her computer,
rather than multiple devices. As such, this attack is not distributed.
2 --> David used a botnet to send a large number of requests to XYZ Co's network (distributed).
Which of the following activities would most likely detect computer-related fraud?
A. Reviewing the systems-access log.
B. Using data encryption.
C. Performing validity checks.
D. Conducting fraud-awareness training.
<1>
Choice “A” is correct. Because computer-related fraud usually involves unauthorized access to systems and/or data, reviewing the systems-access log is the activity among these options most likely to detect fraud. A systems-access log is an electronic list of who has accessed, or attempted to access, a system or part of a system, or data or a subset of data.
Which of the following would likely be considered the biggest risk to confidential information when deleting/purging
confidential information from storage devices?
A. When data is removed, using heat to change the chemical construct of data may restrict use or access to the
storage device.
B. When data is removed, physical destruction of storage devices such as the disassembling or changing the
chemical construct of the data may make the device unusable.
C. When data is removed, a residual magnetic flux or imprint may remain on storage devices where tools can
reverse the effects of wiping.
D. When data is removed, changing the chemical composition of the data through pressure or shredding may
make the device unusable.
<3>
The risk to the enterprise is that, after data is deleted, an imprint or residual magnetic flux may remain on the storage device. If the storage device is retained, the risk of unauthorized access to confidential information remains high.
Which of the following is not a primary cybersecurity risk related to Internet of Things (IoT)?
A. Expanded footprint
B. Escalated cyberattacks
C. Outdated firmware
D. Hybrid management issues
<4>
D. Hybrid management issues:
This issue concerns the management challenges of using multiple cloud environments. For example, when a company subscribes to several cloud-based solutions and/or maintains some on-premises IT, integrating and monitoring the multiple environments can be difficult, which can make detecting cyberattacks harder. However, this is not a risk specific to the Internet of Things; it is a risk associated with using multiple cloud environments.
Brief explanation of the other options:
A. Expanded footprint:
IoT devices connect to other devices and to the company's core network, increasing the total number of devices the company must monitor and therefore the number of points that can be attacked.
B. Escalated cyberattacks:
IoT devices can be used as a base from which to infect more devices, or as an entry point into the connected network.
C. Outdated firmware:
Attackers can intercept IoT firmware updates or exploit known weaknesses to manipulate firmware and gain access to and control of the device.
Which of the following descriptions best describes masking?
A. Masking involves a single shared or private key for encryption and decryption of data within a group where the
key is used by all members in the group.
B. Masking swaps data with other like data so that the original identifying characteristics are disguised while
maintaining a similar structure to the unmodified data set.
C. Masking scrambles unencrypted data using cryptography so that it can generally only be deciphered with a
key.
D. Masking removes production data and replaces it with a surrogate value, in which the data is transformed using mathematical algorithms.
<2>
B. Masking swaps data with other similar data so that the original identifying characteristics are disguised while a structure similar to the unmodified data set is maintained.
This means that during masking the original form of the data is altered so that its identifying information is no longer directly visible, while the overall structure and format of the data are preserved. It is commonly used to protect private or sensitive data, for example when production data is used in a test environment.
Why the other options are wrong:
A. Describes symmetric encryption, which is unrelated to masking.
C. Describes encryption, also unrelated to masking.
D. Describes tokenization, another data protection technique that is distinct from masking.
Pierc has been asked to change the scope of the SOC 1
engagement from a Type 2 report to a Type 1 report. Which of the following represents language that should be added to
the auditor’s report because of this change?
A. In our opinion, in all material respects, based on the criteria described in XYZ service organization’s assertion …
the controls related to the control objectives stated in the description were suitably designed to provide
reasonable assurance that the control objectives would be achieved if the controls operated effectively …
B. We did not perform any procedures regarding the operating effectiveness of controls stated in the description
and, accordingly, do not express an opinion thereon.
C. The specific controls tested and the nature, timing, and results of those tests are listed.
D. This report is not intended to be, and should not be, used by anyone other than the specified parties.
<2>
B. We did not perform any procedures regarding the operating effectiveness of the controls stated in the description and, accordingly, do not express an opinion thereon.
This means that in a Type 1 report the auditor must state explicitly that they did not evaluate the actual operating effectiveness of the controls. A Type 1 report gives an opinion only on the suitability of the design of the controls (at a specific point in time) and does not address whether those controls operated effectively.
Explanation of the other options:
A. This language applies to both Type 1 and Type 2 reports, since both express an opinion on the suitability of control design.
C. A description of the specific controls tested is included only in a Type 2 report, not a Type 1 report.
D. Both Type 1 and Type 2 SOC 1 reports are restricted-use reports, so this language applies to both types.
Each of the following examples would be considered a cybersecurity event except for which of the following?
A. A server receiving a request for a web page
B. A user sending an email communication externally to a client
C. An attacker flooding a web server with requests resulting in a site crash
D. A user connecting to a shared file server
<3>
Among these examples, the one not considered a cybersecurity event is:
C. An attacker flooding a web server with requests, causing the site to crash.
This situation is actually a cybersecurity incident, because it involves harmful activity that negatively affects the enterprise. It is a specific kind of cybersecurity event: a security incident.
Explanation of the other options:
A. A server receiving a web page request: this is normal network communication, regarded as a cybersecurity event but usually harmless to the enterprise.
B. A user sending an email to a client: likewise normal network communication, regarded as a cybersecurity event but usually harmless to the enterprise.
D. A user connecting to a shared file server: also normal network activity, regarded as a cybersecurity event but generally harmless to the enterprise.
Barlings Co. is creating policies and procedures related to data collection. Which of the following options is least likely to be included in these policies and procedures?
A. Incident Response
B. Lifecycle of Personally Identifiable Information (PII)
C. Payroll Best Practices
D. Consequences of Violations
In this scenario, Barlings Co., an organization that provides payroll services to other businesses, wants to create policies and procedures related to data collection. When developing comprehensive policies and procedures, the option least likely to be included is:
C. Payroll Best Practices
Reasons:
- Payroll best practices usually concern how payroll itself is handled, which matters more to Barlings Co.'s clients. When developing policies and procedures related to data collection, the focus should be on how to collect, store and process data securely, especially personally identifiable information (PII).
Explanation of the other options:
- A. Incident Response: this covers the response strategy when data is accessed without authorization or another security event occurs, and is an important part of data management policies and procedures.
- B. Lifecycle of Personally Identifiable Information (PII): this concerns how PII is managed and protected across its whole life cycle, which is essential to a data collection policy.
- D. Consequences of Violations: this is an important part of ensuring the data collection policy is effectively followed, including penalties for violating it.
Option C is therefore the one that does not belong, because it is not directly related to the development of data collection policies and procedures.
Unified Auditing Solutions is conducting a SOC 1 Type 2 engagement for Kidell Global Inc., which provides third-party accounting services. Kidell has implemented controls for their general ledger system but did not include these in the system description. What should the service auditor conclude about the exclusion of these controls from the description?
A. The service auditor will likely conclude that such controls are appropriately excluded as the system description
should focus on describing the services and system but not the controls in place at the service organization.
B. The service auditor will likely conclude that such controls should be included in the system description as all
controls at the service organization must be included for the description to be complete.
C. The service auditor will likely conclude that such controls should be included in the system description as they are
designed to help meet control objectives.
D. The service auditor will likely conclude that such controls are appropriately excluded as the controls in place relate
to the service organization rather than the financial processing and reporting of customer transactions.
Answer: C.
C. The service auditor should conclude that these controls should be included in the system description, because they are designed to help achieve control objectives.
In a SOC 1 Type 2 engagement, the service organization's system description should include information about the control objectives and the controls that achieve them.
Because the controls over Kidell's general ledger system are critical to accurate financial reporting and processing, which is the main service Kidell provides, they should be included in the system description.
Excluding these key controls could leave users of the SOC 1 report with an incomplete understanding of how Kidell achieves its control objectives, which is essential information for them.
Analise works in a lab with valuable intellectual property. To access certain data, she must use a desktop browser on a device physically onsite. Remote or mobile access is not allowed as the database recognizes location and means of access. What authentication technique is this?
A. Biometrics
B. Single sign-on (SSO)
C. Asynchronous tokens
D. Context-aware authentication
<4>
A. Biometrics:
Biometrics authenticates identity using unique physical characteristics such as fingerprints, iris scans or facial recognition.
Example: unlocking a smartphone with a fingerprint scanner.
B. Single sign-on (SSO):
SSO allows a user to access several related but independent software systems or applications with a single set of credentials (such as a username and password). Its main benefits are convenience and efficiency, since users do not need to remember multiple credentials or log in repeatedly to different systems.
Example: using the company's single sign-on credentials to access email, the CRM system and the intranet.
C. Asynchronous tokens:
An asynchronous token is a security credential that generates a one-time password or code, usually used together with another form of authentication.
Example: using a bank-issued security token to generate a one-time password for an online banking transaction.
D. Context-aware authentication:
This authentication method decides access based on the context of the user's access, such as location, device type and time.
Example: allowing only specific computers inside the office to access a sensitive database.
A critical, high-risk issue related to privilege escalation flaws was identified in a security assessment report (SAR). What
individual or group within the organization is most likely to consider the recommendations in the report and take necessary
actions to remediate them?
A. The centralized incident response team
B. The chief executive officer
C. The General Data Protection Regulation (GDPR) team
D. The Zero Trust Network Architecture team
A. The centralized incident response team
As the single incident response team responsible for managing incidents across the organization's departments, this team is responsible for responding to and handling security incidents, including those identified in a security assessment report.
It usually has the technical expertise and resources to assess the severity of security threats and take appropriate remediation and preventive measures.
Explanation of the other options:
B. The chief executive officer: usually does not handle technical security issues directly; such issues are more likely to be handled by a team with the relevant technical knowledge.
C. The General Data Protection Regulation (GDPR) team: the GDPR team focuses on compliance with data protection law and does not directly handle technical security issues.
D. The Zero Trust Network Architecture team: zero trust network architecture is a security model, not a specific team or organizational structure.
Which of the following statements is true regarding the privacy and confidentiality trust services criteria?
A. Privacy and confidentiality ensure information and systems are available for operation and use to meet the entity’s
objectives.
B. Privacy relates to the safekeeping of personal information, whereas confidentiality relates to the safekeeping of a
broader category of sensitive information.
C. Confidentiality relates to the safekeeping of personal information, whereas privacy relates to the safekeeping of a
broader category of sensitive information.
D. Neither privacy nor confidentiality are included within the trust services criteria.
B. Privacy relates to the safekeeping of personal information, whereas confidentiality relates to the safekeeping of a broader category of sensitive information.
Explanation:
Privacy: concerns the protection and management of personal information, including how personal data is collected, processed, stored, transmitted and destroyed, so that individuals' privacy rights are not violated.
Confidentiality: concerns the protection of the enterprise's sensitive information, such as trade secrets, intellectual property and business strategy. This type of information is generally not public, and its disclosure could harm the organization.
Why the other options are wrong:
A: describes the availability criterion, not the privacy or confidentiality criteria.
C: reverses the definitions of privacy and confidentiality.
D: privacy and confidentiality are both part of the trust services criteria.
When implementing layered security, a company’s systems focus on continuous uptime, which requires more emphasis to be placed on which of the following aspects of its IT environment?
A. Assuring that appropriate patches are implemented.
B. Maintaining appropriate written source documents so the data can be re-entered if it is lost or compromised.
C. Reviewing additional expenses to obtain the required amount of business interruption insurance coverage for the
organization.
D. Establishing redundant systems for instant availability to assure the flow of transactions.
D. Establishing redundant systems for instant availability to assure the flow of transactions.
Explanation:
Layered security is the practice of protecting an organization with a diverse set of cybersecurity protection strategies. It is achieved by implementing redundancy, diverse practices or a defense-in-depth approach, providing multiple layers of protection.
To provide continuous uptime, the organization needs to concentrate more on creating and maintaining redundant systems, so that if the primary application or hardware fails, users still have uninterrupted service.
Why the other options are wrong:
A: patches help keep the organization secure, but they are not the layered-security strategy used to provide continuous uptime.
B: written source documents are essential for supporting any IT environment, but they are not a key component of implementing layered security.
C: business interruption insurance can compensate the company for revenue lost because of a service interruption, but it does not support the IT environment so that it keeps running.
When complementary user entity controls are identified during a SOC engagement, the opinion included in the service
auditor’s report should:
A. Include language indicating that the service auditor performed the procedures to test the suitability of the design
and operating effectiveness of the complementary user entity controls necessary, in conjunction with the controls
at the service organization, to provide reasonable assurance related to the achievement of control objectives.
B. Include a disclaimer of opinion.
C. Include language indicating that the suitability of the design and operating effectiveness of the controls to provide
reasonable assurance related to the achievement of control objectives is based upon the assumption that certain
complementary user entity controls were applied and operated effectively during the specified period.
D. Include no reference to complementary user entity controls in the opinion section.
C. Include language indicating that the assessment of the suitability of the design and operating effectiveness of the controls is based on the assumption that certain complementary user entity controls were applied and operated effectively during the specified period.
Explanation:
The opinion section of the service auditor's report should state that the opinion is based on the assumption that the user entity controls were appropriately applied and operated effectively throughout the specified period.
This is because complementary user entity controls are an important complement to the service organization's controls, and their effectiveness is essential to achieving the control objectives.
Why the other options are wrong:
A: the opinion section should not state that the service auditor tested the suitability of the design and operating effectiveness of the complementary user entity controls.
B: identifying complementary user entity controls does not require a disclaimer of opinion.
D: the opinion section should refer to complementary user entity controls, stating the assumption that the user entity controls were appropriately applied and operated effectively throughout the specified period.
Question: In a SOC engagement, Complementary User Entity Controls refer to which of the following?
A. Controls implemented by the service organization’s management.
B. Necessary controls at a user entity that, combined with service organization’s controls, achieve control objectives in the system description.
C. Controls that are independent and unrelated to the service organization’s controls.
D. Controls solely related to the internal operations of the service organization.
Answer: B. Necessary controls at a user entity that, combined with the service organization’s controls, achieve control objectives in the system description.
Key Points:
These controls are vital in combination with the service organization’s controls for meeting specific control objectives.
They are the responsibility of the user entity, not the service organization’s management.
They should be included in the service organization’s system description for clarity and transparency.
In an insurance organization’s actuarial department, what is a risk of using potentially incorrect files manipulated by end users?
A. Management places the same degree of reliance on the manipulated files as they do on files generated directly from its IT system.
B. Management receives limited information for decision making due to a lack of flexibility in end-user files.
C. Management is unable to respond to competitive pressures quickly.
D. Management continues to incur additional cost because it takes more time to do the tasks complying with standard operating procedures.
Correct Answer: A. Management places the same degree of reliance on the manipulated files as they do on files generated directly from its IT system.
Explanation:
The correct choice is A because there is a risk that management may incorrectly attribute the same level of credibility to end-user manipulated files as to system-generated data. This can lead to decisions based on potentially erroneous data.
The other choices (B, C, D) do not directly address the specific risk associated with using end-user manipulated files in terms of data integrity and reliability.
Which assessment method is Graham least likely to document in the security assessment report for Elige Co.?
A. Analyzing, observing, and reviewing IT security specifications.
B. Reviewing documentation from external financial statement auditors regarding a control deficiency.
C. Having discussions with members of the network administrator team.
D. Performing procedures to compare current password management activities with expected activities.
Answer: B
Explanation: Security assessment engagements typically do not evaluate manual financial reporting-related controls, as they are not closely related to IT security.
Security assessment engagements usually do not evaluate manual controls related to financial reporting, because those controls have little to do with IT security.
Question: In a SOC engagement using the carve-out method with a subservice organization, what should the service organization’s management exclude from the description of the service organization’s system?
A) The services provided by the subservice organization.
B) The controls in place at the service organization to monitor the effectiveness of the complementary subservice organization controls.
C) The complementary user entity controls necessary.
D) The complementary subservice organization controls.
Correct Answer: D) The complementary subservice organization controls.
Explanation: When using the carve-out method in a SOC engagement, the management of the service organization should exclude the complementary subservice organization controls from the description of the service organization’s system. However, they should still identify the services provided by the subservice organization, the necessary complementary user entity controls, and the controls at the service organization for monitoring the effectiveness of the subservice organization’s controls.
Question: What is the purpose of a system description documented by the management of a service organization in a SOC 2® engagement?
A) The description provides sufficient information to allow a user auditor to understand how the service organization’s system affects the user entity’s financial statements and is to be prepared in accordance with the trust services criteria.
B) The description provides sufficient information to allow a user auditor to understand how the service organization’s system affects the user entity’s financial statements and assess the risk of material misstatement of the user entity’s financial statements.
C) The description enables report users to understand the system, the processing and flow of data throughout and from the system, and the procedures and controls in place to manage risk.
D) The description enables report users to understand the system, the processing and flow of data throughout and from the system, and the procedures and controls in place to remove any risks related to system performance.
Correct Answer: C) The description enables report users to understand the system, the processing and flow of data throughout and from the system, and the procedures and controls in place to manage risk.
Incorrect Answer Explanation:
A) Incorrect. While the description does provide information about the service organization’s system, its primary focus in a SOC 2® engagement is not on how it affects the user entity’s financial statements but rather on the broader aspects of managing risks and processing data.
B) Incorrect. The primary goal of the system description in a SOC 2® engagement is not to assist user auditors in assessing the risk of material misstatement of financial statements but to provide an understanding of the system and its controls.
D) Incorrect. The system description aims to explain the controls in place to manage risk, not to remove all risks related to system performance, which is often not feasible.