Which overview explanation best summarizes CIS Control 13: Network Monitoring and Defense?
A. Establish, implement, and actively manage network devices in order to prevent attackers from exploiting vulnerable network services and access points.
B. Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack.
C. Operate processes and tooling to establish and maintain comprehensive network and monitoring defense against security threats across the enterprise’s network infrastructure and user base.
D. Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
<3>
Choice “A” is incorrect. Under CIS Critical Security Controls Version 8, this explanation best describes Control 12: Network Infrastructure Management.
Choice “B” is incorrect. Under CIS Critical Security Controls Version 8, this explanation best describes Control 17: Incident Response Management.
Choice “D” is incorrect. Under CIS Critical Security Controls Version 8, this explanation best describes Control 16: Application
Which Center for Internet Security (CIS) Control principle was designed to have all recommendations be practical?
A. Measurable
B. Align
C. Focus
D. Feasible
<4>
A. Measurable –> simple and measurable, avoiding vague language.
C. Focus –> map to other top cybersecurity standards.
D. Feasible –> prioritize, resolving; helps prioritize the most critical issues rather than trying to solve every cybersecurity problem.
The other options, “Measurable”, “Align” and “Focus”, are also important principles, but they do not directly address the practicality or feasibility of the recommendations. “Measurable” emphasizes that controls can be measured, “Align” concerns keeping controls consistent with business goals and needs, and “Focus” is about concentrating resources and effort on the most important security controls. “Feasible” is therefore the principle that most directly embodies the requirement that recommendations be practical.
Which of the following components of the NIST CS Framework Core describes the function that outlines how a company should notify all affected parties while containing a cybersecurity event?
A. Recover
B. Respond
C. Detect
D. Protect
<2>
3–> Identify the tools and resources needed to detect active cybersecurity attacks.
4–> Safeguards and access as well as regular updates
When conducting an audit of a service organization’s network infrastructure, a service auditor finds a device that acts as the network’s central hub and is therefore a potential single point of failure if it quits working. Which topology is least likely to result in a potential single point of failure?
A. Mesh topology
B. Ring topology
C. Star topology
D. Bus topology
<1>
3–> has a central hub through which all data passes on its way to the other peripheral devices.
4–> all devices share a single communication line or bus; data is broadcast to every device, but only the intended recipient accepts and processes it.
Which CIS Control best describes the recommendation to establish and maintain practices relevant to data sufficient to restore in-scope enterprise assets to a pre-incident and trusted state?
A. Control 11: Data Recovery
B. Control 10: Malware Defenses
C. Control 15: Service Provider Management
D. Control 16: Application Software Security
<1>
1–> Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Choice “B” is incorrect. Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Choice “C” is incorrect. Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes, to ensure those providers are protecting these platforms and data appropriately.
Choice “D” is incorrect. Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
A system that transforms economic events into journal entries and disseminates information that supports daily operations is:
A. An enterprise resource planning system.
B. A transaction processing system.
C. A management reporting system.
D. A financial reporting system.
<2>
The relationship between options B and D: a transaction processing system (TPS) provides the basic function of recording daily transactions, and the data from those transactions is used by the financial reporting system (FRS) to generate the formal documents that report the company’s financial position and performance externally.
Which of the following is least likely to be an example of an administrative safeguard required for an organization considered a covered entity under HIPAA guidance in relation to its administrative functions?
A. Information access management
B. Security awareness and training
C. Facility access controls
D. Contingency plans
<3>
Facility access controls are considered a physical safeguard under HIPAA, not an administrative safeguard.
Within the data life cycle, what is generally considered the first step of the life cycle defining what data a business needs and where to capture or retrieve such data?
A. Publication
B. Synthesis
C. Definition
D. Preparation
<3>
The data life cycle begins with the following steps:
Definition: this initial phase involves determining the business’s data needs, i.e. which data is required and where it should be obtained from.
Capture/Creation: after the data needs are defined, the actual data is captured or created.
Preparation: once the data is collected, it must be prepared to ensure it is complete, clean, current, and convenient for users. This may involve encryption and other processing so that the data is ready for use.
Synthesis: this involves creating calculated fields and organizing the data for quick use and analysis. Not necessary.
Usage: the data is then used for its intended purpose, such as decision-making or operational tasks.
Publication: finally, the data may be shared or published for external use, such as sending statements to customers or publishing reports.
Which of the following framework functions in the Privacy Framework Core best describes the function that would include categories such as risk management strategy, awareness and training, and monitoring review?
A. Control
B. Govern
C. Protect
D. Identify
<2>
Explanation
Choice “B” is correct. The govern function –>
governance policies, processes, and procedures;
risk management strategy;
awareness and training;
and monitoring review.
Choice “A” is incorrect. The control function –>
data processing policies, processes, and procedures;
data processing management;
and disassociated processing.
Choice “C” is incorrect. The protect function –>
data protection policies, processes, and procedures;
identity management, authentication, and access control;
data security;
maintenance;
and protective technology.
Choice “D” is incorrect. The identify function –>
inventory and mapping,
business environment,
risk assessment,
and data processing ecosystem risk management.
BeanCard Corporation is a financial institution that processes credit card payments, coordinating with retailers, banks, and customers. In order for BeanCard Corporation to comply with the Payment Card Industry Data Security Standard (PCI DSS) in relation to the goal of protecting cardholder data, which of the following actions would BeanCard Corporation most likely take?
A. Encrypt the transmission of cardholder data across open, public networks.
B. Regularly test security systems and processes.
C. Restrict physical access to cardholder data.
D. Maintain a policy that addresses information security for all personnel.
<1>
Option B (regularly testing security systems and processes) is also part of PCI DSS, but when the specific goal of protecting cardholder data is in view, encrypting data in transmission is usually regarded as the more direct and critical measure, because encryption directly prevents unauthorized parties from accessing sensitive information while the data is in transit. Regularly testing security systems and processes, although an important security measure, is seen more as a way of ensuring the effectiveness of the overall security posture rather than a measure aimed directly at protecting specific data such as cardholder data.
Which of the following is a common document found in the revenue cycle?
A. Packing slip
B. Voucher
C. Bill of materials
D. Bank statement
<A>
Revenue cycle
Common document: packing slip
Description: a document listing the shipped items and their quantities, used for checking at the time of shipment.
Purchasing and disbursement cycle
Common document: voucher
Description: a document used to record the details of a purchase transaction and to authorize payment.
Manufacturing cycle
Common document: bill of materials
Description: a list of all raw materials, parts, and components needed to manufacture a specific product.
Finance and reporting cycle
Common document: bank statement
Description: a document provided by the bank listing all transactions and balances of an account for a given period.
Sunriss Corp. is trying to minimize its system availability risk by enhancing database redundancy. Lacker only has one location, so it most likely will employ which of the following practices?
A. Mirroring
B. Network security controls
C. Replication
D. Infrastructure capacity monitoring
<1>
Replication and mirroring address redundancy mainly from a storage perspective, because they copy the database to a backup database on a backup machine.
Although both replication and mirroring support database redundancy, they achieve it differently. Mirroring involves copying the database to a different machine at the same site, while replication also involves transferring the data to a different database at a secondary site.
Which governance system principle under COBIT 2019 is best described as the creation of value for the company’s key groups and key parties by balancing benefits, risks, and resources?
A. End-to-end governance system
B. Tailored to enterprise needs
C. Dynamic governance system
D. Provide stakeholder value
<4>
Choice “D” is correct. The first COBIT 2019 principle, “Provide stakeholder value”, describes how the governance system should create value for the company’s stakeholders by balancing benefits, risks, and resources. This should be achieved through a well-designed governance system together with an actionable strategy.
Choice “A” is incorrect. The sixth COBIT 2019 principle, “End-to-end governance system”, explains that all processes within the organization that involve information and technology should be included in the governance system.
Shoe-ify Inc. is a new platform that lets companies design shoes based on their customers’ foot shapes and running pronation patterns. The platform serves as an online marketplace that allows companies’ customers to design shoes, which the company then builds and sells to the customer. Shoe-ify also provides other turn-key functions such as built-in direct marketing services, payment processing, and logistics services. This is an example of what type of cloud service provider?
A. Business-Process-as-a-Service
B. Software-as-a-Service
C. Platform-as-a-Service
D. Infrastructure-as-a-Service
<2>
The user’s main purpose is the application itself, not the platform for developing, managing, and maintaining the application.
A. Business-Process-as-a-Service (BPaaS):
Representative examples: ADP (human resources, payroll processing, and tax services), Salesforce’s CRM (customer relationship management).
Characteristics: provides specific business process services such as human resource management, customer relationship management, or accounting services.
B. Software-as-a-Service (SaaS):
Representative examples: Google Workspace (formerly G Suite, cloud office applications), Dropbox (cloud storage), Zoom (video conferencing).
Characteristics: applications used directly by end users, with no local installation or maintenance required.
C. Platform-as-a-Service (PaaS):
Representative examples: Heroku, Microsoft Azure, Google App Engine.
Characteristics: provides developers with the platform and environment needed to develop, run, and manage applications.
D. Infrastructure-as-a-Service (IaaS):
Representative examples: Amazon Web Services (AWS) EC2, Microsoft Azure VM, Google Compute Engine.
Characteristics: provides infrastructure services such as servers, storage, and networking, on which users can run any software, including operating systems and applications.
Which of the following best describes the compliance requirements design factor under COBIT?
A. Compliance demands on the company can be classified as low, medium, or high, where the medium classification indicates that the organization is typical of its industry.
B. Compliance demands on the company can be classified as low, normal, or high, where the normal classification indicates that the organization is typical of its industry.
C. Compliance demands on the company can be classified as one, two, or three, where the three classification indicates that the organization is typical of its industry.
D. Compliance demands on the company can be classified as one, two, or three, where the two classification indicates that the organization is typical of its industry.
<2>
low –> minimal compliance demands,
normal –> typical of its industry,
high –> higher-than-average compliance requirements.
Having an exit strategy for a cloud service provider (CSP) is a response to which of the following risks?
A. CSP violation of service level agreement
B. Unfavorable operational budget variances
C. Favorable regulation changes
D. Lack of application portability (vendor lock-in)
<4>
D. Lack of application portability (vendor lock-in): when an enterprise uses a specific CSP’s services and infrastructure, it may become overly dependent on that vendor’s technology and standards, making it difficult to switch to another vendor’s services or to bring the services back in-house. An exit strategy is essential for reducing this risk; it ensures the enterprise can transition away from the CSP when necessary without major disruption or increased cost.
Relevance of the other options:
A. CSP violation of the service level agreement (SLA): although an exit strategy can be part of a broader response to SLA violations, the primary issue here is usually addressed through SLA terms and monitoring rather than an exit strategy.
B. Unfavorable operational budget variances: budget issues may prompt a review of the CSP arrangement, but they are usually not directly related to the need for an exit strategy.
C. Favorable regulation changes: favorable regulatory changes generally do not make an exit strategy necessary. In fact, such changes may make continued use of the CSP more attractive.
A hedge fund, Pearlin, is a U.S.-based investment company that specializes in what is known as quantamental investing, which makes stock picks based on algorithms that analyze social media posts, news articles, transcripts from earnings calls, and various other text-based sources. Pearlin uses a group based out of India who created the software and runs the algorithm multiple times per day and then sends the results to Pearlin for analysis. This type of business process utilizes:
A. Large language models (LLMs) and insourcing.
B. Robotic process automation (RPA) and offshoring.
C. Outsourcing and natural language processing (NLP).
D. Offshoring and K-means clustering.
<3>
Each of the following may be considered a financial implication of a data breach except for which of the following?
A. Litigation expenses to reach resolutions with other impacted parties harmed by the data breach
B. Revenue lost from current and potential customers who will consider competitors due to the negative impact on the organization’s reputation
C. Communication with vendors temporarily lost due to the data breach, delaying processing of business activities
D. Regulatory fees imposed on the organization by the government due to the data breach
<3>
Choice “C” is an operational implication rather than a financial implication, since communication may be restored after temporary downtime and continue without a significant financial impact.
A SOC report would most likely be issued assessing an opinion on the controls of which entity?
A. Independent auditor of the user entity
B. Service auditor
C. Service organization
D. User entity
<3>
C = service provider
A SOC report is intended to provide an assessment and opinion on the effectiveness of a service organization’s controls. These controls relate to the services the organization provides to its user entities. The service auditor performs the audit and issues the SOC report for the service organization, not for the user entity.
Why not D (user entity): the user entity is the organization that uses the services provided by the service organization.
Which of the following correctly explains independence requirements for a service auditor performing a SOC engagement?
A. Independence is required for a SOC 1 and SOC 2 engagement but not for a SOC 3 engagement.
B. Independence is required between the service auditor and the service organization.
C. Independence is required between the service auditor and the user entity.
D. Independence is required for a Type 2 engagement but not for a Type 1 engagement.
<2>
The user entity, however, is not part of the SOC audit engagement itself. The service auditor’s independence requirement is in relation to the service organization, not each individual user entity.
The service auditor’s client is the service organization, not the user, so independence is only required from the client.
A high-growth, mid-sized organization that previously used rule-based access controls is seeking additional flexibility to allow for analysis of theoretical privileges based on actual privileges. What authorization model would be best for this organization?
A. Role-based access control
B. Risk-based access control
C. Policy-based access control (PBAC)
D. Discretionary access control (DAC)
<3>
A. Role-based access control (RBAC):
Example: in a bank, tellers and branch managers have different access rights. A teller may only access a customer’s basic account information, while a branch manager can access a wider range of data and reports.
B. Risk-based access control:
Example: accessing sensitive financial data may require multi-factor authentication, while accessing ordinary documents requires only a password.
C. Policy-based access control (PBAC):
Example: a company may set a policy that allows employees in certain roles to access specific systems during working hours, with access restricted outside working hours.
Link between the question’s key words and the correct answer: the “analysis of theoretical privileges based on actual privileges” mentioned in the question relates to the dynamic nature and flexibility of PBAC. PBAC can decide access rights based on complex conditions and rules, which gives the organization the flexibility it needs.
D. Discretionary access control (DAC):
Example: the creator of a file can decide which colleagues may view and edit it.
DAC relies more on the discretion of individual users, whereas PBAC relies on security policies pre-defined at the organizational level. DAC may be more flexible in some situations, but PBAC provides a stricter and more consistent approach to protecting sensitive data and maintaining organization-level security standards.
a weakness of the symmetric encryption method?
A. Symmetric encryption applies an algorithm to transform plaintext into cyphertext.
B. Symmetric encryption limits decoding of cyphertext only by using a key with the mathematically encoded algorithm to assure that the sender is who they say they are.
C. Symmetric encryption has keys that are generally longer where one is needed for both encryption and decryption, which impacts speed and operation.
D. Symmetric encryption does not facilitate non-repudiation because any person with the shared key can encrypt and decrypt messages.
<4>
The most likely weakness of symmetric encryption is that it does not facilitate non-repudiation (i.e. the assurance that neither party can deny having sent or received a message), because anyone who holds the shared key can both encrypt and decrypt messages.
Asymmetric encryption (also called public-key encryption) best supports non-repudiation. In asymmetric encryption, two different but mathematically related keys are used: a public key and a private key.
A declaration made by a payroll processor that states that all sensitive user entity employee information entered into its system will be kept private and confidential is an example of a:
A. Complementary user entity control.
B. Trust services criterion.
C. Service commitment.
D. System requirement.
<3>
A. Complementary user entity control:
Definition: controls that the user entity (the customer) must implement to complement the service organization’s controls.
Example: a company using a cloud payroll service implements its own internal controls to ensure that only authorized personnel can access the payroll system interface.
B. Trust services criterion:
Definition: a set of professional criteria used to evaluate a service organization’s controls, particularly with regard to security, availability, processing integrity, confidentiality, and privacy.
Example: a cloud storage provider should ensure that its data centers have sound security measures to prevent unauthorized access, which is consistent with the security criterion of the trust services criteria.
C. Service commitment:
Definition: a commitment or assurance made by a service organization about certain aspects of its services, usually relating to performance, security, or ethical practices.
Example: a payroll processor declares that all sensitive user entity employee information entered into its system will be kept confidential.
D. System requirement:
Definition: specific functions or characteristics a system must have in order to meet business needs and regulatory requirements.
Example: as part of the system requirements for securing accounts, an online banking system requires multi-factor authentication to access user accounts.
Charles works in the marketing department but has an interest in IT and seeks to model appropriate security behaviors.
Which of the following is the best way for Charles to do this?
A. Charles could issue a security assessment report (SAR) to management on behalf of the marketing department.
B. Charles could lead the effort of implementing a security platform or join a full task force to accomplish those goals.
C. Charles could unmask data as part of the system development life cycle.
D. Charles could perform a walkthrough of the confidentiality and privacy processes.
D. Perform a walkthrough of the confidentiality and privacy processes.
This means Charles would check and make sure that he and his department follow the best practices and guidelines set by security professionals when handling data. This includes understanding and complying with company policies and procedures for protecting sensitive information.
Brief explanation of the other options:
A. Issue a security assessment report to management: this is normally the job of security professionals, not the marketing department. It involves assessing the company’s information security posture and testing controls.
B. Lead the implementation of a security platform or join a full-time task force: this is beyond Charles’s responsibilities, and the question does not say whether Charles has the skills or knowledge to implement an IT security platform.
C. Unmask data: unmasking data is usually related to data protection and privacy, but it is not the best way to model security behaviors, especially for a non-IT professional.