CISSP官方模拟测试题Domain.docx

1、CISSP官方模拟测试题Domain1. Angela is an information security architect at a bank and has been assigned to ensure that transactions are secure as they traverse the network. She recommends that all transactions use TLS. What threat is she most likely attempting to stop, and what method is she using to prote

2、ct against it?Angela是一家银行的信息安全架构师，责任是确保交易在通过网络时是安全的。她建议所有交易使用TLS。在这场景中，她最有可能试图阻止什么样的威胁，以及她用什么方法来防范呢？A. Man-in-the-middle, VPN 中间人，VPNB. Packet injection, encryption 数据包注入，加密C. Sniffing, encryption 嗅探，加密D. Sniffing, TEMPEST 嗅探，TEMPESTAnswer: CEncryption is often used to protect traffic like bank tran

3、sactions from sniffing. While packet injection and man-in-the-middle attacks are possible, they are far less likely to occur, and if a VPN were used, it would be used to provide encryption. TEMPEST is a specification for techniques used to prevent spying using electromagnetic emissions and wouldnt b

4、e used to stop attacks at any normal bank.加密通常用于保护流量，如银行交易免受嗅探。虽然数据包注入和中间人攻击是可能的，但它们发生的可能性要小得多，而且如果使用VPN，它将用于提供加密。TEMPEST是用于防止使用电磁辐射进行间谍活动的技术规范，不会用于阻止任何正常银行的攻击。2. COBIT, Control Objectives for Information and Related Technology, is a framework for IT management and governance. Which data management

5、role is most likely to select and apply COBIT to balance the need for security controls against business requirements?COBIT（信息和相关技术的控制目标），是IT管理和治理的框架。哪个数据管理角色最有可能选择和应用COBIT来平衡安全控制对业务需求的需求？A. Business owners 企业所有者B. Data processors 数据处理器C. Data owners 数据所有者D. Data stewards 数据管理员Answer: ABusiness owne

6、rs have to balance the need to provide value with regulatory, security, and other requirements. This makes the adoption of a common framework like COBIT attractive. Data owners are more likely to ask that those responsible for control selection identify a standard to use. Data processors are require

7、d to perform specific actions under regulations like the EU DPD. Finally, in many organizations, data stewards are internal roles that oversee how data is used.企业所有者必须平衡将价值与监管、安全和其他需求相结合的需要。这使得像COBIT这样的通用框架具有吸引力。数据所有者更可能要求负责控制选择的人员确定要使用的标准。数据处理器需要根据欧盟DPD等法规执行具体的行动。最后，在许多组织中，数据管理员是监督数据如何使用的内部角色。3. Wh

8、at term is used to describe a starting point for a minimum-security standard? 用什么术语来描述最低安全标准的出发点？A. Outline大纲B. Baseline基线C. Policy政策（策略）D. Configuration guide配置指南Answer: BA baseline is used to ensure a minimum-security standard. A policy is the foundation that a standard may point to for authority,

9、 and a configuration guide may be built from a baseline to help staff who need to implement it to accomplish their task. An outline is helpful, but outline isnt the term youre looking for here.基线用于确保最低安全标准。策略是标准可能指向权威的基础，可以从基线构建配置指南，帮助需要实施它的人员完成任务。大纲是有帮助的，但大纲不是你在这里寻找的术语。4. When media is labeled base

10、d on the classification of the data it contains, what rule is typically applied regarding labels?当媒体（介质）根据其所包含的数据分类（密级）进行标记时，通常应用了哪些关于标签的规则？A. The data is labeled based on its integrity requirements. 数据根据其完整性要求进行标记B. The media is labeled based on the highest classification level of the data it conta

11、ins. 媒体（介质）根据其包含的数据的最高分类（密级）等级进行标记C. The media is labeled with all levels of classification of the data it contains. 媒体（介质）上标记它所包含数据的所有分类（密级）等级D. The media is labeled with the lowest level of classification of the data it contains. 媒体（介质）标记所含数据的最低分类（密级）等级Answer: BMedia is typically labeled with the

12、highest classification level of data it contains. This prevents the data from being handled or accessible at a lower classification level. Data integrity requirements may be part of a classification process but dont independently drive labeling in a classification scheme.媒体（介质）通常以其所包含的最高分类（密级）等级的数据标

13、记。这可以防止在较低的分类（密级）级别处理或访问数据。数据完整性要求可能是分类（定级）过程的一部分，但不能独立推动分类（定级）方案中的标签。5. The need to protect sensitive data drives what administrative process?保护敏感数据的需求驱动了什么管理性过程？A. Information classification 信息分类（定级）B. Remanence 残留C. Transmitting data 数据传输D. Clearing 清除Answer: AThe need to protect sensitive data d

14、rives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isnt a driver for an administrative proces

15、s to protect sensitive data, and clearing is a technical process for removing data from media.保护敏感数据的需要会驱动信息分类（定级）。这使得组织可以专注于需要保护的数据，而不在不太重要的数据上费力。残留描述了在尝试删除数据后仍遗留在媒体上的数据。数据传输不是保护敏感数据的管理过程的驱动程序，清除是从媒体中删除数据的技术过程。注意数据保留（retention）和数据残留（remanence）的区别，数据保留（retention）是由于价值或审计监管的需求而要存下来，有“挽留”的感觉；数据残留（rema

16、nence）是应消灭但技术上没能删除干净，有“赶不走”的意思。6. How can a data retention policy help to reduce liabilities?数据保留策略如何有助于减少负担？A. By ensuring that unneeded data isnt retained通过确保不需要的数据不被保留B. By ensuring that incriminating data is destroyed确保不合法的数据被销毁C. By ensuring that data is securely wiped so it cannot be restored

17、for legal discovery通过确保数据安全地被擦除，无法合法恢复还原D. By reducing the cost of data storage required by law通过降低法律要求的数据存储成本Answer: AA data retention policy can help to ensure that outdated data is purged, removing potential additional costs for discovery. Many organizations have aggressive retention policies to

18、both reduce the cost of storage and limit the amount of data that is kept on hand and discoverable. Data retention policies are not designed to destroy incriminating data, and legal requirements for data retention must still be met.数据保留策略可以帮助确保过期数据被清除，从而消除潜在的额外发现成本。许多组织都采取积极的保留策略，既可以降低存储成本，又可以限制现有的可

19、发现数据量。数据保留策略的目的不仅是为了销毁不合法数据，还必须符合数据保留的法律要求。7. Staff in an IT department who are delegated responsibility for day-to-day tasks hold what data role?负责日常任务的IT部门工作人员担任什么数据角色？A. Business owner业务所有者B. User用户C. Data processor数据处理器D. Custodian保管人Answer: DCustodians are delegated the role of handling day-to-

20、day tasks by managing and overseeing how data is handled, stored, and protected. Data processors are systems used to process data. Business owners are typically project or system owners who are tasked with making sure systems provide value to their users or customers.通过管理和监督数据如何处理，存储和保护，托管人被赋予处理日常任务

21、的角色。数据处理器是用来处理数据的系统。业务所有者通常是负责确保系统为其用户或客户提供价值的项目或系统的所有者。8. Susan works for an American company that conducts business with customers in the European Union. What is she likely to have to do if she is responsible for handling PII from those customers?Susan在一家与欧盟客户开展业务的美国公司工作。如果她负责处理这些客户的个人身份信息，她可能需要做些

22、什么？A. Encrypt the data at all times. 在任何时候加密数据B. Label and classify the data according to HIPAA. 根据HIPAA标记和分类数据C. Conduct yearly assessments to the EU DPD baseline. 对欧盟DPD基线进行年度评估D. Comply with the US-EU Safe Harbor requirements. 遵守美国-欧盟安全港协议的要求Answer: DSafe Harbor compliance helps US companies meet

23、 the EU Data Protection Directive. Yearly assessments may be useful, but they arent required. HIPAA is a US law that applies specifically to healthcare and related organizations, and encrypting all data all the time is impossible (at least if you want to use the data!).符合安全港协议有助于美国公司达到欧盟数据保护指令。年度评估可

24、能是有用的，但不是必需的。HIPAA是一项专门适用于医疗保健和相关组织的美国法律。另外始终加密所有数据是不可能的（至少如果您要使用这些数据的时候！）。注：美国-欧盟安全港协议目前已被美国-欧盟隐私保护框架替代。9. Ben has been tasked with identifying security controls for systems covered by his organizations information classification system. Why might Ben choose to use a security baseline?Ben的任务是确定其组织信

25、息分类体系所涵盖的系统的安全控制。为什么Ben可以选择使用安全基线？A. It applies in all circumstances, allowing consistent security controls. 它适用于所有情况，允许一致的安全控制B. They are approved by industry standards bodies, preventing liability. 由行业标准机构批准，预防追责C. They provide a good starting point that can be tailored to organizational needs. 他们

26、提供了一个可以根据组织需求量身定制的良好起点D. They ensure that systems are always in a secure state. 他们确保系统始终处于安全状态Answer: CSecurity baselines provide a starting point to scope and tailor security controls to your organizations needs. They arent always appropriate to specific organizational needs, they cannot ensure tha

27、t systems are always in a secure state, nor do they prevent liability.安全基线提供了一个起点，可以根据组织的需求定制安全控制。它们并不总是适合具体的组织需求，它们不能确保系统总是处于安全状态，也不能预防追责。10. What term is used to describe overwriting media to allow for its reuse in an environment operating at the same sensitivity level?哪个术语用来描述覆盖介质，以便在相同敏感级别的环境中重复

28、使用？A. Clearing 清除B. Erasing 擦除C. Purging 消除D. Sanitization 净化Answer: AClearing describes preparing media for reuse. When media is cleared, unclassified data is written over all addressable locations on the media. Once thats completed, the media can be reused. Erasing is the deletion of files or medi

29、a. Purging is a more intensive form of clearing for reuse in lower security areas, and sanitization is a series of processes that removes data from a system or media while ensuring that the data is unrecoverable by any means.清除准备介质重用。当介质被清除时，不涉密的数据被写在介质上的所有可寻址位置上。一旦完成，媒体可以重复使用。擦除是删除文件或媒体。清除是在较低安全区域进

30、行更加密集的重用清理形式，清理是一系列从系统或媒体中删除数据的过程，同时确保数据无法以任何方式恢复。注：1）效果上erasing擦除clearing清除= overwriting复写purging消除degaussing消磁 destruction销毁，但destruction销毁的花费比degaussing消磁要低； 2）erasing擦除、clearing清除、purging消除、degaussing消磁是针对数字介质的，destruction销毁的对象也以数字介质为主，sanitization净化的对象就广泛一些，可以是介质也可以是带存储介质的设备；3）sanitization净化是可能

31、包含purging消除、removing移除、destruction销毁的一系列动作，目的是确保介质或设备中的数据无法被任何手段恢复，常见场景是在物理资产报废（可能丢弃也可能做剩余价值回收resale）时必须摧毁物理资产中存有的数据；4）如果在相同的安全域中重用，clearing清除就够了，但如果介质或包含存储介质的设备需要重用（reuse或resale），又没有承诺保留在原安全域范围内，则要求sanitization净化；5）这一部分术语在中文版考试中的翻译用词不可预测，所以不要只按中文记，考试的时候一定要看英文确认；11. Which of the following classifica

32、tion levels is the US governments classification label for data that could cause damage but wouldnt cause serious or grave damage?以下哪个分类（密级）级别是美国政府的数据分类（密级）标签，代表受侵害后可能会造成损害，但不会造成严重或特别严重的损害？A. Top Secret绝密B. Secret机密C. Confidential秘密D. Classified分类Answer: CThe US government uses the label Confidential for data that could cause damage if it was disclosed without authorization. Exposure of Top Secret data is considered to potentially cause grave damage, while Secret data