




Domain 1: Security and Risk Management

1. What is the final step of a quantitative risk analysis?
A. Determine asset value.
B. Assess the annualized rate of occurrence.
C. Derive the annualized loss expectancy.
D. Conduct a cost/benefit analysis.
Answer: D
The final step of a quantitative risk analysis is conducting a cost/benefit analysis to determine whether the organization should implement the proposed countermeasure(s).

2. An evil twin attack that broadcasts a legitimate SSID for an unauthorized network is an example of what category of threat?
A. Spoofing
B. Information disclosure
C. Repudiation
D. Tampering
Answer: A
Spoofing attacks use falsified identities. Spoofing attacks may use false IP addresses, email addresses, names, or, in the case of an evil twin attack, SSIDs.

3. Under the Digital Millennium Copyright Act (DMCA), what type of offenses do not require prompt action by an Internet service provider after it receives a notification of infringement claim from a copyright holder?
A. Storage of information by a customer on a provider's server
B. Caching of information by the provider
C. Transmission of information over the provider's network by a customer
D. Caching of information in a provider search engine
Answer: C
The DMCA states that providers are not responsible for the transitory activities of their users. Transmission of information over a network would qualify for this exemption. The other activities listed are all non-transitory actions that require remediation by the provider.

4. FlyAway Travel has offices in both the European Union and the United States and transfers personal information between those offices regularly. Which of the seven requirements for processing personal information states that organizations must inform individuals about how the information they collect is used?
A. Notice
B. Choice
C. Onward Transfer
D. Enforcement
Answer: A
The Notice principle says that organizations must inform individuals of the information the organization collects about individuals and how the organization will use it. These principles are based upon the Safe Harbor Privacy Principles issued by the US Department of Commerce in 2000 to help US companies comply with EU and Swiss privacy laws when collecting, storing, processing or transmitting data on EU or Swiss citizens.
Note: The seven Safe Harbor principles are (1) Notice, (2) Choice, (3) Onward Transfer, (4) Security, (5) Data Integrity, (6) Access and (7) Enforcement. The Safe Harbor agreement has been ruled invalid by the Court of Justice of the European Union and was replaced by the EU-U.S. Privacy Shield Framework, which carries forward and develops these seven principles.

5. Which one of the following is not one of the three common threat modeling techniques?
A. Focused on assets
B. Focused on attackers
C. Focused on software
D. Focused on social engineering
Answer: D
The three common threat modeling techniques are focused on attackers, software, and assets. Social engineering is a subset of attackers.

6. Which one of the following elements of information is not considered personally identifiable information that would trigger most US state data breach laws?
A. Student identification number
B. Social Security number
C. Driver's license number
D. Credit card number
Answer: A
Most state data breach notification laws are modeled after California's law, which covers Social Security number, driver's license number, state identification card number, credit/debit card numbers, bank account numbers (in conjunction with a PIN or password), medical records, and health insurance information.

7. In 1991, the federal sentencing guidelines formalized a rule that requires senior executives to take personal responsibility for information security matters. What is the name of this rule?
A. Due diligence rule
B. Personal liability rule
C. Prudent man rule
D. Due process rule
Answer: C
The prudent man rule requires that senior executives take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. The rule originally applied to financial matters, but the Federal Sentencing Guidelines applied it to information security matters in 1991.

8. Which one of the following provides an authentication mechanism that would be appropriate for pairing with a password to achieve multifactor authentication?
A. Username
B. PIN
C. Security question
D. Fingerprint scan
Answer: D
A fingerprint scan is an example of a "something you are" factor, which would be appropriate for pairing with a "something you know" password to achieve multifactor authentication. A username is not an authentication factor. PINs and security questions are both "something you know," which would not achieve multifactor authentication when paired with a password because both methods would come from the same category, failing the requirement for multifactor authentication.

9. What United States government agency is responsible for administering the terms of safe harbor agreements between the European Union and the United States under the EU Data Protection Directive?
A. Department of Defense
B. Department of the Treasury
C. State Department
D. Department of Commerce
Answer: D
The US Department of Commerce is responsible for implementing the EU-US Safe Harbor agreement. The validity of this agreement was in legal question in the wake of the NSA surveillance (PRISM) disclosures.

10. Yolanda is the chief privacy officer for a financial institution and is researching privacy issues related to customer checking accounts. Which one of the following laws is most likely to apply to this situation?
A. GLBA (Gramm-Leach-Bliley Act)
B. SOX (Sarbanes-Oxley Act)
C. HIPAA (Health Insurance Portability and Accountability Act)
D. FERPA (Family Educational Rights and Privacy Act)
Answer: A
The Gramm-Leach-Bliley Act (GLBA) contains provisions regulating the privacy of customer financial information. It applies specifically to financial institutions.

11. Tim's organization recently received a contract to conduct sponsored research as a government contractor. What law now likely applies to the information systems involved in this contract?
A. FISMA (Federal Information Security Management Act)
B. PCI DSS (Payment Card Industry Data Security Standard)
C. HIPAA (Health Insurance Portability and Accountability Act)
D. GISRA (Government Information Security Reform Act)
Answer: A
The Federal Information Security Management Act (FISMA) specifically applies to government contractors. The Government Information Security Reform Act (GISRA) was the precursor to FISMA and expired in November 2002. HIPAA and PCI DSS apply to healthcare and credit card information, respectively.

12. Chris is advising travelers from his organization who will be visiting many different countries overseas. He is concerned about compliance with export control laws. Which of the following technologies is most likely to trigger these regulations?
A. Memory chips
B. Office productivity applications
C. Hard drives
D. Encryption software
Answer: D
The export of encryption software to certain countries is regulated under US export control laws.

13. Bobbi is investigating a security incident and discovers that an attacker began with a normal user account but managed to exploit a system vulnerability to provide that account with administrative rights. What type of attack took place under the STRIDE model?
A. Spoofing
B. Repudiation
C. Tampering
D. Elevation of privilege
Answer: D
In an elevation of privilege attack, the attacker transforms a limited user account into an account with greater privileges, powers, and/or access to the system. Spoofing attacks falsify an identity, while repudiation attacks attempt to deny accountability for an action. Tampering attacks attempt to violate the integrity of information or resources.
Note: STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege.

14. You are completing your business continuity planning effort and have decided that you wish to accept one of the risks. What should you do next?
A. Implement new security controls to reduce the risk level.
B. Design a disaster recovery plan.
C. Repeat the business impact assessment.
D. Document your decision-making process.
Answer: D
Whenever you choose to accept a risk, you should maintain detailed documentation of the risk acceptance process to satisfy auditors in the future. This should happen before implementing security controls, designing a disaster recovery plan, or repeating the business impact analysis (BIA).

15. Which one of the following control categories does not accurately describe a fence around a facility?
A. Physical
B. Detective
C. Deterrent
D. Preventive
Answer: B
A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.
Note: A deterrent should be understood as something that counteracts or discourages a bad intention. It is generally visible, and includes raising the difficulty and cost of an intrusion, raising the probability of being discovered, and stated or enforced penalties. In this question, the fence raises the difficulty of intrusion and the probability of being discovered.

16. Tony is developing a business continuity plan and is having difficulty prioritizing resources because of the difficulty of combining information about tangible and intangible assets. What would be the most effective risk assessment approach for him to use?
A. Quantitative risk assessment
B. Qualitative risk assessment
C. Neither quantitative nor qualitative risk assessment
D. Combination of quantitative and qualitative risk assessment
Answer: D
Tony would see the best results by combining elements of quantitative and qualitative risk assessment. Quantitative risk assessment excels at analyzing financial risk, while qualitative risk assessment is a good tool for intangible risks. Combining the two techniques provides a well-rounded risk picture.

17. What law provides intellectual property protection to the holders of trade secrets?
A. Copyright Law
B. Lanham Act (the US trademark law)
C. Glass-Steagall Act (also known as the Banking Act of 1933)
D. Economic Espionage Act
Answer: D
The Economic Espionage Act imposes fines and jail sentences on anyone found guilty of stealing trade secrets from a US corporation. It gives true teeth to the intellectual property rights of trade secret owners.

18. Which one of the following principles imposes a standard of care upon an individual that is broad and equivalent to what one would expect from a reasonable person under the circumstances?
A. Due diligence
B. Separation of duties
C. Due care
D. Least privilege
Answer: C
The due care principle states that an individual should react in a situation using the same level of care that would be expected from any reasonable person. It is a very broad standard. The due diligence principle is a more specific component of due care that states that an individual assigned a responsibility should exercise due care to complete it accurately and in a timely manner.

19. Darcy is designing a fault tolerant system and wants to implement RAID-5 for her system. What is the minimum number of physical hard disks she can use to build this system?
A. One
B. Two
C. Three
D. Five
Answer: C
RAID level 5, disk striping with parity, requires a minimum of three physical hard disks to operate.

20. Which one of the following is an example of an administrative control?
A. Intrusion detection system
B. Security awareness training
C. Firewalls
D. Security guards
Answer: B
Awareness training is an example of an administrative control. Firewalls and intrusion detection systems are technical controls. Security guards are physical controls.

21. Keenan Systems recently developed a new manufacturing process for microprocessors. The company wants to license the technology to other companies for use but wishes to prevent unauthorized use of the technology. What type of intellectual property protection is best suited for this situation?
A. Patent
B. Trade secret
C. Copyright
D. Trademark
Answer: A
Patents and trade secrets can both protect intellectual property related to a manufacturing process. Trade secrets are appropriate only when the details can be tightly controlled within an organization, so a patent is the appropriate solution in this case.

22. Which one of the following actions might be taken as part of a business continuity plan?
A. Restoring from backup tapes
B. Implementing RAID
C. Relocating to a cold site
D. Restarting business operations
Answer: B
RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

23. When developing a business impact analysis, the team should first create a list of assets. What should happen next?
A. Identify vulnerabilities in each asset.
B. Determine the risks facing the asset.
C. Develop a value for each asset.
D. Identify threats facing each asset.
Answer: C
After developing a list of assets, the business impact analysis team should assign values to each asset.

24. Mike recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. What type of risk management strategy is Mike pursuing?
A. Risk acceptance
B. Risk avoidance
C. Risk mitigation
D. Risk transference
Answer: C
Risk mitigation strategies attempt to lower the probability and/or impact of a risk occurring. Intrusion prevention systems attempt to reduce the probability of a successful attack and are, therefore, examples of risk mitigation.

25. Which one of the following is an example of physical infrastructure hardening?
A. Antivirus software
B. Hardware-based network firewall
C. Two-factor authentication
D. Fire suppression system
Answer: D
Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical (technical) controls.

26. Which one of the following is normally used as an authorization tool?
A. ACL
B. Token
C. Username