1. Alice has some data that is extremely valuable. She backs it up from her computer to a flash stick, and she puts the flash stick in a safe deposit box(保險櫃). Which two principles s of the CIA triad does this address? A. Confidentiality and integrity B. Confidentiality and availability C. Integrity and availability D. Availability and nonrepudiation
The correct answer is B. Alice is ensuring a form of availability by having a backup; if her laptop is lost, stolen, or malfunctions, she does not She is also providing a form of confidentiality by locking up the flash stick this practice deters the ability of others to access the flash stick. (Note this ONLY provides confidentiality for the Flash stick; we have no idea she is also providing confidentiality to the data while it is live on her laptop) The question does not describe any practice that could measure integrity protection, and the CIA triad do Es not deal with nonrepudiation.
6. To comply with the payment card industry data security standard (PCI DSS), what data element must not be stored for any length of time beyond the transaction? A. Cardholder's name B. Social Security number C. IP address D.Card verification value (CVV)
The correct answer is D. PCI DSS prohibits(禁止) storage of the CVV for any time beyond the transaction.
- Which of the following describes a personnel security tool that should not require the employee’s signature? A. Nondisclosure agreement (NDA)
B. Personnel security policy
C. Acceptable use policy (AUP)
D. Contract
The correct answer is B. The organization’s security policy Is promulgated(頒布) by senior management, and all personnel must comply with it; the employee does not need to sign it. All the other answers are tools that should include the employee’s signature.
- What is the correct order of the asset lifecycle phases?
A. Create, use, share, store, archive, and destroy
B. Create, share, use, archive, store, and destroy
C. Create, store, use, share, archive , and destroy
D. Create, share, archive, use, store, and destroy
The correct answer is C. This is the correct order of the lifecycle phases of assets: create, store, use, share, archive, and destroy. This is According to the Securosis Blog. Asset classification, therefore, needs to be able to protect assets in whatever phase they are in.
- Which of the following is the BEST definition of defensible destruction?
A. The destruction of assets using defense approved methods
B. The destruction of assets using a controlled, legally defensible, and compliant way
C. The destruction of assets without the opportunity of The recovery of those assets
D. The destruction of assets using a method that may not allow attackers to recover data
The correct answer is B. The perfect definition of legally defensible destruction of assets, which should end the asset lifecycle, is eliminated data using a Controlled, legally defensible, and regulatory compliant way.
4. In an environment where asset classification has been implemented to address the requirements of privacy protection, who in the following list is considered to be the "owner" and, therefore, has t accountability to ensure that the requirements for protection and compliance are addressed properly? A.Data processor B. Data subject C. Data controller D. Data steward
The correct answer is C. In specific privacy legislation, the roles for accountability of protection of subject’s personal privacy information is assigned to the data controller. The “owner” and, therefore have the accountability to protect based on requirements legislative and legal requirements.
5. Which of the following is NOT an Organization for Economic Cooperation and Development (OECD) principle of privacy protection? A. Collection Limitation Principle B. Right to be Forgotten Principle C. Use Limitation Principle D. Accountability Principle
The correct answer is B. The right to be forgotten principle is not principle addressed in the OECD guidelines for privacy protection. It has been introduced and is part of the privacy legislation in Europe and Argentina since 2006 and is part of the new General Data Protection Regulation (GDPR) to take effect in Europe. #Collection Limitation Principle#Data Quality Principle#Purpose Specification#Use Limitation Principle#Security Safeguards Principle#Openness Principle#Individual Participation Principle#Accountability Principle
- Which of the following is not an objective of baseline security controls used in protecting assets?
A. Specific steps that must be executed
B. Minimum level of security controls
C. May be associated with specific architectures and systems
D. A consistent reference point
The correct answer is A. Specific steps required to be executed are actually examples of procedures, not baseline. A baseline is a minimun level of security that must be achieved so that they can be consistently referenced and may be specific to certain architectures and systems.
- Which of the following is the BEST definition of “scoping”?
A. Altering baselines to apply specifically more
B. Modifying assumptions based on previous learned behavior
C. Limiting general baseline recommendations by removing those that do not apply goals and objectives
D. Responsible protection of assets based on
The correct answer is C. Limiting recommendations by removing those that do not apply is “scoping.” You are apply in the environments that you are trying to understand fully, from the perspective of protecting assets.
1. Requirements definition, design, implementation, and operation examples of what type of System and Security Engineering processes? A. Technology processes B. Acquisition processes C. Design processes D.Technical processes
The correct answer is D. A is incorrect terminology. B And C are specific processes, not types of processes.
2. One security model includes a set of rules that can has already accessed in order to prevent any potential conflict of interest. This model is known as the: A.Biba model B. Brewer /Nash model C.Graham-Denning model D. Harrison, Ruzzo, Ullman model
The correct answer is B. A, C, and D are models that describe an information system’s rules for operation, but those rules are universally. The Brewer/Nash Model is the only model that explicitly addressed conflicts of interest.
- Select the best answer. Inheritable or “common” security controls are characterized as:
A. Controls that are passed down from older systems to new systems through code sharing
B. Introduces unacceptable risk in most systems
C. Controls that are never assessed in an operational environment
D Controls that are provided from one system to another in an operational environment
The correct answer is D. D is the correct definition of the term. A, B. and C are not types of controls. All controls must be assessed whether inherited or not And while inheritable controls may introduce risk if not operating properly, they do not generally introduce unacceptable risk, which makes D a better answer
- Three common types of industrial control systems include:
A. Supervisory control and data acquisition, distributed control systems, programmable logic controllers
B. Supervisory control and data anonymization, distributed control systems, programmable logic capability
C. Supervisory control and data anonymization(匿名), distributed chip systems, programmable Logic controllers
D. Supervisory control and data acquisition, distributed chip systems, programmable logic capability
The correct answer is A. Items B, C, and D compliant incorrect terminology. #Programmable Logic Controllers (PLC)#Distributed Control System (DCS)#Supervisory Control and Data Acquisition (SCADA)
- The tour most common types of sprinkler systems are:
A. Soaking, wet pipe, dry pipe, and pre-action
B. Wet pipe, dry pipe, deluge, and pre-action
C. Wet pipe, dry pipe, soaking And hybrid
D. Dry pipe, soaking, deluge, and hybrid
The correct answer is B. Items A, C, and D each contain at least a worst element #背起來
- You have inherited a version 1 Simple Network Management Protocol (SNMP) system. What is the primary risk associated with utilizing this version?
A. Unencrypted traffic
B. Routers rejecting “gets”
C. Switches rejecting “not”
D. Connecting to systems without Authentication
The correct answer is D. A rogue user can simply connect to an SNMPv1 system by means of a public or private community string without need for authentication.
10. At. what plane can you locate routers and switches in software defined network (SDN)? A. Data-link and network plane B. Data plane C. Control plane D. Application plane
The correct answer is B. Routers and switches are in the data plne.
- What are the two primary types of access control systems, and what in one way that access control systems are maintained?
A. Physical and network; due diligence
B. Deterrent and corrective; due care and due diligence as much security
C. Integrity and availability; by applied as can be safelly
D.Logical and physical; central administration of access contro systems
The correct answer is D. NIST SP 800-53 defines two primary access control systems, logical and physical, and both are maintained by administration And security policy. Due diligence and care are overarching organizational postures and actions that aid in avoiding the accusation of negligence and liability. Using as much security as can be safely applied is not a prudent approach to security and doesn’t the question. Integrity and Availability information security. overarching tenants of information security.
2. What actions specify enrolling(注冊) and the opposite of enrolling user IDs within an organization? A. Identity creation and disposition B. Disposition only C.Creation only D. Provisioning and deprovisioning
The correct answer is D. Identity creation is an activity that would be included in provisioning, But the only correct answer is provisioning and deprovisioning.
- What are the three roles within Security Assertion Markup Language (SAML)?
A. Identity provider, relying party, service provider
B. Identity provider, relying party, user
C Identity provider, service provider, relative token
D.Attributes, principal, bindings
The Correct answer is B. Attributes and bindings are components of SAML. Relative token is a distractor. Relying party is an alternate term for a service provider.
#SPML:Client/PSP/PST
#SAML:Identity provider, relying party, user
#OpenID: End user/Relying party/OpenID provider
#OAuth: Client/Resource server/Authorization server/Resource owner
ref:http://lab.hiiir.com/wp-content/uploads/2016/10/OAuth.pdf
- Name two roles related to Open Authorization (OAuth).
A. Resource provider, resource server
B. Resource provider, resource relying party
C. Authorization server, resource server
D. Authorization server, authorization owner
The correct answer is C. There isn’t a resource provider owner in OAuth, but there is a resource owner and server. There is also no authorization owner.
- If an organization demanded that an enrolling party or claimant needed to present themselves in person at an onrolling agent to authenticate their assertion to their identity, what level of assurance would they be providing according to NIST SP 800-63-3?
A. IAL1
B. IAL 2
C. IAL 3
D.None of the above in-person authentication
The correct answer is B. IAL2 is remote or of an identity. IAL 1 is self-assertion. IAL 3 is assertion verified by a credential service provider.
8. Special Publications 800-53r4 defines physical as an automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based access control on (a). A. Audit and assurance B. Scoping and tailoring C. Guidelines and tailoring D.Set of authorization rules
The correct answer is D. Tailoring and scoping are used to apply set of controls within an environment that fit the internal requirement utilizing specific controls. Auditing the controls would provide assurance about the effectiveness of the controls. 工三小
- If an organization’s security assessment and testing plans include both internal and external testing, in what order should the test be performed?
A. Always choose the order based upon cost/benefit analysis
B. Internal testing
C. External testing
D. Internal and external testing should be performed simultaneous
The correct answer is C. External testing is performed first so as not to provide leakage from insider information to outsider environments. Internal and external testing would not be done done simulataneously otherwise the indentification of valunerabilities sources could be misconstrued. Cost/benefit analysis would not be a primary justification for choosing which testing should be accomplished first.
2. This type of testing would inform an organization of the vulnerabilities that could be exposed by a bad actor with little Or information about the organization's systems. A. Internal testing B. Nocturnal testing C. External testing D. White-box testing
The correct answer is C. External testing is done to emulate an attacker that is outside of the organization’s perimeter. Nocturnal testing doesn’t exist. External testing by its definition doesn’t have insider Information that would be identified with white-box testing.
