Number: CISSP
Passing Score: 800
Time Limit: 120 min
CISSP.exam.715q
https://www.gratisexam.com/
CISSP
Certified Information Systems Security Professional
Sections
1. Asset Security
2. Security Engineering
3. Communication and Network Security
4. Identity and Access Management
5. Security Assessment and Testing
6. Security Operations
7. Software Development Security
Exam A
QUESTION 1
The owner of a system should have the confidence that the system will behave according to its specifications. This is termed as:
A. Integrity
B. Accountability
C. Assurance
D. Availability
Correct Answer: C
Section: Asset Security
Explanation:
In a trusted system, all protection mechanisms work together to process sensitive data for many types of uses, and will provide the necessary level of protection per
classification level. Assurance looks at the same issues but in more depth and detail. Systems that provide higher levels of assurance have been tested extensively
and have had their designs thoroughly inspected, their development stages reviewed, and their technical specifications and test plans evaluated.
In the Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, the lower assurance level ratings look at a system’s
protection mechanisms and testing results to produce an assurance rating, but the higher assurance level ratings look more at the system design, specifications,
development procedures, supporting documentation, and testing results. The protection mechanisms in the higher assurance level systems may not necessarily be
much different from those in the lower assurance level systems, but the way they were designed and built is under much more scrutiny. With this extra scrutiny
comes higher levels of assurance of the trust that can be put into a system.
Incorrect Answers:
A: Integrity ensures that data and systems are not modified in an unauthorized or undetected way. This is not what is described in the question.
B: Accountability is a security principle indicating that individuals must be identifiable and must be held responsible for their actions. This is not what is described in
the question.
D: Availability ensures reliability and timely access to data and resources to authorized individuals.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 390-391
QUESTION 2
The US Department of Health, Education and Welfare (HEW) developed a list of fair information practices focused on the privacy of individually identifiable
personal information. Which one of the following is incorrect?
A. There must be a way for a person to find out what information about them exists and how it is used.
B. There must be a personal data record-keeping system whose very existence shall be kept secret.
C. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another
purpose without their consent.
D. Any organization creating, maintaining, using, or disseminating records of personal identifiable information must ensure reliability of the data for their intended
use and must make precautions to prevent misuses of that data.
Correct Answer: B
Section: Asset Security
Explanation:
Fair Information Practice was first developed in the United States in the 1970s by the Department of Health, Education and Welfare (HEW). The first HEW
principle is the opposite of option B: there must be no personal data record-keeping system whose very existence is secret.
Incorrect Answers:
A: HEW Fair Information Practices include that there must be a way for an individual to find out what information about them is in a record, how it is used, and
to review it for accuracy.
C: HEW Fair Information Practices include:
- For all data collected there should be a stated purpose.
- Information collected about an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the
individual.
D: HEW Fair Information Practices include:
- Records kept on an individual should be accurate and up to date.
- Data should be deleted when it is no longer needed for the stated purpose.
References:
https://en.wikipedia.org/wiki/Information_privacy_law
QUESTION 3
The typical computer fraudsters are usually persons with which of the following characteristics?
A. They have had previous contact with law enforcement
B. They conspire with others
C. They hold a position of trust
D. They deviate from the accepted norms of society
Correct Answer: C
Section: Asset Security
Explanation:
It is easy for people placed in a position of trust to commit fraud, because they are considered trustworthy and their actions receive less scrutiny.
Incorrect Answers:
A: A fraudster may very well have a clean legal record. This, in combination with a position of trust, makes him/her hard to detect.
B: It is not typical for a fraudster to conspire with other persons; the fraudster usually acts alone.
D: A fraudster can very well follow the accepted norms of society, and this makes him/her harder to detect.
References:
http://www.justice4you.org/fraud-fraudster.php
QUESTION 4
The US-EU Safe Harbor process has been created to address which of the following?
A. Integrity of data transferred between U.S. and European companies
B. Confidentiality of data transferred between U.S and European companies
C. Protection of personal data transferred between U.S and European companies
D. Confidentiality of data transferred between European and international companies
Correct Answer: C
Section: Asset Security
Explanation:
The US-EU Safe Harbor process relates to privacy, that is, the protection of personal data. Safe Harbor is a framework that outlines how U.S.-based companies
can comply with the EU Data Protection Directive. The Safe Harbor Privacy Principles state that if a non-European organization wants to do business with a
European entity, it will need to adhere to the Safe Harbor requirements if certain types of personal data will be passed back and forth during business processes.
Note that Safe Harbor was invalidated by the Court of Justice of the EU in October 2015 (the Schrems decision), after this question was written; it was succeeded by
the EU-US Privacy Shield (itself invalidated in 2020) and later by the EU-US Data Privacy Framework.
Incorrect Answers:
A: The US-EU Safe Harbor process does not address the integrity of the transferred data. It concerns the privacy of personal data.
B: The US-EU Safe Harbor process does not address confidentiality as such. It concerns the privacy of personal data (lawful collection, use and onward transfer).
D: The US-EU Safe Harbor process covers transfers between the EU and the U.S. specifically, not between European and other international companies, and it
concerns privacy rather than confidentiality.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 992
QUESTION 5
What level of assurance for a digital certificate verifies a user's name, address, social security number, and other information against a credit bureau database?
A. Level 1/Class 1
B. Level 2/Class 2
C. Level 3/Class 3
D. Level 4/Class 4
Correct Answer: B
Section: Asset Security
Explanation:
Users can obtain certificates with various levels of assurance.
Level 1/Class 1 certificates verify electronic mail addresses. This is done through the use of a personal information number that a user supplies when asked to
register. This level of certificate may also provide a name as well as an electronic mail address; however, it may or may not be a genuine name (i.e., it could be an
alias). This proves only that a human being will reply if you send an email to that name or email address.
Level 2/Class 2 certificates verify a user's name, address, social security number, and other information against a credit bureau database.
Level 3/Class 3 certificates are available to companies. This level of certificate provides photo identification to accompany the other items of information provided
by a Level 2 certificate.
Incorrect Answers:
A: Level 1/Class 1 certificates verify electronic mail addresses. They do not verify a user's name, address, social security number, and other information against a
credit bureau database.
C: Level 3/Class 3 certificates provide photo identification to accompany the other items of information provided by a level 2 certificate. They do not verify a user's
name, address, social security number, and other information against a credit bureau database.
D: Level 4/Class 4 certificates do not verify a user's name, address, social security number, and other information against a credit bureau database.
QUESTION 6
According to Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) there is a requirement to “protect stored cardholder data.” Which of
the following items cannot be stored by the merchant?
A. Primary Account Number
B. Cardholder Name
C. Expiration Date
D. The Card Validation Code (CVV2)
Correct Answer: D
Section: Asset Security
Explanation:
Requirement 3 of the Payment Card Industry's Data Security Standard (PCI DSS) is to "protect stored cardholder data." The public assumes merchants and
financial institutions will protect data on payment cards to thwart theft and prevent unauthorized use.
Requirement 3 applies only if cardholder data is stored. Merchants who do not store any cardholder data automatically provide stronger protection by having
eliminated a key target for data thieves.
For merchants who have a legitimate business reason to store cardholder data, it is important to understand what data elements PCI DSS allows them to store and
what measures they must take to protect those data. To prevent unauthorized storage, use only PIN entry devices and payment applications certified by the PCI
Security Standards Council.
PCI DSS compliance is enforced by the major payment card brands who established the PCI DSS and the PCI Security Standards Council: American Express,
Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS Requirement 3
It details technical guidelines for protecting stored cardholder data. Merchants should develop a data retention and storage policy that strictly limits storage amount
and retention time to that which is required for business, legal, and/or regulatory purposes.
- Sensitive authentication data must never be stored after authorization, even if this data is encrypted.
- Never store the full contents of any track from the card's magnetic stripe or chip (referred to as full track, track, track 1, track 2, or magnetic stripe data). If
required for business purposes, the cardholder's name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with
PCI DSS requirements.
- Never store the card validation code or value (the three- or four-digit number printed on the front or back of a payment card, used to validate card-not-present
transactions).
- Never store the personal identification number (PIN) or PIN block.
- Mask the PAN whenever it is displayed. The first six and last four digits are the maximum number of digits that may be displayed. This requirement does not
apply to those authorized with a specific need to see the full PAN, nor does it supersede stricter requirements in place for displays of cardholder data such as on a
point-of-sale receipt.
Incorrect Answers:
A: The Primary Account Number can be stored by the merchant according to the PCI Data Storage Guidelines.
B: The Cardholder Name can be stored by the merchant according to the PCI Data Storage Guidelines.
C: The Expiration Date can be stored by the merchant according to the PCI Data Storage Guidelines.
References:
https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
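The storage rules above translate directly into a post-authorization filter. The following is an added example, not code from this page or from the PCI Security Standards Council: it drops the sensitive authentication data fields, refuses to persist any retained field that still carries magnetic-stripe track data, Luhn-checks the PAN, and masks the PAN for display with at most the first six and last four digits in clear. The field names, the track-data patterns and the sample payload (built around the well-known 4111 1111 1111 1111 test number) are constructed for the example; encrypting or tokenising the PAN at rest, which Requirement 3 also demands, is out of scope here.

```python
"""Added example: keep only the cardholder data elements PCI DSS Requirement 3 permits at rest.

Not from the page or the PCI SSC; field names, regexes and sample data are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Sensitive authentication data (SAD): never stored after authorization, even encrypted.
# These field names are assumed for the example.
SAD_FIELDS = ("cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2")

# Magnetic-stripe track signatures (ISO/IEC 7813): Track 1 starts with the sentinel '%'
# and format code 'B', then the PAN and a '^' separator; Track 2 starts with ';' and
# uses '=' to separate the PAN from the expiry/service code.
TRACK1_RE = re.compile(r"%B\d{13,19}\^")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


@dataclass(frozen=True)
class StorableRecord:
    """The four elements a merchant may retain (PAN must still be made unreadable at rest)."""
    pan: str
    cardholder_name: Optional[str]
    expiry: Optional[str]
    service_code: Optional[str]


def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects malformed PANs before they reach storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_track_data(value: str) -> bool:
    """True if a free-text field smuggles full track data (a common accidental SAD leak)."""
    return bool(TRACK1_RE.search(value) or TRACK2_RE.search(value))


def mask_pan(pan: str, show_first: int = 6, show_last: int = 4) -> str:
    """Display masking per Requirement 3.3: at most the first six and last four digits."""
    if show_first > 6 or show_last > 4:
        raise ValueError("PCI DSS permits at most the first six and last four digits in clear")
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or len(digits) < show_first + show_last:
        raise ValueError("PAN too short to mask safely")
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + "*" * hidden + digits[len(digits) - show_last:]


def to_storable(payload: dict) -> tuple[StorableRecord, tuple[str, ...]]:
    """Strip SAD from an authorization payload; return (record, names of dropped fields).

    Raises ValueError if a retained field carries track data or the PAN fails Luhn.
    """
    dropped = tuple(f for f in SAD_FIELDS if f in payload)
    kept = {k: v for k, v in payload.items() if k not in SAD_FIELDS}
    for name, value in kept.items():
        if isinstance(value, str) and contains_track_data(value):
            raise ValueError(f"field {name!r} contains track data; refusing to store")
    pan = re.sub(r"\D", "", str(kept["pan"]))
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    record = StorableRecord(
        pan=pan,
        cardholder_name=kept.get("cardholder_name"),
        expiry=kept.get("expiry"),
        service_code=kept.get("service_code"),
    )
    return record, dropped


# Constructed sample authorization payload (4111 1111 1111 1111 is a test number, not a real card).
SAMPLE_PAYLOAD = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "J DOE",
    "expiry": "12/27",
    "service_code": "201",
    "cvv2": "123",
    "pin_block": "0123456789ABCDEF",
    "track2": ";4111111111111111=27122011234567890?",
}

if __name__ == "__main__":
    record, dropped = to_storable(SAMPLE_PAYLOAD)
    print("stored:", record)
    print("dropped SAD fields:", dropped)
    print("for receipt/display:", mask_pan(record.pan))
```

The track-data scan of retained fields is the part practitioners most often miss: SAD usually leaks not through a field named `track2` but through a "memo" or "raw response" column that was logged wholesale.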
QUESTION 7
Which of the following is NOT a proper component of Media Viability Controls?
A. Storage
B. Writing
C. Handling
D. Marking
Correct Answer: B
Section: Asset Security
Explanation:
Writing is not a component of media viability controls.
Media viability controls are implemented to preserve the proper working state of the media, particularly to facilitate the timely and accurate restoration of the system
after a failure.
Many physical controls should be used to protect the viability of the data storage media. The goal is to protect the media from damage during handling and
transportation, or during short-term or long-term storage. Proper marking and labeling of the media is required in the event of a system recovery process:
- Marking. All data storage media should be accurately marked or labeled. The labels can be used to identify media with special handling instructions, or to log
serial numbers or bar codes for retrieval during a system recovery.
- Handling. Proper handling of the media is important. Some issues with the handling of media include cleanliness of the media and protection from physical
damage during transportation to the archive sites.
- Storage. Storage of the media is important for both security and environmental reasons. A clean storage environment with controlled temperature and humidity
should be provided for the media. Data media are sensitive to temperature, liquids, magnetism, smoke, and dust.
Incorrect Answers:
A: Storage is a media viability control used to protect the viability of data storage media.
C: Handling is a media viability control used to protect the viability of data storage media.
D: Marking is a media viability control used to protect the viability of data storage media.
References:
Krutz, Ronald L. and Russell Dean Vines, The CISSP Prep Guide: Mastering the CISSP and ISSEP Exams, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.
324
QUESTION 8
Degaussing is used to clear data from all of the following media except:
A. Floppy Disks
B. Read-Only Media
C. Video Tapes
D. Magnetic Hard Disks
Correct Answer: B
Section: Asset Security
Explanation:
Shon Harris says: "A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero.
This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing
changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment)."
Degaussing is achieved by passing the magnetic media through a powerful magnetic field that randomizes the magnetic domains, removing any trace of the
previously recorded signal. It therefore works on magnetic media such as floppy disks, magnetic tape (including video tapes) and hard disks. "Read-only media",
however, includes items such as paper printouts and CD-ROMs, which are not magnetic storage; passing them through a magnetic field has no effect on them.
Not all clearing/purging methods are applicable to all media. For example, optical media are not susceptible to degaussing, and overwriting may not be effective
against flash devices. Note also that degaussing a modern hard disk destroys the factory-written servo tracks, so the drive cannot be reused afterwards; it is a
sanitization method, not a preparation for reuse. The degree to which information may be recoverable by a sufficiently motivated and capable adversary must not
be underestimated or guessed at. For the highest-value commercial data, and for all data regulated by government or military classification rules, read and follow
the applicable rules and standards.
Incorrect Answers:
A: Floppy Disks can be erased by degaussing.
C: Video Tapes can be erased by degaussing.
D: Magnetic Hard Disks can be erased by degaussing.
References:
http://www.degausser.co.uk/degauss/degabout.htm
http://www.degaussing.net/
http://www.cerberussystems.com/INFOSEC/stds/ncsctg25.htm
QUESTION 9
What is the main issue with media reuse?
A. Degaussing
B. Data remanence
C. Media destruction
D. Purging
Correct Answer: B