最新安全习题讲解ppt课件.ppt

《最新安全习题讲解ppt课件.ppt》由会员分享，可在线阅读，更多相关《最新安全习题讲解ppt课件.ppt（54页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、安全管理习题讲解安全管理习题讲解每每时时每刻每刻 可信安全可信安全 QUIZ2 According to governmental data classification levels,how would answers to tests and health care information be classified?A ConfidentialB Sensitive but unclassifiedC Private D UnclassifiedB每每时时每刻每刻 可信安全可信安全每每时时每刻每刻 可信安全可信安全每每时时每刻每刻 可信安全可信安全每每时时每刻每刻 可信安全可信安全每每时

2、时每刻每刻 可信安全可信安全每每时时每刻每刻 可信安全可信安全每每时时每刻每刻 可信安全可信安全8 Which of the following is not a goal of integrity?A Prevention of the modification of information by unauthorized users.B Prevention of the unauthorized or unintentional modification of information by authorized users.C Prevention of the modification

3、 of information by authorized users.D Preservation of the internal and external consistency.C每每时时每刻每刻 可信安全可信安全9 Why do many organizations require every employee to take a mandatory vacation of a week or more?A To lead to greater productivity through a better quality of life for the employee.B To red

4、uce the opportunity for an employee to commit an improper or illegal act.C To provide proper cross training for another employee.D To allow more employees to have a better understanding of the overall system.B每每时时每刻每刻 可信安全可信安全10 Which of the following would best relate to resources being used only f

5、or intended purposes?A AvailabilityB IntegrityC ReliabilityD ConfidentialityA每每时时每刻每刻 可信安全可信安全11 Security of computer-based information systems is which of the following?A technical issue B management issue C training issue D operational issueB每每时时每刻每刻 可信安全可信安全12 Which of the following would be the

6、first step in establishing an information security program?A Development and implementation of an information security standards manual.B Development of a security awareness-training program for employees.C Purchase of security access control software.D Adoption of a corporate information security p

7、olicy statement.D每每时时每刻每刻 可信安全可信安全13 Which of the following tasks may be performed by the same person in a well-controlled information processing facility/computer center?A Computer operations and system development B System development and change management C System development and systems maintena

8、nce D Security administration and change managementC每每时时每刻每刻 可信安全可信安全14 Computer security should not:A Cover all identified risks.B Be cost-effective.C Be examined in both monetary and non-monetary terms.D Be proportionate to the value of IT systems.A每每时时每刻每刻 可信安全可信安全15 Which of the following is mos

9、t concerned with personnel security?A Management controls B Human resources controls C Technical controls D Operational controlsD每每时时每刻每刻 可信安全可信安全16 Which of the following is most likely given the responsibility of the maintenance and protection of the data?A Security administrator B User C Data cus

10、todian D Data owner C每每时时每刻每刻 可信安全可信安全17 Who is responsible for providing reports to the senior management on the effectiveness of the security controls?A Information systems security professionals B Data owners C Data custodians D Information systems auditorsD每每时时每刻每刻 可信安全可信安全18 Risk mitigation and

11、 risk reduction controls can be of which of the following types?A preventive,detective,or correctiveB Administrative,operational or logicalC detective,correctiveD preventive,corrective and administrativeA每每时时每刻每刻 可信安全可信安全19 Which of the following would best classify as a management control?A Review

12、of security controls B Documentation C Personnel security D Physical and environmental protectionA每每时时每刻每刻 可信安全可信安全20 What is the goal of the Maintenance phase in a common development process of a security policy?A to present document to approving body B to write proposal to management that states t

13、he objectives of the policy C publication within the organization D to review of the document on the specified review dateD每每时时每刻每刻 可信安全可信安全21 Which approach to a security program makes sure that the people actually responsible for protecting the companys assets are driving the program?A The top-dow

14、n approach B The bottom-up approach C The technology approach D The Delphi approachA每每时时每刻每刻 可信安全可信安全22 The preliminary steps to security planning include all of the following EXCEPT which of the following?A Determine alternate courses of action B Establish a security audit function.C Establish obje

15、ctives.D List planning assumptions.B每每时时每刻每刻 可信安全可信安全23IT security measures should:A Be tailored to meet organizational security goals.B Make sure that every asset of the organization is well protected.C Not be developed in a layered fashion.D Be complexA每每时时每刻每刻 可信安全可信安全24 Which of the following em

16、bodies all the detailed actions that personnel are required to follow?A Baselines B Procedures C Guidelines D StandardsB每每时时每刻每刻 可信安全可信安全25 Which of the following should NOT be addressed by employee termination practices?A Deletion of assigned logon-ID and passwords to prohibit system access.B Retur

17、n of access badges.C Employee bonding to protect against losses due to theft.D Removal of the employee from active payroll files.C每每时时每刻每刻 可信安全可信安全26 Preservation of confidentiality information systems requires that the information is not disclosed to:A Authorized persons and processes B Unauthorize

18、d persons.C Unauthorized persons or processes.D Authorized personC每每时时每刻每刻 可信安全可信安全27 Which of the following statements pertaining to quantitative risk analysis is false?A It requires a high volume of informationB It involves complex calculationsC It can be automatedD It involves a lot of guessworkD

19、每每时时每刻每刻 可信安全可信安全28 All except which of the follow are not used to ensure integrity?A compliance monitoring services B intrusion detection services C communications security management D firewall servicesA每每时时每刻每刻 可信安全可信安全29 Which of the following would violate the Due Care concept?A Latest security

20、 patches for servers only being installed once a week B Network administrator not taking mandatory two-week vacation as planned C Security policy being outdated D Data owners not laying out the foundation of data protectionD每每时时每刻每刻 可信安全可信安全30 What does residual risk mean?A Weakness of an assets whi

21、ch can be exploited by a threat B Risk that remains after risk analysis has has been performed C The result of unwanted incident D The security risk that remains after controls have been implementedD每每时时每刻每刻 可信安全可信安全31 Which of the following questions should any user not be able to answer regarding

22、their organizations information security policy?A Where is the organizations security policy defined?B Who is involved in establishing the security policy?C What are the actions that need to be performed in case of a disaster?D Who is responsible for monitoring compliance to the organizations securi

23、ty policy?C每每时时每刻每刻 可信安全可信安全32 In a properly segregated environment,which of the following tasks is compatible with the task of security administrator?A Data entry B Systems programming C Quality assurance D Applications programmingC每每时时每刻每刻 可信安全可信安全33 The major objective of system configuration man

24、agement is which of the following?A system maintenanceB system trackingC system stabilityD system operationsC每每时时每刻每刻 可信安全可信安全34 In an organization,an Information Technology security function should:A Be independent but report to the Information Systems function.B Be lead by a Chief Security Officer

25、 and report directly to the CEO.C Report directly to a specialized business unit such as legal,corporate security or insurance.D Be a function within the information systems function of an organization.B每每时时每刻每刻 可信安全可信安全35 Who should measure the effectiveness of security related controls in an organ

26、ization?A the central security manager B the local security specialist C the systems auditor D the business managerC每每时时每刻每刻 可信安全可信安全36 What is a difference between Quantitative and Qualitative Risk Analysis?A fully qualitative analysis is not possible,while quantitative is B quantitative provides f

27、ormal cost/benefit analysis and qualitative not C there is no difference between qualitative and quantitative analysis D qualitative uses strong mathematical formulas and quantitative notB每每时时每刻每刻 可信安全可信安全37 How is Annualized Loss Expectancy(ALE)derived from a treat?A ARO x(SLE-EF)B SLE x ARO C SLE/

28、EF D AV x EFB每每时时每刻每刻 可信安全可信安全38 One purpose of a security awareness program is to modify:A attitudes of employees with sensitive data.B corporate attitudes about safeguarding data.C employees attitudes and behaviors.D managements approach.C每每时时每刻每刻 可信安全可信安全39 Controls are implemented to:A eliminate

29、 risk and reduce the potential for loss B mitigate risk and eliminate the potential for loss C eliminate risk and eliminate the potential for loss D mitigate risk and reduce the potential for lossD每每时时每刻每刻 可信安全可信安全40 Who should decide how a company should approach security and what security measures

30、 should be implemented?A The information security specialistB AuditorC Senior managementD Data ownerC每每时时每刻每刻 可信安全可信安全41 Which of the following is the weakest link in a security system?A People B Communications C Hardware D SoftwareA每每时时每刻每刻 可信安全可信安全42 ISO 17799 is a standard for:A Information Secur

31、ity ManagementB Implementation and certification of basic security measuresC Certification of public key infrastructuresD Evaluation criteria for the validation of cryptographic algorithmsA每每时时每刻每刻 可信安全可信安全43Who of the following is responsible for ensuring that proper controls are in place to addres

32、s integrity,confidentiality,and availability of IT systems and data?A Business and functional managersB Chief information officerC IT Security practitionersD System and information ownersD每每时时每刻每刻 可信安全可信安全44 Related to information security,the guarantee that the message sent is the message received

33、is an example of which of the following?A integrityB identityC availabilityD confidentialityA每每时时每刻每刻 可信安全可信安全45 Which one of the following represents an ALE calculation?A asset value x loss expectancy B actual replacement cost-proceeds of salvage C gross loss expectancy x loss frequency D single lo

34、ss expectancy x annualized rate of occurrenceD每每时时每刻每刻 可信安全可信安全46 Which of the following choices is NOT part of a security policy?A description of specific technologies used in the field of information securityB definition of overall steps of information security and the importance of securityC stat

35、ement of management intend,supporting the goals and principles of information securityD definition of general and specific responsibilities for information security managementA每每时时每刻每刻 可信安全可信安全47 Which of the following statements pertaining to a security policy is incorrect?A It must be flexible to

36、the changing environment.B Its main purpose is to inform the users,administrators and managers of their obligatory requirements for protecting technology and information assets.C It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appr

37、opriate and effective.D It specifies how hardware and software should be used throughout the organization.D每每时时每刻每刻 可信安全可信安全48 Which of the following could be defined as the likelihood of a threat agent taking advantage of a vulnerability?A A risk B A countermeasure C An exposure D A residual riskA每

38、每时时每刻每刻 可信安全可信安全49 Which of the following should be given technical security training?A Senior managers,functional managers and business unit managersB Security practitioners and information systems auditorsC IT support personnel and system administratorsD OperatorsC每每时时每刻每刻 可信安全可信安全50 Related to in

39、formation security,availability is the opposite of which of the following?A distribution B destruction C documentation D delegationB每每时时每刻每刻 可信安全可信安全51 Which must bear the primary responsibility for determining the level of protection needed for information systems resources?A Seniors security analystsB systems auditorsC Senior ManagementD IS security specialistsC每每时时每刻每刻 可信安全可信安全52 What would best define risk management?A The process of eliminating the riskB The process of reducing risk to an acceptable levelC The process of assessing the risksD The process of transferring riskB