Questionmark Perception

Introduction

考试说明

本试卷是EXIN Information Security Foundation based on ISO/IEC 27001 (ISFS.CH)模拟考试。 EXIN考试准则适用于该考试。

本试卷由40 道单项选择题组成。每道选择题有多个选项，但这些选项中只有一个是正确答案。

本试卷的总分是40分。每道题的分数是1分。您需要获得26分或以上通过考试。

考试时间为60分钟。

祝您好运!

Copyright © EXIN Holding B.V. 2021. All rights reserved.
EXIN® is a registered trademark.

Question

1 of 40

为了投保消防保险，组织必须确定所管理数据的价值。

对于确定组织的数据价值，哪个因素是不重要的？

In order to take out a fire insurance, an organization must determine the value of the data that it manages.

Which factor is not important for determining the value of data for an organization?

	数据所需的存储量 The amount of storage required for the data
	丢失数据可恢复的程度 The degree to which missing data can be recovered
	数据对业务流程的不可或缺性 The indispensability of data for the business processes
	使用数据的流程的重要性 The importance of the processes that use the data

Question

2 of 40

除了完整性和机密性，哪项是信息可靠性的第三个方面？

Besides integrity and confidentiality, what is the third reliability aspect of information?

	准确性 Accuracy
	可用性 Availability
	完备性 Completeness
	价值 Value

Question

3 of 40

某单位在公司的楼道里放有一台网络打印机。很多员工没有立即拿走打印出来的文件，而是把文件留在打印机上。

这种行为对信息的可靠性有什么影响？

An organization has a network printer in the hallway of the company. Many employees do not pick up their printouts immediately and leave them on the printer.

What is the consequence of this to the reliability of the information?

	信息的可用性不再得到保证。 The availability of the information is no longer guaranteed.
	信息的机密性不再得到保证。 The confidentiality of the information is no longer guaranteed.
	信息的完整性不再得到保证。 The integrity of the information is no longer guaranteed.

Question

4 of 40

某数据库包含了一个电话公司的数百万笔交易。刚为某个客户生成并发送了一份发票。

对该客户而言，这份发票包含什么？

A database contains a few million transactions of a phone company. An invoice for a customer has been generated and sent.

What does this invoice contain for the customer?

	数据 Data
	信息 Information
	数据与信息 Data and information

Question

5 of 40

以下哪一项最贴切地描述了关于信息管理所关注的重点？

What is the best description of the focus of information management?

	允许业务活动和流程不中断地继续进行 Allowing business activities and processes to continue without interruption
	确保识别和利用信息的价值 Ensuring that the value of information is identified and exploited
	防止未经授权的人访问自动化系统 Preventing unauthorized persons from having access to automated systems
	了解信息如何在一个组织中流动 Understanding how information flows through an organization

Question

6 of 40

某数据库系统因未打上最新的安全补丁，遭到了黑客入侵。黑客能够访问数据和删除数据。

哪个信息安全概念描述了缺失安全补丁程序的情况？

A database system has not had the latest security patches applied to it and was hacked. The hackers were able to access the data and delete it.

What information security concept describes the lack of security patching?

	影响 Impact
	风险 Risk
	威胁 Threat
	脆弱性 Vulnerability

Question

7 of 40

某行政办公室正在确定所面临的危险。

可能对信息的可靠性产生破坏性影响的事件叫什么？

An administration office is determining the dangers to which it is exposed.

What is a possible event that can have a disruptive effect on the reliability of information called?

	依赖 A dependency
	风险 A risk
	威胁 A threat
	脆弱性 A vulnerability

Question

8 of 40

风险管理的目的是什么？

What is a purpose of risk management?

	确定某种风险发生的概率 To determine the probability that a certain risk will occur
	指导和控制组织的风险 To direct and control an organization with regard to risk
	调查可能发生的安全事件造成的损害 To investigate the damage caused by possible security incidents
	概述IT资源面临的威胁 To outline the threats to which IT resources are exposed

Question

9 of 40

哪项是人为威胁？

Which is a human threat?

	漏电导致电源故障。 A leak causes a failure of the electricity supply.
	U盘将病毒传到网络上。 A USB stick passes on a virus to a network.
	服务器机房内灰尘过多。 There is too much dust in the server room.

Question

10 of 40

执行到位的风险分析可以提供大量有用的信息。风险分析有四个主要目标。

哪项不属于风险分析的四个主要目标？

A well-executed risk analysis provides a great deal of useful information. A risk analysis has four main objectives.

What is not one of the four main objectives of a risk analysis?

	确定相关的脆弱性和威胁 Determine relevant vulnerabilities and threats
	在事件成本与措施成本之间建立平衡 Establish a balance between the costs of an incident and the costs of a measure
	识别资产及其价值 Identify assets and their value
	实施措施和控制 Implement measures and controls

Question

11 of 40

Midwest Insurance公司某分支机构发生火灾。消防部门迅速赶到现场，顺利在火势蔓延、烧毁整个场所前将大火扑灭。但是，服务器却被大火烧毁。保存在另一个房间的备份磁带已经熔化，还有许多文件也丢失了。

此次火灾造成了哪种间接损害？

There was a fire in a branch of the company Midwest Insurance. The fire department quickly arrived at the scene and could extinguish the fire before it spread and burned down the entire premises. The server, however, was destroyed in the fire. The backup tapes kept in another room had melted and many other documents were lost.

What indirect damage is caused by this fire?

	烧毁的计算机系统 Burned computer systems
	烧毁的文件 Burned documents
	熔化的备份磁带 Melted back-up tapes
	灭火用水所造成的损害 Water damage

Question

12 of 40

某办公室位于工业区。办公室旁边的公司从事易燃材料相关的工作。

火灾威胁与火灾风险之间有什么关系?

An office is situated in an industrial area. The company next to the office works with flammable materials.

What is the relationship between the threat of fire and the risk of fire?

	火灾的威胁来自于办公室旁边的公司，在脆弱的工业区从事易燃材料相关工作，可能会引起火灾。 The threat of fire comes from the company next to the office, which poses a risk of fire by working with flammable materials in a vulnerable industrial area.
	火灾的威胁来自于易燃材料，如果办公室存在不防火的脆弱性，会给办公室带来火灾风险。 The threat of fire comes from the flammable materials, which poses a risk of fire to the office if the office has the vulnerability of not being fire-proof.
	火灾的威胁来自于办公室可能遭受损害，原因是易燃材料存在火灾风险。 The threat of fire comes from the probability that the office will suffer damage because of the risk of fire the flammable materials pose.
	火灾的威胁来自于工业区脆弱的办公室，其附近存在一家有火灾风险的公司。 The threat of fire comes from the vulnerable office in the industrial area, which is working close to a company that poses a risk of fire.

Question

13 of 40

一家医疗保险公司的分公司发生了火灾。员工被转移到邻近的分支机构继续工作。

在事件周期的哪个阶段会转向备用安排？

A fire breaks out in a branch office of a health insurance company. The employees are transferred to neighboring branches to continue their work.

Where in the incident cycle is moving to a stand-by arrangement found?

	损害阶段与恢复阶段之间 Between the damage and recovery stages
	事件阶段与损害阶段之间 Between the incident and damage stages
	恢复阶段与威胁阶段之间 Between the recovery and threat stages
	威胁阶段与事件阶段之间 Between the threat and incident stages

Question

14 of 40

哪项描述最符合信息安全方针的目的？

How is the purpose of information security policy best described?

	信息安全方针记录了风险分析和寻找对策。 An information security policy documents the analysis of risks and the search for countermeasures.
	信息安全方针为组织提供有关信息安全的指导和支持。 An information security policy gives direction and support to the organization regarding information security.
	信息安全方针提供必要的细节，使安全计划具体化。 An information security policy makes the security plan concrete by providing it with the necessary details.
	信息安全方针可以让人深入了解各种威胁和可能的后果。 An information security policy provides insight into threats and the possible consequences.

Question

15 of 40

某保险公司的员工发现保单的到期日在他不知情的情况下被更改，而他是唯一有权更改的人。他将此安全事件报告给服务台。服务台工作人员记录了以下此事件相关信息：
-日期和时间
-事件说明
-事件的可能后果

以上缺少了事件的哪项重要信息？

An employee from an insurance company discovers that the expiration date of a policy has been changed without his knowledge. He is the only person authorized to do this. He reports this security incident to the helpdesk. The helpdesk worker records the following information regarding this incident:
- date and time
- description of the incident
- possible consequences of the incident

What important information about the incident is missing here?

	事件报告者的姓名 The name of the person reporting the incident
	软件包名称 The name of the software package
	被通知人姓名 The names of the informed people
	PC编号 The PC number

Question

16 of 40

Juliana是一家快递公司老板。她雇用了几个人，他们在等待送货期间可以完成其他任务。但她注意到，他们利用这段时间收发私人邮件和上网。

在法律上，哪种方法可以最有效地管控上网和收发邮件？

Juliana is the owner of a courier company. She employs a few people who, while waiting to make a delivery, can carry out other tasks. She notices, however, that they use this time to send and read their private e-mail and surf the internet.

In legal terms, in which way can the use of the internet and e-mail best be regulated?

	屏蔽所有网站 By blocking all websites
	拟定行为准则 By drafting a code of conduct
	实施隐私规章 By implementing privacy regulations
	安装病毒扫描程序 By installing a virus scanner

Question

17 of 40

哪种体系能保证组织中信息安全的一致性？

Which system guarantees the coherence of information security in the organization?

	信息安全管理体系（ISMS） Information Security Management System (ISMS)
	入侵检测系统（IDS） Intrusion detection system (IDS)
	根工具箱（Rootkit） Rootkit
	特殊信息的安全规章 Security regulations for special information

Question

18 of 40

某服务台工作人员收到了一起关于网络服务器的安全事件报告。他的同事在网络服务器方面更有经验，所以他把这个案子转给了她。

最符合这种行为的是哪个术语？

A security incident regarding a webserver is reported to a help desk employee. His colleague has more experience with webservers, so he transfers the case to her.

Which term describes this transfer?

	职能性升级 Functional escalation
	层次性升级 Hierarchical escalation
	特权升级 Privilege escalation

Question

19 of 40

谁负责将业务策略和目标转化为安全策略和目标？

Who is responsible for the translation of the business strategy and objectives to security strategy and objectives?

	首席信息安全官（CISO） Chief information security officer (CISO)
	总经理 General management
	信息安全官（ISO） Information security officer (ISO)
	信息安全方针官 Information security policy officer

Question

20 of 40

哪项是发生火灾时的遏制措施？

What is a repressive measure in case of a fire?

	在发现火灾后进行扑救 Putting out a fire after it has been detected
	修复火灾造成的损害 Repairing damage caused by the fire
	投保火灾保险 Taking out a fire insurance

Question

21 of 40

信息分级的目的是什么？

What is the goal of classification of information?

	贴上标签，使信息更容易识别 Applying labels to make the information easier to recognize
	制作关于如何处理移动设备的手册 Creating a manual on how to handle mobile devices
	根据信息的敏感度安排信息的结构 Structuring information according to its sensitivity

Question

22 of 40

缺少物理措施会引发哪种威胁？

Which threat can occur as a result of the absence of a physical measure?

	机密文件留在打印机中。 A confidential document is left in the printer.
	服务器因过热而关机。 A server shuts down because of overheating.
	用户可以查看属于其他用户的文件。 A user can view the files belonging to another user.
	黑客可以自由进入计算机网络。 Hackers can freely enter the computer network.

Question

23 of 40

机房装有通行证读卡器。只有系统管理部门持有通行证。

以上属于什么类型的安全措施？

A computer room is protected by a pass reader. Only the system management department has a pass.

What type of security measure is this?

	纠正安全措施 A corrective security measure
	物理安全措施 A physical security measure
	逻辑安全措施 A logical security measure
	遏制安全措施 A repressive security measure

Question

24 of 40

中心服务器的备份与服务器保存在同一个上锁的房间里。

组织最可能面临哪种风险？

The back-ups of the central server are kept in the same locked room as the server.

What risk does the organization most likely face?

	如果服务器崩溃，将需要很长时间才能再次运行。 If the server crashes, it will take a long time before the server is operational again.
	一旦发生火灾，系统无法恢复到以前的状态。 In the event of a fire, it is impossible to get the system back to its former state.
	没有人对这些备份负责。 No one is responsible for these back-ups.
	未经授权的人可以轻松接触到备份。 Unauthorized persons have easy access to the back-ups.

Question

25 of 40

“确定某人的身份是否正确”是指什么？

What is 'establishing whether someone’s identity is correct' called?

	身份验证 Authentication
	授权 Authorization
	身份标识 Identification

Question

26 of 40

公钥基础设施（PKI）能提供何种安全？

What sort of security does a public key infrastructure (PKI) offer?

	PKI验证哪个人或哪个系统属于特定的公钥。 A PKI verifies which person or system belongs to a specific public key.
	PKI确保了定期备份公司数据。 A PKI ensures that backups of company data are made on a regular basis.
	PKI向客户表明基于网络的业务是安全的。 A PKI shows customers that a web-based business is secure.

Question

27 of 40

在一家中型公司的IT部门，机密信息曾多次落入本不应该访问的人之手。这件事损害了该公司的形象。因此，该公司正在研究保护公司笔记本电脑的组织安全措施。

首先应做什么？

In the IT department of a medium-sized company, confidential information has come into the wrong hands several times. This has hurt the image of the company. Therefore, the company is looking into organizational security measures to protect laptops at the company.

What is the first step that should be taken?

	任命更多的保安人员 Appoint additional security employees
	加密存储设备和笔记本电脑的硬盘 Encrypt storage devices and hard disks of laptops
	制定关于移动设备的方针 Formulate a policy regarding mobile devices
	制定访问控制方针 Set up an access control policy

Question

28 of 40

实行职责分离的最重要原因是什么？

What is the most important reason for applying segregation of duties?

	让全体员工共同为自己所犯错误共同承担责任 To create joint responsibility by all employees for the mistakes they make
	确保员工在同一时间做同样的工作 To ensure that employees do the same work at the same time
	明确谁负责哪些任务和活动 To make clear who is responsible for what tasks and activities
	最大限度减少企业资产被滥用，或发生未经授权或意外变更的可能 To minimize the misuse of business assets or the chance of unauthorized or unintended changes

Question

29 of 40

哪一项措施属于预防措施？

Which measure is a preventive measure?

	安装日志系统，使系统中的变更能够被识别 Installing a logging system that enables changes in a system to be recognized
	下班后将所有敏感信息存入保险箱 Putting all sensitive information in a safe after working hours
	在黑客进入公司系统后，关闭所有网络流量 Shutting down all internet traffic after a hacker has gained access to the company systems

Question

30 of 40

哪种类型的恶意软件会建立一个受污染的计算机网络？

Which type of malware builds a network of contaminated computers?

	逻辑炸弹 Logic bomb
	间谍软件 Spyware
	蠕虫 Worm
	木马 Trojan

Question

31 of 40

某组织的安全官发现一名员工的工作站感染了恶意软件。该恶意软件是因针对性网络钓鱼攻击而安装上的。

哪一项举措最有利于防止今后发生类似事件？

Within an organization the security officer detects that a workstation of an employee is infected with malicious software. The malicious software was installed due to a targeted phishing attack.

Which action is the most beneficial to prevent such incidents in the future?

	实施强制访问控制（MAC）技术 Implement mandatory access control (MAC) technology
	启动安全意识计划 Start a security awareness program
	更新防火墙规则 Update the firewall rules
	更新垃圾邮件过滤器的签名 Update the signatures of the spam filter

Question

32 of 40

灾难恢复计划（DRP）的目的是什么？

What is the purpose of a disaster recovery plan (DRP)?

	识别灾难背后的脆弱性 To identify the vulnerability underlying a disaster
	尽量减少灾难发生时的后果 To minimize the consequences in case of a disaster
	降低灾难发生的可能性 To reduce the possibility of a disaster to occur
	将情况恢复到灾难前的状态 To restore the situation back to how this was before the disaster

Question

33 of 40

在物理安全中，可以应用多个保护环，并采取不同的措施。

哪一项不属于保护环？

In physical security, multiple protection rings can be applied in which different measures can be taken.

What is not a protection ring?

	建筑环 Building ring
	中环 Middle ring
	对象环 Object ring
	外环 Outer ring

Question

34 of 40

为保护信息系统不受攻击而采取的措施。

以上是对哪个概念的定义？

Measures taken to safeguard an information system from attacks.

Of which concept is this the definition?

	风险分析 Risk analysis
	风险管理 Risk management
	安全控制 Security controls

Question

35 of 40

哪项是安全措施的特征？

What is a characteristic of a security measure?

	它描述了处理事件的过程。 It describes a process for handling incidents.
	它使组织遭受可能的损害。 It exposes an organization to possible damage.
	它是为了减轻潜在的风险而实施的。 It is put in place to mitigate against a potential risk.
	它表明不确定性对目标的影响。 It indicates the effect of uncertainty on objectives.

Question

36 of 40

某数据中心使用不间断电源（UPS），但未配备发电机。

这种配置对数据中心的可用性有什么相关的风险？

A data center uses an uninterruptible power supply (UPS) but has no power generator.

What is the risk associated with this setup for the availability of the data center?

	主电源在恢复后可能不会再自动触发，因为触发主电源需要发电机。 The main power may not come up again automatically when restored, because this needs a power generator.
	主电源断电可能超过几分钟或几个小时，这种情况将导致电源不可用。 The main power outage may last for longer than a few minutes or hours, which will cause unavailability of power.
	UPS可能会在几天后用完柴油而停止工作，所以它的使用寿命是有限的。 The UPS may run out of diesel and stop functioning after a couple of days, so its lifespan is limited.
	UPS必须在几小时后由发电机供电，所以只能提供有限的保护。 The UPS must be powered by the power generator after a few hours, so only provides limited protection.

Question

37 of 40

在什么情况下，雇主可以检查工作场所的网络和电子邮件服务是否被用于私事？

Under which condition is an employer permitted to check if internet and e-mail services in the workplace are being used for private purposes?

	如果还安装了防火墙 If a firewall is also installed
	如果每次检查后都通知员工 If the employee is informed after each instance of checking
	如果员工知情 If the employee is aware that this could happen

Question

38 of 40

哪项标准或法规又被称为“信息安全控制实践指南”？

Which standard or regulation is also known as the ’code of practice for information security controls’?

	ISO/IEC 27001 ISO/IEC 27001
	ISO/IEC 27002 ISO/IEC 27002
	支付卡行业（PCI）合规 Payment Card Industry (PCI) compliance
	萨班斯-奥克斯利法案 Sarbanes-Oxley act

Question

39 of 40

法律规章对于组织内部使用的信息的可靠性非常重要。

组织要合规必须先做什么？

Legislation and regulations are important for the reliability of the information used within the organization.

What is the first step that an organization must take to become compliant?

	进行风险分析，找出适用的法律规章 Conducting a risk analysis to find out which legislation and regulations apply
	制定可接受的使用方针，使员工了解自己必须做什么 Creating an acceptable use policy to make personnel aware of what they must do
	根据PDCA循环提前规划合规性审计 Planning the compliance audits in advance in accordance with the PDCA cycle
	制定方针，指出必须遵守的当地法律规章 Writing a policy that indicates which local laws and regulations must be followed

Question

40 of 40

哪项法律可能会对所有与欧盟（EU）居民打交道的公司的信息安全要求产生影响？

Which legislation may have an impact on information security requirements for all companies dealing with European Union (EU) residents?

	欧洲人权公约（ECHR） European Convention on Human Rights (ECHR)
	ISO/IEC 27001 ISO/IEC 27001
	NIST网络安全框架 NIST Cybersecurity Framework
	支付卡行业数据安全标准（PCI-DSS） Payment Card Industry Data Security Standard (PCI-DSS)