Questionmark Perception
Oct 28 2021

Introduction

Exam instructions

This is the sample exam for EXIN Information Security Management Professional based on ISO/IEC 27001 (ISMP.CH). The EXIN exam rules apply to this exam.

This exam consists of 30 multiple-choice questions. Each question has several options, but only one of those options is the correct answer.

The maximum score for this exam is 30 points. Each question is worth 1 point. You need 20 points or more to pass the exam.

The time allowed for this exam is 90 minutes.

Good luck!

Copyright © EXIN Holding B.V. 2021. All rights reserved.
EXIN® is a registered trademark.

Question

1 of 30
Which is a key element of security strategy development?

Question

2 of 30
One of the challenges for the IT security manager of a rather conservative organization is to teach IT management that, in order to provide an effective information security program for the organization, a change in thinking about what IT security is and what it encompasses is necessary.

What is the IT security manager trying to teach management?

Question

3 of 30
One of the business managers is really concerned that any sort of IT security program is going to be too intrusive for the business to continue to thrive and be innovative.

Which statement best describes what should be told to the manager?

Question

4 of 30
The security manager is responsible for defining the security controls for a company. The company is selecting a supplier to host the web-facing ordering system.

What should be the most important aspect the security manager looks for?

Question

5 of 30
Security controls are defined based on the security classification of a data element.

Who is responsible for the security classification of a data element?

Question

6 of 30
Which risk assessment approach uses categories instead of actual numbers to determine risks?

Question

7 of 30
Information security management is currently being implemented in the company “Internet Booksellers”. The project leader for the information security project understands that the risk identification process requires him to list organizational assets arranged in order of importance, and he is working with the financial manager to develop this list. The weight of importance is based on the following criteria: impact on revenue (30%), impact on profitability (40%) and impact on public image (30%).

The financial manager has come up with four important information assets:
- Supplier orders (outbound)
- Customer orders via SSL (inbound)
- Supplier fulfillment advice (inbound)
- Customer service requests via e-mail (inbound)

Which asset ranks the highest based on the impact criteria?

Question

8 of 30
What needs to be decided prior to considering the treatment of risks?

Question

9 of 30
A large transportation company has adopted the standard for information security (ISO/IEC 27001:2013) and needs to set up controls for its software development department, which it will outsource. An external consultant has been appointed to make sure that security controls consistent with the code of practice will be implemented over the complete supply chain for software development in the new outsourced situation.

What control should be put in place to guarantee availability of the source code should one of the partners in the supply chain go out of business?

Question

10 of 30
The security manager for a company has just been tasked with leading the organization’s first ever risk assessment effort. The security manager is in the process of implementing controls to mitigate the identified risks. She has taken into account the organizational feasibility and the political feasibility, using the organizational objectives and the applicable legislation and regulations.

Which item also needs to be accounted for when taking into account the operational feasibility?

Question

11 of 30
The scope of risk management is not limited to the organizational processes alone. It should also be embedded in the project management methodology. An information security risk assessment, for example, should be conducted at an early stage of each project. When implementing project risk management, it is necessary to consider the scope of the project.

What should be included in the scope of project risk management for standard projects?

Question

12 of 30
What is the popular name of ISO/IEC 15408, the standard about security architecture models?

Question

13 of 30
An operations manager wants some advice about opening a second data center as a hot standby location.

What would the information security officer advise her to do?

Question

14 of 30
A security team has just finished an organizational risk assessment and is now discussing controls to mitigate the risks. As part of that effort, program and technical controls have been considered.

What is the third category of access controls that needs to be considered?

Question

15 of 30
After doing a risk assessment and establishing a proper set of controls that comply with an organization’s risk appetite, a consultant's job is just about complete. The consultant understands that the reality is that no set of controls can achieve complete security.

What needs to be completed in order to strengthen security even more?

Question

16 of 30
The information security officer of the company has just been notified of a pending management review of the information security policy.

What is an input to this management review?

Question

17 of 30
The information security officer for a global company has just received a management review of the information security policy.

What should the output of this review include?

Question

18 of 30
The maintenance of an information security program is a continuous process. It requires inputs from the many different factors that will influence its success.

Which is an input influence that would require the process to change?

Question

19 of 30
A large part of an information security team’s responsibility is to monitor for and detect incidents.

What is the strongest indicator of an incident?

Question

20 of 30
Whose responsibility is it to coordinate an organization’s security awareness campaign?

Question

21 of 30
Last year an organization became stricter regarding security controls for its employees. Before implementing additional controls, the information security officer wants to know the mindset of the employees towards information security controls.

How does she get an impression quickly?

Question

22 of 30
What is the main advantage of using an open design for the security architecture?

Question

23 of 30
Which security item is designed to take in large collections of network-related traffic that can indicate a denial-of-service attack?

Question

24 of 30
The CEO of a company has started using her own tablet PC and wants the security manager to enable business mail and calendar on the tablet. The security manager understands this desire and is considering allowing Bring Your Own Device (BYOD).

Which control (besides awareness training) should the security manager propose to prevent data loss in case of theft or loss of the personal device?

Question

25 of 30
Which statement about security architecture is most correct?

Question

26 of 30
Zoning is a security control that separates physical areas with different security levels. Zones with higher security levels can be secured by more controls. The security manager of a hotel is responsible for security and is considering different zones for the hotel.

Which combination of business functions should be combined into one security zone?

Question

27 of 30
Knowing that physical security controls are a very important part of an information security program, the information security team is asked to design and then implement a security perimeter for a department that is setting up some new data systems.

According to ISO/IEC 27001, which is the most important guideline that needs to be considered when establishing this perimeter?

Question

28 of 30
The human resource manager of an organization asked what she could do as a quick win in the area of employment and hiring to help strengthen the organization’s data security program according to ISO/IEC 27001.

What should the advice be?

Question

29 of 30
The business continuity manager asks for input for the contingency plan.

Which should be his first activity?

Question

30 of 30
One key component to integrate into an organization’s information security program is a robust business continuity program. In support of this, a security consultant has been asked to list the key information security requirements for such a program.

What is his first concern in business continuity management (BCM) from an information security point of view?