3. Controls such as locked doors, intrusion detection devices, and security guards address which of the following risks?

a. Heat failure

b. Fraud or theft

c. Power failure

d. Equipment failure

3. b. Locked doors, intrusion detection devices, and security guards that restrict physical access are important preventive measures to control sabotage, riots, fraud, or theft. Sabotage can be caused by a disgruntled employee and by outsiders. Personnel policies should require the immediate termination and removal from the premises of any employee considered a threat. Restricting access to information that may be altered reduces fraud or theft exposures. Power failure can be controlled by an uninterruptible power supply. Heat failure may cause an inconvenience to employees. Equipment failure may result in extended processing delays. Performance of preventive maintenance enhances system reliability and should be extended to all supporting equipment, such as temperature and humidity control systems and alarm or detecting devices.

4. Which of the following security controls is simple to implement with the least amount of delay?

a. Operating system security controls

b. Network security controls

c. Physical security controls

d. Application system security controls

4. c. Physical security is achieved through the use of locks, guards, and administratively controlled procedures such as visitor badges. It also protects the structures housing the computer and related equipment against damage from accident, fire, and environmental hazards, thus ensuring the protection of their contents. Physical security measures are the first line of defense against the risks that stem from the uncertainties in the environment and from the unpredictability of human behavior. Frequently, they are the simplest safeguards to implement and can be put into practice with the least delay. The controls listed in the other three choices take a long time to implement and are not simple to install.

5. Which of the following is not a technical security measure?

a. Hardware

b. Software

c. Firmware

d. Physical control

5. d. A major part of the security of an IT system can often be achieved through nontechnical measures, such as organizational, personnel, physical, and administrative controls. However, there is a growing tendency and need to employ technical IT security measures implemented in hardware, software, and firmware.

6. Which of the following security safeguards is ineffective in an online application system serving multiple users at multiple locations?

a. Procedural controls

b. Physical controls

c. Hardware controls

d. Software controls

6. b. An online application system serving multiple users at multiple locations assumes that a network is in place. With a network there is often no centralized computer room with physical security controls that can be implemented. Therefore, physical controls are ineffective. Examples of physical controls include locked doors, intrusion detection devices, security guards, and magnetic badge readers that restrict physical access. Procedural controls are incorrect because they include instructions to request a user profile, add and delete users, instructions to request database views, and so on. Hardware controls are incorrect because they include fault-tolerance devices such as disk mirroring and disk duplexing, smart card processing, encryption, parity checks, and switched ports. Software controls are incorrect because they include user IDs and passwords, smart card processing, encryption, check digits, and message authentication.

7. What is the most effective control in handling potential terrorist attacks, especially bombing?

a. Use simulation software.

b. Examine all letters and parcels coming into a building.

c. Hire security guards.

d. Keep motor vehicles away from the building.

7. c. There is no substitute for vigilant and resourceful security guards protecting the buildings. Simulation software is available that can assess the vulnerability of a structure to explosive blasts by simulating the detonation of devices at various design points. Security can be improved by simply keeping vehicles out of close proximity to the structure. It also makes sense to examine all letters and parcels coming into a building for explosives.
