单选题 Barry has just been hired as the company security officer at an international financial institution. He has reviewed the company"s data protection policies and procedures. He sees that the company stores its sensitive data within a secured database. The database is located in a network segment all by itself, which is monitored by a network-based intrusion detection system. The database is hosted on a server kept within a server room, which can only be accessed by personnel with the correct PIN value and smart card. Barry finds that the sensitive data backups are not being properly secured and requests that the company implement a secure courier service that moves backup tapes to a secured location. His management states that this option is too expensive, so Barry implements a local hierarchy storage management system that properly protects the sensitive data.

A、 Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical detective controls are the physical location of the database and PIN and smart card access controls.
B、 Administrative preventive controls are the policies. Technical preventive controls are securing the system and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
C、 Administrative corrective controls are the policies and procedures. Technical preventive controls are securing the system, network segmentation, and intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.
D、 Administrative preventive controls are the policies and procedures. Technical preventive controls are securing the system and network segmentation. The technical detective control is the intrusion detection system. Physical preventive controls are the physical location of the database and PIN and smart card access controls.

【正确答案】 D

【答案解析】[解析] D正确。行政预防控制指的是政策和过程。技术预防控制是为了确保系统和网络部门的安全。技术检测控制指的是入侵检测系统，物理预防控制指的是数据库、PIN和智能卡访问控制的物理位置。
A不正确。因为入侵检测系统不是一种预防控制，这是一个检测控制的例子。保证恰当的预防控制和检测控制至关重要。
B不正确。因为这个选项是一个行政防御控制，它没有提到过程。这个答案也错误地将入侵检测系统描述为预防控制，而不是检测控制。
C不正确。因为这个答案错误地将入侵检测系统描述为一组预防控制，而不是检测控制。这个答案也描述了政策和过程是矫正控制，但是它们是预防控制。

A、 Administrative control
B、 Compensating control
C、 Physical control
D、 Confidentiality control

【正确答案】 B

【答案解析】[解析] B正确。补偿性控制是一种分时控制。与快递服务不同，该公司实施的是内部存储管理系统。补偿性控制本质上可以是行政型控制，物理性控制或技术性控制。
A不正确。因为存储管理系统不是行政控制，而是一种技术补偿性控制。
C不正确。因为存储管理系统不是物理控制，而是一种技术补偿性控制。
D不正确。不正确并且是一个干扰选项。因为控制的主要分类有行政控制、技术控制和物理控制。这些控制可以提供很多不同类型的服务和保护——保密性也属于一种类型的保护。

A、 Defense-in-depth is required, and the current controls only provide one protection layer.
B、 Primary control costs too much or negatively affects business operations.
C、 Confidentiality is the highest concern in a situation where defense-in-depth is required.
D、 Availability is the highest concern in a situation where defense-in-depth is required.

【正确答案】 B

【答案解析】[解析] B正确。之所以实施补偿控制，是因为提议的主要控制太昂贵了但仍然是必需的。所以需要确定和实施能提供相同类型的保护但较为便宜一点的控制。需要补偿控制的另一种情况就是主要控制会负面影响业务运营。
A不正确。因为尽管补偿控制可以提供深度防御，但它并不是这种类型的控制加以实施的原因。
C不正确。因为补偿控制可能会也可能不会提供保密性。但是控制提供的保密性方面的服务并不是实施补偿控制的原因。补偿控制是一种替换控制类型。
D不正确。因为补偿控制可能会也可能不会提供可用性。但是控制提供的可用性方面的服务并不是实施补偿控制的原因。补偿控制是一种替换控制类型。