CISM 完整備考筆記 — All 76 Topics

Information Security Governance — 治理

考試佔比 17% · 9 HOT + 5 MED + 2 LOW = 16 topics

Business alignmentSenior mgmtSteering committeeData ownerPolicy hierarchyCost-benefitComplianceMetrics

🔴 HOT — 必考高頻 9 topics

PRIMARY goal / purpose / objective of information security

→

Support / align to BUSINESS OBJECTIVES

▶

唔係 compliance，唔係 technical protection。Security 嘅存在意義係幫 business achieve objectives。

「ensure compliance」睇落似答案，但 compliance 係 requirement，唔係 primary goal。

Q27

The PRIMARY goal of developing an information security strategy is to:

Aestablish security metrics and performance monitoring.

Beducate business process owners regarding their duties.

Censure that legal and regulatory requirements are met.

Dsupport the business objectives of the enterprise.

廣東話拆解任何問 primary goal/purpose of security → 答 business objectives。A、B、C 全係手段或 requirements。

FIRST step — developing information security management PROGRAM

→

ESTABLISH THE NEED for creating the program

▶

唔係 identify risk，唔係 assign responsibility，唔係 assess controls。先確立為何需要呢個 program，先能做其他步驟。

直覺話「identify risk first」→ 錯，FIRST = establish the need。

Q57

The FIRST step in developing an information security management program is to:

Aidentify business risk that affects the enterprise.

Bestablish the need for creating the program.

Cassign responsibility for the program.

Dassess adequacy of existing controls.

廣東話拆解Program development 順序：Establish need → Define scope → Risk assessment → Strategy → Policy。

BEST indicator of effective governance

→

Steering committee APPROVES all security projects

▶

Governance = accountability + oversight，唔係 training。Steering committee 有 approval power = 有人問責。

Training 類答案（managers / employees / intranet）——training ≠ governance indicator。

Which would be the BEST indicator of effective information security governance?

AThe steering committee approves security projects.

BSecurity policy training is provided to all managers.

CSecurity training is available on the intranet.

DIT personnel are trained in applying patches.

廣東話拆解B、C、D 全係 training 類——「training 陷阱」。Governance = approval power = accountability。

Get senior management SUPPORT / COMMITMENT

→

Tie security risk to KEY BUSINESS OBJECTIVES

▶

Senior management 唔理技術語言，要用 business language：business impact、business risk、business objectives。

「explain the technical risk」→ 唔係高層想聽嘅。

Senior management commitment can BEST be obtained through presentations that:

Ause illustrative examples of successful attacks.

Bexplain the technical risk to the enterprise.

Cevaluate the enterprise against good security practices.

Dtie security risk to key business objectives.

廣東話拆解高層聽業務語言，唔聽技術語言。A = fear tactics；B = 技術；C = benchmarking；D = business language = 正確。

Who classifies data / responsible for data CLASSIFICATION

→

DATA OWNER (business side)

▶

Data Owner（業務方）= 負責分類 + 決定 access rights。IT = Custodian（執行），唔係 owner。Security Manager = 定義分類框架。

Database administrator / IT manager → 係 custodian，唔負責分類。

Q48

Who in an enterprise has the responsibility for classifying information?

AData custodian

BDatabase administrator

CInformation security officer

DData owner

廣東話拆解Data owner = business side，負責分類。IT = custodian，負責執行。唔好混淆。

PRIMARY role of security manager — data classification

→

DEFINING AND RATIFYING the enterprise's classification structure

▶

Security manager 係設計同批准分類框架，唔係做分類（data owner 做），唔係執行（IT custodian 做）。

「assigning classification levels to assets」→ 係 data owner 做，唔係 security manager。

Q49

What is the PRIMARY role of the information security manager related to data classification?

ADefining and ratifying the enterprise's data classification structure

BAssigning the classification levels to the information assets

CSecuring information assets in accordance with their classification

DConfirming that information assets have been properly classified

廣東話拆解Security manager = 設計框架；Data owner = 分類；IT custodian = 執行保護。三個角色唔同。

Senior management MOST appropriate role

→

Approval of POLICY STATEMENTS and FUNDING

▶

Senior management 批准 policy、撥款。唔係做 vendor evaluation 或 risk assessment（呢啲係 security manager 做）。

「conducting risk assessments」→ 係 security manager 嘅工作，唔係 senior management。

The MOST appropriate role for senior management in supporting information security is:

AEvaluating vendor proposals for security services

BConducting risk assessments

CDeveloping security standards

DApproval of policy statements and funding

廣東話拆解Senior management = approve + fund。唔係做技術工作。

Ultimately accountable for enterprise information / legal liability

→

BOARD OF DIRECTORS / Senior management

▶

Board = 最終問責。唔係 CISO，唔係 security manager，唔係 legal counsel。

「CISO」→ CISO 係 operational responsibility，board 係 ultimate accountability。

Q51

Who is ultimately responsible for an enterprise's information?

AData custodian

BChief information security officer

CThe employees

DBoard of directors

廣東話拆解Ultimate accountability = Board of directors。CISO = 管理安全運作，但最終責任係 board。

Security investment / budget decisions based on

→

VALUE ANALYSIS / COST-BENEFIT analysis

▶

要有 business justification + ROI。唔係 vulnerability assessments 或 audit recommendations alone。Cost of control should NOT exceed asset value。

「vulnerability assessment results」→ 只係 one input，唔係 basis for investment decision。

Investments in information security technologies should be based on:

Avulnerability assessments and risk reduction

Bvalue analysis

Cgeneral business climate

Dtechnical capabilities

廣東話拆解Security investment = business case + ROI。唔係因為技術先進或 audit 要求。

🟡 MED — 中頻必知 5 topics

Policy vs Standard vs Procedure vs Guideline — hierarchy

→

Policy → Standard → Procedure → Guideline（Guideline 係非強制）

▶

Policy = 強制，最高層，board 批准，最穩定（唔因技術改變）。Guideline = 建議性，員工可選擇唔跟。

「which is discretionary」→ Guideline。見到「policy is updated because of」→ Management intent change，唔係 technology change。

Q672

Which of the following is MOST likely to be discretionary?

APolicies

BProcedures

CGuidelines

DStandards

廣東話拆解Guidelines = 建議，非強制。Policies = 強制 management intent。Procedures = 操作步驟（更新最頻繁）。

Noncompliance with standards — MOST effective resolution

→

Regular reports to AUDIT COMMITTEE

▶

Audit committee = 最高 enforcement power。Periodic audits 識別問題但冇 escalation；training 唔能 enforce。

「periodic audits」→ 識別問題，但冇 escalation 冇 action。

Which is the MOST effective way to ensure noncompliance is resolved?

APeriodic audits of noncompliant areas

BVulnerability scanning program

CAnnual security awareness training

DRegular reports to the audit committee

廣東話拆解Audit committee = enforcement power。Audits、training、scanning = 識別問題，但唔係 resolution mechanism。

Privacy policy PRIMARY content / PRIMARY concern

→

NOTIFICATIONS — what company will do with collected information

▶

Most privacy laws require disclosure on how info will be used。Privacy policy primary concern = legislative and regulatory requirements。

「business requirements」→ 唔係 primary，要 comply with legal requirements 先。

Q47

The PRIMARY concern when documenting a formal data retention policy is:

Agenerally accepted industry good practices

Bbusiness requirements

Clegislative and regulatory requirements

Dstorage availability

廣東話拆解Data retention + privacy = legal requirements first。Business requirements 要符合 legal，唔係反過來。

Best INDICATOR of governance state / maturity

→

DEFINED MATURITY LEVEL (not just having strategy or policies)

▶

Maturity level = overall indicator。Having strategy = first step。Complete policies = just one part。

「developed strategy」→ 係 first step，唔係 best indicator of governance state。

Q112

Which is the BEST indicator of the state of information security governance?

AA defined maturity level

BA developed security strategy

CComplete policies and standards

DLow numbers of incidents

廣東話拆解Maturity level = holistic governance indicator。Strategy、policies = components，唔係 overall indicator。

Centralized vs decentralized — key characteristics

→

Centralized = better adherence / uniform
Decentralized = better alignment with business unit needs

▶

Centralized = 統一、易管理、policy compliance 好。Decentralized = 更貼合各業務單位需要，靈活。

「centralized saves cost」→ 唔係 characteristic，係 benefit。

Q23

Which is characteristic of decentralized information security management?

AMore uniformity in quality of service

BBetter adherence to policies

CBetter alignment with business unit needs

DMore savings in total operating costs

廣東話拆解Decentralized = better business alignment；Centralized = better uniformity + policy adherence。

🟢 LOW — 低頻補充 2 topics

Security architecture & frameworks BEST approach

→

Adopt a FRAMEWORK (ISO 27001/COBIT) as structure

▶

Framework = skeleton，提供 structure + guidance，唔係完整 solution。Processes = part of implementation。

「framework provides detailed process steps」→ 錯，framework 係 structure，唔係 prescriptive steps。

Q130

The BEST approach to developing an information security program is to use a:

Aprocess

Bframework

Creference model

Dchecklist

廣東話拆解Framework (ISO/COBIT) = best practice structure。唔係 detailed processes 或 reference model alone。

Governance framework development — BEST contributor

→

CONTINUOUS analysis, monitoring and feedback

▶

持續改善 governance = continuous analysis + monitoring + feedback loop。唔係 ROSI 或 risk reduction alone。

「continuous risk reduction」→ 係 outcome，唔係 contributor to framework development。

Q74

Which BEST contributes to the development of an information security governance framework?

AContinuous analysis, monitoring and feedback

BContinuous monitoring of return on security investment

CContinuous risk reduction

DKey risk indicator setup

廣東話拆解持續分析 + 監控 + 反饋 = governance 改善嘅根基。唔係 ROSI 或 risk reduction。

Information Security Risk Management — 風險管理

考試佔比 20% · 12 HOT + 2 MED + 1 LOW = 15 topics

Acceptable levelAsset inventory first4 treatment optionsLikelihood+ImpactRisk appetiteThird partySDLC feasibilityKRI predictive

🔴 HOT — 必考高頻 12 topics

PRIMARY objective / goal of risk management

→

Achieve / reduce risk to ACCEPTABLE LEVEL

▶

CISM 最強 signal（4.5x）。唔係 minimize，唔係 eliminate，唔係 implement controls——係 acceptable level。

「Eliminate business risk」= 即刻排除。「Zero risk / 100% secure」= 唔可能。

Q230

What is the PRIMARY objective of a risk management program?

AMinimize inherent risk

BEliminate business risk

CImplement effective controls

DAchieve acceptable risk

廣東話拆解Acceptable risk = CISM 核心語言。B = eliminate 唔可能；A = minimize 唔係目標；C = 手段。

FIRST step of risk assessment / analysis

→

Identify / inventory ASSETS

▶

唔知有咩資產，點知要保護咩。順序：Asset inventory → Threats → Vulnerabilities → Likelihood/Impact → Controls。

「identify threats first」→ 錯，assets 先。

Q232

What is the FIRST step of performing an information risk analysis?

AEstablish the ownership of assets

BEvaluate the risk to the assets

CTake an asset inventory

DCategorize the assets

廣東話拆解資產先，威脅後。冇 asset inventory，點知邊啲資產有風險。

2 ESSENTIAL elements of risk

→

LIKELIHOOD and IMPACT (probability + consequence)

▶

Risk = combination of probability of event AND its impact。缺一不可。

「threat and vulnerability」→ 係 risk 嘅 components，但唔係 essential elements。

Q336

What are the essential elements of risk?

AThreat and vulnerability

BLikelihood and impact

CExposure and probability

DThreat and exposure

廣東話拆解Risk = Likelihood × Impact。Threat + vulnerability = incomplete；exposure = 唔係 essential element。

Risk treatment options (4個)

→

Accept · Mitigate · Transfer · Avoid

▶

Insurance = Transfer（唔係 eliminate）。Stop activity = Avoid。Add controls = Mitigate。Do nothing = Accept。外判唔 = transfer risk，enterprise 仍係 risk owner。

「insurance eliminates risk」→ 錯，係 Transfer。外判唔轉移 accountability。

Q295

The use of insurance is an example of which of the following?

ARisk sharing

BRisk acceptance

CRisk avoidance

DRisk transfer

廣東話拆解Insurance = Risk Transfer。唔係 eliminate，唔係 share（insurance 係正式轉移）。

Risk appetite / acceptable risk determined by

→

STEERING COMMITTEE / Senior management

▶

唔係 security manager 或 CIO 自己話事。Acceptable risk = business decision，由 management 決定。

「security management」→ 唔係 authority to determine acceptable risk。

Q213

Acceptable levels of information security risk should be determined by:

ALegal counsel

BSecurity management

CBusiness operations

DThe steering committee

廣東話拆解Risk appetite = management decision，唔係 security team 話事。Steering committee 代表 senior management。

Threat identification analysis — PRIMARY reason to study threats

→

Establish a THREAT ANALYSIS (understand threat landscape)

▶

主要目的係了解企業係 threat landscape 嘅位置，唔係 build threat library 或 update controls alone。

「update threat library」→ 係 output，唔係 primary reason。

Q406

What is the PRIMARY reason an enterprise would study cybersecurity threats?

Aestablish a threat library

Bestablish a control baseline

Cestablish incident response playbooks

Destablish a threat analysis

廣東話拆解Threat analysis = understand position in threat landscape。Library、baselines = outputs，唔係 primary reason。

Vulnerability assessment PRIMARY objective

→

Provide ASSURANCE TO MANAGEMENT

▶

Vulnerability assessment = 識別弱點 → 向 management 提供保證。唔係直接 reduce risk（係間接），唔係 ensure compliance（係 one use）。

「reduce risk to the business」→ 係間接效果，唔係 primary objective。

Q380

The PRIMARY objective of a vulnerability assessment is to:

Areduce risk to the business

Bensure compliance with security policies

Cprovide assurance to management

Dmeasure efficiency of services

廣東話拆解Vulnerability assessment = identify + provide assurance。Actual risk reduction 係 subsequent actions 做到嘅。

Risk assessment FIRST introduced in SDLC — which phase

→

FEASIBILITY phase (earliest possible)

▶

Risk should be addressed as early as possible。Feasibility = first formal phase。等到 specification 或 design 太遲，改動成本高。

「requirements specification」→ 係第二位，feasibility 先。

Q240

In which phase of the development process should risk assessment be FIRST introduced?

AProgramming

BSpecification

CUser testing

DFeasibility

廣東話拆解Feasibility = 最早。越早引入 security，成本越低，改動越易。等到 design 或 testing = 太遲。

Regulatory compliance requirements — treat as

→

JUST ANOTHER RISK (probability + consequences)

▶

Regulations = treated as any other risk，按 probability + consequences 評估 priority。唔係所有 regulations 都要 100% comply。

「an organizational mandate — must comply」→ 錯，CISM 視 compliance 為 risk management decision。

Q324

The information security manager should treat regulatory compliance requirements as:

Aan organizational mandate

Ba risk management priority

Ca purely operational issue

Djust another risk

廣東話拆解Regulation = just another risk。Priority 按 likelihood + impact 決定，唔係所有都要 100% comply。

Asset value for risk management — physical asset

→

Based on REPLACEMENT COST

▶

Replacement cost = 真實需要嘅金額。Original cost = 可能過時。Net cash flow / NPV = 唔係 asset protection value。

「original cost」→ 可能好舊，唔反映真實 replacement 需要。

Q205

For risk management purposes, the value of a physical asset should be based on:

Aoriginal cost

Bnet cash flow

Cnet present value

Dreplacement cost

廣東話拆解Replacement cost = 真實損失金額。Original cost 可能過時。NPV = finance tool，唔係 risk value。

New outsourcing / third party situation — FIRST step

→

Perform INTERNAL RISK ASSESSMENT

▶

外判唔代表轉移責任，enterprise 仍係 risk owner。先做 internal risk assessment 了解自己嘅 risk exposure。

「audit third party first」→ 唔係 FIRST，先了解自己嘅 risk。

Q257

An enterprise plans to outsource its CRM. What is the FIRST step?

APerform a background check on the service provider

BPerform an internal risk assessment to determine needed controls

CIdentify the audit objectives for the service provider

DRequest security certifications from the provider

廣東話拆解先了解自己嘅 risk exposure，才能決定要向第三方要求乜嘢 controls。

Residual risk — next step after determining

→

VALIDATE that it is ACCEPTABLE

▶

Residual risk 唔一定要繼續 mitigate。先確認係咪 acceptable，係就 accept，唔係就繼續處理或 transfer。

「implement more controls」→ 唔一定，先要 validate acceptable。

Q296

After residual risk has been determined, the enterprise should NEXT:

Atransfer the risk

Bacquire insurance

Cvalidate that the residual risk is acceptable

Dimplement more security controls

廣東話拆解Residual risk → validate acceptable → 係就 accept，唔係就繼續 treat。唔係自動再加 controls。

🟡 MED — 中頻必知 2 topics

Qualitative vs Quantitative risk assessment

→

Qualitative = INTANGIBLE (reputation, confidence)
Quantitative = FINANCIAL (ALE = ARO × SLE)

▶

客戶信心下跌、聲譽損失 = qualitative（無法量化）。財務損失、設備費用 = quantitative（可以計數字）。

「customer confidence decline → quantitative」→ 錯，confidence 係 intangible = qualitative。

Q212

Which risk scenario would BEST be assessed using qualitative risk assessment?

ATheft of software

BPower outages

CPermanent decline in customer confidence

DAnnual cost of security controls

廣東話拆解A、B、D = 可以計數字 = quantitative。C = 客戶信心 = intangible = qualitative。

KRI — MOST essential attribute

→

PREDICTIVE of a risk event (early warning signal)

▶

KRI = 前向指標，預測 developing risk。KPI = 後向，measure 現有 performance。

「accurate and reliable」→ 係重要屬性，但唔係 MOST essential。

Q208

What is the MOST essential attribute of an effective KRI?

AIs accurate and reliable

BProvides quantitative metrics

CIndicates required action

DIs predictive of a risk event

廣東話拆解KRI = early warning。KPI = current performance measure。KRI 預測，KPI 量度。

🟢 LOW — 低頻補充 1 topics

Risk register — MOST effective use

→

Facilitate THOROUGH REVIEW of all IT risk periodically

▶

Risk register = comprehensive documentation tool，唔係 just a list。用嚟確保所有 risk 定期被審閱同更新。

「identify risk and assign responsibilities」→ 係 elements，唔係 MOST effective use。

Q281

The MOST effective use of a risk register is to:

Aidentify risk and assign mitigation roles

Bidentify threats and probabilities

Cfacilitate thorough review of all IT-related risk periodically

Drecord annualized financial losses

廣東話拆解Risk register = living document for comprehensive risk tracking，唔係 static list。

Information Security Program Management — 安全計劃

考試佔比 33% ★ · 17 HOT + 7 MED + 2 LOW = 26 topics

Biz alignment firstChange vs PatchRBACAwareness=behaviourDMZPKIBaselinesBYODApp SDLCSoD

🔴 HOT — 必考高頻 17 topics

New security tool recommended — FIRST step

→

Assess ALIGNMENT WITH BUSINESS GOALS & OBJECTIVES

▶

任何新工具，第一步唔係 implement，唔係 budget，唔係組隊。先 assess 同 business goals 嘅關聯。就算係 audit director 推薦。

「obtain pricing」/ 「form project team」→ 假設已決定購買，但未 justify。

Q751

The director of auditing recommended a monitoring solution. What should security manager do FIRST?

AObtain comparative pricing bids

BAdd the purchase to budget

CPerform an assessment to determine correlation with business goals

DForm a project team to plan implementation

廣東話拆解就算 audit director 推薦，FIRST = assess business alignment。唔係量，係 justify。

Prevent weaknesses INTRODUCED into production systems

→

CHANGE MANAGEMENT

▶

Change management = 控制改變過程，防止新問題引入。關鍵字：'introduced / unauthorized changes'。

「patch management」→ patch = 修正已知，唔係防止 introduced。呢兩條考試可能連續出！

Q512

Which is MOST effective in preventing weaknesses from being introduced into existing production systems?

APatch management

BChange management

CSecurity baselines

DVirus detection

廣東話拆解Introduced = Change management。Known OS weaknesses = Patch management。兩條答案相反！

Fix KNOWN weaknesses in OS / existing systems

→

PATCH MANAGEMENT

▶

Patch = 修正已發現嘅弱點。Patch FIRST step = validate authenticity（就算係 emergency）。

「change management」→ change = 防止引入新問題，唔係修正已知。

Q513

Which is MOST effective in preventing security weaknesses in operating systems?

APatch management

BChange management

CSecurity baselines

DConfiguration management

廣東話拆解OS weaknesses = Patch management。Introduced = Change management。背呢兩個關鍵字！

MOST cost-effective access control type

→

ROLE-BASED Access Control (RBAC)

▶

按 job role 分配權限，大減 admin overhead。最適合大型 user communities（500+ users）。

「mandatory access control」→ 最嚴格，但唔係 most cost-effective。

Q504

Which of the following is the MOST cost-effective type of access control?

ACentralized access control

BMandatory access control

CRole-based access control

DDecentralized access control

廣東話拆解RBAC = cost-effective。Mandatory = 最嚴格（classified environment）。Discretionary = 最靈活但最不安全。

Privileged access exceeds job requirements — FIRST action

→

Meet DATA OWNERS to understand BUSINESS NEEDS

▶

可能有 legitimate business reason。先了解情況，唔係急住 revoke。CISM manager = understand before act。

「revoke access immediately」→ 可能影響業務，未了解情況先唔能行動。

Q658

Privileged users have access beyond job requirements. What should be done FIRST?

ARevoke the privileged access immediately

BReport to senior management

CMeet with data owners to understand business needs

DConduct a risk assessment

廣東話拆解可能有 business justification。先 meet data owners，了解 business needs，先決定下一步。

PRIMARY objective of security awareness

→

INFLUENCE EMPLOYEE BEHAVIOUR

▶

唔係 pass tests，唔係 understand policies，唔係 compliance。知道 ≠ 做到，目標係 behavior change。

「ensure employees understand policies」→ knowledge ≠ behavior change。

Q620

What is the PRIMARY objective of security awareness?

AEnsure that policies are read and understood

BInfluence employee behavior

CMeet legal and regulatory requirements

DEnsure employees pass security tests

廣東話拆解Awareness = behaviour change。Knowledge transfer 係手段，唔係目標。

BEST metric — awareness effectiveness

→

Number of REPORTED INCIDENTS (increases first, then decreases)

▶

成效好 → 員工更積極識別同報告可疑事件。唔係 test scores，唔係 policy acknowledgement count。

「decrease in incidents」→ 短期 awareness 好，reported incidents 先升（更多人識得舉報），後降。

Q598

Which is the BEST indicator that security awareness training has been effective?

AFewer employees acknowledging the security policy

BMore incidents are being reported

CReduction in policy violation reports

DNumber of individuals trained

廣東話拆解More reported = 員工更警覺。唔係 fewer incidents（太短視）。先升後降係正常。

Prevent SOCIAL ENGINEERING / PHISHING — MOST effective

→

Security AWARENESS TRAINING

▶

Social engineering = 利用人嘅弱點，唔係技術漏洞。技術控制無效。此係少數 training 係正確答案嘅情況。

「firewall rules」/ 「spam filter」→ 唔係最有效 against social engineering。

Q593

Which will MOST likely reduce unauthorized access via social engineering?

APerforming reviews of password resets

BConducting security awareness programs

CIncreasing frequency of password changes

DImplementing automatic password checking

廣東話拆解Social engineering = 人嘅問題 = 人嘅解決方案（training）。技術控制對 social engineering 無效。

Where to place PUBLIC-FACING servers (web / extranet / IDS)

→

DMZ / SCREENED SUBNET

▶

Public servers 唔能直接連接 internal network。DMZ = 隔離區，對外可訪問，唔直接暴露內部。Firewall → domain boundary。

「internal network」→ 太危險。「Internet side of firewall」→ 唔係 controlled。

Q517

Which of the following devices should be placed within a demilitarized zone?

ASwitch

BWeb server

CDatabase server

DRouter

廣東話拆解Web server = DMZ。Intranet server = internal network。Database server = never DMZ（太敏感）。

PRIMARY prerequisite to implementing data classification

→

IDENTIFY DATA OWNERS first

▶

冇 data owner，根本冇人負責做分類。先識別 owner，才能讓他們分類。

「define classification levels」→ 係第二步，先要有 owner 先能做分類。

Q849

Which is the PRIMARY prerequisite to implementing data classification?

ADefining job roles

BIdentifying data owners

CPerforming a risk assessment

DAssigning data labels

廣東話拆解Data owner = prerequisite。冇 owner，冇人負責分類，其他步驟都做唔到。

PKI preferred model for LARGE number of users — why

→

More SCALABLE than symmetric key

▶

Symmetric key = 每對用戶需要一把 key，用戶多 = key 數量爆炸（n×(n-1)/2）。PKI = public key infrastructure，scalable。

「computationally more efficient」→ 錯，PKI 計算成本更高。「stronger encryption」→ 唔係 primary advantage。

Q818

Why is PKI the preferred model for a large number of users?

AComputationally more efficient

BIt is more scalable than a symmetric key

CLess costly to maintain

DProvides greater encryption strength

廣東話拆解PKI scalability = 唔需要每對用戶一把 key。Symmetric = n×(n-1)/2 keys 唔實際。

BEST ensures NONREPUDIATION

→

DIGITAL SIGNATURES

▶

Digital signatures = private + public key pair，驗證雙方身份 + 確保 content integrity。Sender 無法否認。

「strong passwords」→ authentication only，無法 nonrepudiation。「digital hash」→ integrity only，無法 nonrepudiation。

Q581

Which of the following BEST ensures nonrepudiation?

AStrong passwords

BA digital hash

CSymmetric encryption

DDigital signatures

廣東話拆解Nonrepudiation = digital signatures（private key sign，public key verify）。Hash = integrity only。Password = authentication only。

Security BASELINE — why important

→

Defines MINIMUM ACCEPTABLE SECURITY to be implemented

▶

Baseline = 最低安全標準，確保所有系統達到最低要求。唔係最高標準，係 minimum。

「defines required physical and logical access controls」→ 唔係定義，係 baseline 嘅 content之一。

Q553

Why is it important to develop an information security baseline?

Aidentify critical information resources

Bestablish a security policy

Cdefine the minimum acceptable security

Didentify required access controls

廣東話拆解Baseline = minimum acceptable security。所有系統要達到呢個最低要求。唔係 maximum，係 minimum。

Application security — WHEN should security be involved in SDLC

→

REQUIREMENTS GATHERING AND ANALYSIS phase (earliest for in-house development)

▶

越早引入 security，成本越低。Requirements phase = 最早能定義 security requirements 嘅正式階段。

「system design phase」→ 係第二位，requirements 先。「user acceptance testing」→ 太遲。

Q794

Which phase of the application development lifecycle should information security be involved from?

ASystem design

BUser acceptance testing and sign-off

CRequirements gathering and analysis

DImplementation

廣東話拆解Requirements = 最早。越早 security = 越低修改成本。Feasibility (D2) 係整個 SDLC，Requirements (D3) 係 in-house development 具體嘅最早階段。

BYOD decision already made — information security manager FIRST action

→

Determine information security STRATEGY for BYOD

▶

企業已決定 implement BYOD，security manager 唔係 advise against（決定已定），FIRST = determine strategy。

「advise against implementing BYOD」→ 決定已定，呢個選項唔 relevant。

Q815

Enterprise decides to implement BYOD. What should information security manager do FIRST?

AAdvise against BYOD because of security risk

BPreparing a business case for new security tools

CUpdating security awareness program

DDetermining an information security strategy for BYOD

廣東話拆解決定已定，唔係 argue against。FIRST = determine strategy，睇現有 strategy 能否 accommodate，如唔能則更新。

PRIMARY purpose of SEGREGATION OF DUTIES (SoD)

→

FRAUD PREVENTION

▶

SoD = 防止任何一個人可以 authorize + execute + conceal 同一個 transaction。Primary purpose = fraud prevention。

「improve oversight」→ 係 benefit，唔係 primary purpose。

Q872

What is the PRIMARY purpose of segregation of duties?

Amonitoring

Bfraud prevention

Csupervision reduction

Defficiency

廣東話拆解SoD = 防止一個人控制整個 transaction cycle = fraud prevention。

Physical security — MOST effective prevention of TAILGATING

→

AWARENESS TRAINING

▶

Tailgating = 人跟人進入，技術控制（card lock、biometric）無法 100% 防。Awareness training = 其他員工識得 challenge 入侵者。

「card key door locks」→ tailgating 係跟著合法人入，card lock 無效。「biometric scanners」→ 係驗身份，唔係防 tailgating。

Q653

Which is MOST effective in preventing physical access tailgating?

ACard key door locks

BPhoto identification

CAwareness training

DBiometric scanners

廣東話拆解Tailgating = 人嘅問題（唔識 challenge）= 人嘅解決方案（awareness training）。技術控制對 tailgating 無效。

🟡 MED — 中頻必知 7 topics

SoD — BEST approach to implement in business-critical applications

→

Implement ROLE-BASED access control in the application

▶

RBAC = define roles with appropriate access，best implementation of SoD。Manual procedures = 唔可靠。

「manual procedures ensuring separation」→ 唔可靠，RBAC 係 better control。

Q654

What is the BEST approach to implement adequate SoD in business-critical applications?

AEnsure access to individual functions

BImplement role-based access control

CEnforce manual procedures

DCreate service accounts

廣東話拆解RBAC = best SoD implementation。Manual = 唔可靠。Service accounts = 唔 solve SoD。

SoD MOST seriously compromised when

→

Access privileges ACCUMULATED based on previous job functions

▶

員工轉職，舊 access 冇被 remove。呢個 creeping privileges 問題係 SoD 最大威脅。

「terminated users still active」→ 係問題，但唔係 MOST seriously compromised SoD。

Q668

The effectiveness of SoD may be MOST seriously compromised when:

Auser IDs of terminated staff remain active

Baccess privileges are accumulated based on previous job functions

Crole-based access deviates from organizational hierarchy

Drole mining tools are used

廣東話拆解Creeping privileges = 舊 access 唔 remove = SoD 失效。解決方法：定期 review + remove old access upon role change。

SSO / password sync FAILS — FIRST automatic action

→

Fall back to NONSYNCHRONIZED / individual login mode

▶

唔係 block all logins（影響 availability）。Fallback = balance security + availability，業務唔能停。

「block all new logins」→ 影響 availability，業務中斷。

Q541

Which should automatically occur FIRST when SSO system fails?

ABlock all inbound traffic

BBlock all new logins

CFall back to nonsynchronized mode

DLog all user activity

廣東話拆解SSO fail → individual login fallback。唔係 block（業務唔能停）。Security + availability 要 balance。

Wireless security — STRONGEST combination

→

WPA2 + 802.1x authentication

▶

WPA2 = 最強 encryption protocol。802.1x = enterprise authentication（唔係 pre-shared key）。兩者結合 = strongest。

「WEP with 128-bit」→ WEP 已知 broken，唔能用。「TKIP-MIC」→ 唔夠強。

Q779

Which offers the STRONGEST encryption and authentication for wireless?

AWEP with 128-bit PSK

BTKIP-MIC with WPA

CWPA2 with PSK

DWPA2 and 802.1x authentication

廣東話拆解WPA2 + 802.1x = strongest。WEP = broken。PSK = weaker than 802.1x enterprise。

Control types — preventive / detective / corrective

→

Preventive = prevent occurrence
Detective = identify/detect
Corrective = restore/mitigate after incident

▶

Change management = preventive。IDS = detective。Backup/recovery = corrective。Awareness = preventive + detective。

「IDS = preventive」→ 錯，IDS = detective（detect，唔係 prevent）。IPS = preventive。

Q660

For which type of control is notification of a network intrusion an example?

APreventative

BCorrective

CDetective

DDeterrent

廣東話拆解IDS notification = Detective。IPS = Preventive。Backup = Corrective。Firewall = Preventive。

Cloud security PRIMARY concern (SaaS)

→

Possibility of DISCLOSURE of sensitive data in TRANSIT or STORAGE

▶

SaaS = data leaves enterprise boundary。Primary concern = data disclosure（confidentiality）。Network failure = availability（secondary）。

「network failure and loss of availability」→ 唔係 primary，係 secondary concern。

Q850

When implementing SaaS, what is the PRIMARY security concern?

AUnclear regulations about data storage

BTraining users for the new technology

CRisk of network failure and application unavailability

DPossibility of disclosure of sensitive data in transit or storage

廣東話拆解SaaS = data outside enterprise = disclosure risk = primary concern。Availability = secondary。

Security program metrics — framework shows development based on

→

RISK ASSESSMENT and CONTROL OBJECTIVES

▶

Security program development = identify gap between existing controls (risk assessment) and required controls (control objectives)。

「policy development」→ 係 component，唔係 basis for program development。

Q648

Standard frameworks show security program development is based on:

Apolicy development and process implementation

Binternal audit and remediation

Ca risk assessment and control objectives

Dresource identification and budgetary requirements

廣東話拆解Program = close gap between current state (risk assessment) and desired state (control objectives)。

🟢 LOW — 低頻補充 2 topics

SIEM — MOST effective way to reduce FALSE POSITIVE alerts

→

Building USE CASES

▶

Use cases = 定義 SIEM 應該 alert 嘅具體場景，減少 false positives。Network traffic analysis 唔夠 specific。

「network traffic analysis」→ 唔夠 targeted，唔能有效減少 false positives。

Q1001

Which MOST effectively reduces false-positive alerts from a SIEM?

ABuilding use cases

BConducting a network traffic analysis

CPerforming a risk assessment

DImproving quality of logs

廣東話拆解SIEM use cases = 定義 what should trigger alerts。唔係 generic monitoring。

Monitoring solution — PRIMARY concern for security manager

→

Assess correlation with BUSINESS GOALS first

▶

即使係 monitoring，都係先 assess business alignment，唔係直接 deploy。

「deploy immediately after purchase approval」→ 跳步，未 assess business alignment。

Q751

Best first action for recommended monitoring solution:

AObtain pricing

BAdd to budget

CAssess correlation with business goals

DForm project team

廣東話拆解同 Rule 1 一樣原則：任何新 solution → 先 assess business alignment。

Information Security Incident Management — 事件管理

考試佔比 30% ★ · 18 HOT + 7 MED + 2 LOW = 27 topics

Confirm vs ContainChain of custodyBIA→RTO/RPOPost-incident improveDR testingRansomwareTriageEradication

🔴 HOT — 必考高頻 18 topics

Incident response FULL ORDER

→

Confirm → Contain → Eradicate → Recover → Lessons Learned

▶

背到出口。每一步嘅關鍵字都係可能嘅考題答案。Document throughout。

唔好以為 Contain 係第一步——如果係 'reported'，先要 Confirm！

Q890

What is the FIRST priority when responding to a major security incident?

ADocumentation

BMonitoring

CRestoration

DContainment

廣東話拆解'Responding to' = 已確認。此時 FIRST = Containment。唔係 documentation（之後），唔係 restoration（清除後）。

Breach 'REPORTED' / IDS alert → FIRST step

→

CONFIRM / VALIDATE it's a real incident

▶

'Reported' = 未確認。False positive 好常見（admin maintenance 可觸發 IDS alert）。先 confirm，才能做後續。

「start containment」→ 最常見錯誤！Reported ≠ confirmed。先要 confirm！

Q932

A customer credit card database has been REPORTED as breached. What is the FIRST step?

AConfirm the incident

BNotify senior management

CStart containment

DNotify law enforcement

廣東話拆解關鍵詞 'reported'——未確認。先 Confirm（A），才 Contain（C）。好多人揀 C，係錯！

Laptop stolen / device missing — FIRST action

→

Initiate INCIDENT RESPONSE PROCEDURES

▶

唔係直接 disable account（雖係重要步驟）。先啟動 IR procedures，按流程做所有後續步驟。

「disable user account immediately」→ 係重要步驟，但唔係 FIRST——先要啟動流程。

Q925

What is the FIRST action when a company laptop is reported stolen?

AEvaluate the impact of information loss

BUpdate corporate laptop inventory

CInitiate appropriate incident response procedures

DDisable the user account immediately

廣東話拆解IR procedures 包含所有後續步驟（包括 disable account）。先啟動流程，唔係直接跳到某個步驟。

Control tested but compromise STILL occurred — FIRST action

→

Perform ROOT CAUSE ANALYSIS

▶

先了解點解發生，先能知係咪 control 唔夠定係有其他原因。唔係 repeat the test。

「repeat the control test」→ 唔係 FIRST，先搞清楚原因。

Q891

Although controls were recently tested, a serious compromise occurred. FIRST step:

AEvaluate control objectives

BDevelop more stringent controls

CPerform a root cause analysis

DRepeat the control test

廣東話拆解先 root cause，才能決定係咪需要 more controls。唔係盲目加 controls 或 repeat test。

Forensic investigation — FIRST step

→

Establish CHAIN OF CUSTODY log

▶

Chain of custody = 記錄每個人接觸過證據、做咗咩、幾時做。確保法庭證據有效。冇 CoC，其他步驟無效。

write blocker（第2步）/ cryptographic hash（第3步）→ 係正確步驟，但唔係 FIRST。

Q971

When creating a forensic image of a hard drive, which should be the FIRST step?

AIdentify a recognized forensics software tool

BEstablish a chain of custody log

CConnect the hard drive to a write blocker

DGenerate a cryptographic hash

廣東話拆解Chain of custody FIRST。C（write blocker）第2步。D（hash）第3步。先有 CoC，先有法律效力。

Analyze suspect media / hard drive

→

Create BIT-FOR-BIT copy; analyze the COPY (never original)

▶

直接分析原件 = 破壞原始證據。Bit-for-bit = 保留 100% 數據（包括 deleted files、slack space）。

「standard backup」→ 唔夠，backup 唔包含 deleted files 或 slack space。

Q966

In forensic examination, data on suspect media should be:

AAnalyzed directly from original media

BCopied as bit-for-bit image then the copy analyzed

CBacked up using standard backup software

DEncrypted and stored securely

廣東話拆解永遠唔用原件。Bit-for-bit = forensically sound copy。Standard backup = 唔夠完整。

FIRST step in BCP / DRP planning

→

Business Impact Analysis (BIA)

▶

BIA → 決定 RTO / RPO / 恢復優先次序 → 選 DR site。冇 BIA，唔知恢復要幾耐，唔知邊個系統最緊要。

「risk assessment」→ BIA 先，risk assessment 係 BIA 嘅 input 之一。

Q943

Which process is critical for deciding prioritization of actions in BCP?

ABusiness impact analysis

BRisk assessment

CVulnerability assessment

DBusiness process mapping

廣東話拆解BIA = FIRST step in BCP/DRP。BIA → RTO/RPO → DR site type。Risk assessment ≠ BIA。

Who should CALCULATE BIA results

→

BUSINESS PROCESS OWNERS (not IT)

▶

BIA 係業務影響，只有業務方最了解中斷嘅後果。IT 知技術，唔知業務 impact。

「IT management」→ 知技術，唔知業務 impact。

Q912

When performing a BIA, who should calculate the recovery results?

ABusiness continuity coordinator

BIT management

CBusiness process owners

DInformation security manager

廣東話拆解Business process owners = 最了解業務中斷後果。IT = 技術角度，唔係業務角度。

PRIMARY objective of post-incident review

→

IMPROVE the response process (forward-looking, NOT blame)

▶

唔係追責，唔係量化損失，唔係 document timeline——係 forward-looking，改善未來 incident response。

「identify who was responsible」→ 唔係 primary objective。

Q920

What is the PRIMARY objective of a post-incident review?

AAdjusting budget provisioning

BPreserving forensic data

CTo improve the response process

DIdentifying who caused the incident

廣東話拆解Post-incident = forward-looking，改善 process。唔係追責，唔係 backward-looking。

Why use THIRD-PARTY for post-incident review

→

Independent & OBJECTIVE root cause analysis (avoid conflict of interest)

▶

自己 review 自己 = conflict of interest = 唔客觀。第三方 = 冇利益衝突 = 更準確 root cause。

「to identify lessons learned」→ 係 benefit，唔係 PRIMARY reason for third party。

Q949

PRIMARY purpose of involving third-party teams for post-incident reviews:

Aenable independent objective review of root cause

Bobtain support for enhancing third-party expertise

Cidentify lessons learned

Dobtain better buy-in for security program

廣東話拆解Third party = objectivity。唔係 lessons learned（自己都可以做），係 avoid conflict of interest。

Breach confirmed, data stolen — notify FIRST

→

DATA OWNERS who may be impacted

▶

Data owners = 最了解呢批數據，同時係 accountability 所在。先通知 data owners 評估損失，協調後續。

「customers」→ 睇落好合理，但唔係 FIRST。先要 data owners 評估 scope，才能決定點通知客戶。

Q988

Hacker confirmed corporate systems penetrated and customer data stolen. Notify FIRST:

Ainformation security steering committee

Bcustomers who may be impacted

Cdata owners who may be impacted

Dregulatory agencies

廣東話拆解Data owners FIRST → 評估損失 → 協調 response → 決定後續 notifications。

MOST important element for DR TEST success

→

Business management ACTIVELY PARTICIPATES

▶

Management support = 資源、員工認真、結果有人 action。冇 management，DR test 係走過場。

「identical equipment at hot site」→ 係 technical requirement，唔係 most important success factor。

Q892

Which is MOST important to ensure success of a disaster recovery test?

ATests are scheduled on weekends

BNetwork IP addresses are predefined

CEquipment at hot site is identical

DBusiness management actively participates

廣東話拆解Management participation = resources + commitment + accountability。冇管理層，DR test 冇意義。

Incident ERADICATION — compromised system with superuser access

→

REBUILD the system using ORIGINAL MEDIA

▶

Superuser 可以做任何改動（impossible to find all changes）。唯一確保 clean = rebuild from original。

「change all passwords and resume」→ 唔夠，superuser 可能已植入 backdoor。

Q1112

BEST protection if malicious program gains superuser privileges:

APrevent system admin access

BInspect system and IDS output

CRebuild the system using original media

DChange all passwords then resume

廣東話拆解Superuser compromise = rebuild from original media。唔係 patch，唔係 change password——可能已有 backdoor。

IR team MANUAL should PRIMARY contain

→

SEVERITY CRITERIA

▶

Severity criteria = 相對穩定，適合放係 manual。Phone directory、risk assessments = 頻繁更新，唔適合 manual。

「emergency call tree / phone directory」→ 頻繁改變，唔適合 IR manual。

Q1109

Which document should be contained in a computer incident response team manual?

ARisk assessment

BSeverity criteria

CEmployee phone directory

DTable of all backup files

廣東話拆解IR manual = relatively static content。Severity criteria = stable。Phone directory = changes frequently = 唔適合。

Incident triage — PRIMARY reason for conducting

→

PRIORITIZE LIMITED RESOURCES when handling incidents

▶

Resources 有限，要先處理最重要嘅 incidents。Triage = prioritization tool。

「to detect incident before it spreads」→ 係 containment，唔係 triage。

Q1107

What is the PRIMARY reason for conducting triage?

ATo prioritize limited resources when handling incidents

BTo align with mandatory process steps

CTo mitigate the chance of incident occurring

DTo detect an incident before it spreads

廣東話拆解Triage = prioritize resources。Limited resources = most important first。唔係 prevention，係 prioritization。

Data EXFILTRATION active incident — FIRST action

→

BLOCK the traffic going to attacker's servers

▶

Priority = stop ongoing damage。Block outbound traffic = contain exfiltration。先 stop，才 investigate。

「inform system owner first」→ 係重要步驟，但唔係 FIRST。Ongoing damage = stop first。

Q1102

Active incident — data being exfiltrated to attacker's servers. FIRST action:

AInform the system owner

BDetermine the cause of the incident

CEnsure affected system is turned off for forensics

DBlock the traffic going to the attacker's servers

廣東話拆解Active exfiltration = stop it FIRST。Block outbound traffic = contain damage。C = 破壞 forensics evidence 同時 stop business。

Ransomware — FIRST step incident response team should take

→

REMOVE the affected systems from the network

▶

Ransomware spreads quickly。Remove from network = contain spread。唔係 notify，唔係 restore（restore 可能 reinfect）。

「restore workstations from backups immediately」→ 可能 reinfect backups if not careful。Contain first。

Q1082

FIRST step when ransomware is detected:

ARemove the affected systems from the network

BNotify the system owners

CRestore affected workstations from backups

DReview event logs to identify infected systems

廣東話拆解Ransomware = fast spread。Remove from network FIRST = contain。Notify、review logs、restore = 之後。

Timely identification of security incidents — BEST course of action

→

Implement INCIDENT DETECTION

▶

Detection capability = prerequisite 嚟 timely identification。BIA / risk analysis 唔直接確保 timely detection。

「apply preventive and detective controls」→ 太 broad，唔係最 targeted answer。

Q1083

To ensure timely identification of security incidents, BEST action:

Adocument a business impact analysis

Breview a risk analysis

Cimplement incident detection

Dapply preventive and detective controls

廣東話拆解Timely identification = incident detection capability。BIA = business impact（唔係 detection）。

🟡 MED — 中頻必知 7 topics

RTO vs RPO — definitions

→

RTO = how LONG to restore (time)
RPO = maximum acceptable DATA LOSS (data point)

▶

RTO = Recovery Time Objective（幾耐要 back online）。RPO = Recovery Point Objective（最多損失幾多時間嘅數據）。兩個都由 BIA 決定。

「RTO = data loss」→ 錯，RPO 係 data loss。RTO 係 time。

Q985

The recovery time objective is reached at which milestone?

ADisaster declaration

BRecovery of the backups

CRestoration of the system

DSystem verification

廣東話拆解RTO = 恢復系統嘅時間目標。RPO = 數據損失目標（e.g. 最多損失4小時數據）。

PRIMARY factor when designing BACKUP STRATEGY

→

RECOVERY POINT OBJECTIVE (RPO)

▶

RPO = 可接受嘅數據損失 → 決定 backup 頻率。RTO = 恢復時間 → 決定 recovery site type。

「recovery time objective」→ RTO 決定 DR site，唔係 backup frequency。

Q928

PRIMARY factor for designing backup strategy to meet recovery targets:

AVolume of sensitive data

BRecovery point objective

CRecovery time objective

DInterruption window

廣東話拆解RPO → backup frequency。RTO → DR site type。AIW → overall recovery window。

AIW / SDO / MTO — definitions

→

AIW = Allowable Interruption Window (max acceptable downtime)
SDO = Service Delivery Objective (minimum service level during recovery)
MTO = Maximum Tolerable Outage

▶

AIW = 業務可接受嘅最長中斷時間。SDO = recovery 期間要達到嘅最低服務水平。MTO = 絕對最長停機時間。

「MTO determined by operational capabilities」→ 錯，MTO determined by available resources。

Q961

The PRIMARY factor determining maximum tolerable outage is:

Aavailable resources

Boperational capabilities

Clong haul network diversity

Dlast mile protection

廣東話拆解MTO = available resources（人員、設備、預算）決定。唔係 operational capabilities（呢個係預設嘅）。

DR site type selection — PRIMARY criterion for OFFSITE storage

→

Primary and offsite NOT SUBJECT TO SAME ENVIRONMENTAL THREAT

▶

兩個 site 唔能受同一個 disaster 影響（e.g. 唔能同一地震帶）。Distance = secondary。Cost = secondary。

「not in close proximity」→ 唔係 primary，proximity 係 factor，但 same environmental threat 更 specific。

Q984

PRIMARY selection criterion for an offsite media storage facility:

Aprimary and offsite not subject to same environmental threat

Bnot in close proximity to primary site

Clowest storage and maintenance costs

Davailability of cost-effective transportation

廣東話拆解Primary concern = 唔受同一 disaster 影響。Distance 係 one indicator，但唔係 primary criterion。

BCP testing — types and characteristics

→

Full interruption = most assurance
Parallel = continuous operations (both sites run)
Simulation = effective without disruption
Checklist = least assurance

▶

Full interruption = 最真實但最 disruptive。Parallel = production 繼續，同時測試 recovery site。需要 continuous operations 用 parallel test。

「full interruption best for continuous operations」→ 錯，parallel test 先係。

Q1044

For enterprise requiring continuous operations, which DR test:

AFull interruption test

BSimulation testing

CParallel test

DWalk-through

廣東話拆解Continuous operations = parallel test（production 繼續運行）。Full interruption = most assurance but shuts down production。

BCP maintenance — BEST way to confirm DRP is current

→

REGULAR TESTING of the disaster recovery plan

▶

Testing results reveal shortcomings + opportunities for improvement。Documentation review alone 唔夠。

「auditing business process changes」→ 唔係最好方法 confirm currency。

Q1023

BEST way to confirm disaster recovery planning is current:

AAudits of business process changes

BMaintenance of latest configurations

CRegular testing of the disaster recovery plan

DMaintenance of personnel contact list

廣東話拆解Regular testing = reveals what's outdated + what needs updating。Documentation = 唔夠 confirm currency。

Volatile data — handling during forensic investigation

→

Preserve VOLATILE DATA FIRST (before powering off)

▶

Volatile data (RAM content) = 只存在 while computer running。Power off = 永久失去。取證時要先 capture volatile data。

「power off immediately」→ 會 destroy volatile evidence。先 capture volatile，才 power off。

Q1002

Forensic team was commissioned to analyze processes. Why NOT disconnect power first?

ATo prevent disk corruption

BTo avoid loss of data stored in volatile memory

CTo conduct a hot-swap of the main disk drive

DTo prevent overwriting

廣東話拆解Volatile memory (RAM) = lost when power off。取證前先 capture volatile data（processes, network connections, encryption keys）。

🟢 LOW — 低頻補充 2 topics

SIEM — BEST to reduce false positives

→

BUILDING USE CASES in SIEM

▶

Use cases = 定義 specific scenarios that should trigger alerts。唔係 generic monitoring。

「improve quality of logs」→ 有幫助，但唔係 MOST effective for reducing false positives。

Q1001

Which MOST effectively reduces false-positive alerts from a SIEM?

ABuilding use cases

BNetwork traffic analysis

CAsset-based risk assessment

DQuality of logs

廣東話拆解SIEM use cases = targeted alert criteria = fewer false positives。Generic monitoring = more noise。

DR site proximity — PRIMARY reason to consider

→

When SELECTING AN ALTERNATE RECOVERY SITE

▶

Proximity 唔係做 BIA 或 tabletop 時要考慮。係 select alternate site 時要確保唔受同一 disaster 影響。

「during BIA」→ BIA 時考慮 RTO/RPO，唔係 proximity。

Q1009

Proximity factors must be considered when:

Aconducting a business impact analysis

Bconducting a table-top test

Cselecting an alternate recovery site

Ddeveloping a recovery checklist

廣東話拆解Proximity = alternate site selection。確保唔受同一 regional disaster 影響。

CISM 完整備考筆記 — All 76 Topics · HOT → MED → LOW

Information Security Governance — 治理

Information Security Risk Management — 風險管理

Information Security Program Management — 安全計劃

Information Security Incident Management — 事件管理