Name: Class: Date:
Chapter 08 - Security Management Models
Copyright Cengage Learning. Powered by Cognero. Page 1
1. A security blueprint is the outline of the more thorough security framework.
a. True
b. False
ANSWER: True
2. Separation of duties is the principle by which members of the organization can access the minimum amount of
information for the minimum amount of time necessary to perform their required duties.
a. True
b. False
ANSWER: False
3. Lattice-based access control specifies the level of access each subject has to each object, if any.
a. True
b. False
ANSWER: True
4. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside
world.
a. True
b. False
ANSWER: False
5. Information Technology Infrastructure Library provides guidance in the development and implementation of an
organizational InfoSec governance structure.
a. True
b. False
ANSWER: False
6. In information security, a framework or security model customized to an organization, including implementation details
is known as a floorplan. _____________
ANSWER: False - blueprint
7. The information security principle that requires significant tasks to be split up so that more than one individual is
required to complete them is called isolation of duties. ____________
ANSWER: False - separation
8. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing
implementation of all subsequent security controls is known as a blueprint. ____________
ANSWER: False - framework
9. A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—
in other words, it mediates all access to objects by subjects. ____________
ANSWER: False - reference
10. The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the
development and operation of IT infrastructures. ____________
ANSWER: False - methods
11. A person's security clearance is a personnel security structure in which each user of an information asset is assigned an
authorization level that identifies the level of classified information he or she is cleared to access. ____________
ANSWER: True
12. Dumpster delving is an information attack that involves searching through a target organization’s trash and recycling
bins for sensitive information. ____________
ANSWER: False - diving
13. In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as
a user). ____________
ANSWER: False - capabilities
14. The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks is
known as need-to-know. ____________
ANSWER: True
15. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform
only the minimum data manipulation necessary is known as minimal privilege. ____________
ANSWER: False - least
16. Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable,
robust, and detailed?
a. framework b. security model
c. security standard d. both A & B are correct
ANSWER: d
17. Which access control principle specifies that no unnecessary access to data exists by regulating members so they can
perform only the minimum data manipulation necessary?
a. need-to-know b. eyes only
c. least privilege d. separation of duties
ANSWER: c
18. Which access control principle limits a user’s access to the specific information required to perform the currently
assigned task?
a. need-to-know b. eyes only
c. least privilege d. separation of duties
ANSWER: a
19. Which of the following specifies the authorization classification of information asset an individual user is permitted to
access, subject to the need-to-know principle?
a. Discretionary access controls b. Task-based access controls
c. Security clearances d. Sensitivity levels
ANSWER: c
20. Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the
following?
a. preventative b. deterrent
c. corrective d. compensating
ANSWER: c
21. Which of the following is NOT a category of access control?
a. preventative b. mitigating
c. deterrent d. compensating
ANSWER: b
22. Which control category discourages an incipient incident?
a. preventative b. deterrent
c. remitting d. compensating
ANSWER: b
23. Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National
Security Information?
a. confidential b. secret
c. top secret d. for official use only
ANSWER: d
24. Which type of access controls can be role-based or task-based?
a. constrained b. content-dependent
c. nondiscretionary d. discretionary
ANSWER: c
25. Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is
referred to as which of the following?
a. access control list b. capabilities table
c. access matrix d. sensitivity level
ANSWER: a
26. In which form of access control is access to a specific set of information contingent on its subject matter?
a. content-dependent access controls b. constrained user interfaces
c. temporal isolation d. None of these
ANSWER: a
27. A time-release safe is an example of which type of access control?
a. content-dependent b. constrained user interface
c. temporal isolation d. nondiscretionary
ANSWER: c
28. Which security architecture model is part of a larger series of standards collectively referred to as the “Rainbow
Series”?
a. Bell-LaPadula b. TCSEC
c. ITSEC d. Common Criteria
ANSWER: b
29. Which piece of the Trusted Computing Base's security system manages access controls?
a. trusted computing base b. reference monitor
c. covert channel d. verification module
ANSWER: b
30. Under the Common Criteria, which term describes the user-generated specifications for security requirements?
a. Target of Evaluation (ToE)
b. Protection Profile (PP)
c. Security Target (ST)
d. Security Functional Requirements (SFRs)
ANSWER: b
31. Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than
lower ones?
a. Clark-Wilson b. Bell-LaPadula
c. Common Criteria d. Biba
ANSWER: d
32. Which of the following is NOT a change control principle of the Clark-Wilson model?
a. No changes by unauthorized subjects
b. No unauthorized changes by authorized subjects
c. No changes by authorized subjects without external validation
d. The maintenance of internal and external consistency
ANSWER: c
33. Which of the following is the primary purpose of ISO/IEC 27001:2005?
a. Use within an organization to formulate security requirements and objectives
b. Implementation of business-enabling information security
c. Use within an organization to ensure compliance with laws and regulations
d. To enable organizations that adopt it to obtain certification
ANSWER: d
34. Which of the following provides advice about the implementation of sound controls and control objectives for
InfoSec, and was created by ISACA and the IT Governance Institute?
a. COBIT b. COSO
c. NIST d. ISO
ANSWER: a
35. The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
a. Control environment b. Risk assessment
c. Control activities d. InfoSec Governance
ANSWER: d
36. To design a security program, an organization can use a(n) ____________________, which is a generic outline of the
more thorough and organization-specific blueprint offered by a service organization.
ANSWER: security model
37. ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n)
____________________.
ANSWER: information security management systems / ISMS
38. The ____________________ principle is based on the requirement that people are not allowed to view data simply
because it falls within their level of clearance.
ANSWER: need to know / need-to-know
39. ____________________ channels are unauthorized or unintended methods of communications hidden inside a
computer system, and include storage and timing channels.
ANSWER: Covert
40. In the COSO framework, ___________ activities include those policies and procedures that support management
directives.
ANSWER: control
41. Access controls are built on three key principles. List and briefly define them.
ANSWER: Least privilege: The principle by which members of the organization can access the minimum amount of
information for the minimum amount of time necessary to perform their required duties.
Need-to-know: Limits a user’s access to the specific information required to perform the currently assigned
task, and not merely to the category of data required for a general work function.
Separation of duties: A control requiring that significant tasks be split up in such a way that more than one
individual is responsible for their completion.
42. There are seven access control methodologies categorized by their inherent characteristics. List and briefly define
them.
ANSWER:
• Directive—Employs administrative controls such as policy and training designed to
proscribe certain user behavior in the organization
• Deterrent—Discourages or deters an incipient incident; an example would be signs that
indicate video monitoring
• Preventative—Helps an organization avoid an incident; an example would be the
requirement for strong authentication in access controls
• Detective—Detects or identifies an incident or threat when it occurs; for example,
anti-malware software
• Corrective—Remedies a circumstance or mitigates damage done during an incident;
for example, changes to a firewall to block the recurrence of a diagnosed attack
• Recovery—Restores operating conditions back to normal; for example, data backup
and recovery software
• Compensating—Resolves shortcomings; such as requiring the use of encryption for
transmission of classified data over unsecured networks
43. Lattice-based access controls use a two-dimensional matrix to assign authorizations. What are the two dimensions, and
what are they called?
ANSWER: Lattice-based access control specifies the level of access each subject has to each object, if any. With this type
of control, the column of attributes associated with a particular object (such as a printer) is referred to as an
access control list (ACL). The row of attributes associated with a particular subject (such as a user) is referred
to as a capabilities table.
44. What are the two primary access modes of the Bell-LaPadula model and what do they restrict?
ANSWER: BLP access modes can be one of two types: simple security and the * (star) property.
Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of
higher classification, but allows a subject with a higher clearance level to read an object at a lower level (no
read up).
The * property (the write property), on the other hand, prohibits a high-level subject from sending messages to
a lower-level object. In short, subjects can read down and objects can write or append up (no write down).
45. What are the five principles that are focused on the governance and management of IT as specified by COBIT 5?
ANSWER: Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management
46. According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement
of objectives in what three categories?
ANSWER: Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
47. One approach used to categorize access control methodologies categorizes controls based on their operational impact
on the organization. What are these categories as described by NIST?
ANSWER: Management
Operational (or administrative)
Technical
48. What is the data classification for information deemed to be National Security Information for the U.S. military as
specified in 2009 in Executive Order 13526?
ANSWER:
For most information, the U.S. military uses a three-level classification scheme for information deemed to be
National Security Information (NSI), as defined in Executive Order 12958 in 1995 and Executive Order 13526
in 2009. Here are the classifications along with descriptions from the document (Sec. 1.2, Classification
Levels, (a): Information may be classified at one of the following three levels):
1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to
cause exceptionally grave damage to the national security that the original classification authority is able to
identify or describe.
2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to
cause serious damage to the national security that the original classification authority is able to identify or
describe.
3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected
to cause damage to the national security that the original classification authority is able to identify or describe.
49. When copies of classified information are no longer valuable or too many copies exist, what steps should be taken to
destroy them properly? Why?
ANSWER: When copies of classified information are no longer valuable or too many copies exist, care should be taken to
destroy them properly, usually after double signature verification. Documents should be destroyed by means
of shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure
that no classified information is inappropriately disposed of in trash or recycling areas. Otherwise, people who
engage in dumpster diving, the retrieval of information from refuse or recycling bins, may compromise the
security of the organization’s information assets.
50. Under what circumstances should access controls be centralized vs. decentralized?
ANSWER: One area of discussion among practitioners is whether access controls should be centralized or decentralized.
A collection of users with access to the same data typically has a centralized access control authority, even
under a DAC model. The level of centralization appropriate to a given situation varies by organization and the
type of information protected. The less critical the protected information, the more controls tend to be
decentralized. When critical information assets are being protected, the use of a highly centralized access
control toolset is indicated.
a. blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channels
j. TCB
51. Controls access to a specific set of information based on its content.
ANSWER: c
52. A TCSEC-defined covert channel, which transmits information by managing the relative timing of events.
ANSWER: i
53. Ratings of the security level for a specified collection of information (or user) within a mandatory access control
scheme.
ANSWER: f
54. A framework or security model customized to an organization, including implementation details.
ANSWER: a
55. A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.
ANSWER: h
56. Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
ANSWER: j
57. Requires that significant tasks be split up in such a way that more than one individual is responsible for their
completion.
ANSWER: e
58. Controls implemented at the discretion or option of the data user.
ANSWER: b
59. One of the TCSEC’s covert channels, which communicate by modifying a stored object.
ANSWER: g
60. Access is granted based on a set of rules specified by the central authority.
ANSWER: d
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Chapter 08 security_management_models

Name: Class: Date:
Chapter 08 - Security Management Models
Copyright Cengage Learning. Powered by Cognero. Page 1

1. A security blueprint is the outline of the more thorough security framework.
a. True
b. False
ANSWER: True

2. Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
a. True
b. False
ANSWER: False

3. Lattice-based access control specifies the level of access each subject has to each object, if any.
a. True
b. False
ANSWER: True

4. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world.
a. True
b. False
ANSWER: False

5. Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.
a. True
b. False
ANSWER: False

6. In information security, a framework or security model customized to an organization, including implementation details, is known as a floorplan. _____________
ANSWER: False - blueprint

7. The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. ____________
ANSWER: False - separation

8. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. ____________
ANSWER: False - framework

9. A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. ____________
ANSWER: False - reference

10. The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. ____________
ANSWER: False - methods

11. A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________
ANSWER: True

12. Dumpster delving is an information attack that involves searching through a target organization’s trash and recycling bins for sensitive information. ____________
ANSWER: False - diving

13. In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). ____________
ANSWER: False - capabilities

14. The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________
ANSWER: True

15. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________
ANSWER: False - least

16. Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?
a. framework
b. security model
c. security standard
d. both A & B are correct
ANSWER: d

17. Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?
a. need-to-know
b. eyes only
c. least privilege
d. separation of duties
ANSWER: c

18. Which access control principle limits a user’s access to the specific information required to perform the currently assigned task?
a. need-to-know
b. eyes only
c. least privilege
d. separation of duties
ANSWER: a

19. Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?
a. Discretionary access controls
b. Task-based access controls
c. Security clearances
d. Sensitivity levels
ANSWER: c

20. Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?
a. preventative
b. deterrent
c. corrective
d. compensating
ANSWER: c

21. Which of the following is NOT a category of access control?
a. preventative
b. mitigating
c. deterrent
d. compensating
ANSWER: b

22. Which control category discourages an incipient incident?
a. preventative
b. deterrent
c. remitting
d. compensating
ANSWER: b

23. Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?
a. confidential
b. secret
c. top secret
d. for official use only
ANSWER: d

24. Which type of access controls can be role-based or task-based?
a. constrained
b. content-dependent
c. nondiscretionary
d. discretionary
ANSWER: c

25. Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?
a. access control list
b. capabilities table
c. access matrix
d. sensitivity level
ANSWER: a

26. In which form of access control is access to a specific set of information contingent on its subject matter?
a. content-dependent access controls
b. constrained user interfaces
c. temporal isolation
d. None of these
ANSWER: a

27. A time-release safe is an example of which type of access control?
a. content-dependent
b. constrained user interface
c. temporal isolation
d. nondiscretionary
ANSWER: c

28. Which security architecture model is part of a larger series of standards collectively referred to as the “Rainbow Series”?
a. Bell-LaPadula
b. TCSEC
c. ITSEC
d. Common Criteria
ANSWER: b

29. Which piece of the Trusted Computing Base's security system manages access controls?
a. trusted computing base
b. reference monitor
c. covert channel
d. verification module
ANSWER: b

30. Under the Common Criteria, which term describes the user-generated specifications for security requirements?
a. Target of Evaluation (ToE)
b. Protection Profile (PP)
c. Security Target (ST)
d. Security Functional Requirements (SFRs)
ANSWER: b

31. Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones?
a. Clark-Wilson
b. Bell-LaPadula
c. Common Criteria
d. Biba
ANSWER: d

32. Which of the following is NOT a change control principle of the Clark-Wilson model?
a. No changes by unauthorized subjects
b. No unauthorized changes by authorized subjects
c. No changes by authorized subjects without external validation
d. The maintenance of internal and external consistency
ANSWER: c

33. Which of the following is the primary purpose of ISO/IEC 27001:2005?
a. Use within an organization to formulate security requirements and objectives
b. Implementation of business-enabling information security
c. Use within an organization to ensure compliance with laws and regulations
d. To enable organizations that adopt it to obtain certification
ANSWER: d

34. Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?
a. COBIT
b. COSO
c. NIST
d. ISO
ANSWER: a

35. The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
a. Control environment
b. Risk assessment
c. Control activities
d. InfoSec Governance
ANSWER: d

36. To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
ANSWER: security model

37. ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) ____________________.
ANSWER: information security management systems ISMS

38. The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
ANSWER: need to know need-to-know

39. ____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.
ANSWER: Covert

40. In the COSO framework, ___________ activities include those policies and procedures that support management directives.
ANSWER: control

41. Access controls are built on three key principles. List and briefly define them.
ANSWER:
Least privilege: The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
Need-to-know: Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function.
Separation of duties: A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion.

42. There are seven access control methodologies categorized by their inherent characteristics. List and briefly define them.
ANSWER:
• Directive—Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization
• Deterrent—Discourages or deters an incipient incident; an example would be signs that indicate video monitoring
• Preventative—Helps an organization avoid an incident; an example would be the requirement for strong authentication in access controls
• Detective—Detects or identifies an incident or threat when it occurs; for example, anti-malware software
• Corrective—Remedies a circumstance or mitigates damage done during an incident; for example, changes to a firewall to block the recurrence of a diagnosed attack
• Recovery—Restores operating conditions back to normal; for example, data backup and recovery software
• Compensating—Resolves shortcomings; such as requiring the use of encryption for transmission of classified data over unsecured networks

43. Lattice-based access controls use a two-dimensional matrix to assign authorizations. What are the two dimensions and what are they called?
ANSWER: Lattice-based access control specifies the level of access each subject has to each object, if any. With this type of control, the column of attributes associated with a particular object (such as a printer) is referred to as an access control list (ACL). The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table.

44. What are the two primary access modes of the Bell-LaPadula model and what do they restrict?
ANSWER: BLP access modes can be one of two types: simple security and the * (star) property. Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (no read up). The * property (the write property), on the other hand, prohibits a high-level subject from sending messages to a lower-level object. In short, subjects can read down and objects can write or append up (no write down).

45. What are the five principles that are focused on the governance and management of IT as specified by COBIT 5?
ANSWER:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to-End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance From Management

46. According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in what three categories?
ANSWER:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

47. One approach used to categorize access control methodologies categorizes controls based on their operational impact on the organization. What are these categories as described by NIST?
ANSWER:
Management
Operational (or administrative)
Technical

48. What is the data classification for information deemed to be National Security Information for the U.S. military as specified in 2009 in Executive Order 13526?
ANSWER: For most information, the U.S. military uses a three-level classification scheme for information deemed to be National Security Information (NSI), as defined in Executive Order 12958 in 1995 and Executive Order 13526 in 2009. Here are the classifications along with descriptions from the document:
Sec. 1.2. Classification Levels. (a) Information may be classified at one of the following three levels:
1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.
3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

49. When copies of classified information are no longer valuable or too many copies exist, what steps should be taken to destroy them properly? Why?
ANSWER: When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly, usually after double signature verification. Documents should be destroyed by means of shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure that no classified information is inappropriately disposed of in trash or recycling areas. Otherwise, people who engage in dumpster diving, the retrieval of information from refuse or recycling bins, may compromise the security of the organization’s information assets.

50. Under what circumstances should access controls be centralized vs. decentralized?
ANSWER: One area of discussion among practitioners is whether access controls should be centralized or decentralized. A collection of users with access to the same data typically has a centralized access control authority, even under a DAC model. The level of centralization appropriate to a given situation varies by organization and the type of information protected. The less critical the protected information, the more controls tend to be decentralized. When critical information assets are being protected, the use of a highly centralized access control toolset is indicated.

Match each description below with the correct term:
a. blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channels
j. TCB

51. Controls access to a specific set of information based on its content.
ANSWER: c

52. A TCSEC-defined covert channel, which transmits information by managing the relative timing of events.
ANSWER: i

53. Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme.
ANSWER: f

54. A framework or security model customized to an organization, including implementation details.
ANSWER: a

55. A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.
ANSWER: h

56. Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
ANSWER: j

57. Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.
ANSWER: e

58. Controls implemented at the discretion or option of the data user.
ANSWER: b

59. One of the TCSEC’s covert channels, which communicate by modifying a stored object.
ANSWER: g

60. Access is granted based on a set of rules specified by the central authority.
ANSWER: d