Ch.8

25 July 2022
40 test answers

question
1. A security blueprint is the outline of the more thorough security framework. a. True b. False
answer
False (the framework is the outline of the more thorough blueprint, not the other way round)
question
2. Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. a. True b. False
answer
False
question
3. Lattice-based access control specifies the level of access each subject has to each object, if any. a. True b. False
answer
True
question
4. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world. a. True b. False
answer
False
question
5. Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. a. True b. False
answer
False
question
6. In information security, a framework or security model customized to an organization, including implementation details is known as a floorplan. _____________
answer
False - blueprint
question
7. The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. ____________
answer
False - separation
question
8. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. ____________
answer
False - framework
question
9. A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. ____________
answer
False - reference
question
10. The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. ____________
answer
False - methods
question
11. A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________
answer
True
question
12. Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. ____________
answer
False - diving
question
13. In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). ____________
answer
False - capabilities
question
14. The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________
answer
True
question
15. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________
answer
False - least
question
16. Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? a. framework b. security model c. security standard d. both A & B are correct
answer
d
question
17. Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary? a. need-to-know b. eyes only c. least privilege d. separation of duties
answer
c
question
18. Which access control principle limits a user's access to the specific information required to perform the currently assigned task? a. need-to-know b. eyes only c. least privilege d. separation of duties
answer
a
question
19. Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle? a. Discretionary access controls b. Task-based access controls c. Security clearances d. Sensitivity levels
answer
c
question
20. Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? a. preventative b. deterrent c. corrective d. compensating
answer
c
question
21. Which of the following is NOT a category of access control? a. preventative b. mitigating c. deterrent d. compensating
answer
b
question
22. Which control category discourages an incipient incident? a. preventative b. deterrent c. remitting d. compensating
answer
b
question
23. Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret d. for official use only
answer
d
question
24. Which type of access controls can be role-based or task-based? a. constrained b. content-dependent c. nondiscretionary d. discretionary
answer
c
question
25. Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? a. access control list b. capabilities table c. access matrix d. sensitivity level
answer
a
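The matrix-based terms in Q3, Q13, Q25 and Q29 are easiest to see with an actual access matrix. This is an added example, not part of the original study set: the subjects, objects and rights below are constructed sample data, and the function names (`capabilities_table`, `access_control_list`, `check_access`) are this example's own.

```python
"""Access matrix, capabilities table and ACL for matrix-based access control.

Added illustration (not code from the original study set). Each row of the
matrix is one subject's capabilities table, each column is one object's
access control list (ACL), and check_access() plays the reference monitor
that mediates every access against the matrix.
"""
from typing import Dict, Set

# Constructed sample access matrix: subject -> object -> rights granted.
# A subject with no entry for an object has no rights on it (default deny).
ACCESS_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "printer1": {"print"}},
    "bob":   {"payroll.db": {"read"},          "printer1": {"print"}},
    "eve":   {},
}


def capabilities_table(subject: str) -> Dict[str, Set[str]]:
    """Row of the matrix: every object this subject may touch, with its rights."""
    return {obj: set(rights) for obj, rights in ACCESS_MATRIX.get(subject, {}).items()}


def access_control_list(obj: str) -> Dict[str, Set[str]]:
    """Column of the matrix: every subject allowed to touch this object, with its rights."""
    return {subj: set(row[obj]) for subj, row in ACCESS_MATRIX.items() if obj in row}


def check_access(subject: str, obj: str, right: str) -> bool:
    """Reference-monitor style mediation: deny unless the matrix explicitly grants the right."""
    return right in ACCESS_MATRIX.get(subject, {}).get(obj, set())


if __name__ == "__main__":
    print("capabilities of alice:", capabilities_table("alice"))
    print("ACL of payroll.db:    ", access_control_list("payroll.db"))
    for subj, obj, right in [("bob", "payroll.db", "read"),
                             ("bob", "payroll.db", "write"),
                             ("eve", "printer1", "print")]:
        print(f"{subj} {right} {obj}: {'allow' if check_access(subj, obj, right) else 'deny'}")
```

Both views are derived from the same matrix: an ACL is cheap to answer "who can touch this object?", a capabilities table is cheap to answer "what can this subject touch?", and the monitor answers a single (subject, object, right) query with default deny for anything not listed.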
question
26. In which form of access control is access to a specific set of information contingent on its subject matter? a. content-dependent access controls b. constrained user interfaces c. temporal isolation d. None of these
answer
a
question
27. A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary
answer
c
question
28. Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"? a. Bell-LaPadula b. TCSEC c. ITSEC d. Common Criteria
answer
b
question
29. Which piece of the Trusted Computing Base's security system manages access controls? a. trusted computing base b. reference monitor c. covert channel d. verification module
answer
b
question
30. Under the Common Criteria, which term describes the user-generated specifications for security requirements? a. Target of Evaluation (ToE) b. Protection Profile (PP) c. Security Target (ST) d. Security Functional Requirements (SFRs)
answer
b
question
31. Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? a. Clark-Wilson b. Bell-LaPadula c. Common Criteria d. Biba
answer
d
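Q19, Q23, Q29, Q31 and Q38 all rest on one structure: a lattice of labels ordered by dominance, a reference monitor that checks every request against it, and two models (Bell-LaPadula for confidentiality, Biba for integrity) that read the same lattice in opposite directions. The example below is added here and is not code from the original study set; the level orderings, the `Label`/`Entity` classes, the helper `label()` and the sample subjects and objects are constructed for illustration.

```python
"""Lattice-based mandatory access control with a reference monitor.

Added illustration (not code from the original study set). A label is a
(level, compartments) pair; label A dominates label B when A's level is at
least B's and A's compartments include all of B's. Compartments are the
need-to-know part: a higher clearance alone does not grant access.
Bell-LaPadula applies the dominance test to confidentiality labels, Biba
applies it to integrity labels, and the reference monitor requires both.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed orderings. Confidentiality uses the three NSI levels (plus unclassified);
# the integrity level names are arbitrary, chosen for the Biba lattice.
CONFIDENTIALITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Label:
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order of the lattice: level >= other's AND compartments a superset of other's."""
        return self.level >= other.level and self.compartments >= other.compartments


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : subject must dominate object  (simple security property, no read up)
    write: object must dominate subject  (*-property, no write down)"""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity), the dual of BLP: higher integrity is more trustworthy.
    read : object must dominate subject  (no read down)
    write: subject must dominate object  (no write up)"""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation {op!r}")


@dataclass(frozen=True)
class Entity:
    name: str
    confidentiality: Label
    integrity: Label


def reference_monitor(subject: Entity, obj: Entity, op: str) -> bool:
    """Mediate every access: permitted only if both models permit it."""
    return (blp_allows(subject.confidentiality, obj.confidentiality, op)
            and biba_allows(subject.integrity, obj.integrity, op))


def label(levels: dict, name: str, *compartments: str) -> Label:
    """Build a Label from a level name in the given ordering plus optional compartments."""
    return Label(levels[name], frozenset(compartments))


# Constructed sample subjects and objects.
ANALYST = Entity("analyst", label(CONFIDENTIALITY, "top secret"), label(INTEGRITY, "high"))
CRYPTO_ANALYST = Entity("crypto analyst", label(CONFIDENTIALITY, "secret", "crypto"),
                        label(INTEGRITY, "medium"))
CRYPTO_MEMO = Entity("crypto memo", label(CONFIDENTIALITY, "secret", "crypto"),
                     label(INTEGRITY, "medium"))
PUBLIC_FEED = Entity("public feed", label(CONFIDENTIALITY, "unclassified"), label(INTEGRITY, "low"))

if __name__ == "__main__":
    for subj in (ANALYST, CRYPTO_ANALYST):
        for op in ("read", "write"):
            for obj in (CRYPTO_MEMO, PUBLIC_FEED):
                verdict = "allow" if reference_monitor(subj, obj, op) else "deny"
                print(f"{subj.name:14} {op:5} {obj.name:12}: {verdict}")
```

Two outcomes are worth tracing by hand. The top-secret analyst is refused the secret crypto memo even though the clearance level is higher, because the memo's `crypto` compartment is not in the analyst's label (need-to-know, Q38). The same analyst is also refused a read of the unclassified public feed: BLP would allow it, but Biba refuses a high-integrity subject reading a low-integrity object, and the monitor denies unless both models agree.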
question
32. Which of the following is NOT a change control principle of the Clark-Wilson model? a. No changes by unauthorized subjects b. No unauthorized changes by authorized subjects c. No changes by authorized subjects without external validation d. The maintenance of internal and external consistency
answer
c
question
IEC 27001:2005? a. Use within an organization to formulate security requirements and objectives b. Implementation of business-enabling information security c. Use within an organization to ensure compliance with laws and regulations d. To enable organizations that adopt it to obtain certification
answer
d
question
34. Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? a. COBIT b. COSO c. NIST d. ISO
answer
a
question
35. The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. Control environment b. Risk assessment c. Control activities d. InfoSec Governance
answer
d
question
36. To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
answer
security model
question
IEC 27002 and how to set up a(n) ____________________.
answer
information security management system (ISMS)
question
38. The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
answer
need-to-know
question
39. ____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.
answer
Covert
question
40. In the COSO framework, ___________ activities include those policies and procedures that support management directives.
answer
control