Ch.8
39. ____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.
Covert
4. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world. a. True b. False
False
6. In information security, a framework or security model customized to an organization, including implementation details is known as a floorplan. _____________
False - blueprint
13. In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). ____________
False - capabilities
12. Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. ____________
False - diving
8. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. ____________
False - framework
15. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________
False - least
10. The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. ____________
False - methods
7. The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. ____________
False - separation
1. A security blueprint is the outline of the more thorough security framework. a. True b. False
True
25. Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? a. access control list b. capabilities table c. access matrix d. sensitivity level
a
21. Which of the following is NOT a category of access control? a. preventative b. mitigating c. deterrent d. compensating
b
17. Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary? a. need-to-know b. eyes only c. least privilege d. separation of duties
c
20. Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? a. preventative b. deterrent c. corrective d. compensating
c
16. Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? a. framework b. security model c. security standard d. both A & B are correct
d
23. Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret d. for official use only
d
IEC 27002 and how to set up a(n) ____________________.
information security management systems ISMS
28. Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"? a. Bell-LaPadula b. TCSEC c. ITSEC d. Common Criteria
b
29. Which piece of the Trusted Computing Base's security system manages access controls? a. trusted computing base b. reference monitor c. covert channel d. verification module
b
9. A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. ____________
False - reference
11. A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________
True
14. The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________
True
3. Lattice-based access control specifies the level of access each subject has to each object, if any. a. True b. False
True
2. Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. a. True b. False
False
5. Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. a. True b. False
False
18. Which access control principle limits a user's access to the specific information required to perform the currently assigned task? a. need-to-know b. eyes only c. least privilege d. separation of duties
a
26. In which form of access control is access to a specific set of information contingent on its subject matter? a. content-dependent access controls b. constrained user interfaces c. temporal isolation d. None of these
a
34. Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? a. COBIT b. COSO c. NIST d. ISO
a
22. Which control category discourages an incipient incident? a. preventative b. deterrent c. remitting d. compensating
b
30. Under the Common Criteria, which term describes the user-generated specifications for security requirements? a. Target of Evaluation (ToE) b. Protection Profile (PP) c. Security Target (ST) d. Security Functional Requirements (SFRs)
b
19. Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle? a. Discretionary access controls b. Task-based access controls c. Security clearances d. Sensitivity levels
c
24. Which type of access controls can be role-based or task-based? a. constrained b. content-dependent c. nondiscretionary d. discretionary
c
27. A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary
c
32. Which of the following is NOT a change control principle of the Clark-Wilson model? a. No changes by unauthorized subjects b. No unauthorized changes by authorized subjects c. No changes by authorized subjects without external validation d. The maintenance of internal and external consistency
c
40. In the COSO framework, ___________ activities include those policies and procedures that support management directives.
control
31. Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones. a. Clark-Wilson b. Bell-LaPadula c. Common Criteria d. Biba
d
35. The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. Control environment b. Risk assessment c. Control activities d. InfoSec Governance
d
IEC 27001:2005? a. Use within an organization to formulate security requirements and objectives b. Implementation of business-enabling information security c. Use within an organization to ensure compliance with laws and regulations d. To enable organizations that adopt it to obtain certification
d
38. The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
need to know need-to-know
36. To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
security model
