Chapter 8

Controls implemented at the discretion or option of the data user.

b. DAC

Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security

j. TCB

__________ channels are unauthorized or unintended methods of communications hidden inside a computer system, including storage and timing channels.

Covert

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. T/F

False

The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. T/F

False

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as minimal access. T/F

False

Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors. T/F

False

In information security, a framework or security model customized to an organization, including implementation details, is known as a template. __________

False - blueprint

In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). __________

False - capabilities

Dumpster exploitation is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. __________

False - diving

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. __________

False - framework

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as required privilege. __________

False - least

The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. __________

False - methods

A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. __________

False - reference

A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. T/F

True

In information security, a security blueprint is a framework or security model customized to an organization, including implementation details. T/F

True

Lattice-based access control specifies the level of access each subject has to each object, if any. T/F

True

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. T/F

True

Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs. a. governance b. policy c. auditing d. awareness

a

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________. a. framework b. security plan c. security standard d. blueprint

a

The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________. a. managing the development and operation of IT infrastructures b. operation of IT control systems to improve security c. managing the security infrastructure d. developing secure Web applications

a

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? a. access control list b. capabilities table c. access matrix d. sensitivity level

a

Which access control principle limits a user's access to the specific information required to perform the currently assigned task? a. need-to-know b. eyes only c. least privilege d. separation of duties

a

Which of the following is a generic model for a security program? a. framework b. methodology c. security standard d. blueprint

a

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? a. COBIT b. COSO c. NIST d. ISO

a

A framework or security model customized to an organization, including implementation details.

a. blueprint

The selective method by which systems specify who may use a particular resource and how they may use it is called __________.

access control

An ATM that limits what kinds of transactions a user can perform is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary

b

Under the Common Criteria, which term describes the user-generated specifications for security requirements? a. Target of Evaluation (ToE) b. Protection Profile (PP) c. Security Target (ST) d. Security Functional Requirements (SFRs)

b

Which control category discourages an incipient incident—e.g., video monitoring? a. preventative b. deterrent c. remitting d. compensating

b

Which of the following is NOT a category of access control? a. preventative b. mitigating c. deterrent d. compensating

b

A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary

c

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________. a. rubbish surfing b. social engineering c. dumpster diving d. trash trolling

c

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? a. preventative b. deterrent c. corrective d. compensating

c

Which NIST publication describes the philosophical guidelines that the security team should integrate into the entire InfoSec process, beginning with "Security supports the mission of the organization"? a. SP 800-12, Rev. 1: An Introduction to Information Security (2017) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) c. SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) d. SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008)

c

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary? a. need-to-know b. eyes only c. least privilege d. separation of duties

c

Which of the following is NOT a change control principle of the Clark-Wilson model? a. no changes by unauthorized subjects b. no unauthorized changes by authorized subjects c. no changes by authorized subjects without external validation d. the maintenance of internal and external consistency

c

Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle? a. discretionary access controls b. task-based access controls c. security clearances d. sensitivity levels

c

Which type of access controls can be role-based or task-based? a. constrained b. content-dependent c. nondiscretionary d. discretionary

c

Controls access to a specific set of information based on its content.

c. content-dependent access controls

In the COSO framework, __________ activities include those policies and procedures that support management directives.

control

In information security, a framework or security model customized to an organization, including implementation details, is a _________. a. security standard b. methodology c. security policy d. blueprint

d

The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. control environment b. risk assessment c. control activities d. InfoSec governance

d

What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them? a. need-to-know b. eyes only c. least privilege d. separation of duties

d

When the ISO 27002 standard was first proposed, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them? a. It was not as complete as other frameworks. b. The standard lacked the measurement precision associated with a technical standard. c. The standard was hurriedly prepared. d. It was feared it would lead to government intrusion into business matters.

d

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret d. for official use only

d

Which of the following is the original purpose of ISO/IEC 17799? a. Use within an organization to obtain a competitive advantage b. Implementation of business-enabling information security c. Use within an organization to ensure compliance with laws and regulations d. To offer guidance for the management of InfoSec to individuals responsible for their organization's security programs

d

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? a. Clark-Wilson b. Bell-LaPadula c. Common Criteria d. Biba

d

Access is granted based on a set of rules specified by the central authority.

d. rule-based access controls

Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.

e. separation of duties

which of the following is NOT one of them? a. It was not as complete as other frameworks. b. The standard lacked the measurement precision associated with a technical standard. c. The standard was hurriedly prepared. d. It was feared it would lead to government intrusion into business matters.

f

Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme.

f. sensitivity levels

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a(n) __________.

framework

One of the TCSEC's covert channels, which communicate by modifying a stored object.

g. storage channel

A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.

h. task-based controls

A TCSEC-defined covert channel, which transmits information by managing the relative timing of events.

i. timing channel

Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy is known as the __________.

trusted computing base (TCB)

ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) __________.

information security management system (ISMS)

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is called __________.

least privilege

The __________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.

need to know

Within TCB, a conceptual piece of the system that manages access controls—in other words, it mediates all access to objects by subjects—is known as a __________.

reference monitor

To design a security program, an organization can use a(n) __________, which is a generic outline of the more thorough and organization-specific blueprint.

security model framework

__________ channels are TCSEC-defined covert channels that communicate by modifying a stored object, such as in steganography.

Storage

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called ___ of duties.

Separation

The Information Security __________ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization. a. Governance Framework b. Security Blueprint c. Risk Model d. Compliance Architecture

a

The managerial tutorial equivalent of NIST SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a security program, is NIST __________. a. SP 800-100: Information Security Handbook: A Guide for Managers (2007) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) c. SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996) d. SP 800-110, Rev. 1: Manager's Introduction to Information Security (2016)

a

In which form of access control is access to a specific set of information contingent on its subject matter? a. content-dependent access controls b. constrained user interfaces c. temporal isolation d. none of these

a

One of the most widely referenced InfoSec management models, known as Information Technology—Code of Practice for Information Security Management, is also known as __________. a. ISO 27002 b. IEC 27100 c. NIST SP 800-12 d. IEEE 801

a

This NIST publication provides information on the elements of InfoSec, key roles and responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its use, among other topics needed for a foundation in InfoSec. a. SP 800-12, Rev. 1: An Introduction to Information Security (2017) b. SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems (2006) c. SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems (2010) d. SP 800-55, Rev. 1: Performance Measurement Guide for Information Security (2008)

a

Which piece of the Trusted Computing Base's security system manages access controls? a. trusted computing base b. reference monitor c. covert channel d. verification module

b

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"? a. Bell-LaPadula b. TCSEC c. ITSEC d. Common Criteria

b

In information security, a framework or security model customized to an organization, including implementation details, is known as a(n) __________.

blueprint