Management of Information Security Chapter 8

task-based controls

A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.

blueprint

A framework or security model customized to an organization, including implementation details.

False

A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. __________

temporal isolation

A time-release safe is an example of which type of access control?

rule-based access controls

Access is granted based on a set of rules specified by the central authority.

governance

Although COBIT was designed to be an IT __________ and management structure, it includes a framework to support InfoSec requirements and assessment needs.

constrained user interface

An ATM that limits what kinds of transactions a user can perform is an example of which type of access control?

dumpster diving

An information attack that involves searching through a target organization's trash and recycling bins for sensitive information is known as __________.

content-dependent access controls

Controls access to a specific set of information based on its content.

DAC

Controls implemented at the discretion or option of the data user.

corrective

Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?

False

Dumpster exploitation is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. __________

False

In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). __________

blueprint

In information security, a framework or security model customized to an organization, including implementation details, is a _________.

False

In information security, a framework or security model customized to an organization, including implementation details, is known as a template. __________

storage channel

One of the TCSEC's covert channels, which communicate by modifying a stored object.

ISO 27002

One of the most widely referenced InfoSec management models, known as Information Technology—Code of Practice for Information Security Management, is also known as __________.

sensitivity levels

Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme.

separation of duties

Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.

False

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

InfoSec governance

The COSO framework is built on five interrelated components. Which of the following is NOT one of them?

Governance Framework

The Information Security __________ is a managerial model provided by an industry working group, National Cyber Security Partnership, which provides guidance in the development and implementation of organizational InfoSec structures and recommends the responsibilities that various members should have in an organization.

managing the development and operation of IT infrastructures

The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices primarily for __________.

False

The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. __________

False

The Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.

False

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as required privilege. __________

SP 800-12, Rev. 1: An Introduction to Information Security (2017)

This NIST publication provides information on the elements of InfoSec, key roles and responsibilities, an overview of threats and vulnerabilities, a description of the three NIST security policy categories, and an overview of the NIST RM Framework and its use, among other topics needed for a foundation in InfoSec.

access control list

Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?

False

Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data at the organization's competitors.

Protection Profile (PP)

Under the Common Criteria, which term describes the user-generated specifications for security requirements?

separation of duties

What is the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them?

It was feared it would lead to government intrusion into business matters.

When the ISO 27002 standard was first proposed, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems; which of the following is NOT one of them?

SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (1996)

Which NIST publication describes the philosophical guidelines that the security team should integrate into the entire InfoSec process, beginning with "Security supports the mission of the organization"?

need-to-know

Which access control principle limits a user's access to the specific information required to perform the currently assigned task?

least privilege

Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?

deterrent

Which control category discourages an incipient incident—e.g., video monitoring?

mitigating

Which of the following is NOT a category of access control?

COBIT

Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?

security clearances

Which of the following specifies the authorization level that each user of an information asset is permitted to access, subject to the need-to-know principle?

reference monitor

Which piece of the Trusted Computing Base's security system manages access controls?

Biba

Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones?

TCSEC

Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?

nondiscretionary

Which type of access controls can be role-based or task-based?

TCB

Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.

timing channel

A TCSEC-defined covert channel, which transmits information by managing the relative timing of events.

True

A security clearance is an access control model in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. __________

False

A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. __________

True

In information security, a security blueprint is a framework or security model customized to an organization, including implementation details.

framework

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a __________.

False

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. __________

content-dependent access controls

In which form of access control is access to a specific set of information contingent on its subject matter?

True

Lattice-based access control specifies the level of access each subject has to each object, if any.

False

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. __________

SP 800-100: Information Security Handbook: A Guide for Managers (2007)

The managerial tutorial equivalent of NIST SP 800-12, providing overviews of the roles and responsibilities of a security manager in the development, administration, and improvement of a security program, is NIST __________.

False

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as minimal access.

True

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. __________

no changes by authorized subjects without external validation

Which of the following is NOT a change control principle of the Clark-Wilson model?

for official use only

Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?

framework

Which of the following is a generic model for a security program?

To offer guidance for the management of InfoSec to individuals responsible for their organization's security programs

Which of the following is the original purpose of ISO/IEC 17799?

