Chapter 08
True
A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________
False
A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls—in other words, it mediates all access to objects by subjects. ____________
Temporal Isolation
A time-release safe is an example of which type of access control?
Corrective
Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?
False
Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information. ____________
InfoSec Governance
The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
False
The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. ____________
Need to know
The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
False
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________
True
The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________
Security Model
To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
Access Control List
Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following?
Need-to-know
Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
Least Privilege
Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?
Deterrent
Which control category discourages an incipient incident?
Mitigating
Which of the following is NOT a category of access control?
No changes by authorized subjects without external validation
Which of the following is NOT a change control principle of the Clark-Wilson model?
For official use only
Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information?
Both A and B are correct (Security Model and Framework)
Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed?
COBIT
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute?
Security Clearances
Which of the following specifies the authorization classification of information assets an individual user is permitted to access, subject to the need-to-know principle?
Reference Monitor
Which piece of the Trusted Computing Base's security system manages access controls?
TCSEC
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
Nondiscretionary
Which type of access controls can be role-based or task-based?
Covert
____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.