Making sure that the data is accessible when and where it is needed is which of the following?
Correct Answer: D
Availability is making sure that the data is accessible when and where it is needed. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
CISSP Exam Question 497
The steps of an access control model should follow which logical flow:
Correct Answer: C
Reference: HARRIS, Shon, CISSP All In One Exam Guide, Chapter 4, pages 126-127. An excellent discussion of this topic, stating the steps and explaining the process of each step, is paraphrased (hopefully coherently) here: A user can identify themselves with a user ID or account number. To be authenticated, the user usually provides a second piece of the credential set, such as a password, passphrase, cryptographic key, anatomical attribute, token, or Personal Identification Number (PIN). Once the user provides credentials and is properly identified, the system needs to determine if the user has the necessary rights and privileges to perform the requested action. If the user DOES have those rights and privileges, he is authorized access.
CISSP Exam Question 498
Which division of the Orange Book deals with discretionary protection (need-to-know)?
Correct Answer: B
Explanation/Reference: The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and other products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal security
C1: Discretionary Security Protection. Discretionary access control is based on individuals and/or groups. It requires a separation of users and information, and identification and authentication of individual entities. Some type of access control is necessary so users can ensure their data will not be accessed and corrupted by others. The system architecture must supply a protected execution domain so privileged system processes are not adversely affected by lower-privileged processes. There must be specific ways of validating the system's operational integrity. The documentation requirements include design documentation, which shows that the system was built to include protection mechanisms; test documentation (test plan and results); a facility manual (so companies know how to install and configure the system correctly); and user manuals.
Incorrect Answers:
A: Division C, not Division D, deals with discretionary protection.
C: Division C, not Division B, deals with discretionary protection.
D: Division C, not Division A, deals with discretionary protection.
References: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 392-394
CISSP Exam Question 499
In discretionary access environments, which of the following entities is authorized to grant information access to other people?
Correct Answer: D
Explanation/Reference: The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers.
Incorrect Answers:
A: While the data owner is usually a member of management, this is not always the case. Therefore, the person authorized to grant information access to other people is not always the manager, so this answer is incorrect.
B: A Group Leader is not the person authorized to grant information access to other people (unless the group leader is also the data owner).
C: The role of Security Manager does not give you the authority to grant information access to other people.
References: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 121
CISSP Exam Question 500
Which of the following categories of hackers poses the greatest threat?
Correct Answer: A
Explanation/Reference: Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization and has sufficient access to it.
Incorrect Answers:
B: Student hackers are a lesser threat, as a disgruntled employee already has access to the system.
C: A disgruntled employee is a larger threat than a criminal hacker, as the employee already has access to the system.
D: A disgruntled employee is a larger threat than a corporate spy, as the employee already has access to the system.
References: Stewart, James M., Ed Tittel, and Mike Chapple, CISSP: Certified Information Systems Security Professional Study Guide, 5th Edition, Sybex, Indianapolis, 2011, p. 602