The British Standard 7799/ISO Standard 17799 discusses cryptographic policies. It states: "An organization should develop a policy on its use of cryptographic controls for protection of its information ... When developing a policy, the following should be considered:". Which of the following items would most likely NOT be listed?
Correct Answer: D
A policy is a general statement of management's intent, and therefore a policy would not specify the encryption scheme to be used. The other answers are appropriate for a cryptographic policy. The general standards document is BSI ISO/IEC 17799:2000, BS 7799-1:2000, Information technology - Code of practice for information security management, British Standards Institution, London, UK. The standard is intended to provide a comprehensive set of controls comprising best practices in information security. ISO refers to the International Organization for Standardization and IEC is the International Electrotechnical Commission. These two entities form the system for worldwide standardization. The main chapter headings of the standard are: Security Policy; Organizational Security; Asset Classification and Control; Personnel Security; Physical and Environmental Security; Communications and Operations Management; Access Control; Systems Development and Maintenance; Business Continuity Management; Compliance.
CISSP Exam Question 557
Which of the following tests makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems?
Correct Answer: B
Security testing makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems. Recovery testing checks the system's ability to recover after a software or hardware failure. Stress/volume testing involves testing an application with large quantities of data in order to evaluate performance during peak hours. Interface testing evaluates the connection of two or more components that pass information from one area to another. Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 300).
CISSP Exam Question 558
Qualitative loss resulting from the business interruption does not include:
Correct Answer: A
"Another method of risk analysis is qualitative, which does not assign numbers and monetary values to components and losses." (Shon Harris, All-in-One CISSP Certification, p. 72)
CISSP Exam Question 559
The Clark-Wilson Integrity Model (D. Clark, D. Wilson, A Comparison of Commercial and Military Computer Security Policies, Proceedings of the 1987 IEEE Computer Society Symposium on Research in Security and Privacy, Los Alamitos, CA, IEEE Computer Society Press, 1987) focuses on what two concepts?
Correct Answer: C
The Clark-Wilson Model is focused on the needs of the commercial world and is based on the theory that integrity is more important than confidentiality for commercial organizations. Further, the model incorporates the commercial concepts of separation of duty and well-formed transactions. The well-formed transaction of the model is implemented by the transformation procedure (TP). A TP is defined in the model as the mechanism for transforming the set of constrained data items (CDIs) from one valid state of integrity to another valid state of integrity. The Clark-Wilson Model defines rules for separation of duty that denote the relations between a user, TPs, and the CDIs that can be operated upon by those TPs. The model describes the access triple: the user, the program that is permitted to operate on the data, and the data. The other answers are distracters.
CISSP Exam Question 560
What is the maximum allowable key size of the Rijndael encryption algorithm?
Correct Answer: C
The Rijndael algorithm, chosen as the Advanced Encryption Standard (AES) to replace DES, can be categorized as an iterated block cipher with a variable block length and key length that can be independently chosen as 128, 192 or 256 bits. Below is a summary of the differences between AES and Rijndael. AES is the Advanced Encryption Standard defined by FIPS 197. It is specified more narrowly than Rijndael: FIPS 197 requires that the block size always be 128 bits in AES, and that the key size be 128, 192, or 256 bits. Therefore AES-128, AES-192, and AES-256 are actually:

             Key size (bits)   Number of rounds   Block size (bits)
AES-128      128               10                 128
AES-192      192               12                 128
AES-256      256               14                 128

Some books say "up to 9 rounds will be done with a 128-bit key". It is really 10 rounds, because you must include round zero, which is the first round. By contrast, the Rijndael specification per se allows block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.

Reference(s) used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 153); FIPS 197; and https://en.wikipedia.org/wiki/Advanced_Encryption_Standard