CISSP Sybex Official Study Guide Chapter 8 Review Questions Flashcards
What is system certification?
A. Formal acceptance of a stated system configuration
B. A technical evaluation of each part of a computer system to assess its compliance with security standards
C. A functional evaluation of the manufacturer’s goals for each hardware and software component to meet integration standards
D. A manufacturer’s certificate stating that all components were installed and configured correctly
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
B. A technical evaluation of each part of a computer system to assess its compliance with security standards
Explanation:
A system certification is a technical evaluation. Option A describes system accreditation. Options C and D refer to manufacturer standards, not implementation standards.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 961). Wiley. Kindle Edition.
What is system accreditation?
A. Formal acceptance of a stated system configuration
B. functional evaluation of the manufacturer’s goals for each hardware and software component to meet integration standards
C. Acceptance of test results that prove the computer system enforces the security policy
D. The process to specify secure communication between machines
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
A. Formal acceptance of a stated system configuration
Explanation:
Accreditation is the formal acceptance process. Option B is not an appropriate answer because it addresses manufacturer standards. Options C and D are incorrect because there is no way to prove that a configuration enforces a security policy, and accreditation does not entail secure communication specification.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 961). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 961). Wiley. Kindle Edition.
What is a closed system?
A. A system designed around final, or closed, standards
B. A system that includes industry standards
C. A proprietary system that uses unpublished protocols
D. Any machine that does not run Windows
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
C. A proprietary system that uses unpublished protocols
Explanation:
A closed system is one that uses largely proprietary or unpublished protocols and standards. Options A and D do not describe any particular systems, and Option B describes an open system.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 961). Wiley. Kindle Edition.
Which best describes a confined or constrained process?
A. A process that can run only for a limited time B. A process that can run only during certain times of the day
C. A process that can access only certain memory locations
D. A process that controls access to an object
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
A. A process that can run only for a limited time
Explanation:
A constrained process is one that can access only certain memory locations. Options A, B, and D do not describe a constrained process.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 961). Wiley. Kindle Edition.
What is an access object?
A. A resource a user or process wants to access B. A user or process that wants to access a resource
C. A list of valid access rules
D. The sequence of valid access types
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
A. A resource a user or process wants to access
Explanation:
An object is a resource a user or process wants to access. Option A describes an access object.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
What is a security control?
A. A security component that stores attributes that describe an object
B. A document that lists all data classification types
C. A list of valid access rules
D. A mechanism that limits access to an object
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 314). Wiley. Kindle Edition.
D. A mechanism that limits access to an object
Explanation:
A control limits access to an object to protect it from misuse by unauthorized users.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
For what type of information system security accreditation are the applications and systems at a specific, self-contained location evaluated?
A. System accreditation
B. Site accreditation
C. Application accreditation
D. Type accreditation
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
B. Site accreditation
Explanation:
The applications and systems at a specific, self-contained location are evaluated for DITSCAP and NIACAP site accreditation.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
How many major categories do the TCSEC criteria define?
A. Two
B. Three
C. Four
D. Five
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
C. Four
Explanation:
C. TCSEC defines four major categories: Category A is verified protection, Category B is mandatory protection, Category C is discretionary protection, and Category D is minimal protection.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
What is a trusted computing base (TCB)?
A. Hosts on your network that support secure transmissions
B. The operating system kernel and device drivers
C. The combination of hardware, software, and controls that work together to enforce a security policy
D. The software and controls that certify a security policy
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
C. The combination of hardware, software, and controls that work together to enforce a security policy
Explanation:
The TCB is the combination of hardware, software, and controls that work together to enforce a security policy.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
What is a security perimeter? (Choose all that apply.)
A. The boundary of the physically secure area surrounding your system
B. The imaginary boundary that separates the TCB from the rest of the system
C. The network where your firewall resides
D. Any connections to your computer system
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
A. The boundary of the physically secure area surrounding your system
B. The imaginary boundary that separates the TCB from the rest of the system
Explanation:
Although the most correct answer in the context of this chapter is Option B, Option A is also a correct answer in the context of physical security.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
What part of the TCB concept validates access to every resource prior to granting the requested access?
A. TCB partition
B. Trusted library
C. Reference monitor
D. Security kernel
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
C. Reference monitor
Explanation:
The reference monitor validates access to every resource prior to granting the requested access. Option D, the security kernel, is the collection of TCB components that work together to implement the reference monitor functions. In other words, the security kernel is the implementation of the reference monitor concept. Options A and B are not valid TCB concept components.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
What is the best definition of a security model?
A. A security model states policies an organization must follow.
B. A security model provides a framework to implement a security policy.
C. A security model is a technical evaluation of each part of a computer system to assess its concordance with security standards.
D. A security model is the process of formal acceptance of a certified configuration.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 315). Wiley. Kindle Edition.
B. A security model provides a framework to implement a security policy.
Explanation:
Option B is the only option that correctly defines a security model. Options A, C, and D define part of a security policy and the certification and accreditation process.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
Which security models are built on a state machine model?
A. Bell-LaPadula and Take-Grant
B. Biba and Clark-Wilson
C. Clark-Wilson and Bell-LaPadula
D. Bell-LaPadula and Biba
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 316). Wiley. Kindle Edition.
D. Bell-LaPadula and Biba
Explanation:
The Bell-LaPadula and Biba models are built on the state machine model.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
Which security model addresses data confidentiality?
A. Bell-LaPadula
B. Biba
C. Clark-Wilson
D. Brewer and Nash
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 316). Wiley. Kindle Edition.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 316). Wiley. Kindle Edition.
A. Bell-LaPadula
Explanation:
Only the Bell-LaPadula model addresses data confidentiality. The Biba and Clark-Wilson models address data integrity. The Brewer and Nash model prevents conflicts of interest.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
Which Bell-LaPadula property keeps lower-level subjects from accessing objects with a higher security level?
A. (star) Security Property
B. No write up property
C. No read up property
D. No read down property
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 316). Wiley. Kindle Edition.
C. No read up property
Explanation:
The no read up property, also called the Simple Security Policy, prohibits subjects from reading a higher-security-level object.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 962). Wiley. Kindle Edition.
