a. Nonrepudiation
b. Secrecy
c. Privacy
d. Sensitivity
148. a. Nonrepudiation is a part of the integrity goal, whereas secrecy, privacy, sensitivity, and criticality are part of the confidentiality goal.
149. Which of the following security goals is meant for intended uses only?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
149. c. Availability is for intended uses only and not for any other uses. Another definition of availability is ensuring timely and reliable access to and use of system-related information by authorized entities. Confidentiality (C), integrity (I), and availability (A) are security goals and are often called the CIA triad. Confidentiality is preserving authorized restrictions on information access and disclosure. Integrity is the property that protected and sensitive data has not been modified or deleted in an unauthorized and undetected manner. Accountability is tracing actions of an entity uniquely to that entity.
150. The advanced encryption standard (AES) is useful for securing which of the following?
a. Confidential but classified material
b. Secret but classified material
c. Top secret but unclassified material
d. Sensitive but unclassified material
150. d. The advanced encryption standard (AES) is an encryption algorithm used for securing sensitive but unclassified material. The loss, misuse, or unauthorized access to or modification of sensitive but unclassified material might adversely affect an organization’s security interests.
AES is not the standard used for securing confidential or secret classified material, nor for "top secret but unclassified" material; the last option is self-contradictory, because top secret material cannot be unclassified.
151. Business data classification schemes usually do not include which of the following?
a. Private
b. Public
c. For internal use only
d. Secret
151. d. The data classification terms such as secret and top secret are mostly used by government. The terms used in the other choices usually belong to a business data classification scheme.
152. Data containing trade secrets is an example of which of the following data classification schemes?
a. Classified
b. Unclassified
c. Unclassified but sensitive
d. Confidential
152. c. A classified category includes sensitive, confidential, secret, and top secret. An unclassified category is public information, whereas an unclassified but sensitive category requires some protection as in the case of trade secrets.
153. Which of the following assists in complying with others?
a. Policy
b. Procedure
c. Standard
d. Guideline
153. b. Procedures normally assist in complying with applicable policies, standards, and guidelines because they deal with specific steps to carry out a specific task.
154. Which of the following is referred to when at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a moderate impact value and no security objective is assigned a high impact value for an information system?
a. Low-impact system
b. Moderate-impact system
c. High-impact system
d. No-impact system
154. b. A low-impact system is defined as an information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a potential impact value of low. In a moderate-impact system, at least one objective is assigned as moderate and no objective is assigned as high. In a high-impact system, at least one objective is assigned as high. A no-impact system is incorrect because every system will have some impact, whether low, moderate, or high.
155. Which of the following security controls are needed when data is transferred from low network users to high network users?
1. Software/hardware guards
2. Automated processing
3. Automated blocking
4. Automated filtering
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 3 and 4
155. b. Data should be sanitized or separated between high network data/users and low network data/users. When data is transferred from low network users to high network users (i.e., data is regraded), automated data-blocking techniques with firewalls and software/hardware guards are needed to regulate the transfer.
When data is transferred from high network users to low network users (i.e., data is regraded), software/hardware guards, automated processing, and automated filtering techniques are needed to regulate the transfer. The goal of automated processing, blocking, and filtering techniques is to eliminate or identify viruses and other malicious code transfers. The goal of software/hardware guards is to facilitate the transfer of data between private and public networks.
156. Which of the following is a prerequisite to IT security training?
a. Certification
b. Education
c. Awareness
d. Training
156. c. Awareness, training, and education are important processes for helping staff members carry out their roles and responsibilities for information technology security, but they are not the same. Awareness programs are a prerequisite to IT security training. Training is more formal and more active than awareness activities and is directed toward building knowledge and skills to facilitate job performance.
Education integrates all the security skills and competencies of the various functional specialists and adds a multidisciplinary study of concepts, issues, and principles. Normally, organizations seldom require evidence of qualification or certification as a condition of appointment.
157. When developing information systems security policies, organizations should pay particular attention to which of the following?
a. User education
b. User awareness
c. User behavior
d. User training
157. c. A relatively new risk receiving particular attention in organizational policies is user behavior. Some users may feel no compunction against browsing sensitive organizational computer files or inappropriate Internet sites if there is no clear guidance on what types of user behaviors are acceptable. These risks did not exist before the extensive use of networks, electronic mail, and the Internet.
158. A common technique for making an organization’s information systems security policies more useful is to distinguish between:
a. Policies and procedures
b. Policies and guidelines
c. Principles and practices
d. Policies and standards