
81. From an access control viewpoint, which of the following requires an audit the most?

a. Public access accounts

b. Nonpublic accounts

c. Privileged accounts

d. Non-privileged accounts

81. c. The goal is to limit exposure due to operating from within a privileged account or role. A change of role for a user or process should provide the same degree of assurance in the change of access authorizations for that user or process. The same degree of assurance is also needed when a change between a privileged account and non-privileged account takes place. Auditing of privileged accounts is required mostly to ensure that privileged account users use only the privileged accounts and that non-privileged account users use only the non-privileged accounts. An audit is not required for public access accounts due to little or no risk involved. Privileged accounts are riskier than nonpublic accounts.

82. From an information flow policy enforcement viewpoint, which of the following allows forensic reconstruction of events?

1. Security attributes

2. Security policies

3. Source points

4. Destination points

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

82. c. The ability to identify source and destination points for information flowing in an information system allows for forensic reconstruction of events and increases compliance with security policies. Security attributes are critical components of the operations security concept.

83. From an access control policy enforcement viewpoint, which of the following should not be given a privileged user account to access security functions during the course of normal operations?

1. Network administration department

2. Security administration department

3. End user department

4. Internal audit department

a. 1 and 2

b. 3 only

c. 4 only

d. 3 and 4

83. d. Privileged user accounts should be established and administered in accordance with a role-based access scheme to access security functions. Privileged roles include network administration, security administration, system administration, database administration, and Web administration, and should be given access to security functions. End users and internal auditors should not be given a privileged account to access security functions during the course of normal operations.

84. From an access control account management point of view, service-oriented architecture implementations rely on which of the following?

a. Dynamic user privileges

b. Static user privileges

c. Predefined user privileges

d. Dynamic user identities

84. a. Service-oriented architecture (SOA) implementations rely on run-time access control decisions facilitated by dynamic privilege management. In contrast, conventional access control implementations employ static information accounts and predefined sets of user privileges. Although user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing business requirements and operational needs of the organization.

85. For privilege management, which of the following is the correct order?

a. Access control⇒Access management⇒Authentication management⇒Privilege management

b. Access management⇒Access control⇒Privilege management⇒Authentication management

c. Authentication management⇒Privilege management⇒Access control⇒Access management

d. Privilege management⇒Access management⇒Access control⇒Authentication management

85. c. Privilege management is defined as a process that creates, manages, and stores the attributes and policies needed to establish criteria that can be used to decide whether an authenticated entity’s request for access to some resource should be granted. Authentication management deals with identities, credentials, and any other authentication data needed to establish an identity. Access management, which includes privilege management and access control, encompasses the science and technology of creating, assigning, storing, and accessing attributes and policies. These attributes and policies are used to decide whether an entity’s request for access should be allowed or denied. In other words, a typical access decision starts with authentication management and ends with access management, whereas privilege management falls in between.

86. From an access control viewpoint, which of the following are examples of super user accounts?

a. Root and guest accounts

b. Administrator and root accounts

c. Anonymous and root accounts

d. Temporary and end-user accounts

86. b. Super user accounts are typically described as administrator or root accounts. Access to super user accounts should be limited to designated security and system administration staff only, and not to the end-user accounts, guest accounts, anonymous accounts, or temporary accounts. Security and system administration staff use the super user accounts to access key security/system parameters and commands.

87. Responses to unsuccessful login attempts and session locks are implemented with which of the following?

a. Operating system and firmware

b. Application system and hardware

c. Operating system and application system

d. Hardware and firmware

87. c. Response to unsuccessful login attempts can be implemented at both the operating system and the application system levels. The session lock is typically implemented at the operating system level but may be at the application system level. Hardware and firmware are not used for unsuccessful login attempts and session lock.

88. Which of the following statements is not true about a session lock in access control?

a. A session lock is a substitute for logging out of the system.

b. A session lock can be activated on a device with a display screen.

c. A session lock places a publicly viewable pattern onto the device display screen.

d. A session lock hides what was previously visible on the device display screen.

88. a. A session lock prevents further access to an information system after a defined time period of inactivity. A session lock is not a substitute for logging out of the system as in logging out at the end of the workday. The other three choices are true statements about a session lock.

89. Which of the following user actions are permitted without identification or authentication?

1. Access to public websites

2. Emergency situations

3. Unsuccessful login attempts

4. Reestablishing a session lock

a. 1 only

b. 2 only

c. 1 and 2