123. In the trusted computing base (TCB) environment, which of the following is referred to when a trusted component accidentally fails?

a. Compromise from above

b. Compromise from within

c. Compromise from below

d. Compromise from cross domains

123. c. Compromise from below occurs as a result of malicious or accidental failure of an underlying trusted component. Compromise from above occurs when an unprivileged user can write untrusted code that exploits a vulnerability. Compromise from within occurs when a privileged user or process misuses the allocated privileges. Compromise from cross domains is not relevant here.

124. When building or acquiring new application systems, which of the following specifically deals with data security requirements?

a. Sequencing plan

b. System lifecycle

c. Technical architecture

d. Logical architecture

124. d. A logical (functional) architecture defines in business terms the activities or subfunctions that support the core areas of the business, the relationships among these activities or subfunctions, and the data required to support these activities or subfunctions.

A technical (physical) architecture defines subsystems, configuration items, data allocations, interfaces, and common services that collectively provide a physical view of the target systems environment. The combination of logical and technical architecture can make up the organization’s total architecture.

A sequencing plan defines the actions that must be taken and their schedules, along with costs to cost-effectively evolve from the current to the future systems operating environment. A system life cycle defines the policies, processes, and products for managing information technology investments from conception, development, and deployment through maintenance, support, and operation.

125. Information architecture does not govern which of the following?

a. Collection of data

b. Management of data

c. Use of data

d. Archiving of data

125. d. Information architecture, which is a part of functional architecture, defines the information that is needed to achieve mission objectives and how the information systems can work together to satisfy those objectives. The architecture provides a standard framework to govern the collection, development, deployment, management, and use of data and resources to accomplish missions and objectives. Archiving of data is an operational issue, not an architecture issue.

126. Useful information architecture links better with which of the following?

a. Business planning to information technology planning

b. Information engineering to information systems

c. Applications security to logical security

d. Network security to encryption methods

126. a. Useful information architecture cannot be developed until an organization establishes a business planning process and links it to strategic information technology planning. This is a high-level planning effort, whereas the items in the other three choices are low-level planning efforts. Information engineering is a systematic process in which information systems are developed to precisely support the business of an organization.

127. Which of the following action items is not a part of the security principle of “reduce vulnerabilities”?

a. Strive for simplicity

b. Implement least privilege

c. Base security on open standards for portability and interoperability

d. Minimize the system elements to be trusted

127. c. The action item “Base security on open standards for portability and interoperability” is a part of the ease-of-use security principle. The other three choices are part of the reduce vulnerabilities security principle.

128. Which of the following security controls are needed to protect digital and nondigital media during their transport?

1. Cryptography

2. Physical security controls

3. Locked storage container

4. Procedural security controls

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

128. d. Both digital and nondigital media during transport should be protected with cryptography (encryption), physical security controls, locked storage containers, and procedural security controls.

129. Information system partitioning is a part of which of the following protection strategies?

a. Defense-in-breadth

b. Defense-in-depth

c. Defense-in-technology

d. Defense-in-time

129. b. Using a defense-in-depth protection strategy, an information system can be partitioned into components residing in separate physical domains or environments to ensure safe and secure operations. It integrates people, technology, and operations to establish variable barriers across multiple layers and multiple functions.

A defense-in-breadth strategy is used to identify, manage, and reduce risk of exploitable vulnerabilities at every stage of the system, network, or product life cycle. A defense-in-technology strategy uses compatible technology platforms, and a defense-in-time strategy considers different time zones in the world to operate global information systems.

130. Which of the following creates several independent demilitarized zones (DMZs) on a network?

a. Multiple encryption methods

b. Multihomed firewalls

c. Multiple-chip cryptographic modules

d. Multilayered switches

130. b. Multihomed firewalls providing multiple lines-of-defense are allowed to create several independent demilitarized zones (DMZs)—one interfacing the Internet (public network), one interfacing the DMZ segments, and another one interfacing the internal company network (i.e., intranet). These firewalls have more than one network interface card (NIC) to work with. The other three choices do not have the capability to create several independent DMZs on a network.

131. Entrapment techniques against attacks by outsiders act as which of the following?

a. First line-of-defense

b. Second line-of-defense

c. Last line-of-defense

d. Multiple lines-of-defense

131. a. Entrapment techniques provide a first line-of-defense against attacks by outsiders using fake data and systems (decoys, honeypots, and honeynet systems). The lines-of-defense are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems.

132. Which of the following is not a component of a system’s architecture?