Chat with AI
Deck 8: Security Management Models
Full screen (f)
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Question
Unlock Deck
Sign up to unlock the cards in this deck!
Unlock Deck
Unlock Deck
1/60
Play
Full screen (f)
Deck 8: Security Management Models
1
Lattice-based access control specifies the level of access each subject has to each object,if any.
True
2
The Information Technology Infrastructure Library (ITIL)is a collection of policies and practices for managing the development and operation of IT infrastructures.____________
False
methods
methods
3
The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know.____________
True
4
Which of the following specifies the authorization classification of information asset an individual user is permitted to access,subject to the need-to-know principle?
A) Discretionary access controls
B) Task-based access controls
C) Security clearances
D) Sensitivity levels
A) Discretionary access controls
B) Task-based access controls
C) Security clearances
D) Sensitivity levels
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
5
A security blueprint is the outline of the more thorough security framework.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
6
Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?
A) need-to-know
B) eyes only
C) least privilege
D) separation of duties
A) need-to-know
B) eyes only
C) least privilege
D) separation of duties
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
7
Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following?
A) preventative
B) deterrent
C) corrective
D) compensating
A) preventative
B) deterrent
C) corrective
D) compensating
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
8
Which of the following is a generic blueprint offered by a service organization which must be flexible,scalable,robust,and detailed?
A) framework
B) security model
C) security standard
D) both A & B are correct
A) framework
B) security model
C) security standard
D) both A & B are correct
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
9
Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
10
A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
11
A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls-in other words,it mediates all access to objects by subjects.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
12
Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
13
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
14
In information security,a specification of a model to be followed during the design, selection,and initial and ongoing implementation of all subsequent security controls is known as a blueprint.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
15
In a lattice-based access control,a restriction table is the row of attributes associated with a particular subject (such as a user). ____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
16
The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
17
Under the Clark-Wilson model,internal consistency means that the system is consistent with similar data in the outside world.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
18
Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information.____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
19
Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
A) need-to-know
B) eyes only
C) least privilege
D) separation of duties
A) need-to-know
B) eyes only
C) least privilege
D) separation of duties
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
20
In information security,a framework or security model customized to an organization,including implementation details is known as a floorplan._____________
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
21
Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones.
A) Clark-Wilson
B) Bell-LaPadula
C) Common Criteria
D) Biba
A) Clark-Wilson
B) Bell-LaPadula
C) Common Criteria
D) Biba
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
22
Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec,and was created by ISACA and the IT Governance Institute?
A) COBIT
B) COSO
C) NIST
D) ISO
A) COBIT
B) COSO
C) NIST
D) ISO
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
23
ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n)____________________.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
24
Which control category discourages an incipient incident?
A) preventative
B) deterrent
C) remitting
D) compensating
A) preventative
B) deterrent
C) remitting
D) compensating
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
25
Which of the following is NOT a change control principle of the Clark-Wilson model?
A) No changes by unauthorized subjects
B) No unauthorized changes by authorized subjects
C) No changes by authorized subjects without external validation
D) The maintenance of internal and external consistency
A) No changes by unauthorized subjects
B) No unauthorized changes by authorized subjects
C) No changes by authorized subjects without external validation
D) The maintenance of internal and external consistency
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
26
The COSO framework is built on five interrelated components.Which of the following is NOT one of them?
A) Control environment
B) Risk assessment
C) Control activities
D) InfoSec Governance
A) Control environment
B) Risk assessment
C) Control activities
D) InfoSec Governance
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
27
A time-release safe is an example of which type of access control?
A) content-dependent
B) constrained user interface
C) temporal isolation
D) nondiscretionary
A) content-dependent
B) constrained user interface
C) temporal isolation
D) nondiscretionary
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
28
Which of the following is NOT one of the three levels in the U.S.military data classification scheme for National Security Information?
A) confidential
B) secret
C) top secret
D) for official use only
A) confidential
B) secret
C) top secret
D) for official use only
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
29
The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
30
____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system,and include storage and timing channels.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
31
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
A) Bell-LaPadula
B) TCSEC
C) ITSEC
D) Common Criteria
A) Bell-LaPadula
B) TCSEC
C) ITSEC
D) Common Criteria
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
32
Which type of access controls can be role-based or task-based?
A) constrained
B) content-dependent
C) nondiscretionary
D) discretionary
A) constrained
B) content-dependent
C) nondiscretionary
D) discretionary
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
33
In the COSO framework,___________ activities include those policies and procedures that support management directives.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
34
Which of the following is NOT a category of access control?
A) preventative
B) mitigating
C) deterrent
D) compensating
A) preventative
B) mitigating
C) deterrent
D) compensating
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
35
To design a security program,an organization can use a(n)____________________,which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
36
Which piece of the Trusted Computing Base's security system manages access controls?
A) trusted computing base
B) reference monitor
C) covert channel
D) verification module
A) trusted computing base
B) reference monitor
C) covert channel
D) verification module
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
37
Under lattice-based access controls,the column of attributes associated with a particular object (such as a printer)is referred to as which of the following?
A) access control list
B) capabilities table
C) access matrix
D) sensitivity level
A) access control list
B) capabilities table
C) access matrix
D) sensitivity level
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
38
Which of the following is the primary purpose of ISO/IEC 27001:2005?
A) Use within an organization to formulate security requirements and objectives
B) Implementation of business-enabling information security
C) Use within an organization to ensure compliance with laws and regulations
D) To enable organizations that adopt it to obtain certification
A) Use within an organization to formulate security requirements and objectives
B) Implementation of business-enabling information security
C) Use within an organization to ensure compliance with laws and regulations
D) To enable organizations that adopt it to obtain certification
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
39
Under the Common Criteria,which term describes the user-generated specifications for security requirements?
A) Target of Evaluation (ToE)
B) Protection Profile (PP)
C) Security Target (ST)
D) Security Functional Requirements (SFRs)
A) Target of Evaluation (ToE)
B) Protection Profile (PP)
C) Security Target (ST)
D) Security Functional Requirements (SFRs)
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
40
In which form of access control is access to a specific set of information contingent on its subject matter?
A) content-dependent access controls
B) constrained user interfaces
C) temporal isolation
D) None of these
A) content-dependent access controls
B) constrained user interfaces
C) temporal isolation
D) None of these
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
41
When copies of classified information are no longer valuable or too many copies exist,what steps should be taken to destroy them properly? Why?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
42
One approach used to categorize access control methodologies categorizes controls based on their operational impact on the organization. What are these categories as described by NIST?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
43
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
44
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
One of the TCSEC's covert channels,which communicate by modifying a stored object.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
One of the TCSEC's covert channels,which communicate by modifying a stored object.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
45
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Within TCSEC,the combination of all hardware,firmware,and software responsible for enforcing the security policy.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Within TCSEC,the combination of all hardware,firmware,and software responsible for enforcing the security policy.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
46
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Ratings of the security level for a specified collection of information (or user)within a mandatory access control scheme.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Ratings of the security level for a specified collection of information (or user)within a mandatory access control scheme.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
47
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Controls access to a specific set of information based on its content.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Controls access to a specific set of information based on its content.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
48
What are the two primary access modes of the Bell-LaPadula model and what do they restrict?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
49
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
50
What is the data classification for information deemed to be National Security Information for the U.S.military as specified in 2009 in Executive Order 13526?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
51
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Controls implemented at the discretion or option of the data user.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Controls implemented at the discretion or option of the data user.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
52
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A TCSEC-defined covert channel,which transmit information by managing the relative timing of events.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A TCSEC-defined covert channel,which transmit information by managing the relative timing of events.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
53
According to COSO,internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in what three categories?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
54
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Access is granted based on a set of rules specified by the central authority.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Access is granted based on a set of rules specified by the central authority.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
55
Under what circumstances should access controls be centralized vs.decentralized?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
56
What are the five principles that are focused on the governance and management of IT as specified by COBIT 5?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
57
a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A framework or security model customized to an organization,including implementation details.
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A framework or security model customized to an organization,including implementation details.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
58
Lattice-based access controls use a two-dimensional matrix to assign authorizations,what are the two dimensions and what are they called?
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
59
Access controls are build on three key principles. List and briefly define them.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
60
There are seven access controls methodologies categorized by their inherent characteristics. List and briefly define them.
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
Unlock Deck
k this deck
Unlock Deck
Unlock for access to all 60 flashcards in this deck.
