Reading CISSP Practice in full

53. Regarding access enforcement, which of the following mechanisms should not be employed when an immediate response is necessary to ensure public and environmental safety?

a. Dual cable

b. Dual authorization

c. Dual use certificate

d. Dual backbone

53. b. Dual authorization mechanisms require two forms of approval to execute. The organization should not employ a dual authorization mechanism when an immediate response is necessary to ensure public and environmental safety because it could slow down the needed response. The other three choices are appropriate when an immediate response is necessary.

54. Which of the following is not an example of nondiscretionary access control?

a. Identity-based access control

b. Mandatory access control

c. Role-based access control

d. Temporal constraints

54. a. Nondiscretionary access control policies have rules that are not established at the discretion of the user. These controls can be changed only through administrative action and not by users. An identity-based access control (IBAC) decision grants or denies a request based on the presence of an entity on an access control list (ACL). IBAC and discretionary access control are considered equivalent and are not examples of nondiscretionary access controls.

The other three choices are examples of nondiscretionary access controls. Mandatory access control deals with rules, role-based access control deals with job titles and functions, and temporal constraints deal with time-based restrictions and control time-sensitive activities.

55. Encryption is used to reduce the probability of unauthorized disclosure and changes to information when a system is in which of the following secure, non-operable system states?

a. Troubleshooting

b. Offline for maintenance

c. Boot-up

d. Shutdown

55. b. Secure, non-operable system states are states in which the information system is not performing business-related processing. These states include offline for maintenance, troubleshooting, boot-up, and shutdown. Offline data should be stored with encryption in a secure location. Removing information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to that information via a network.

56. Bitmap objects and textual objects are part of which of the following security policy filters?

a. File type checking filters

b. Metadata content filters

c. Unstructured data filters

d. Hidden content filters

56. c. Unstructured data consists of two basic categories: bitmap objects (e.g., image, audio, and video files) and textual objects (e.g., e-mails and spreadsheets). Security policy filters include file type checking filters, dirty word filters, structured and unstructured data filters, metadata content filters, and hidden content filters.

57. Information flow control enforcement employing rulesets to restrict information system services provides:

1. Structured data filters

2. Metadata content filters

3. Packet filters

4. Message filters

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

57. c. Packet filters are based on header information whereas message filters are based on content using keyword searches. Both packet filters and message filters use rulesets. Structured data filters and metadata content filters do not use rulesets.

58. For information flow enforcement, what are explicit security attributes used to control?

a. Release of sensitive data

b. Data content

c. Data structure

d. Source objects

58. a. In information flow enforcement, explicit security attributes are used to control the release of certain types of information, such as sensitive data. Data content, data structure, and source and destination objects are examples of implicit security attributes.

59. Policy enforcement mechanisms applied to information prior to its transfer between different security domains include which of the following?

1. Embedding rules

2. Release rules

3. Filtering rules

4. Sanitization rules

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4
