Reading CISSP Practice in full

59. c. Policy enforcement mechanisms include the filtering and/or sanitization rules that are applied to information prior to transfer to a different security domain. Embedding rules and release rules do not handle information transfer.

60. Which of the following is not an example of policy rules for cross domain transfers?

a. Prohibiting more than two levels of embedding

b. Facilitating policy decisions on source and destination

c. Prohibiting the transfer of archived information

d. Limiting embedded components within other components

60. b. Parsing transfer files facilitates policy decisions on source, destination, certificates, classification subject, or attachments. The other three choices are examples of policy rules for cross domain transfers.

61. Which of the following are the ways to reduce the range of potential malicious content when transferring information between different security domains?

1. Constrain file lengths

2. Constrain character sets

3. Constrain schemas

4. Constrain data structures

a. 1 and 3

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

61. d. The information system, when transferring information between different security domains, implements security policy filters that constrain file lengths, character sets, schemas, data structures, and allowed enumerations to reduce the range of potential malicious and/or unsanctioned content.

62. Which of the following cannot detect unsanctioned information and prohibit the transfer of such information between different security domains (i.e., domain-type enforcement)?

a. Implementing one-way flows

b. Checking information for malware

c. Implementing dirty word list searches

d. Applying security attributes to metadata

62. a. One-way flows are implemented using hardware mechanisms for controlling the flow of information within a system and between interconnected systems. As such, they cannot detect unsanctioned information.

The other three choices do detect unsanctioned information and prohibit the transfer with actions such as checking all transferred information for malware, implementing dirty word list searches on transferred information, and applying security attributes to metadata that are similar to information payloads.

63. Which of the following binds security attributes to information to facilitate information flow policy enforcement?

a. Security labels

b. Resolution labels

c. Header labels

d. File labels

63. b. Means to bind and enforce the information flow include resolution labels that distinguish between information systems and their specific components, and between individuals involved in preparing, sending, receiving, or disseminating information. The other three types of labels cannot bind security attributes to information.

64. Which of the following access enforcement mechanisms provides increased information security for an organization?

a. Access control lists

b. Business application system

c. Access control matrices

d. Cryptography

64. b. Normal access enforcement mechanisms include access control lists, access control matrices, and cryptography. Increased information security is provided at the application system level (i.e., accounting and marketing systems) due to the use of passwords and PINs.

65. What do architectural security solutions to enforce security policies about information on interconnected systems include?

1. Implementing access-only mechanisms

2. Implementing one-way transfer mechanisms

3. Employing hardware mechanisms to provide unitary flow directions

4. Implementing regrading mechanisms to reassign security attributes

a. 1 only

b. 2 only

c. 3 only

d. 1, 2, 3, and 4

65. d. Specific architectural security solutions can reduce the potential for undiscovered vulnerabilities. These solutions include all four items mentioned.

66. From an access control point of view, separation of duty is of two types: static and dynamic. Which of the following are examples of static separation of duties?

1. Role-based access control

2. Workflow policy

3. Rule-based access control
