83. d. Privileged user accounts should be established and administered in accordance with a role-based access scheme to access security functions. Privileged roles include network administration, security administration, system administration, database administration, and Web administration, and should be given access to security functions. End users and internal auditors should not be given a privileged account to access security functions during the course of normal operations.
84. From an access control account management point of view, service-oriented architecture implementations rely on which of the following?
a. Dynamic user privileges
b. Static user privileges
c. Predefined user privileges
d. Dynamic user identities
84. a. Service-oriented architecture (SOA) implementations rely on run-time access control decisions facilitated by dynamic privilege management. In contrast, conventional access control implementations employ static information accounts and predefined sets of user privileges. Although user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing business requirements and operational needs of the organization.
85. For privilege management, which of the following is the correct order?
a. Access control⇒Access management⇒Authentication management⇒Privilege management
b. Access management⇒Access control⇒Privilege management⇒Authentication management
c. Authentication management⇒Privilege management⇒Access control⇒Access management
d. Privilege management⇒Access management⇒Access control⇒Authentication management
85. c. Privilege management is defined as a process that creates, manages, and stores the attributes and policies needed to establish criteria that can be used to decide whether an authenticated entity’s request for access to some resource should be granted. Authentication management deals with identities, credentials, and any other authentication data needed to establish an identity. Access management, which includes privilege management and access control, encompasses the science and technology of creating, assigning, storing, and accessing attributes and policies. These attributes and policies are used to decide whether an entity’s request for access should be allowed or denied. In other words, a typical access decision starts with authentication management and ends with access management, whereas privilege management falls in between.
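To make this sequence concrete (and to tie in the dynamic privileges of question 84), here is an added Python example that is not from the book: the identity is established first from credentials, privileges are then looked up as separately stored attributes and policies, and only after that is the access decision made. The users, roles, password store and policy table are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Authentication management: identities and credentials.
# Constructed credential store: user -> (salt, SHA-256(salt || password)).
def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"constructed-salt"  # a single salt only to keep the example short
CREDENTIALS = {
    "alice": (_SALT, _digest(_SALT, "alice-pw")),
    "bob": (_SALT, _digest(_SALT, "bob-pw")),
}

def authenticate(user: str, password: str) -> Optional[str]:
    """Return the established identity, or None if the credentials fail."""
    entry = CREDENTIALS.get(user)
    if entry is None:
        return None
    salt, stored = entry
    return user if hmac.compare_digest(stored, _digest(salt, password)) else None

# Privilege management: attributes and policies, stored apart from identities.
ROLE_OF = {"alice": "security administrator", "bob": "end user"}
POLICY = {  # role -> operations permitted on security functions
    "security administrator": {"read", "configure"},
    "system administrator": {"read", "configure"},
    "end user": set(),
}

def assign_role(user: str, role: str) -> None:
    """Privileges change at run time while the identity stays constant."""
    ROLE_OF[user] = role

def privileges_for(identity: str) -> set:
    return set(POLICY.get(ROLE_OF.get(identity, ""), set()))

# Access control: the decision itself, based on the attributes above.
def access_control(identity: str, operation: str) -> bool:
    return operation in privileges_for(identity)

# Access management: the whole sequence, in the order the answer describes.
def request(user: str, password: str, operation: str) -> str:
    identity = authenticate(user, password)      # 1. authentication management
    if identity is None:
        return "denied: not authenticated"       # no privilege lookup happens
    if not access_control(identity, operation):  # 2. privileges, 3. decision
        return "denied: no privilege for " + operation
    return "granted"
```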
86. From an access control viewpoint, which of the following are examples of super user accounts?
a. Root and guest accounts
b. Administrator and root accounts
c. Anonymous and root accounts
d. Temporary and end-user accounts
86. b. Super user accounts are typically described as administrator or root accounts. Access to super user accounts should be limited to designated security and system administration staff only, and not to the end-user accounts, guest accounts, anonymous accounts, or temporary accounts. Security and system administration staff use the super user accounts to access key security/system parameters and commands.
87. Responses to unsuccessful login attempts and session locks are implemented with which of the following?
a. Operating system and firmware
b. Application system and hardware
c. Operating system and application system
d. Hardware and firmware
87. c. Response to unsuccessful login attempts can be implemented at both the operating system and the application system levels. The session lock is implemented typically at the operating system level but may be at the application system level. Hardware and firmware are not used for unsuccessful login attempts and session lock.
88. Which of the following statements is not true about a session lock in access control?
a. A session lock is a substitute for logging out of the system.
b. A session lock can be activated on a device with a display screen.
c. A session lock places a publicly viewable pattern onto the device display screen.
d. A session lock hides what was previously visible on the device display screen.
88. a. A session lock prevents further access to an information system after a defined time period of inactivity. A session lock is not a substitute for logging out of the system as in logging out at the end of the workday. The other three choices are true statements about a session lock.