Читаем CISSP Practice полностью

The other three choices do not deal with security states. Information system boundary means all components of a system to be authorized for operation have a defined boundary, and it excludes separately authorized systems to which the system is connected. Information system resilience is the capability of a system to continue to operate while under attack, even if in a degraded or debilitated state, and to rapidly recover operational capabilities for essential functions after a successful attack. Security control assessment is the testing and/or evaluation of the security controls (i.e., management, operational, and technical controls) to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of an information system.

123. In the trusted computing base (TCB) environment, which of the following is referred to when a trusted component is accidentally failed?

a. Compromise from above

b. Compromise from within

c. Compromise from below

d. Compromise from cross domains

123. c. Compromise from below occurs as a result of malicious or accidental failure of an underlying trusted component. Compromise from above occurs when an unprivileged user can write untrusted code that exploits vulnerability. Compromise from within occurs when a privileged user or process misuses the allocated privileges. Compromise from cross domains is not relevant here.

124. When building or acquiring new applications systems, which of the following specifically deal with data security requirements?

a. Sequencing plan

b. System lifecycle

c. Technical architecture

d. Logical architecture

124. d. A logical (functional) architecture defines in business terms the activities or subfunctions that support the core areas of the business, the relationships among these activities or subfunctions, and the data required to supporting these activities or subfunctions.

A technical (physical) architecture defines subsystems, configuration items, data allocations, interfaces, and commons services that collectively provide a physical view of the target systems environment. The combination of logical and technical architecture can make up the organization’s total architecture.

A sequencing plan defines the actions that must be taken and their schedules, along with costs to cost-effectively evolve from the current to the future systems operating environment. A system life cycle defines the policies, processes, and products for managing information technology investments from conception, development, and deployment through maintenance, support, and operation.

125. Information architecture does not govern which of the following?

a. Collection of data

b. Management of data

c. Use of data

d. Archiving of data

125. d. Information architecture, which is a part of functional architecture, defines the information that is needed to achieve mission objectives and how the information systems can work together to satisfy those objectives. The architecture provides a standard framework to govern the collection, development, deployment, management, and use of data and resources to accomplish missions and objectives. Archiving of data is an operational issue, not an architecture issue.

126. Useful information architecture links better with which of the following?

a. Business planning to information technology planning

b. Information engineering to information systems

c. Applications security to logical security

d. Network security to encryption methods

126. a. Useful information architecture cannot be developed until an organization establishes a business planning process and links it to strategic information technology planning. This is a high-level planning effort, whereas the items in the other three choices are low-level planning efforts. Information engineering is a systematic process in which information systems are developed to precisely support the business of an organization.

127. Which of the following action items is not a part of security principle of “reduce vulnerabilities”?

a. Strive for simplicity

b. Implement least privilege

c. Base security on open standards for portability and interoperability

d. Minimize the system elements to be trusted