Читаем CISSP Practice полностью

In addition, the DBMS should also have a versioning facility to track and record changes made to data over time through the history of design changes. The version management system should track version successors and predecessors. Although the rollback approach uses before images, the roll-forward approach uses after images. Both of these images are stored on a log tape. If a database is damaged, the after image copies can be added to a backup copy of the database. The database is rolled forward from a point in time when it is known to be correct to a later time.

152. Which of the following statements is true with respect to data dictionaries?

a. A data dictionary must always be active to be useful.

b. An active data dictionary must be dependent on database management systems.

c. A passive data dictionary is an important feature of database management systems.

d. A data dictionary can exist only with a database system.

152. b. In the case of an active data dictionary, there is no option, meaning that the data dictionary and the database management system go together; they need each other to function effectively.

The other three choices are not correct because (i) both active and passive data dictionaries are useful, (ii) a passive data dictionary may or may not require a check for currency of data descriptions before a program is executed, and (iii) nondatabase systems can have data dictionaries.

153. Deadly embraces or deadlock situations in a database can best be handled through which of the following?

a. Prevention

b. Detection

c. Correction

d. Ignoring

153. a. There are two general methods of handling deadlocks. The preferred method involves detecting the probability of deadlock and preventing its occurrence. The other method involves detecting the deadlock when it occurs and doing something to correct it. Deadlocks can be prevented through good database design, especially with physical design efforts. Deadlock situations are too common to ignore. Consistent use of the database can minimize the chances of deadlock.

154. Which of the following is not an example of a first line-of-defense?

a. Policies and procedures

b. Internal controls

c. Audit trails and logs

d. Training, awareness, and education

154. c. Audit trails and logs provide after-the-fact information to detect anomalies and therefore cannot provide the first line-of-defenses in terms of preventing an anomaly. Audit trails and logs provide second line-of-defenses, whereas all the other three choices provide first line-of-defense mechanisms.

155. Which of the following is an example of last line-of-defense?

a. Employee vigilance

b. Program change controls

c. Fault-tolerant techniques

d. Exterior protection

155. a. People can detect abnormalities that machines cannot through their common sense; therefore, employee vigilance is the last line-of-defense against anything that has escaped the first and/or second line-of-defense mechanisms. Exterior protection, such as walls and ceilings designed to prevent unauthorized entry, are examples of second line-of-defense, whereas the other three choices are examples of the first line-of-defense mechanisms.

The line-of-defenses are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems. The line-of-defenses form a core part of defense-in-depth strategy or security-in-depth strategy.

156. The principal aspects of the defense-in-depth strategy to achieve an effective information-assurance posture do not include which of the following?

a. People

b. Processes

c. Technology

d. Operations

156. b. The defense-in-depth strategy achieves an effective information assurance posture and includes people, technology, and operations, but not processes. Organizations address information assurance needs with people executing operations supported by technology.

157. Operations, one of the principal aspects of the defense-in-depth strategy does not include which of the following?

a. Certification and accreditation

b. Attack sensing and warning

c. System risk assessment

d. Recovery and reconstitution