Читаем CISSP Practice полностью

204. c. Compartmented security mode is the mode of operation that allows the system to process two or more types of compartmented information (information requiring a special authorization) or any one type of compartmented information with other than compartmented information. In this mode, system access is secured to at least the top-secret level, but all system users do not necessarily need to be formally authorized to access all types of compartmented information being processed and/or stored in the system.

Multilevel security mode is incorrect. It is the mode of operation that allows two or more classification levels of information to be processed simultaneously within the same system when some users are not cleared for all levels of information present.

Dedicated security mode is incorrect. It is the mode of operation in which the system is specifically and exclusively dedicated to and controlled for the processing of one particular type or classification of information, either for full-time operation or for a specified period of time.

Controlled mode is incorrect. It is a type of multilevel security in which a more limited amount of trust is placed in the hardware/software base of the system, with resultant restrictions on the classification levels and clearance levels that may be supported.

205. According to the Common Criteria (CC), security functional requirements do not include which of the following?

a. User data protection

b. Security management

c. Configuration management

d. Resource utilization

205. c. According to the Common Criteria (CC), configuration management is part of security assurance requirements, not a functional requirement. The other three choices are part of the security functional requirements.

206. According to the Common Criteria (CC), security assurance requirements do not include which of the following?

a. Privacy

b. Development

c. Tests

d. Vulnerability assessment

206. a. According to the Common Criteria (CC), privacy is part of security functional requirements, not a security assurance requirement. The other three choices are part of the security assurance requirements.

207. A factor favoring acceptability of a covert channel is which of the following?

a. High bandwidth

b. Low bandwidth

c. Narrow bandwidth

d. Broad bandwidth

207. b. Factors favoring acceptability of a covert channel include low bandwidth and the absence of application software that can exploit covert channels.

208. An information technology security principle should ensure which of the following?

a. No single point of access

b. No single point of use

c. No single point of responsibility

d. No single point of vulnerability

208. d. Good IT principles provide a foundation for better IT security. For example, a sound security policy provides a strong foundation for system design. Similarly, implementing a layered security approach ensures no single point of vulnerability in a computer system. The concern here is that if the single point-of-failure occurs because vulnerability is exploited, then the entire system can be compromised, which is risky.

209. What is the best time to implement a data dictionary system?

a. During the development of a new application system

b. During the redesign of an application system

c. During the reengineering of an application system

d. During the modification of an application system

209. a. Although it is best to implement a data dictionary during development of a new application system, it can also be implemented during a major redesign, reengineering, or maintenance of an existing application system.

210. Mapping information security needs to business data is a part of which of the following to secure multi-user and multiplatform environments?

a. Management controls

b. Technical controls

c. Physical controls

d. Procedural controls

210. a. Management controls deal with policies and directives. Mapping information security needs to business data is a management policy. Technical controls deal with technology and systems. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures.

211. Which of the following is not an example of the basic components of a generic Web browser?

a. Java

b. Active-X

c. CGI

d. Plug-ins