Which of the following Common Data Network Services is used to print documents to a shared printer or a print queue/spooler?
Correct Answer: B
Client/Server services allocate computing power resources among workstations with some shared resources centralized in servers. For example, if you are using a product that is working in a client/ server model, in reality you have a small piece of the product on your computer (client portion) and the larger piece of the software product is running on a different computer (server portion). The communication between these two pieces of the same software product needs to be controlled, which is why session layer protocols even exist. Session layer protocols take on the functionality of middleware, which allows software on two different computers to communicate. Distributed systems are the opposite of centralized systems like mainframes and thin client implementations. Traditional client/server architectures are the most common example of a distributed system. In a traditional client/server architecture, responsibilities for processing have been balanced between centralized servers providing services to multiple clients and client machines that focus on user interaction and standalone processing where appropriate. For the most part, servers are responsible for serving, meaning that they provide services that will be leveraged by the clients in the environment. Clients are the primary consumers of server services, while also hosting services of their own primarily for their own individual use. Reference used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 524). McGraw-Hill. Kindle Edition. and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 18741-18745). Auerbach Publications. Kindle Edition. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 100
Question 187
The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability may exists when:
Correct Answer: A
If the cost is lower than the estimated loss (C < L), then legal liability may exists if you fail to implement the proper safeguards. Government laws and regulations require companies to employ reasonable security measures to reduce private harms such as identity theft due to unauthorized access. The U.S. Gramm-LeachBliley Act (GLBA) Safeguards Rule and the broader European Directive 95/46/EC, Article 17, both require that companies employ reasonable or appropriate administrative and technical security measures to protect consumer information. The GLBA is a U.S. Federal law enacted by U.S. Congress in 1998 to allow consolidation among commercial banks. The GLBA Safeguards Rule is U.S. Federal regulation created in reaction to the GLBA and enforced by the U.S. Federal Trade Commission (FTC). The Safeguards Rule requires companies to implement a security plan to protect the confidentiality and integrity of consumer personal information and requires the designation of an individual responsible for compliance. Because these laws and regulations govern consumer personal information, they can lead to new requirements for information systems for which companies are responsible to comply. The act of compliance includes demonstrating due diligence, which is defined as "reasonable efforts that persons make to satisfy legal requirements or discharge their legal obligations". Reasonableness in software systems includes industries standards and may allow for imperfection. Lawyers representing firms and other organizations, regulators, system administrators and engineers all face considerable challenge in determining what constitutes "reasonable" security measures for several reasons, including: 1.Compliance changes with the emergence of new security vulnerabilities due to innovations in information technology; 2.Compliance requires knowledge of specific security measures, however publicly available best practices typically include general goals and only address broad categories of vulnerability; and 3.Compliance is a best-effort practice, because improving security is costly and companies must prioritize security spending commensurate with risk of non-compliance. In general, the costs of improved security are certain, but the improvement in security depends on unknown variables and probabilities outside the control of companies. The following reference(s) were used for this question: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 315. and http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf
Question 188
Refer to the information below to answer the question. An organization has hired an information security officer to lead their security department. The officer has adequate people resources but is lacking the other necessary components to have an effective security program. There are numerous initiatives requiring security involvement. Given the number of priorities, which of the following will MOST likely influence the selection of top initiatives?
Correct Answer: B
Question 189
Which general TCSEC security class category describes that mandatory access policies be enforced in the TCB? Exhibit:
Correct Answer: B
The Trusted Computer System Evaluation Criteria [Orange Book] defines major hierarchical classes of security by the letters D (least secure) through A (most secure): D. Minimal protection C. Discretionary protection (C1&C2) B. Mandatory protection (B1, B2, B3) A. Verified protection; formal methods (A1) Source: DoD 5200.28-STD Department of Defense Trusted Computer System Evaluation Criteria.
Question 190
An organization adopts a new firewall hardening standard. How can the security professional verify that the technical staff correct implemented the new standard?