Latest CISSP Exam Premium Dumps provide by TrainingQuiz.com to help you Passing CISSP Exam! TrainingQuiz.com offers the updated CISSP exam dumps, the TrainingQuiz.com CISSP exam questions has been updated to correct Answer. Get the latest TrainingQuiz.com CISSP pdf dumps with Exam Engine here:
(1533 Q&As Dumps, 40%OFF Special Discount: DumpsDB)
The ANSI ASC X12 (American National Standards Institute Accredited Standards Committee X12) Standard version 4010 applies to which one of the following HIPAA categories?
Correct Answer: C
The transactions addressed by HIPAA are: Health claims or similar encounter information Health care payment and remittance advice Coordination of Benefits Health claim status Enrollment and disenrollment in a health plan Eligibility for a health plan Health plan premium payments Referral certification and authorization The HIPAA EDI transaction standards to address these HIPAA transactions include the following: Health care claims or coordination of benefits Retail drug NCPCP (National Council for Prescription Drug Programs) v. 32 Dental claim ASC X12N 837: dental Professional claim ASC X12N 837: professional Institutional claim ASC X12N 837: institutional Payment and remittance advice ASC X12N 835 Health claim status ASC X12N 276/277 Plan enrollment ASC X12 834 Plan eligibility ASC X12 270/271 Plan premium payments ASC X12 820 Referral certification ASC X12 N 278 The American National Standards Institute was founded in 1917 and is the only source of American Standards. The ANSI Accredited Standards Committee X12 was chartered in 1979 and is responsible for cross-industry standards for electronic documents. The HIPAAprivacy standards, answer a, were finalized in April, 2001, and implementation must be accomplished by April 14, 2003. The privacy rule covers individually identifiable health care information transmitted, stored in electronic or paper form, or communicated orally. Protected health information (PHI) may not be disclosed unless disclosure is approved by the individual, permitted by the legislation, required for treatment, part of health care operations, required by law, or necessary for payment. PHI is defined as individually identifiable health information that is transmitted by electronic media, maintained in any medium described in the definition of electronic media under HIPAA, or is transmitted or maintained in any other form or medium. Answer b, code sets, refers to the codes that are used to fill in the data elements of the HIPAAtransaction standards. Examples of these codes are: ICD-9-CM (vols. 1 and 2) International Classification of Diseases, 9th Ed., Clinical Modification Diseases, injuries, impairments, other health related problems, their manifestations, and causes of injury, disease, impairment, or other health-related problems CPT (Current Procedural Terminology, 4th Ed. [CPT-4]), CDT (Code on Dental Procedures and Nomenclature, 2nd Ed. [CDT-2]) or ICD-9-CM (vol. 3) Procedures or other actions taken to prevent, diagnose, treat, or manage diseases, injuries, and impairments NDC (National Drug Codes) drugs HCPCS (Health Care Financing Administration Common Procedure Coding System) Other health-related services, other substances, equipment, supplies, or other items used in health care services The proposed HIPAA Security Rule, answer d, mandates the protection of the confidentiality, integrity, and availability of protected health information (PHI) through: Administrative procedures Physical safeguards Technical services and mechanisms The rule also addresses electronic signatures, but the final rule will depend on industry progress on reaching a standard. In addition, the proposed security rule requires the appointment of a security officer.
Question 357
Within the realm of IT security, which of the following combinations best defines risk?
Correct Answer: B
Explanation/Reference: Explanation: Risk is defined as "the probability of a threat agent exploiting a vulnerability and the associated impact". The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional it is your responsibility to know which is the best approach for your organization and its needs. NIST developed a risk methodology, which is specific to IT threats and how they relate to information security risks. It lays out the following steps: System characterization Threat identification Vulnerability identification Control analysis Likelihood determination Impact analysis Risk determination Control recommendations Results documentation Incorrect Answers: A: Threat coupled with a breach is not the definition of risk. C: Vulnerability coupled with an attack is not the definition of risk. D: Threat coupled with a breach of security is not the definition of risk. References: Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 77-79
Question 358
Which of the following is NOT a form of data erasure?
Correct Answer: A
Clearing refers to the overwriting of data media intended to be reused in same organization. Purging refers to degaussing or overwriting media intended to be removed from the organization. Destruction refers to completely destroying the media.
Question 359
Who determines the required level of independence for security control Assessors (SCA)?
Correct Answer: D
Question 360
What can be defined as an abstract machine that mediates all access to objects by subjects to ensure that subjects have the necessary access rights and to protect objects from unauthorized access?
Correct Answer: A
The reference monitor refers to abstract machine that mediates all access to objects by subjects. This question is asking for the concept that governs access by subjects to objects, thus the reference monitor is the best answer. While the security kernel is similar in nature, it is what actually enforces the concepts outlined in the reference monitor. In operating systems architecture a reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. The properties of a reference monitor are: The reference validation mechanism must always be invoked (complete mediation). Without this property, it is possible for an attacker to bypass the mechanism and violate the security policy. The reference validation mechanism must be tamperproof (tamperproof). Without this property, an attacker can undermine the mechanism itself so that the security policy is not correctly enforced. The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured (verifiable). Without this property, the mechanism might be flawed in such a way that the policy is not enforced. For example, Windows 3.x and 9x operating systems were not built with a reference monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows XP, was designed to contain a reference monitor, although it is not clear that its properties (tamperproof, etc.) have ever been independently verified, or what level of computer security it was intended to provide. The claim is that a reference validation mechanism that satisfies the reference monitor concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered, and has undergone complete analysis and testing to verify correctness. The abstract model of a reference monitor has been widely applied to any type of system that needs to enforce access control, and is considered to express the necessary and sufficient properties for any system making this security claim. According to Ross Anderson, the reference monitor concept was introduced by James Anderson in an influential 1972 paper. Systems evaluated at B3 and above by the Trusted Computer System Evaluation Criteria (TCSEC) must enforce the reference monitor concept. The reference monitor, as defined in AIO V5 (Harris) is: "an access control concept that refers to an abstract machine that mediates all access to objects by subjects." The security kernel, as defined in AIO V5 (Harris) is: "the hardware, firmware, and software elements of a trusted computing based (TCB) that implement the reference monitor concept. The kernel must mediate all access between subjects and objects, be protected from modification, and be verifiable as correct." The trusted computing based (TCB), as defined in AIO V5 (Harris) is: "all of the protection mechanisms within a computer system (software, hardware, and firmware) that are responsible for enforcing a security policy." The security domain, "builds upon the definition of domain (a set of resources available to a subject) by adding the fact that resources withing this logical structure (domain) are working under the same security policy and managed by the same group." The following answers are incorrect: "The security kernel" is incorrect. One of the places a reference monitor could be implemented is in the security kernel but this is not the best answer. "The trusted computing base" is incorrect. The reference monitor is an important concept in the TCB but this is not the best answer. "The security domain is incorrect." The reference monitor is an important concept in the security domain but this is not the best answer. Reference(s) used for this question: Official ISC2 Guide to the CBK, page 324 AIO Version 3, pp. 272 - 274 AIOv4 Security Architecture and Design (pages 327 - 328) AIOv5 Security Architecture and Design (pages 330 - 331) Wikipedia article at https://en.wikipedia.org/wiki/Reference_monitor