What are the three FUNDAMENTAL principles of security?
Correct Answer: B
Explanation/Reference: The following answers are incorrect because: Accountability, confidentiality and integrity is not the correct answer as Accountability is not one of the fundamental principle of security. Integrity, availability and accountability is not the correct answer as Accountability is not one of the fundamental principle of security. Availability, accountability and confidentiality is not the correct answer as Accountability is not one of the fundamental objective of security. References : Shon Harris AIO v3 , Chapter - 3: Security Management Practices , Pages : 49-52
Question 708
What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?
Correct Answer: C
Section: Access Control Explanation/Reference: The matrix lists the users, groups and roles down the left side and the resources and functions across the top. The cells of the matrix can either indicate that access is allowed or indicate the type of access. CBK pp 317 - 318. AIO3, p. 169 describes it as a table if subjects and objects specifying the access rights a certain subject possesses pertaining to specific objects. In either case, the matrix is a way of analyzing the access control needed by a population of subjects to a population of objects. This access control can be applied using rules, ACL's, capability tables, etc. "A capacity table" is incorrect. This answer is a trap for the unwary -- it sounds a little like "capability table" but is just there to distract you. "An access control list" is incorrect. "It [ACL] specifies a list of users [subjects] who are allowed access to each object" CBK, p. 188 Access control lists (ACL) could be used to implement the rules identified by an access control matrix but is different from the matrix itself. "A capability table" is incorrect. "Capability tables are used to track, manage and apply controls based on the object and rights, or capabilities of a subject. For example, a table identifies the object, specifies access rights allowed for a subject, and permits access based on the user's posession of a capability (or ticket) for the object." CBK, pp. 191-192. To put it another way, as noted in AIO3 on p. 169, "A capabiltiy table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL." Again, a capability table could be used to implement the rules identified by an access control matrix but is different from the matrix itself. References: CBK pp. 191-192, 317-318 AIO3, p. 169
Question 709
The communications products and services, which ensure that the various components of a network (such as devices, protocols, and access methods) work together refers to:
Correct Answer: B
Section: Network and Telecommunications Explanation/Reference: A Network Architecture refers to the communications products and services, which ensure that the various components of a network (such as devices, protocols, and access methods) work together. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 101.
Question 710
Which of the following best defines a Computer Security Incident Response Team (CSIRT)?
Correct Answer: C
Explanation/Reference: RFC 2828 (Internet Security Glossary) defines a Computer Security Incident Response Team (CSIRT) as an organization that coordinates and supports the response to security incidents that involves sites within a defined constituency. This is the proper definition for the CSIRT. To be considered a CSIRT, an organization must provide a secure channel for receiving reports about suspected security incidents, provide assistance to members of its constituency in handling the incidents and disseminate incident- related information to its constituency and other involved parties. Security-related incidents do not necessarily have to be reported to the authorities. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.
Question 711
Which of the following is NOT a proper component of Media Viability Controls?
Correct Answer: B
Section: Security Operation Adimnistration Explanation/Reference: Media Viability Controls include marking, handling and storage. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 231.