Which of the following is not a responsibility of an information (data) owner?
Correct Answer: D
Section: Security Operation Adimnistration Explanation/Reference: This responsibility would be delegated to a data custodian rather than being performed directly by the information owner. "Determine what level of classification the information requires" is incorrect. This is one of the major responsibilities of an information owner. "Periodically review the classification assignments against business needs" is incorrect. This is one of the major responsibilities of an information owner. "Delegates responsibility of maintenance of the data protection mechanisms to the data custodian" is incorrect. This is a responsibility of the information owner. References: CBK p. 105. AIO3, p. 53-54, 960
Question 963
Which backup method does not reset the archive bit on files that are backed up?
Correct Answer: C
The differential backup method only copies files that have changed since the last full backup was performed. It is additive in the fact that it does not reset the archive bit so all changed or added files are backed up in every differential backup until the next full backup. The "additive backup method" is not a common backup method. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 69).
Question 964
Which of the following is NOT a part of a risk analysis?
Correct Answer: D
Explanation/Reference: This step is not a part of RISK ANALYSIS. A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the associated countermeasure. Choosing the best countermeasure is not part of the risk analysis. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 3: Security Management Practices (page 73). HARRIS, Shon, Mike Meyers' CISSP(R) Certification Passport, 2002, McGraw-Hill, page 12.
Question 965
Which of the following keys has the SHORTEST lifespan?
Correct Answer: C
Section: Cryptography Explanation/Reference: As session key is a symmetric key that is used to encrypt messages between two users. A session key is only good for one communication session between users. For example , If Tanya has a symmetric key that she uses to encrypt messages between Lance and herself all the time , then this symmetric key would not be regenerated or changed. They would use the same key every time they communicated using encryption. However , using the same key repeatedly increases the chances of the key being captured and the secure communication being compromised. If , on the other hand , a new symmetric key were generated each time Lance and Tanya wanted to communicate , it would be used only during their dialog and then destroyed. if they wanted to communicate and hour later , a new session key would be created and shared. The other answers are not correct because : Public Key can be known to anyone. Private Key must be known and used only by the owner. Secret Keys are also called as Symmetric Keys, because this type of encryption relies on each user to keep the key a secret and properly protected. REFERENCES: SHON HARRIS , ALL IN ONE THIRD EDITION : Chapter 8 : Cryptography , Page : 619-620
Question 966
Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements?
Correct Answer: B
Explanation/Reference: Verification vs. Validation: Verification determines if the product accurately represents and meets the specifications. A product can be developed that does not match the original specifications. This step ensures that the specifications are properly met. Validation determines if the product provides the necessary solution intended real-world problem. In large projects, it is easy to lose sight of overall goal. This exercise ensures that the main goal of the project is met. From DITSCAP: 6.3.2. Phase 2, Verification. The Verification phase shall include activities to verify compliance of the system with previously agreed security requirements. For each life-cycle development activity, DoD Directive 5000.1 (reference (i)), there is a corresponding set of security activities, enclosure 3, that shall verify compliance with the security requirements and evaluate vulnerabilities. 6.3.3. Phase 3, Validation. The Validation phase shall include activities to evaluate the fully integrated system to validate system operation in a specified computing environment with an acceptable level of residual risk. Validation shall culminate in an approval to operate. You must also be familiar with Verification and Validation for the purpose of the exam. A simple definition for Verification would be whether or not the developers followed the design specifications along with the security requirements. A simple definition for Validation would be whether or not the final product meets the end user needs and can be use for a specific purpose. Wikipedia has an informal description that is currently written as: Validation can be expressed by the query "Are you building the right thing?" and Verification by "Are you building it right? NOTE: DITSCAP was replaced by DIACAP some time ago (2007). While DITSCAP had defined both a verification and a validation phase, the DIACAP only has a validation phase. It may not make a difference in the answer for the exam; however, DIACAP is the cornerstone policy of DOD C&A and IA efforts today. Be familiar with both terms just in case all of a sudden the exam becomes updated with the new term. Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1106). McGraw-Hill. Kindle Edition. http://iase.disa.mil/ditscap/DITSCAP.html https://en.wikipedia.org/wiki/Verification_and_validation For the definition of "validation" in DIACAP, Click Here Further sources for the phases in DIACAP, Click Here