Who is responsible for providing reports to the senior management on the effectiveness of the security controls?
Correct Answer: D
Explanation/Reference: IT auditors determine whether systems are in compliance with the security policies, procedures, standards, baselines, designs, architectures, management direction and other requirements" and "provide top company management with an independent view of the controls that have been designed and their effectiveness." "Information systems security professionals" is incorrect. Security professionals develop the security policies and supporting baselines, etc. "Data owners" is incorrect. Data owners have overall responsibility for information assets and assign the appropriate classification for the asset as well as ensure that the asset is protected with the proper controls. "Data custodians" is incorrect. Data custodians care for an information asset on behalf of the data owner. References: CBK, pp. 38 - 42. AIO3. pp. 99 - 104
Question 12
What security model implies a central authority that define rules and sometimes global rules, dictating what subjects can have access to what objects?
Correct Answer: D
As a security administrator you might configure user profiles so that users cannot change the system's time, alter system configuration files, access a command prompt, or install unapproved applications. This type of access control is referred to as nondiscretionary, meaning that access decisions are not made at the discretion of the user. Nondiscretionary access controls are put into place by an authoritative entity (usually a security administrator) with the goal of protecting the organization's most critical assets. Non-discretionary access control is when a central authority determines what subjects can have access to what objects based on the organizational security policy. Centralized access control is not an existing security model. Both, Rule Based Access Control (RuBAC or RBAC) and Role Based Access Controls (RBAC) falls into this category. Reference(s) used for this question: Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 221). McGraw-Hill. Kindle Edition. and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 33).
Question 13
How often should tests and disaster recovery drills be performed?
Correct Answer: C
Explanation/Reference: Tests and disaster recovery drills should be performed at least once a year. The company should have no confidence in an untested plan. Since systems and processes can change, frequent testing will aid in ensuring a plan will succeed. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 621).
Question 14
What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?
Correct Answer: C
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.
Question 15
Which of the following is not a DES mode of operation?
Correct Answer: C
Section: Cryptography Explanation Explanation/Reference: Output feedback (OFB) is a DES mode of operation, not input feedback. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 4: Cryptography (page 149).