Section: Security Operation Adimnistration Explanation Explanation/Reference: System Integrity means that all components of the system cannot be tampered with by unauthorized personnel and can be verified that they work properly. The following answers are incorrect: The software of the system has been implemented as designed. Is incorrect because this would fall under Trusted system distribution. Users can't tamper with processes they do not own. Is incorrect because this would fall under Configuration Management. Design specifications have been verified against the formal top-level specification. Is incorrect because this would fall under Specification and verification. References: AIOv3 Security Models and Architecture (pages 302 - 306) DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm
Question 283
In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on :
Correct Answer: B
Explanation/Reference: Today implementation of fast, accurate reliable and user-acceptable biometric identification systems is already under way. From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Page 7.
Question 284
Which of the following is defined as the most recent point in time to which data must be synchronized without adversely affecting the organization (financial or operational impacts)?
Correct Answer: A
Explanation/Reference: The recovery point objective (RPO) is the maximum acceptable level of data loss following an unplanned "event", like a disaster (natural or man-made), act of crime or terrorism, or any other business or technical disruption that could cause such data loss. The RPO represents the point in time, prior to such an event or incident, to which lost data can be recovered (given the most recent backup copy of the data). The recovery time objective (RTO) is a period of time within which business and / or technology capabilities must be restored following an unplanned event or disaster. The RTO is a function of the extent to which the interruption disrupts normal operations and the amount of revenue lost per unit of time as a result of the disaster. These factors in turn depend on the affected equipment and application(s). Both of these numbers represent key targets that are set by key businesses during business continuity and disaster recovery planning; these targets in turn drive the technology and implementation choices for business resumption services, backup / recovery / archival services, and recovery facilities and procedures. Many organizations put the cart before the horse in selecting and deploying technologies before understanding the business needs as expressed in RPO and RTO; IT departments later bear the brunt of user complaints that their service expectations are not being met. Defining the RPO and RTO can avoid that pitfall, and in doing so can also make for a compelling business case for recovery technology spending and staffing. For the CISSP candidate studying for the exam, there are no such objectives for "point of time," and "critical time." Those two answers are simply detracters. Reference: http://www.wikibon.org/Recovery_point_objective_/_recovery_time_objective_strategy
Question 285
The first step in the implementation of the contingency plan is to perform:
Correct Answer: B
A data backup is the first step in contingency planning. Without data, there is nothing to process. "No backup, no recovery". Backup for hardware should be taken care of next. Formal arrangements must be made for alternate processing capability in case the need should arise. Operating systems and application software should be taken care of afterwards. Source: VALLABHANENI, S. Rao, CISSP Examination Textbooks, Volume 2: Practice, SRV Professional Publications, 2002, Chapter 8, Business Continuity Planning & Disaster Recovery Planning (page 506).
Question 286
Which of the following best ensures accountability of users for the actions taken within a system or domain?
Correct Answer: B
Section: Access Control Explanation/Reference: Details: The only way to ensure accountability is if the subject is uniquely identified and authenticated. Identification alone does not provide proof the user is who they claim to be. After showing proper credentials, a user is authorized access to resources. References: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 126).