CHAPTER 5

Security Architecture and Models

This chapter is supplemental to and coordinated with the Security Architecture and Models chapter in the CISSP Prep Guide. The fundamentals of security architecture and models are covered in Chapter 5 of the CISSP Prep Guide at a level commensurate with that of the CISSP Examination.

This chapter includes advanced material relative to computer architectures, computer hardware, the Java security model, multilevel security, security models and their properties, Trusted Computer Systems, the Common Criteria, ITSEC, TCSEC, HIPAA privacy, HIPAA security, HIPAA transactions, HIPAA code sets, the Gramm-Leach-Bliley Act, privacy, NIACAP, DITSCAP, P3P and FedCIRC.

It is assumed that the reader has a basic knowledge of the material contained in Chapter 5 and has the CISSP Prep Guide available to provide background information for the advanced questions pertaining to security architecture and models. These questions and answers build upon the questions and answers covered in Chapter 5 of the CISSP Prep Guide.

Advanced Sample Questions

  1. When microcomputers were first developed, the instruction fetch time was much longer than the instruction execution time because of the relatively slow speed of memory accesses. This situation led to the design of the:
    1. Reduced Instruction Set Computer (RISC)
    2. Complex Instruction Set Computer (CISC)
    3. Superscalar processor
    4. Very-long-instruction-word (VLIW) processor
  2. The main objective of the Java Security Model (JSM) is to:
    1. Protect the user from hostile, network mobile code
    2. Protect a web server from hostile, client code
    3. Protect the local client from hostile, user-input code
    4. Provide accountability for events
  3. Which of the following would NOT be a component of a general enterprise security architecture model for an organization?
    1. Information and resources to ensure the appropriate level of risk management
    2. Consideration of all the items that comprise information security, including distributed systems, software, hardware, communications systems and networks
    3. A systematic and unified approach for evaluating the organization's information systems security infrastructure and defining approaches to implementation and deployment of information security controls
    4. IT system auditing
  4. In a multilevel security system (MLS), the Pump is:
    1. A two-way information flow device
    2. A one-way information flow device
    3. Compartmented Mode Workstation (CMW)
    4. A device that implements role-based access control
  5. The Bell-LaPadula model addresses which one of the following items?
    1. Covert channels
    2. The creation and destruction of subjects and objects
    3. Information flow from high to low
    4. Definition of a secure state transition
  6. In order to recognize the practical aspects of multilevel security in which, for example, an unclassified paragraph in a Secret document has to be moved to an Unclassified document, the Bell-LaPadula model introduces the concept of a:
    1. Simple security property
    2. Secure exchange
    3. Data flow
    4. Trusted subject
  7. In a refinement of the Bell-LaPadula model, the strong tranquility property states that:
    1. Objects never change their security level.
    2. Objects never change their security level in a way that would violate the system security policy.
    3. Objects can change their security level in an unconstrained fashion.
    4. Subjects can read up.
  8. As an analog of confidentiality labels, integrity labels in the Biba model are assigned according to which of the following rules?
    1. Objects are assigned integrity labels identical to the corresponding confidentiality labels.
    2. Objects are assigned integrity labels according to their trustworthiness; subjects are assigned classes according to the harm that would be done if the data were modified improperly.
    3. Subjects are assigned classes according to their trustworthiness; objects are assigned integrity labels according to the harm that would be done if the data were modified improperly.
    4. Integrity labels are assigned according to the harm that would occur from unauthorized disclosure of the information.
  9. The Clark-Wilson Integrity Model (D. Clark, D. Wilson, “A Comparison of Commercial and Military Computer Security Policies,” Proceedings of the 1987 IEEE Computer Society Symposium on Research in Security and Privacy, Los Alamitos, CA, IEEE Computer Society Press, 1987) focuses on what two concepts?
    1. Separation of duty and well-formed transactions
    2. Least privilege and well-formed transactions
    3. Capability lists and domains
    4. Well-formed transactions and denial of service
  10. The model that addresses the situation wherein one group is not affected by another group using specific commands is called the:
    1. Information flow model
    2. Non-interference model
    3. Composition model
    4. Clark-Wilson model
  11. The secure path between a user and the Trusted Computing Base (TCB) is called:
    1. Trusted distribution
    2. Trusted path
    3. Trusted facility management
    4. The security perimeter
  12. The Common Criteria terminology for the degree of examination of the product to be tested is:
    1. Target of Evaluation (TOE)
    2. Protection Profile (PP)
    3. Functionality (F)
    4. Evaluation Assurance Level (EAL)
  13. A difference between the Information Technology Security Evaluation Criteria (ITSEC) and the Trusted Computer System Evaluation Criteria (TCSEC) is:
    1. TCSEC addresses availability as well as confidentiality
    2. ITSEC addresses confidentiality only
    3. ITSEC addresses integrity and availability as well as confidentiality
    4. TCSEC separates functionality and assurance
  14. Which of the following items BEST describes the standards addressed by Title II, Administrative Simplification, of the Health Insurance Portability and Accountability Act (U.S. Kennedy-Kassenbaum Health Insurance and Portability Accountability Act -HIPAA-Public Law 104-19)?
    1. Transaction Standards, to include Code Sets; Unique Health Identifiers; Security and Electronic Signatures and Privacy
    2. Transaction Standards, to include Code Sets; Security and Electronic Signatures and Privacy
    3. Unique Health Identifiers; Security and Electronic Signatures and Privacy
    4. Security and Electronic Signatures and Privacy
  15. Which one of the following is generally NOT considered a covered entity under Title II, Administrative Simplification, of the HIPAA law?
    1. Health care providers who transmit health information electronically in connection with standard transactions
    2. Health plans
    3. Employers
    4. Health care clearinghouses
  16. The principles of Notice, Choice, Access, Security, and Enforcement refer to which of the following?
    1. Authorization
    2. Privacy
    3. Nonrepudiation
    4. Authentication
  17. The simple security property of which one of the following models is described as:

    “A user has access to a client company's information, c, if and only if for all other information, o, that the user can read, either x(c) ≠ z (o) or x(c) = x (o), where x(c) is the client's company and z (o) are the competitors of x(c).”

    1. Biba
    2. Lattice
    3. Bell-LaPadula
    4. Chinese wall
  18. The two categories of the policy of separation of duty are:
    1. Span of control and functional separation
    2. Inference control and functional separation
    3. Dual control and functional separation
    4. Dual control and aggregation control
  19. In the National Information Assurance Certification and Accreditation Process (NIACAP), a type accreditation performs which one of the following functions?
    1. Evaluates a major application or general support system
    2. Verifies the evolving or modified system's compliance with the information agreed on in the System Security Authorization Agreement (SSAA)
    3. Evaluates an application or system that is distributed to a number of different locations
    4. Evaluates the applications and systems at a specific, self-contained location
  20. Which of the following processes establishes the minimum national standards for certifying and accrediting national security systems?
    1. CIAP
    2. DITSCAP
    3. NIACAP
    4. Defense audit
  21. Which of the following terms is NOT associated with a Read Only Memory (ROM)?
    1. Flash memory
    2. Field Programmable Gate Array (FPGA)
    3. Static RAM (SRAM)
    4. Firmware
  22. Serial data transmission in which information can be transmitted in two directions, but only one direction at a time is called:
    1. Simplex
    2. Half-duplex
    3. Synchronized
    4. Full-duplex
  23. The ANSI ASC X12 (American National Standards Institute Accredited Standards Committee X12) Standard version 4010 applies to which one of the following HIPAA categories?
    1. Privacy
    2. Code sets
    3. Transactions
    4. Security
  24. A 1999 law that addresses privacy issues related to health care, insurance, and finance and that will implemented by the states is:
    1. Gramm-Leach-Bliley (GLB)
    2. Kennedy-Kassebaum
    3. the Medical Action Bill
    4. the Insurance Reform Act
  25. The Platform for Privacy Preferences (P3P) was developed by the World Wide Web Consortium (W3C) for what purpose?
    1. To implement public key cryptography for transactions
    2. To evaluate a client's privacy practices
    3. To monitor users
    4. To implement privacy practices on Web sites
  26. What process is used to accomplish high-speed data transfer between a peripheral device and computer memory, bypassing the Central Processing Unit (CPU)?
    1. Direct memory access
    2. Interrupt processing
    3. Transfer under program control
    4. Direct access control
  27. An associative memory operates in which one of the following ways?
    1. Uses indirect addressing only
    2. Searches for values in memory exceeding a specified value
    3. Searches for a specific data value in memory
    4. Returns values stored in a memory address location specified in the CPU address register
  28. The following concerns usually apply to what type of architecture?
    • Desktop systems can contain sensitive information that may be at risk of being exposed.
    • Users may generally lack security awareness.
    • Modems present a vulnerability to dial-in attacks.
    • Lack of proper backup may exist.
    1. Distributed
    2. Centralized
    3. Open system
    4. Symmetric
  29. The definition “A relatively small amount (when compared to primary memory) of very high speed RAM, which holds the instructions and data from primary memory, that has a high probability of being accessed during the currently executing portion of a program” refers to what category of computer memory?
    1. Secondary
    2. Real
    3. Cache
    4. Virtual
  30. The organization that “establishes a collaborative partnership of computer incident response, security and law enforcement professionals who work together to handle computer security incidents and to provide both proactive and reactive security services for the U.S. Federal government” is called:
    1. CERT/CC
    2. Center for Infrastructure Protection
    3. Federal CIO Council
    4. Federal Computer Incident Response Center
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset