The MAIN purpose of placing a tamper seal on a computer system's case is to:
Correct Answer: A
Question 52
With MAC, who may NOT make decisions that derive from policy?
Correct Answer: A
As the name implies, Mandatory Access Control (MAC) imposes access decisions from a central policy rather than leaving them to the owners of resources. The Handbook of Information Security Management defines it as follows: with mandatory controls, only administrators, and not owners of resources, may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.
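The following toy reference monitor is an added example, not code from the page or from the Handbook. It assumes a lattice-style rule (a clearance must be at least as high in level and carry every category of the resource label) to decide reads; the subject, resource and category names are constructed. It shows the two MAC properties stated above: an owner cannot relabel a resource, and an owner cannot grant access that the label policy forbids.

```python
"""Toy mandatory access control (MAC) monitor.

Added example, not from the page: labels and an assumed dominance rule
illustrate why, under MAC, only an administrator can relabel a resource and
an owner cannot grant access that the policy forbids. All names are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus a set of categories (compartments)."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Assumed lattice rule: a label dominates another when its level is at
        # least as high and it carries every category the other carries.
        return self.level >= other.level and other.categories <= self.categories


@dataclass
class Subject:
    name: str
    clearance: Label
    is_admin: bool = False


@dataclass
class Resource:
    name: str
    owner: str
    label: Label


class MacMonitor:
    """Reference monitor: every decision derives from labels set by an administrator."""

    def can_read(self, subject: Subject, resource: Resource) -> bool:
        # Read is allowed only if the subject's clearance dominates the label
        # ("no read up"). Ownership plays no part in the decision.
        return subject.clearance.dominates(resource.label)

    def relabel(self, actor: Subject, resource: Resource, new_label: Label) -> bool:
        # Only an administrator may change the category/classification of a resource.
        if not actor.is_admin:
            return False
        resource.label = new_label
        return True

    def grant_read(self, actor: Subject, grantee: Subject, resource: Resource) -> bool:
        # Under DAC an owner could hand out access at will. Under MAC the owner
        # cannot grant a right the label policy forbids: the request is simply
        # re-evaluated against the labels, so the answer is the same as can_read.
        if actor.name != resource.owner and not actor.is_admin:
            return False
        return self.can_read(grantee, resource)


def demo() -> dict:
    """Run the scenario and return every decision so it can be checked."""
    mac = MacMonitor()
    admin = Subject("admin", Label(Level.TOP_SECRET, frozenset({"FIN", "HR"})), is_admin=True)
    alice = Subject("alice", Label(Level.SECRET, frozenset({"FIN"})))        # resource owner
    bob = Subject("bob", Label(Level.SECRET, frozenset({"HR"})))             # wrong category
    carol = Subject("carol", Label(Level.CONFIDENTIAL, frozenset({"FIN"})))  # level too low
    budget = Resource("budget.xlsx", owner="alice", label=Label(Level.SECRET, frozenset({"FIN"})))
    lower = Label(Level.CONFIDENTIAL, frozenset({"FIN"}))

    return {
        "alice_reads_own_file": mac.can_read(alice, budget),
        "bob_reads": mac.can_read(bob, budget),
        "carol_reads": mac.can_read(carol, budget),
        # Owner tries to grant Bob access: denied, the label forbids it.
        "owner_grants_bob": mac.grant_read(alice, bob, budget),
        # Owner tries to downgrade the label to let Carol in: denied, not an admin.
        "owner_relabels": mac.relabel(alice, budget, lower),
        "carol_reads_after_owner_attempt": mac.can_read(carol, budget),
        # Administrator downgrades the label; Carol's access now follows from policy.
        "admin_relabels": mac.relabel(admin, budget, lower),
        "carol_reads_after_admin_relabel": mac.can_read(carol, budget),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision:35s} {'ALLOW' if allowed else 'DENY'}")
```

Note that `grant_read` never consults an access list the owner controls; the only thing that changes an outcome in the scenario is the administrator's relabel, which is exactly the distinction the definition draws between MAC and owner-driven (discretionary) control.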
Question 53
Who is accountable for the information within an Information System (IS)?
Correct Answer: A
Question 54
When planning for disaster recovery it is important to establish a chain of command in case one or more people become missing, incapacitated or otherwise unavailable to lead the organization. Which of the following terms BEST describes this process?
Correct Answer: A
Explanation/Reference:
Explanation: Organizations must ensure that there is always an executive available to make decisions during a disaster. Executive succession planning determines an organization's line of succession. Executives may become unavailable due to a variety of disasters, ranging from injury and loss of life to strikes, travel restrictions, and medical quarantines.
Incorrect Answers:
B: The purpose of a Continuity of Operations plan is to maintain operations during a disaster. Continuity of Operations does not specifically address chain of command recovery.
C: A Business Impact Assessment (BIA) is an analysis that identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. A BIA does not address chain of command recovery.
D: Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. Business continuity planning does not specifically address chain of command recovery.
References: Conrad, Eric, Seth Misenar and Joshua Feldman, CISSP Study Guide, 2nd Edition, Syngress, Waltham, 2012, p. 372
Question 55
Which of the following questions is less likely to help in assessing physical and environmental protection?
Correct Answer: C
Physical security and environmental security are part of operational controls: they are the measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment. All of the questions above are useful in assessing physical and environmental protection except the one about processes that ensure unauthorized individuals cannot access information, which is a production control rather than a physical one. Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (Pages A-21 to A-24).