Which of the following is not a preventive operational control?
Correct Answer: D
Explanation/Reference: Conducting security awareness and technical training so that end users and system users are aware of the rules of behaviour and their responsibilities in protecting the organization's mission is listed as a preventive management control, not an operational control. Source: STONEBURNER, Gary et al., NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, 2001 (page 37).
Question 817
Which of the following statements pertaining to disaster recovery is incorrect?
Correct Answer: D
Section: Risk, Response and Recovery
Explanation/Reference: It is interesting to note that the steps to resume normal processing operations differ from the steps in the recovery plan: the least critical work should be brought back to the primary site first. My explanation: at the point where the primary site is ready to receive operations again, less critical systems should be brought back first, because one has to make sure that everything is running smoothly at the primary site before returning the critical systems, which are already operating normally at the recovery site. This limits the possible interruption of processing for the most critical systems to a minimum, making it the best option. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity Planning and Disaster Recovery Planning (page 291).
Question 818
Physically securing backup tapes from unauthorized access is obviously a security concern and is considered a function of the:
Correct Answer: A
Explanation/Reference: Physically securing the tapes from unauthorized access is obviously a security concern and is considered a function of the Operations Security Domain. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 71.
Question 819
Define the acronym RBAC.
Correct Answer: A
Explanation/Reference: RBAC stands for Role-Based Access Control. Permissions are attached to roles (typically derived from job functions), and users obtain permissions only through the roles assigned to them, never directly.
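The following is an added illustration of the RBAC principle described in this question; it is not code from the exam source. The role names, permissions and users are constructed for the example, and the role hierarchy (a senior role inheriting the permissions of junior roles) is an assumption used to show why users are never granted permissions directly.

```python
"""Minimal role-based access control (RBAC) check with a role hierarchy.

Added illustration: roles, permissions and users below are constructed
for the example and do not come from any real system.
"""
from __future__ import annotations

# Permissions are (action, resource) pairs granted to roles, never to users.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "reader":  {("read", "report")},
    "editor":  {("write", "report")},
    "auditor": {("read", "audit_log")},
    "admin":   {("delete", "report"), ("write", "audit_log")},
}

# Role hierarchy (assumed for the example): a senior role inherits every
# permission of the junior roles listed for it, transitively.
ROLE_PARENTS: dict[str, set[str]] = {
    "editor": {"reader"},
    "admin":  {"editor", "auditor"},
}

# Users are assigned roles only. This indirection is what makes RBAC
# manageable: changing a job function means editing one role, not N users.
USER_ROLES: dict[str, set[str]] = {
    "alice": {"editor"},
    "bob":   {"auditor"},
    "carol": {"admin"},
    "dave":  set(),          # assigned no role at all
}


def effective_roles(role: str) -> set[str]:
    """Return the role plus every junior role it inherits from (transitive closure)."""
    seen: set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(ROLE_PARENTS.get(current, ()))
    return seen


def permissions_for(user: str) -> set[tuple[str, str]]:
    """Union of the permissions of all roles (direct and inherited) held by user."""
    perms: set[tuple[str, str]] = set()
    for role in USER_ROLES.get(user, set()):
        for r in effective_roles(role):
            perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


def is_authorized(user: str, action: str, resource: str) -> bool:
    """Deny by default: unknown users, unknown roles and missing permissions all fail."""
    return (action, resource) in permissions_for(user)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(user, sorted(permissions_for(user)))
```

Note the deny-by-default shape of `is_authorized`: a user with no role, or a role with no permissions, simply yields an empty permission set rather than an error path an attacker could exploit.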
Question 820
Which of the following models does NOT include data integrity or conflict of interest?
Correct Answer: C
Explanation/Reference: Bell-LaPadula model (Bell, 1975): The granularity of objects and subjects is not predefined, but the model prescribes simple access rights. Based on these simple access restrictions, the Bell-LaPadula model enforces a discretionary access control policy enhanced with mandatory rules. Applications with rigid confidentiality requirements and without strong integrity requirements may be modeled properly. These simple rights, combined with the mandatory rules of the policy, considerably restrict the spectrum of applications that can be modeled appropriately. Bell-LaPadula addresses confidentiality only: data integrity is the concern of the Biba and Clark-Wilson models, and conflict of interest that of the Brewer-Nash (Chinese Wall) model. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Also check: Proceedings of the IFIP TC11 12th International Conference on Information Security, Samos (Greece), May 1996, On Security Models.
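As an added example (not part of the exam source), the two mandatory rules of Bell-LaPadula on a lattice of levels and categories, including the check that shows why the model gives no integrity: a low-cleared subject is allowed to write into a higher-classified object. The classification names, categories and labels are constructed for the illustration.

```python
"""Bell-LaPadula mandatory access checks on a confidentiality lattice.

Added example; levels, categories and labels are constructed for the
illustration. The two rules implemented are the simple security property
(no read up) and the *-property (no write down).
"""
from __future__ import annotations
from dataclasses import dataclass

# Linear ordering of sensitivity levels (constructed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label = sensitivity level plus a set of need-to-know categories."""
    level: str
    categories: frozenset[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """L1 dominates L2 iff level(L1) >= level(L2) and cats(L1) is a superset of cats(L2)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject.

    This deliberately permits writing UP (a "blind write"), which is exactly
    why Bell-LaPadula protects confidentiality but not integrity.
    """
    return obj.dominates(subject)


def blp_decision(subject: Label, obj: Label, access: str) -> bool:
    """Combined decision for read, write, or read-write (both properties must hold)."""
    if access == "read":
        return can_read(subject, obj)
    if access == "write":
        return can_write(subject, obj)
    if access == "read-write":
        # Both rules together force subject and object to the same label.
        return can_read(subject, obj) and can_write(subject, obj)
    raise ValueError(f"unknown access mode {access!r}")


def integrity_gap_demo() -> bool:
    """Returns True: a CONFIDENTIAL subject may write into a TOP SECRET object.

    Nothing in the model stops low-trust input from corrupting high-value data;
    that is the integrity gap Biba and Clark-Wilson were created to close.
    """
    return can_write(Label("CONFIDENTIAL"), Label("TOP SECRET"))


if __name__ == "__main__":
    secret = Label("SECRET")
    secret_nuclear = Label("SECRET", frozenset({"NUCLEAR"}))
    print("SECRET reads CONFIDENTIAL:", can_read(secret, Label("CONFIDENTIAL")))
    print("SECRET reads SECRET/NUCLEAR:", can_read(secret, secret_nuclear))
    print("SECRET writes CONFIDENTIAL:", can_write(secret, Label("CONFIDENTIAL")))
    print("CONFIDENTIAL writes TOP SECRET:", integrity_gap_demo())
```

The category check matters as much as the level check: a SECRET subject without the NUCLEAR category is denied a SECRET/NUCLEAR object even though the levels match, because dominance requires both the level comparison and the category superset relation.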