SSCP : System Security Certified Practitioner (SSCP) : Part 29

  1. Identification and authentication are the keystones of most access control systems. Identification establishes:

    • User accountability for the actions on the system.
    • Top management accountability for the actions on the system.
    • EDP department accountability for the actions of users on the system.
    • Authentication for actions on the system

    Explanation:

    Identification and authentication are the keystones of most access control systems. Identification establishes user accountability for the actions on the system.

    The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

    Once a person has been identified through the user ID or a similar value, she must be authenticated, which means she must prove she is who she says she is. Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic.

    For a user to be able to access a resource, he first must prove he is who he claims to be, has the necessary credentials, and has been given the necessary rights or privileges to perform the actions he is requesting. Once these steps are completed successfully, the user can access and use network resources; however, it is necessary to track the user’s activities and enforce accountability for his actions.

    Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token.

    These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the subject is authenticated. But we are not done yet. Once the subject provides its credentials and is properly identified, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions. The system will look at some type of access control matrix or compare security labels to verify that this subject may indeed access the requested resource and perform the actions it is attempting. If the system determines that the subject may access the resource, it authorizes the subject.

    Although identification, authentication, authorization, and accountability have close and complementary definitions, each has distinct functions that fulfill a specific requirement in the process of access control. A user may be properly identified and authenticated to the network, but he may not have the authorization to access the files on the file server. On the other hand, a user may be authorized to access the files on the file server, but until she is properly identified and authenticated, those resources are out of reach.
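The four steps the explanation walks through (identification, authentication, authorization against an access control matrix, and accountability through an audit trail that records both successful and unsuccessful attempts), as an added Python example that is not taken from the cited books; the user IDs, passwords, object names and matrix entries are constructed for illustration.

```python
"""Identification, authentication, authorization and accountability in one
request path (added example; user records, the access control matrix and
passwords are constructed for illustration)."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000


def make_credential(password: str) -> dict:
    """Store only a random salt and a PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed user database: user ID -> stored credential.
USERS = {
    "alice": make_credential("correct horse battery"),
    "bob": make_credential("staple of the week"),
}

# Constructed access control matrix: subject -> object -> permitted actions.
ACCESS_MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob": {"handbook.pdf": {"read"}},
}

# Audit trail: every attempt, successful or not, is recorded for accountability.
AUDIT_LOG: list = []


def audit(user_id: str, action: str, obj: str, outcome: str, reason: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "action": action, "object": obj,
        "outcome": outcome, "reason": reason,
    })


def identify(user_id: str) -> bool:
    """Step 1: does the claimed identity exist?"""
    return user_id in USERS


def authenticate(user_id: str, password: str) -> bool:
    """Step 2: prove the claim with something the user knows."""
    record = USERS[user_id]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def authorize(user_id: str, action: str, obj: str) -> bool:
    """Step 3: consult the access control matrix for this subject/object pair."""
    return action in ACCESS_MATRIX.get(user_id, {}).get(obj, set())


def request_access(user_id: str, password: str, action: str, obj: str) -> tuple:
    """Run the full chain and return (decision, reason); every outcome is audited."""
    if not identify(user_id):
        audit(user_id, action, obj, "DENY", "unknown identity")
        return "DENY", "unknown identity"
    if not authenticate(user_id, password):
        audit(user_id, action, obj, "DENY", "authentication failed")
        return "DENY", "authentication failed"
    if not authorize(user_id, action, obj):
        audit(user_id, action, obj, "DENY", "not authorized")
        return "DENY", "not authorized"
    audit(user_id, action, obj, "ALLOW", "authorized")
    return "ALLOW", "authorized"


def denied_attempts(user_id: str) -> int:
    """Step 4: accountability. The log lets a reviewer count failed attempts per user."""
    return sum(1 for e in AUDIT_LOG if e["user"] == user_id and e["outcome"] == "DENY")


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery", "write", "payroll.xlsx"))
    print(request_access("bob", "staple of the week", "write", "payroll.xlsx"))
    print(request_access("bob", "wrong password", "read", "handbook.pdf"))
    print(request_access("mallory", "anything", "read", "handbook.pdf"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that an authenticated user (bob) is still denied when the matrix does not grant the action, and that the denied attempts are what the audit function later surfaces.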

    Reference(s) used for this question:

    Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC)2 Press) (Kindle Locations 889-892). Auerbach Publications. Kindle Edition.
    and
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3875-3878). McGraw-Hill. Kindle Edition.
    and
    Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3833-3848). McGraw-Hill. Kindle Edition.
    and
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.

  2. Passwords can be required to change monthly, quarterly, or at other intervals:

    • depending on the criticality of the information needing protection
    • depending on the criticality of the information needing protection and the password’s frequency of use
    • depending on the password’s frequency of use
    • not depending on the criticality of the information needing protection but depending on the password’s frequency of use
    Explanation:
    Passwords can be compromised and must be protected. In the ideal case, a password should only be used once. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password’s frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36 & 37.
  3. The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated up to?

    • Illuminated at nine feet high with at least three foot-candles
    • Illuminated at eight feet high with at least three foot-candles
    • Illuminated at eight feet high with at least two foot-candles
    • Illuminated at nine feet high with at least two foot-candles
    Explanation:

    The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high with at least two foot-candles.

    It can also be referred to as illuminating to a height of eight feet, with a BRIGHTNESS of two foot-candles.

    One footcandle ≈ 10.764 lux. The footcandle (or lumen per square foot) is a non-SI unit of illuminance. Like the BTU, it is obsolete but it is still in fairly common use in the United States, particularly in construction-related engineering and in building codes. Because lux and footcandles are different units of the same quantity, it is perfectly valid to convert footcandles to lux and vice versa.

    The name “footcandle” conveys “the illuminance cast on a surface by a one-candela source one foot away.” As natural as this sounds, this style of name is now frowned upon, because the dimensional formula for the unit is not foot • candela, but lumens per square foot.

    Some sources do however note that the “lux” can be thought of as a “metre-candle” (i.e. the illuminance cast on a surface by a one-candela source one meter away). A source that is farther away casts less illumination than one that is close, so one lux is less illuminance than one footcandle. Since illuminance follows the inverse-square law, and since one foot = 0.3048 m, one lux = 0.3048² footcandle ≈ 1/10.764 footcandle.

    TIPS FROM CLEMENT:
    Illuminance (light level) – The amount of light, measured in foot-candles (US unit), that falls on a surface, either horizontal or vertical.

    Parking lot lighting needs to be an average of 2 foot-candles; uniformity of not more than 3:1, with no area less than 1 fc.

    All illuminance measurements are to be made on the horizontal plane with a certified light meter calibrated to NIST standards using traceable light sources.

    The CISSP Exam Cram 2 from Michael Gregg says:
    Lighting is a commonly used form of perimeter protection.

    Some studies have found that up to 80% of criminal acts at businesses and shopping centers happen in adjacent parking lots. Therefore, it’s easy to see why lighting can be such an important concern.

    Outside lighting discourages prowlers and thieves.
    The National Institute of Standards and Technologies (NIST) states that, for effective perimeter control, buildings should be illuminated 8 feet high, with 2-foot candle power.

    Reference used for this question:

    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 325.
    and
    Shon’s AIO v5 pg 459
    and
    http://en.wikipedia.org/wiki/Foot-candle

  4. This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What best describes this scenario?

    • Excessive Rights
    • Excessive Access
    • Excessive Permissions
    • Excessive Privileges
    Explanation:

    Even though all four terms are very close to each other, the best choice is Excessive Privileges, which would include the other three choices presented.

    Reference(s) used for this question:
    HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 645.
    and

  5. Which of the following protection devices is used for spot protection within a few inches of the object, rather than for overall room security monitoring?

    • Wave pattern motion detectors
    • Capacitance detectors
    • Field-powered devices
    • Audio detectors
    Explanation:
    Capacitance detectors monitor an electrical field surrounding the object being monitored. They are used for spot protection within a few inches of the object, rather than for the overall room security monitoring provided by wave detectors. Penetration of this field changes the electrical capacitance of the field enough to generate an alarm. Wave pattern motion detectors generate a frequency wave pattern and send an alarm if the pattern is disturbed as it is reflected back to its receiver. Field-powered devices are a type of personnel access control device. Audio detectors simply monitor a room for any abnormal sound wave generation and trigger an alarm.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 344).
  6. Physical security is accomplished through proper facility construction, fire and water protection, anti-theft mechanisms, intrusion detection systems, and security procedures that are adhered to and enforced. Which of the following is not a component that achieves this type of security?

    • Administrative control mechanisms
    • Integrity control mechanisms
    • Technical control mechanisms
    • Physical control mechanisms
    Explanation:

    Integrity control mechanisms are not part of physical security. All of the other distractors are components of physical security; this is the one choice that does not belong. Below you have more details extracted from the SearchSecurity web site:
    Information security depends on the security and management of the physical space in which computer systems operate. Domain 9 of the CISSP exam’s Common Body of Knowledge addresses the challenges of securing the physical space, its systems and the people who work within it by use of administrative, technical and physical controls. The following topics are covered:

    Facilities management: The administrative processes that govern the maintenance and protection of the physical operations space, from site selection through emergency response.
    Risks, issues and protection strategies: Risk identification and the selection of security protection components.
    Perimeter security: Typical physical protection controls.

    Facilities management
    Facilities management is a complex component of corporate security that ranges from the planning of a secure physical site to the management of the physical information system environment. Facilities management responsibilities include site selection and physical security planning (i.e. facility construction, design and layout, fire and water damage protection, antitheft mechanisms, intrusion detection and security procedures.) Protections must extend to both people and assets. The necessary level of protection depends on the value of the assets and data. CISSP® candidates must learn the concept of critical-path analysis as a means of determining a component’s business function criticality relative to the cost of operation and replacement. Furthermore, students need to gain an understanding of the optimal location and physical attributes of a secure facility. Among the topics covered in this domain are site inspection, location, accessibility and obscurity, considering the area crime rate, and the likelihood of natural hazards such as floods or earthquakes.

    This domain also covers the quality of construction material, such as its protective qualities and load capabilities, as well as how to lay out the structure to minimize risk of forcible entry and accidental damage. Regulatory compliance is also touched on, as is preferred proximity to civil protection services, such as fire and police stations. Attention is given to computer and equipment rooms, including their location, configuration (entrance/egress requirements) and their proximity to wiring distribution centers at the site.

    Physical risks, issues and protection strategies
    An overview of physical security risks includes risk of theft, service interruption, physical damage, compromised system integrity and unauthorized disclosure of information. Interruptions to business can manifest due to loss of power, services, telecommunications connectivity and water supply. These can also seriously compromise electronic security monitoring alarm/response devices. Backup options are also covered in this domain, as is a strategy for quantifying the risk exposure by simple formula.

    Investment in preventive security can be costly. Appropriate redundancy of people skills, systems and infrastructure must be based on the criticality of the data and assets to be preserved. Therefore a strategy is presented that helps determine the selection of cost appropriate controls. Among the topics covered in this domain are regulatory and legal requirements, common standard security protections such as locks and fences, and the importance of establishing service level agreements for maintenance and disaster support. Rounding out the optimization approach are simple calculations for determining mean time between failure and mean time to repair (used to estimate average equipment life expectancy) — essential for estimating the cost/benefit of purchasing and maintaining redundant equipment.

    As the lifeblood of computer systems, special attention is placed on adequacy, quality and protection of power supplies. CISSP candidates need to understand power supply concepts and terminology, including those for quality (i.e. transient noise vs. clean power); types of interference (EMI and RFI); and types of interruptions such as power excess by spikes and surges, power loss by fault or blackout, and power degradation from sags and brownouts. A simple formula is presented for determining the total cost per hour for backup power. Proving power reliability through testing is recommended and the advantages of three power protection approaches are discussed (standby UPS, power line conditioners and backup sources) including minimum requirements for primary and alternate power provided.

    Environmental controls are explored in this domain, including the value of positive pressure water drains and climate monitoring devices used to control temperature, humidity and reduce static electricity. Optimal temperatures and humidity settings are provided. Recommendations include strict procedures during emergencies, preventing typical risks (such as blocked fans), and the use of antistatic armbands and hygrometers. Positive pressurization for proper ventilation and monitoring for airborne contaminants is stressed.

    The pros and cons of several detection response systems are deeply explored in this domain. The concept of combustion, the classes of fire and fire extinguisher ratings are detailed. Mechanisms behind smoke-activated, heat-activated and flame-activated devices and Automatic Dial-up alarms are covered, along with their advantages, costs and shortcomings. Types of fire sources are distinguished and the effectiveness of fire suppression methods for each is included. For instance, Halon and its approved replacements are covered, as are the advantages and the inherent risks to equipment of the use of water sprinklers.

    Administrative controls
    The physical security domain also deals with administrative controls applied to physical sites and assets. The need for skilled personnel, knowledge sharing between them, separation of duties, and appropriate oversight in the care and maintenance of equipment and environments is stressed. A list of management duties including hiring checks, employee maintenance activities and recommended termination procedures is offered. Emergency measures include accountability for evacuation and system shutdown procedures, integration with disaster and business continuity plans, assuring documented procedures are easily available during different types of emergencies, the scheduling of periodic equipment testing, administrative reviews of documentation, procedures and recovery plans, responsibilities delegation, and personnel training and drills.

    Perimeter security
    Domain nine also covers the devices and techniques used to control access to a space. These include access control devices, surveillance monitoring, intrusion detection and corrective actions. Specifications are provided for optimal external boundary protection, including fence heights and placement, and lighting placement and types. Selection of door types and lock characteristics are covered. Surveillance methods and intrusion-detection methods are explained, including the use of video monitoring, guards, dogs, proximity detection systems, photoelectric/photometric systems, wave pattern devices, passive infrared systems, and sound and motion detectors, and current flow sensitivity devices that specifically address computer theft. Room lock types — both preset and cipher locks (and their variations) — device locks, such as portable laptop locks, lockable server bays, switch control locks and slot locks, port controls, peripheral switch controls and cable trap locks are also covered. Personal access control methods used to identify authorized users for site entry are covered at length, noting social engineering risks such as piggybacking. Wireless proximity devices, both user access and system sensing readers are covered (i.e. transponder based, passive devices and field powered devices) in this domain.

    Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 280.

  7. Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished:

    • through access control mechanisms that require identification and authentication and through the audit function.
    • through logical or technical controls involving the restriction of access to systems and the protection of information.
    • through logical or technical controls but not involving the restriction of access to systems and the protection of information.
    • through access control mechanisms that do not require identification and authentication and do not operate through the audit function.
    Explanation:
    Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization’s security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
  8. In Discretionary Access Control the subject has authority, within certain limitations,

    • but he is not permitted to specify what objects can be accessible and so we need to get an independent third party to specify what objects can be accessible.
    • to specify what objects can be accessible.
    • to specify on an aggregate basis without understanding what objects can be accessible.
    • to specify in full detail what objects can be accessible.
    Explanation:

    With Discretionary Access Control, the subject has authority, within certain limitations, to specify what objects can be accessible.

    For example, access control lists can be used. This type of access control is used in local, dynamic situations where the subjects must have the discretion to specify what resources certain users are permitted to access.

    When a user, within certain limitations, has the right to alter the access control to certain objects, this is termed as user-directed discretionary access control. In some instances, a hybrid approach is used, which combines the features of user-based and identity-based discretionary access control.

    References:

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
    and
    HARRIS, Shon, All-In-One CISSP Certification Exam Guide 5th Edition, McGraw-Hill/Osborne, 2010, Chapter 4: Access Control (page 210-211).

  9. Which of the following are additional access control objectives?

    • Consistency and utility
    • Reliability and utility
    • Usefulness and utility
    • Convenience and utility
    Explanation:
    Availability assures that a system’s authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and utility. These and other related objectives flow from the organizational security policy. This policy is a high-level statement of management intent regarding the control of access to information and the personnel who are authorized to receive that information. Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system’s vulnerability to these threats, and the risk that the threat may materialize.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.
  10. Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct?

    • Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision.
    • Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols.
    • Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
    • Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.
    Explanation:
    Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
  11. What does the (star) integrity axiom mean in the Biba model?

    • No read up
    • No write down
    • No read down
    • No write up
    Explanation:
    The (star) integrity axiom of the Biba access control model states that an object at one level of integrity is not permitted to modify an object of a higher level of integrity (no write up).
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 205).
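A small reference monitor that enforces the Biba star integrity axiom (no write up) alongside the simple integrity axiom (no read down) that the other options allude to, as an added Python example that is not from the cited book; the integrity levels, subjects and objects are constructed.

```python
"""Reference monitor for the Biba integrity model (added example; the
integrity levels, subjects and objects below are constructed)."""
from dataclasses import dataclass

# Integrity levels ordered from lowest to highest trust.
LEVELS = ("untrusted", "user", "system")


def rank(level: str) -> int:
    """Numeric rank of an integrity level; higher means more trusted."""
    if level not in LEVELS:
        raise ValueError(f"unknown integrity level: {level!r}")
    return LEVELS.index(level)


@dataclass(frozen=True)
class Subject:
    name: str
    integrity: str


@dataclass(frozen=True)
class Obj:
    name: str
    integrity: str


def simple_integrity_allows_read(subject: Subject, obj: Obj) -> bool:
    """Simple integrity axiom: no read down.

    A subject may read only objects at its own level or higher, so data of
    lower integrity cannot flow into a more trusted subject."""
    return rank(obj.integrity) >= rank(subject.integrity)


def star_integrity_allows_write(subject: Subject, obj: Obj) -> bool:
    """Star (*) integrity axiom: no write up.

    A subject may write only to objects at its own level or lower, so a less
    trusted subject can never modify more trusted data."""
    return rank(obj.integrity) <= rank(subject.integrity)


def decide(subject: Subject, obj: Obj, mode: str) -> str:
    """Return "ALLOW" or "DENY" for a read or write request."""
    if mode == "read":
        allowed = simple_integrity_allows_read(subject, obj)
    elif mode == "write":
        allowed = star_integrity_allows_write(subject, obj)
    else:
        raise ValueError(f"unsupported access mode: {mode!r}")
    return "ALLOW" if allowed else "DENY"


def access_matrix(subject: Subject, objects) -> dict:
    """Decisions for one subject against several objects, keyed (object, mode)."""
    return {(o.name, mode): decide(subject, o, mode)
            for o in objects for mode in ("read", "write")}


if __name__ == "__main__":
    user_proc = Subject("user_process", "user")
    objects = [Obj("download.bin", "untrusted"),
               Obj("home.txt", "user"),
               Obj("kernel.img", "system")]
    for (name, mode), verdict in access_matrix(user_proc, objects).items():
        print(f"{user_proc.name} {mode:5} {name:12} -> {verdict}")
```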
  12. Which of the following centralized access control mechanisms is the least appropriate for mobile workers accessing the corporate network over analog lines?

    • TACACS
    • Call-back
    • CHAP
    • RADIUS
    Explanation:
    Call-back allows for a distant user connecting into a system to be called back at a number already listed in a database of trusted users. The disadvantage of this system is that the user must be at a fixed location whose phone number is known to the authentication server. Being mobile workers, users are accessing the system from multiple locations, making call-back inappropriate for them.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 44).
  13. Which of the following is NOT a compensating measure for access violations?

    • Backups
    • Business continuity planning
    • Insurance
    • Security awareness
    Explanation:
    Security awareness is a preventive measure, not a compensating measure for access violations.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 50).
  14. Which of the following statements pertaining to biometrics is false?

    • Increased system sensitivity can cause a higher false rejection rate
    • The crossover error rate is the point at which false rejection rate equals the false acceptance rate.
    • False acceptance rate is also known as Type II error.
    • Biometrics are based on the Type 2 authentication mechanism.
    Explanation:
    Authentication is based on three factor types: type 1 is something you know, type 2 is something you have and type 3 is something you are. Biometrics are based on the Type 3 authentication mechanism.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 37).
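The three true statements above (sensitivity versus false rejections, the crossover point, and FAR as the Type II error) worked through numerically, as an added Python example that is not from the cited book; the match scores are constructed, not real sensor output.

```python
"""Biometric error rates: FAR, FRR and the crossover error rate (CER).
Added example; the match scores below are constructed, not real sensor data."""

# Match scores on a 0..100 scale from a hypothetical matcher. A comparison is
# accepted when its score is at or above the decision threshold, so a higher
# threshold means a more sensitive (stricter) system.
GENUINE_SCORES = [55, 62, 70, 74, 78, 81, 85, 88, 92, 96]   # same person
IMPOSTOR_SCORES = [10, 18, 25, 33, 41, 48, 52, 58, 63, 72]  # different people


def false_acceptance_rate(threshold, impostor_scores=IMPOSTOR_SCORES) -> float:
    """Type II error: share of impostor attempts the system accepts."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_rejection_rate(threshold, genuine_scores=GENUINE_SCORES) -> float:
    """Type I error: share of legitimate attempts the system rejects."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES,
                         thresholds=range(0, 101)):
    """Find the threshold where FAR and FRR meet (or come closest).

    Returns (threshold, far, frr); the rate at that point is the CER, the
    usual single-number comparison between biometric systems."""
    best = None
    for t in thresholds:
        far = false_acceptance_rate(t, impostor)
        frr = false_rejection_rate(t, genuine)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


def sensitivity_effect(low_threshold, high_threshold) -> dict:
    """Error rates at two thresholds, showing that raising sensitivity lowers
    FAR but raises FRR."""
    return {
        "low": (low_threshold, false_acceptance_rate(low_threshold),
                false_rejection_rate(low_threshold)),
        "high": (high_threshold, false_acceptance_rate(high_threshold),
                 false_rejection_rate(high_threshold)),
    }


if __name__ == "__main__":
    t, far, frr = crossover_error_rate()
    print(f"CER at threshold {t}: FAR={far:.2f} FRR={frr:.2f}")
    for label, (th, fa, fr) in sensitivity_effect(50, 80).items():
        print(f"{label:4} threshold {th}: FAR={fa:.2f} FRR={fr:.2f}")
```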
  15. Which of the following statements pertaining to Kerberos is TRUE?

    • Kerberos does not address availability
    • Kerberos does not address integrity
    • Kerberos does not make use of Symmetric Keys
    • Kerberos cannot address confidentiality of information
    Explanation:

    The question was asking for a TRUE statement and the only correct statement is “Kerberos does not address availability”.

    Kerberos addresses the confidentiality and integrity of information. It does not directly address availability.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control systems (page 42).

  16. In regards to information classification what is the main responsibility of information (data) owner?

    • determining the data sensitivity or classification level
    • running regular data backups
    • audit the data users
    • periodically check the validity and accuracy of the data
    Explanation:

    Making the determination to decide what level of classification the information requires is the main responsibility of the data owner.

    The data owner within classification is a person from Management who has been entrusted with a data set that belongs to the company. It could be for example the Chief Financial Officer (CFO) who has been entrusted with all financial data, or it could be the Human Resource Director who has been entrusted with all Human Resource data. The information owner will decide what classification will be applied to the data based on Confidentiality, Integrity, Availability, Criticality, and Sensitivity of the data.

    The Custodian is the technical person who will implement the proper classification on objects in accordance with the Data Owner. The custodian DOES NOT decide what classification to apply, it is the Data Owner who will dictate to the Custodian what is the classification to apply.

    NOTE:
    The term Data Owner is also used within Discretionary Access Control (DAC). Within DAC it means the person who has created an object. For example, if I create a file on my system then I am the owner of the file and I can decide who else could get access to the file. It is left to my discretion. Within DAC access is granted based solely on the Identity of the subject, this is why sometimes DAC is referred to as Identity Based Access Control.

    The other choices were not the best answer:

    Running regular backups is the responsibility of the custodian.
    Auditing the data users is the responsibility of the auditors.
    Periodically checking the validity and accuracy of the data is not one of the data owner’s responsibilities.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 14, Chapter 1: Security Management Practices.

  17. Which of the following is not a two-factor authentication mechanism?

    • Something you have and something you know.
    • Something you do and a password.
    • A smartcard and something you are.
    • Something you know and a password.
    Explanation:

    Something you know and a password fit within only one of the three ways authentication can be done. A password is an example of something you know, so “something you know and a password” does not constitute two-factor authentication, as both are in the same category of factors.

    A two-factor (strong) authentication relies on two different kinds of authentication factors out of a list of three possible choices:

    something you know (e.g. a PIN or password),
    something you have (e.g. a smart card, token, magnetic card),
    something you are is mostly Biometrics (e.g. a fingerprint) or something you do (e.g. signature dynamics).

    TIP FROM CLEMENT:
    On the real exam you can expect to see synonyms and sometimes sub-categories under the main categories. People are familiar with PIN, Passphrase, and Password as subsets of Something you know.

    However, when people see choices such as Something you do or Something you are they immediately get confused and they do not think of them as subsets of Biometrics, where you have biometric implementations based on behavior and physiological attributes. So something you do falls under the Something you are category as a subset.

    Something you do would be signing your name or typing text on your keyboard, for example.

    Strong authentication is simply when you make use of two factors that are within two different categories.

    Reference(s) used for this question:
    Shon Harris, CISSP All In One, Fifth Edition, pages 158-159

  18. Which of the following is most affected by denial-of-service (DOS) attacks?

    • Confidentiality
    • Integrity
    • Accountability
    • Availability
    Explanation:
    Denial of service attacks obviously affect availability of targeted systems.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 61).
  19. What refers to legitimate users accessing networked services that would normally be restricted to them?

    • Spoofing
    • Piggybacking
    • Eavesdropping
    • Logon abuse
    Explanation:
    Unauthorized access of restricted network services by the circumvention of security access controls is known as logon abuse. This type of abuse refers to users who may be internal to the network but access resources they would not normally be allowed.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page 74).
  20. Which division of the Orange Book deals with discretionary protection (need-to-know)?

    • D
    • C
    • B
    • A
    Explanation:

    C deals with discretionary protection. See the matrix below:

    [Figure: TCSEC Matrix (image not included)]

    The following are incorrect answers:

    D is incorrect. D deals with minimal security.
    B is incorrect. B deals with mandatory protection.
    A is incorrect. A deals with verified protection.
    Reference(s) used for this question:
    CBK, p. 329 – 330

    and
    Shon Harris, CISSP All In One (AIO), 6th Edition, pages 392-393
