1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 10
Выбрать главу

72. From an access control point of view, the Chinese Wall policy focuses on which of the following?

a. Confidentiality

b. Integrity

c. Availability

d. Assurance

72. a. The Chinese Wall policy is used where company sensitive information (i.e., confidentiality) is divided into mutually disjointed conflict-of-interest categories. The Biba model focuses on integrity. Availability, assurance, and integrity are other components of security principles that are not relevant to the Chinese Wall policy.

73. From an access control point of view, which of the following maintains consistency between the internal data and users’ expectations of that data?

a. Security policy

b. Workflow policy

c. Access control policy

d. Chinese Wall policy

73. b. The goal of workflow policy is to maintain consistency between the internal data and external (users’) expectations of that data. This is because the workflow is a process, consisting of tasks, documents, and data. The Chinese Wall policy deals with dividing sensitive data into separate categories. The security policy and the access control policy are too general to be of any importance here.

74. From an access control point of view, separation of duty is not related to which of the following?

a. Safety

b. Reliability

c. Fraud

d. Security

74. b. Computer systems must be designed and developed with security and safety in mind because unsecure and unsafe systems can cause injury to people and damage to assets (e.g., military and airline systems). With separation of duty (SOD), fraud can be minimized when sensitive tasks are separated from each other (e.g., signing a check from requesting a check). Reliability is more of an engineering term in that a computer system is expected to perform with the required precision on a consistent basis. On the other hand, SOD deals with people and their work-related actions, which are not precise and consistent.

75. Which of the following statements are true about access controls, safety, trust, and separation of duty?

1. No leakage of access permissions are allowed to an unauthorized principal.

2. No access privileges can be escalated to an unauthorized principal.

3. No principals’ trust means no safety.

4. No separation of duty means no safety.

a. 1 only

b. 2 only

c. 1, 2, and 3

d. 1, 2, 3, and 4

75. d. If complete trust by a principal is not practical, there is a possibility of a safety violation. The separation of duty concept is used to enforce safety and security in some access control models. In an event where there are many users (subjects), objects, and relations between subjects and objects, safety needs to be carefully considered.

76. From a safety configuration viewpoint, the separation of duty concept is not enforced in which of the following?

a. Mandatory access control policy

b. Bell-LaPadula access control model

c. Access control matrix model

d. Domain type enforcement access control model

76. c. The separation of duty concept is not enforced by the access control matrix model because it is not safety configured and is based on an arbitrary constraint. The other three choices use restricted access control models with access constraints that describe the safety requirements of any configuration.

77. Which of the following statements are true about access controls and safety?

1. More complex safety policies need more flexible access controls.

2. Adding flexibility to restricted access control models increases safety problems.

3. A trade-off exists between the expressive power of an access control model and the ease of safety enforcement.

4. In the implicit access constraints model, safety enforcement is relatively easier than in the arbitrary constraints model.

a. 1 and 3

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

77. d. In general, access control policy expression models, such as role-based and access control matrix models, operate on arbitrary constraints and safety enforcement is difficult. In implicit (restricted) access constraints models (e.g., Bell-LaPadula), the safety enforcement is attainable.

78. The purpose of static separation of duty is to address problems, such as static exclusivity and the assurance principle. Which of the following refers to the static exclusivity problem?

1. To reduce the likelihood of fraud.

2. To prevent the loss of user objectivity.

3. One user is less likely to commit fraud when this user is a part of many users involved in a business transaction.

4. Few users are less likely to commit collusion when these users are a part of many users involved in a business transaction.

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

78. a. A static exclusivity problem is the condition for which it is considered dangerous for any user to gain authorization for a conflicting set of access capabilities. The motivation for exclusivity relations includes reducing the likelihood of fraud or preventing the loss of user objectivity. The assurance principle deals with committing fraud or collusion when many users are involved in handling a business transaction.

79. Role-based access control and the least privilege principle do not enable which of the following?

a. Read access to a specified file

b. Write access to a specified directory

c. Connect access to a given host computer

d. One administrator with super-user access permissions

79. d. The concept of limiting access or least privilege is simply to provide no more authorization than necessary to perform required functions. Best practice suggests it is better to have several administrators with limited access to security resources rather than one administrator with super-user access permissions. The principle of least privilege is connected to the role-based access control in that each role is assigned those access permissions needed to perform its functions, as mentioned in the other three choices.

80. Extensible access control markup language (XACML) framework incorporates the support of which of the following?

a. Rule-based access control (RuBAC)

b. Mandatory access control (MAC)

c. Role-based access control (RBAC)

d. Discretionary access control (DAC)

80. c. The extensible access control markup language (XACML) framework does not provide support for representing the traditional access controls (e.g., RuBAC, MAC, and DAC), but it does incorporate the role-based access control (RBAC) support. The XACML specification describes building blocks from which an RBAC solution is developed.

~ 10 ~