
a. Use simulation software.

b. Examine all letters and parcels coming into a building.

c. Hire security guards.

d. Keep motor vehicles away from the building.

7. c. There is no substitute for vigilant and resourceful security guards protecting a building. Simulation software can assess the vulnerability of a structure to explosive blasts by modeling the detonation of devices at various design points. Security can also be improved simply by keeping vehicles away from close proximity to the structure, and it makes sense to examine all letters and parcels coming into a building for explosives. These measures supplement guards; they do not replace them.

Sources and References

“Access Control in Support of Information Systems, Security Technical Implementation Guide.” (DISA-STIG, Version 2 and Release 2). December 2008. Defense Information Systems Agency (DISA), The U.S. Department of Defense (DOD).

Garcia, Mary Lynn. 2001. The Design and Evaluation of Physical Protection Systems. Burlington, MA: Butterworth-Heinemann.

National Fire Protection Association (NFPA) 10, 1998. Quincy, MA.

National Fire Protection Association (NFPA) 25, 1998. Quincy, MA.

CPP Study Guide, 10th Edition. 1999. Alexandria, VA: The American Society for Industrial Security (ASIS).

Patterson, David G., III. 2004. Implementing Physical Protection Systems. Alexandria, VA: ASIS International.

“Security Requirements for Cryptographic Modules” (NIST FIPS PUB 140-3 draft), July 2007. National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland.

Tyska, Louis A. and Fennelly, Lawrence J. 2000. 150 Things You Should Know About Physical Security. Woburn, MA: Butterworth-Heinemann.

Appendix A

CISSP Glossary 2012

This appendix provides a glossary of key information systems and information technology security terms useful to CISSP Exam candidates. Reading the glossary terms before the practice chapters (domains) can help the candidate understand the chapter contents better. More than one definition is provided for some terms to cover the multiple meanings and contexts in which the term is used or applied.

The glossary is provided for a clear understanding of the technical terms used in the ten domains of this book. CISSP Exam candidates should know these terms for a better comprehension of the subject matter presented. The glossary is also a good source for answering multiple-choice questions on the CISSP Exam.

Numbers and Letters

1G

The first generation of analog-based wireless technology.

2G

The second generation of digital wireless technology that supports voice and text.

3G

The third generation of digital wireless technology that supports voice, data, and video (mobile broadband).

4G

The fourth generation of digital wireless technology, all-IP with higher data rates, so multimedia is delivered and displayed faster.

802.1Q

The IEEE standard for virtual local-area networks (VLANs).
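The 802.1Q tag is four bytes inserted between the source MAC address and the EtherType: a 16-bit Tag Protocol Identifier (0x8100) followed by a 16-bit Tag Control Information field holding a 3-bit priority (PCP), a 1-bit drop-eligible flag (DEI), and the 12-bit VLAN ID. The parser below is an added example, not code from the book; it builds a few constructed frames, extracts any tags, and also walks 802.1ad stacked tags (TPID 0x88A8, "QinQ"), which the glossary does not cover. The frame bytes, MAC addresses and helper names are all assumptions made for the example.

```python
"""Parse Ethernet II frames and extract IEEE 802.1Q / 802.1ad VLAN tags.

Added example (not from the glossary source). All frames are constructed
in this file so it runs offline.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag (C-TAG)
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (S-TAG), stacked outside a C-TAG
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class VlanTag:
    tpid: int   # Tag Protocol Identifier: 0x8100 or 0x88A8
    pcp: int    # Priority Code Point, 3 bits (802.1p class of service)
    dei: int    # Drop Eligible Indicator, 1 bit
    vid: int    # VLAN Identifier, 12 bits (0 = priority-only tag, 4095 reserved)


@dataclass
class Frame:
    dst: str
    src: str
    tags: List[VlanTag] = field(default_factory=list)  # outermost tag first
    ethertype: int = 0                                  # EtherType of the payload
    payload: bytes = b""


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Walk past every VLAN tag until a non-tag EtherType is reached."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    offset = 12
    tags: List[VlanTag] = []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("truncated EtherType")
        etype = struct.unpack("!H", raw[offset:offset + 2])[0]
        if etype not in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            break
        if len(raw) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", raw[offset + 2:offset + 4])[0]
        tags.append(VlanTag(tpid=etype, pcp=tci >> 13, dei=(tci >> 12) & 1,
                            vid=tci & 0x0FFF))
        offset += 4
    return Frame(dst, src, tags, etype, raw[offset + 2:])


def outer_vid(frame: Frame) -> Optional[int]:
    """VLAN a switch would classify the frame into; None if untagged."""
    return frame.tags[0].vid if frame.tags else None


def build_frame(dst: str, src: str, tags: List[VlanTag],
                ethertype: int, payload: bytes) -> bytes:
    """Inverse of parse_frame; used here only to construct sample input."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for t in tags:
        tci = (t.pcp << 13) | (t.dei << 12) | (t.vid & 0x0FFF)
        out += struct.pack("!HH", t.tpid, tci)
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames (hypothetical addresses and payloads).
DST = "ff:ff:ff:ff:ff:ff"
SRC = "02:00:00:00:00:01"
SAMPLE_UNTAGGED = build_frame(DST, SRC, [], ETHERTYPE_ARP, b"\x00\x01\x08\x00")
SAMPLE_TAGGED = build_frame(DST, SRC, [VlanTag(ETHERTYPE_VLAN, 5, 0, 100)],
                            ETHERTYPE_IPV4, b"\x45\x00\x00\x14")
SAMPLE_QINQ = build_frame(DST, SRC, [VlanTag(ETHERTYPE_QINQ, 0, 0, 200),
                                     VlanTag(ETHERTYPE_VLAN, 0, 0, 100)],
                          ETHERTYPE_IPV4, b"\x45\x00\x00\x14")

if __name__ == "__main__":
    for name, raw in (("untagged", SAMPLE_UNTAGGED), ("tagged", SAMPLE_TAGGED),
                      ("qinq", SAMPLE_QINQ)):
        f = parse_frame(raw)
        print(name, [t.vid for t in f.tags], hex(f.ethertype), outer_vid(f))
```

When auditing switch configuration, the value to compare against the port's allowed VLAN list is `outer_vid`: a switch classifies on the outermost tag only, and the inner tag of a stacked frame is opaque to it until the outer tag is stripped.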

802.2

The IEEE standard for logical link control. (IEEE is Institute of Electrical and Electronics Engineers.)

802.3

The IEEE standard for carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications for Ethernet local-area networks (LANs).

802.4

The IEEE standard for Token bus access method and physical layer specifications for LANs.

802.5

The IEEE standard for Token ring access method and physical layer specifications for LANs.

802.6

The IEEE standard for Distributed queue dual bus access method and physical layer specifications for wired metropolitan-area networks (MANs).

802.11

The IEEE standard for wireless LAN medium access control (MAC) sublayer and physical layer specifications. Stations share the radio medium using carrier sense multiple access with collision avoidance (CSMA/CA).

802.11a

The IEEE standard for WLANs in the 5 GHz band; faster (up to 54 Mbps) than 802.11b but with a shorter range.

802.11b

The IEEE standard for WLANs in the 2.4 GHz band (up to 11 Mbps); inexpensive and popular, with sufficient speed but subject to interference from other 2.4 GHz devices.

802.11e

The IEEE standard for providing quality of service (QoS).

802.11f

The IEEE standard for achieving access point interoperability.

802.11g

The IEEE standard for WLANs in the 2.4 GHz band at up to 54 Mbps; backward compatible with 802.11b equipment.

802.11i

The IEEE standard for providing improved security over wired equivalent privacy (WEP). It defines the robust security network (RSN), with 802.1X-based authentication and AES-CCMP encryption, and is the basis of WPA2.

802.11n

The IEEE standard for improving throughput rates using multiple-input multiple-output (MIMO) antennas and wider channels.

802.11r

The IEEE standard for fast BSS transition, which reduces the time a station loses connectivity when roaming between access points.

802.11t

The IEEE recommended practice for wireless performance prediction: test methods and metrics for measuring 802.11 performance.

802.11w

The IEEE standard for protected management frames, providing data integrity, data origin authenticity, replay protection, and data confidentiality for 802.11 management frames, which 802.11i left unprotected.

802.15

The IEEE standard for wireless personal-area networks (e.g., Bluetooth).

802.16

The IEEE standard for the air interface of fixed broadband wireless access systems such as wireless MANs (commercialized as WiMAX).

A

Abstraction

(1) A technique related to stepwise refinement and modularity of computer programs: details are hidden behind a simpler interface. (2) It is applied in levels, with high-level abstraction dealing with system and program requirements and low-level abstraction dealing with programming details.

Access

(1) The ability to make use of any information system (IS) or information technology (IT) resources. (2) The ability to do something with information in a computer. (3) Access refers to the technical ability to do something (e.g., read, create, modify, or delete a file or execute a program).

Acceptable level of risk

A judicious and carefully considered assessment that an IT activity or network meets the minimum requirements of applicable security directives. The assessment should take into account the value of IT assets, threats and vulnerabilities, countermeasures and their efficacy in compensating for vulnerabilities, and operational requirements.

Acceptable risk

A level of risk that responsible management accepts because the cost and effort of implementing further controls outweigh the expected reduction in loss.

Access aggregation

Combines access permissions, either in one system or across multiple systems, for system-user or end-user convenience and efficiency and to eliminate duplicate and unnecessary work. Access aggregation can be achieved through single sign-on (SSO), reduced sign-on (RSO), or other methods. Note that aggregated access must stay within a user's authorized access rights, privileges, and permissions and cannot exceed them, because the alternative is "authorization creep," which is a major risk. The access aggregation process must meet the following requirements:

Support for the separation of duty concept to avoid conflict of interest situations (administrative)

Support for the principles of least privilege and elimination of authorization creep through reauthorization

Support for the controlled inheritance of access privileges

Support for safety through access constraint models such as static and dynamic separation of duties (technical)