Which security architecture model is part of a larger series of standards collectively referred to as the Rainbow Series?


June 11, 2021, Expert Answers

Question:

Which security architecture model is part of a larger series of standards collectively referred to as the “Rainbow Series”?

Bell-LaPadula

ITSEC

TCSEC

Common Criteria

Expert Answer:

Step 1

TCSEC security architecture model:

  • It is an acronym for the Trusted Computer System Evaluation Criteria.
  • It belongs to a larger series of standards, which are generally referred to as the “Rainbow


test bank MANAGEMENT of INFORMATION SECURITY, Fifth Edition


Name: Class: Date: Chapter 08 - Security Management Models. Copyright Cengage Learning. Powered by Cognero.

1. A security blueprint is the outline of the more thorough security framework. a. True b. False
   ANSWER: True
2. Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties. a. True b. False
   ANSWER: False
3. Lattice-based access control specifies the level of access each subject has to each object, if any. a. True b. False
   ANSWER: True
4. Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world. a. True b. False
   ANSWER: False
5. Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure. a. True b. False
   ANSWER: False
6. In information security, a framework or security model customized to an organization, including implementation details, is known as a floorplan. ____________
   ANSWER: False - blueprint
7. The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties. ____________
   ANSWER: False - separation
8. In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls is known as a blueprint. ____________
   ANSWER: False - framework
9. A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls; in other words, it mediates all access to objects by subjects. ____________
   ANSWER: False - reference
10. The Information Technology Infrastructure Library (ITIL) is a collection of policies and practices for managing the development and operation of IT infrastructures. ____________
   ANSWER: False - methods
11. A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access. ____________
   ANSWER: True
12. Dumpster delving is an information attack that involves searching through a target organization’s trash and recycling bins for sensitive information. ____________
   ANSWER: False - diving
13. In a lattice-based access control, a restriction table is the row of attributes associated with a particular subject (such as a user). ____________
   ANSWER: False - capabilities
14. The principle of limiting users’ access privileges to the specific information required to perform their assigned tasks is known as need-to-know. ____________
   ANSWER: True
15. The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege. ____________
   ANSWER: False - least
16. Which of the following is a generic blueprint offered by a service organization which must be flexible, scalable, robust, and detailed? a. framework b. security model c. security standard d. both A & B are correct
   ANSWER: d
17. Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary? a. need-to-know b. eyes only c. least privilege d. separation of duties
   ANSWER: c
18. Which access control principle limits a user’s access to the specific information required to perform the currently assigned task? a. need-to-know b. eyes only c. least privilege d. separation of duties
   ANSWER: a
19. Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle? a. Discretionary access controls b. Task-based access controls c. Security clearances d. Sensitivity levels
   ANSWER: c
20. Controls that remedy a circumstance or mitigate damage done during an incident are categorized as which of the following? a. preventative b. deterrent c. corrective d. compensating
   ANSWER: c
21. Which of the following is NOT a category of access control? a. preventative b. mitigating c. deterrent d. compensating
   ANSWER: b
22. Which control category discourages an incipient incident? a. preventative b. deterrent c. remitting d. compensating
   ANSWER: b
23. Which of the following is NOT one of the three levels in the U.S. military data classification scheme for National Security Information? a. confidential b. secret c. top secret d. for official use only
   ANSWER: d
24. Which type of access controls can be role-based or task-based? a. constrained b. content-dependent c. nondiscretionary d. discretionary
   ANSWER: c
25. Under lattice-based access controls, the column of attributes associated with a particular object (such as a printer) is referred to as which of the following? a. access control list b. capabilities table c. access matrix d. sensitivity level
   ANSWER: a
26. In which form of access control is access to a specific set of information contingent on its subject matter? a. content-dependent access controls b. constrained user interfaces c. temporal isolation d. None of these
   ANSWER: a
27. A time-release safe is an example of which type of access control? a. content-dependent b. constrained user interface c. temporal isolation d. nondiscretionary
   ANSWER: c
28. Which security architecture model is part of a larger series of standards collectively referred to as the “Rainbow Series”? a. Bell-LaPadula b. TCSEC c. ITSEC d. Common Criteria
   ANSWER: b
29. Which piece of the Trusted Computing Base's security system manages access controls? a. trusted computing base b. reference monitor c. covert channel d. verification module
   ANSWER: b
30. Under the Common Criteria, which term describes the user-generated specifications for security requirements? a. Target of Evaluation (ToE) b. Protection Profile (PP) c. Security Target (ST) d. Security Functional Requirements (SFRs)
   ANSWER: b
31. Which security architecture model is based on the premise that higher levels of integrity are more worthy of trust than lower ones? a. Clark-Wilson b. Bell-LaPadula c. Common Criteria d. Biba
   ANSWER: d
32. Which of the following is NOT a change control principle of the Clark-Wilson model? a. No changes by unauthorized subjects b. No unauthorized changes by authorized subjects c. No changes by authorized subjects without external validation d. The maintenance of internal and external consistency
   ANSWER: c
33. Which of the following is the primary purpose of ISO/IEC 27001:2005? a. Use within an organization to formulate security requirements and objectives b. Implementation of business-enabling information security c. Use within an organization to ensure compliance with laws and regulations d. To enable organizations that adopt it to obtain certification
   ANSWER: d
34. Which of the following provides advice about the implementation of sound controls and control objectives for InfoSec, and was created by ISACA and the IT Governance Institute? a. COBIT b. COSO c. NIST d. ISO
   ANSWER: a
35. The COSO framework is built on five interrelated components. Which of the following is NOT one of them? a. Control environment b. Risk assessment c. Control activities d. InfoSec Governance
   ANSWER: d
36. To design a security program, an organization can use a(n) ____________________, which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.
   ANSWER: security model
37. ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n) ____________________.
   ANSWER: information security management systems ISMS
38. The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.
   ANSWER: need to know need-to-know
39. ____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system, and include storage and timing channels.
   ANSWER: Covert
40. In the COSO framework, ___________ activities include those policies and procedures that support management directives.
   ANSWER: control
41. Access controls are built on three key principles. List and briefly define them.
   ANSWER:
   • Least privilege: The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
   • Need-to-know: Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function.
   • Separation of duties: A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion.
42. There are seven access control methodologies categorized by their inherent characteristics. List and briefly define them.
   ANSWER:
   • Directive: Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization.
   • Deterrent: Discourages or deters an incipient incident; an example would be signs that indicate video monitoring.
   • Preventative: Helps an organization avoid an incident; an example would be the requirement for strong authentication in access controls.
   • Detective: Detects or identifies an incident or threat when it occurs; for example, anti-malware software.
   • Corrective: Remedies a circumstance or mitigates damage done during an incident; for example, changes to a firewall to block the recurrence of a diagnosed attack.
   • Recovery: Restores operating conditions back to normal; for example, data backup and recovery software.
   • Compensating: Resolves shortcomings; such as requiring the use of encryption for transmission of classified data over unsecured networks.
43. Lattice-based access controls use a two-dimensional matrix to assign authorizations. What are the two dimensions and what are they called?
   ANSWER: Lattice-based access control specifies the level of access each subject has to each object, if any. With this type of control, the column of attributes associated with a particular object (such as a printer) is referred to as an access control list (ACL). The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table.
44. What are the two primary access modes of the Bell-LaPadula model and what do they restrict?
   ANSWER: BLP access modes can be one of two types: simple security and the * (star) property. Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (no read up). The * property (the write property), on the other hand, prohibits a high-level subject from sending messages to a lower-level object. In short, subjects can read down and objects can write or append up (no write down).
45. What are the five principles that are focused on the governance and management of IT as specified by COBIT 5?
   ANSWER:
   • Principle 1: Meeting Stakeholder Needs
   • Principle 2: Covering the Enterprise End-to-End
   • Principle 3: Applying a Single, Integrated Framework
   • Principle 4: Enabling a Holistic Approach
   • Principle 5: Separating Governance From Management
46. According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in what three categories?
   ANSWER:
   • Effectiveness and efficiency of operations
   • Reliability of financial reporting
   • Compliance with applicable laws and regulations
47. One approach used to categorize access control methodologies categorizes controls based on their operational impact on the organization. What are these categories as described by NIST?
   ANSWER:
   • Management
   • Operational (or administrative)
   • Technical
48. What is the data classification for information deemed to be National Security Information for the U.S. military as specified in 2009 in Executive Order 13526?
   ANSWER: For most information, the U.S. military uses a three-level classification scheme for information deemed to be National Security Information (NSI), as defined in Executive Order 12958 in 1995 and Executive Order 13526 in 2009. Here are the classifications along with descriptions from the document: Sec. 1.2. Classification Levels. (a) Information may be classified at one of the following three levels:
   1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.
   2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.
   3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.
49. When copies of classified information are no longer valuable or too many copies exist, what steps should be taken to destroy them properly? Why?
   ANSWER: When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly, usually after double signature verification. Documents should be destroyed by means of shredding, burning, or transfer to a service offering authorized document destruction. Policy should ensure that no classified information is inappropriately disposed of in trash or recycling areas. Otherwise, people who engage in dumpster diving, the retrieval of information from refuse or recycling bins, may compromise the security of the organization’s information assets.
50. Under what circumstances should access controls be centralized vs. decentralized?
   ANSWER: One area of discussion among practitioners is whether access controls should be centralized or decentralized. A collection of users with access to the same data typically has a centralized access control authority, even under a DAC model. The level of centralization appropriate to a given situation varies by organization and the type of information protected. The less critical the protected information, the more controls tend to be decentralized. When critical information assets are being protected, the use of a highly centralized access control toolset is indicated.

Matching (questions 51 to 60): a. blueprint b. DAC c. content-dependent access controls d. rule-based access controls e. separation of duties f. sensitivity levels g. storage channels h. task-based controls i. timing channels j. TCB

51. Controls access to a specific set of information based on its content.
   ANSWER: c
52. A TCSEC-defined covert channel, which transmits information by managing the relative timing of events.
   ANSWER: i
53. Ratings of the security level for a specified collection of information (or user) within a mandatory access control scheme.
   ANSWER: f
54. A framework or security model customized to an organization, including implementation details.
   ANSWER: a
55. A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.
   ANSWER: h
56. Within TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
   ANSWER: j
57. Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.
   ANSWER: e
58. Controls implemented at the discretion or option of the data user.
   ANSWER: b
59. One of the TCSEC’s covert channels, which communicate by modifying a stored object.
   ANSWER: g
60. Access is granted based on a set of rules specified by the central authority.
   ANSWER: d

Which piece of the Trusted Computing Base's security system manages access controls?

(T/F) A security monitor is a conceptual piece of the system within the trusted computer base that manages access controls; in other words, it mediates all access to objects by subjects.

What is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of security controls?

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including InfoSec policies, security education and training programs, and technological controls. Also known as a security model.

What is the information security principle that requires significant tasks to be split up so that more than 1 individual is required to complete them?

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

Which is a generic outline of the more thorough and organization-specific blueprint?

A security blueprint is the outline of the more thorough security framework.