Under the Bell-LaPadula model, the ____ property prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level.
simple security
Need to know limits a user's access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function.
True
Under the Clark-Wilson model, internal consistency means that the system is consistent with similar data in the outside world.
True
____________________ access controls are required and are structured and coordinated within a data classification scheme that rates each collection of information as well as each user.
Mandatory
Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
False
A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion is known as ____.
separation of duties
____ controls cover security processes that are designed by the strategic planners and executed by security administrators.
Management
The primary objective of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private-sector initiative formed in 1985, is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce it.
True
BS 7799 Part 2 and ISO 27001 implement the components of BS 7799 Part 1 and ISO 17799 using a(n) ____________________ cycle.
Plan-Do-Check-Act
Operational controls cover security processes designed by strategic planners, are integrated into the organization's management practices and are routinely used by security administrators to design, implement and monitor other control systems.
False
Controls that are structured and coordinated within a data classification scheme that rates each collection of information as well as each user are called ____.
mandatory access controls
The ___ or Chinese Wall model is designed to prevent a conflict of interest between two parties.
Brewer-Nash
Under the Bell-LaPadula model, the ____ property prohibits a high-level subject from sending messages to a lower-level object. In short, subjects can read down and objects can write or append up.
star (*)
____ access controls are determined by a central authority and can be based on roles or tasks.
Nondiscretionary
The personnel security ____________________ structure assigns each user of an information asset an authorization level that identifies the level of information classification he or she can access.
clearance
____________________ controls restore operating conditions back to normal.
Recovery
____ provides a library of Special Publications that includes Generally Accepted Principles and Practices for Securing IT Systems.
NIST
The objective of COBIT is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence.
False
Which of the following is NOT a change control principle of the Clark-Wilson model?
No changes by authorized subjects without external validation
The major process steps in the ISO 27000 series include Plan-Do-Check-Act.
True
Controls that remedy a circumstance or mitigate damage done during an incident are called ____.
Corrective
ISO/IEC 27001's primary purpose is to enable organizations that adopt it to obtain ____________________, and thus the standard makes a better assessment tool than an implementation framework.
Certification
Preventative controls discourage or deter an incipient incident.
False
Controls that discourage an incipient incident are called ____.
deterrent
Which of the following is not an element of the Clark-Wilson model?
Internal consistency validation items
One discretionary model is ____________________-based access controls, in which access is granted based on a set of mandates specified by the central authority.
rule
The COSO framework is built on five interrelated components. Which of the following is NOT one of them?
Information management
COBIT is an IT ____________________ framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.
governance
In rule-based access controls, access is granted based on a set of rules which may be specified by an individual user.
True
The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties is known as ____.
least privilege
____________________-based access controls assign users a matrix of authorizations for particular areas of access, and contain subjects and objects, with the boundaries associated with each subject/object pair clearly demarcated.
Lattice
____________________ is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.
least privilege
Access control in which access to a specific set of information depends on its subject matter is called ____.
content-dependent access controls
According to COSO, a(n) ____ is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of the objectives.
internal control
A(n) ____________________ is the outline of an information security blueprint.
framework
ITSEC is the international equivalent set of criteria for evaluating computer systems, and is very similar to the TCSEC.
True
Lattice-based access control assigns users a matrix of authorizations for particular areas of access.
False
The Graham-Denning model most closely represents which of the following access control models?
Lattice-based access controls
The Biba model is a state machine model that helps ensure the confidentiality of an information system by means of MACs, data classification, and security clearances.
False
In the ____________________ confidentiality model, rules prevent information from being moved from a level of higher security to a level of lower security.
Bell-LaPadula
An Automated Teller Machine (ATM) is an example of ____.
constrained user interfaces
The trusted computer base is the piece of the system that manages access controls under TCSEC.
False
Discretionary controls are determined by a central authority in the organization.
True
____ helps organizations comply with critical regulations like the Sarbanes-Oxley Act of 2002.
COSO
One discretionary model is ____, in which access is granted based on a set of rules specified by the central authority.
rule-based access controls
Nondiscretionary controls can be based on roles or on a specified set of ____.
tasks
Under the Biba model, the ____ property permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object.
integrity star (*)
The Clark-Wilson model, designed for commercial environments is a(n) ____ model.
integrity
Under TCSEC, the ____ is the piece of the system that manages access controls; in other words, it mediates all access to objects by subjects.
reference monitor
Under the Biba model, the ____ property permits a subject to have read access to an object only if the security level of the subject is either lower or equal to the level of the object.
simple integrity