File protection rules are designed to inhibit unauthorized access, modification, and deletion of a file. The access granularity principle states that protection at the data file level is considered coarse granularity, whereas protection at the data field level is considered finer granularity. Both strengthen security practices.

The objectives of trans-border data flow and data privacy laws are to protect personal data from unauthorized disclosure, modification, and destruction. Trans-border data flow is the transfer of data across national borders. Privacy refers to the social balance between an individual's right to keep information confidential and the societal benefit derived from sharing information. Both strengthen security practices.

21. Which of the following is not a major purpose of information system security plans?

a. Describe major application systems.

b. Define the security requirements.

c. Describe the security controls.

d. Delineate the roles and responsibilities.

21. a. The information security plan should reflect inputs from various managers with responsibilities concerning the system. Major applications are described when defining security boundaries of a system, meaning boundaries are established within and around application systems.

The major purposes of the information system security plan are to (i) provide an overview of the security requirements of the system, (ii) describe the security controls in place or planned for meeting those requirements, (iii) delineate the roles and responsibilities, and (iv) define the expected behavior of all individuals who access the system.

22. The information system security plan is an important deliverable in which of the following processes?

a. Configuration management

b. System development life cycle

c. Network monitoring

d. Continuous assessment

22. b. The information system security plan is an important deliverable in the system development life cycle (SDLC) process. Those responsible for implementing and managing information systems must participate in addressing security controls to be applied to their systems. The other three choices are examples of ongoing information security program monitoring activities.

23. Which of the following approves the system security plan prior to the security certification and accreditation process?

a. Information system owner

b. Program manager

c. Information system security officer

d. Business owner

23. c. Prior to the security certification and accreditation process, the information system security officer (the authorizing official, independent from the system owner) typically approves the security plan. In addition, some systems may contain sensitive information after the storage media is removed. If there is a doubt whether sensitive information remains on a system, the information system security officer should be consulted before disposing of the system because the officer deals with technical aspects of a system. The information system owner is also referred to as the program manager and business owner.

24. Which of the following is the key factor in the development of the security assessment and authorization policy?

a. Risk management

b. Continuous monitoring

c. Testing the system

d. Evaluating the system

24. a. An organization’s risk management strategy is the key factor in the development of the security assessment and authorization policy. The other three choices are part of the purpose of assessing the security controls in an information system.

25. Which of the following is a prerequisite for developing an information system security plan?

1. Security categorization of a system

2. Analysis of impacts

3. Grouping of general support systems

4. Labeling of major application systems

a. 1 and 4

b. 2 and 3

c. 1 and 2

d. 3 and 4

25. c. Before the information system security plan can be developed, the information system and the data/information resident within that system must be categorized based on impact analysis (i.e., low, medium, or high impact). Then a determination can be made as to which systems in the inventory can be logically grouped into general support systems or major application systems.

26. Which of the following defines security boundaries for an information system?

1. Information

2. Personnel

3. Equipment

4. Funds

a. 1 only

b. 1 and 2

c. 1 and 3
