109. The major reason for using compensating security controls for an information system is in lieu of which of the following?
a. Prescribed controls
b. Management controls
c. Operational controls
d. Technical controls
109. a. Compensating security controls are the management, operational, or technical controls used by an organization, which are implemented in lieu of prescribed controls in the low, moderate, or high security control baselines. All these controls provide equivalent or comparable protection for an information system.
110. Which of the following is not a part of operational controls as they relate to system security controls?
a. Access controls
b. Contingency planning controls
c. Incident response controls
d. Physical security controls
110. a. Access control, along with identification and authentication, and audit and accountability, is part of the technical controls. Contingency planning controls are incorrect because they are part of the operational controls. Incident response controls are incorrect because they are part of the operational controls. Physical security controls are incorrect because they are part of the operational controls.
111. The process of selecting the appropriate security controls and applying the system security scoping guidance is to achieve which of the following?
a. Reasonable security
b. Adequate security
c. Normal security
d. Advanced security
111. b. Adequate security is defined as security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. The process of selecting the appropriate security controls and applying the scoping guidelines to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization. Note that adequate security is more than reasonable or normal security and less than advanced security.
112. Which of the following is not an example of a common security control?
a. Access control
b. Management control
c. Operational control
d. Hybrid control
112. a. Security controls not designated as common controls are considered system-specific controls and are the responsibility of the information system owner. For example, access control is a part of technical control and is a system-specific control. Many of the management and operational controls needed to protect an information system may be excellent candidates for common security control status. Common security controls reduce security costs when they are centrally managed in terms of development, implementation, and assessment. Hybrid controls contain both common and system-specific controls.
113. Which of the following determines the adequacy of security in a software product?
1. How a product is tested
2. How a product is evaluated
3. How a product is applied in relation to other systems
4. How a product is developed in relation to other systems
a. 1 only
b. 2 only
c. 3 and 4
d. 1, 2, 3, and 4
113. c. The way in which a software product is developed, integrated, and applied to other system components affects the adequacy of its security.
Even when a product successfully completes a formal security evaluation, it may contain vulnerabilities (e.g., buffer overflow problems). Using a tested and evaluated software product does not necessarily ensure a secure and adequate operational environment.
114. Which of the following items is not a replacement for the other three items?
a. Enabling system logs
b. Conducting formal audits
c. Reviewing system logs manually
d. Reviewing system logs automatically
114. b. Formal audits, although conducted periodically, are useful, but they are not a replacement for day-to-day management of the security status of a system. Enabling system logs and reviewing their contents manually or through automated report summaries can sometimes be the best means of uncovering unauthorized behavior of people and systems and detecting security problems. The critical point here is that day-to-day management is more timely and effective than periodic audits, which could come too late.
115. Minimal functionality in an application system relates to which of the following security principles?