Domain 5

Cryptography

Traditional Questions, Answers, and Explanations

1. For security protection mechanisms for cryptographic data in storage, backup, and archives, the storage of keying material is a part of which of the following cryptographic services?

a. Confidentiality

b. Availability

c. Integrity

d. Labels

1. b. The availability service for data in storage deals with backup and archive storage. During a key’s crypto-period, keying material (i.e., keys and initialization vectors) should be stored in both normal operational storage and in backup storage. After the end of a key’s crypto-period, keying material should be placed in archive storage. The other three choices do not deal with backup and archive storage.

2. Which of the following is referred to when two cryptographic key component holders manage the process of handling the two components of a cryptographic key?

a. Key list

b. Key escrow

c. Key loader

d. Key exchange

2. b. In general, escrow is something (for example, a document or an encryption key) that is delivered to a third party to be given to the grantee only upon the fulfillment of a predefined condition (i.e., a grantor and grantee relationship with a third party in the middle). Key escrow is the process of managing (for example, generating, storing, transferring, and auditing) the two components of a cryptographic key by two component holders. Key components are the two values from which a key can be derived. A key escrow system entrusts the two components comprising a cryptographic key (for example, a device-unique key) to two key component holders (also called escrow agents).
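The following is an added example, not code from the book, showing the two-component key escrow arrangement described in the explanation above. It assumes an XOR split (the book does not specify how the components are derived): one component is uniformly random, so neither component holder alone learns anything about the key, and recovery requires both holders to release their component. The names `split_key`, `combine_components`, `EscrowAgent` and `recover_key` are hypothetical helpers written for this illustration.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

# Added example (not from the book): a two-component key escrow scheme.
# Assumption: components come from an XOR split, so each component alone is a
# uniformly random string that reveals nothing about the escrowed key.


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Derive two key components whose XOR is the original key."""
    if not key:
        raise ValueError("key must not be empty")
    component_1 = secrets.token_bytes(len(key))               # random mask
    component_2 = bytes(k ^ c for k, c in zip(key, component_1))
    return component_1, component_2


def combine_components(component_1: bytes, component_2: bytes) -> bytes:
    """Reconstruct the key; fail closed if the components do not match in length."""
    if len(component_1) != len(component_2):
        raise ValueError("key components have different lengths")
    return bytes(a ^ b for a, b in zip(component_1, component_2))


@dataclass
class EscrowAgent:
    """One key component holder. Every release request is recorded for audit."""
    name: str
    component: bytes
    audit_log: list[tuple[str, bool]] = field(default_factory=list)

    def release(self, request_id: str, authorized: bool) -> bytes:
        # Log both granted and refused requests so the audit trail is complete.
        self.audit_log.append((request_id, authorized))
        if not authorized:
            raise PermissionError(f"{self.name} refused request {request_id}")
        return self.component


def recover_key(agent_a: EscrowAgent, agent_b: EscrowAgent,
                request_id: str, auth_a: bool, auth_b: bool) -> bytes:
    """Recover the escrowed key only when both holders release their component."""
    part_a = agent_a.release(request_id, auth_a)
    part_b = agent_b.release(request_id, auth_b)
    return combine_components(part_a, part_b)


def demo() -> bytes:
    """Escrow a constructed 256-bit key with two holders and recover it."""
    key = secrets.token_bytes(32)                              # constructed key
    c1, c2 = split_key(key)
    holder_1 = EscrowAgent("holder-1", c1)
    holder_2 = EscrowAgent("holder-2", c2)
    recovered = recover_key(holder_1, holder_2, "REQ-0001", True, True)
    if recovered != key:
        raise RuntimeError("escrow recovery failed")
    return recovered


if __name__ == "__main__":
    demo()
```

A refusal by either holder aborts recovery and still leaves an entry in that holder's audit log, which is the auditing property the explanation attributes to a key escrow system.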
