127. c. The action item “Base security on open standards for portability and interoperability” is a part of the ease-of-use security principle. The other three choices are part of the reduce vulnerabilities security principle.
128. Which of the following security controls are needed to protect digital and nondigital media during their transport?
1. Cryptography
2. Physical security controls
3. Locked storage container
4. Procedural security controls
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
128. d. Both digital and nondigital media should be protected during transport outside controlled areas with cryptography (encryption), physical security controls, locked storage containers, and procedural security controls (for example, documenting who had custody of the media while it was in transit). Encryption applies only to the digital media; nondigital media such as paper depend entirely on the physical and procedural controls.
129. Information system partitioning is a part of which of the following protection strategies?
a. Defense-in-breadth
b. Defense-in-depth
c. Defense-in-technology
d. Defense-in-time
129. b. Using a defense-in-depth protection strategy, an information system can be partitioned into components residing in separate physical domains or environments to ensure safe and secure operations. It integrates people, technology, and operations to establish variable barriers across multiple layers and multiple functions.
A defense-in-breadth strategy is used to identify, manage, and reduce the risk of exploitable vulnerabilities at every stage of the system, network, or product life cycle. A defense-in-technology strategy uses compatible technology platforms, and a defense-in-time strategy considers the different time zones in which a global information system operates.
130. Which of the following creates several independent demilitarized zones (DMZs) on a network?
a. Multiple encryption methods
b. Multihomed firewalls
c. Multiple-chip cryptographic modules
d. Multilayered switches
130. b. Multihomed firewalls have more than one network interface card (NIC), so a single firewall can create several independent demilitarized zones (DMZs) and provide multiple lines-of-defense: one interface faces the Internet (public network), one or more interfaces each face a separate DMZ segment, and another interface faces the internal company network (i.e., intranet). Because traffic between any two interfaces must pass through the firewall's rule set, each DMZ can be isolated from the other DMZs and from the intranet. The other three choices do not have the capability to create several independent DMZs on a network.
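The following is an added example, not material from the question bank, showing how a multihomed firewall's interfaces map onto zones and how a first-match rule set keeps two DMZ segments independent of each other and of the intranet. The interface names (eth0 to eth3), zone names, ports and rules are constructed assumptions; the model also includes a check that no rule lets one DMZ initiate traffic into the other.

```python
"""Zone policy for a multihomed firewall carrying two independent DMZs.

Added example, not material from the question bank. The interface names,
zone names, ports and rules below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# One NIC per zone: the separate interfaces are what make separate DMZs possible.
INTERFACE_ZONE = {
    "eth0": "internet",  # public network
    "eth1": "dmz-web",   # first DMZ: public web servers
    "eth2": "dmz-mail",  # second DMZ: inbound mail relay
    "eth3": "intranet",  # internal company network
}
DMZ_ZONES = {z for z in INTERFACE_ZONE.values() if z.startswith("dmz-")}


@dataclass(frozen=True)
class Rule:
    src_zone: str         # "*" matches any zone
    dst_zone: str
    proto: str            # "tcp", "udp" or "*"
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"


# First match wins; anything unmatched falls through to DEFAULT_ACTION.
RULES = [
    Rule("internet", "dmz-web", "tcp", 443, "accept"),
    Rule("internet", "dmz-web", "tcp", 80, "accept"),
    Rule("internet", "dmz-mail", "tcp", 25, "accept"),
    Rule("dmz-web", "intranet", "tcp", 5432, "accept"),  # web tier may reach the internal DB only
    Rule("dmz-mail", "intranet", "tcp", 25, "accept"),   # relay may hand mail to the internal server
    Rule("intranet", "*", "*", None, "accept"),          # internal users may initiate anything outbound
]
DEFAULT_ACTION = "drop"


def zone_of(ifname):
    try:
        return INTERFACE_ZONE[ifname]
    except KeyError:
        raise ValueError(f"unknown interface {ifname!r}") from None


def _matches(rule, src, dst, proto, dport):
    return (rule.src_zone in ("*", src) and rule.dst_zone in ("*", dst)
            and rule.proto in ("*", proto) and rule.dport in (None, dport))


def decide(in_if, out_if, proto, dport):
    """Policy decision for a new connection forwarded from in_if to out_if.
    Replies to accepted connections would be handled by connection tracking,
    which this model leaves out."""
    src, dst = zone_of(in_if), zone_of(out_if)
    for rule in RULES:
        if _matches(rule, src, dst, proto, dport):
            return rule.action
    return DEFAULT_ACTION


def cross_dmz_accepts():
    """Rules that would let one DMZ initiate traffic into another DMZ.
    An empty result means the DMZs are independent of each other."""
    return [r for r in RULES
            if r.action == "accept"
            and (r.src_zone == "*" or r.src_zone in DMZ_ZONES)
            and (r.dst_zone == "*" or r.dst_zone in DMZ_ZONES)]


if __name__ == "__main__":
    for pkt in [("eth0", "eth1", "tcp", 443), ("eth1", "eth2", "tcp", 25),
                ("eth1", "eth3", "tcp", 445), ("eth3", "eth0", "tcp", 443)]:
        print(pkt, "->", decide(*pkt))
    print("cross-DMZ accept rules:", cross_dmz_accepts())
```

The point of the default-drop ordering is that a DMZ host which is compromised from the Internet gains only the explicitly listed paths (here, one database port and one mail port into the intranet), and nothing at all into the other DMZ.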
131. Entrapment techniques against attacks by outsiders act as which of the following?
a. First line-of-defense
b. Second line-of-defense
c. Last line-of-defense
d. Multiple lines-of-defense
131. a. Entrapment techniques provide a first line-of-defense against attacks by outsiders by presenting fake data and systems (decoys, honeypots, and honeynet systems) that have no legitimate use, so any interaction with them reveals an attacker before real assets are touched. Lines-of-defense are security mechanisms for limiting and controlling access to and use of computer system resources. They exercise a directing or restraining influence over the behavior of individuals and the content of computer systems.
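As an added example (not from the question bank) of the "fake data" form of entrapment, the block below plants decoy API keys that are never issued to any real client and then scans request logs for them. The key format, the log line layout and the sample log lines are constructed assumptions; a real deployment would plant the decoys in places an intruder would look (configuration files, backup shares, repositories) and feed the detector from the real access logs.

```python
"""Decoy credentials (honeytokens) as a tripwire: any use of one is an alert.

Added example, not material from the question bank. The key format, log
layout and sample lines are constructed assumptions.
"""
import re
import secrets

# Registry of planted decoys: token -> where it was planted.
_PLANTED = {}

# Constructed log layout: "... src=<ip> path=<url> key=<api key> status=<code>"
TOKEN_RE = re.compile(r"key=(AK[0-9A-F]{28})")
SRC_RE = re.compile(r"src=([0-9a-fA-F:.]+)")


def plant(location):
    """Create a decoy key that looks like a real one and record where it lives.
    Because it is never handed to a legitimate client, a request carrying it
    can only come from someone who found it where it was planted."""
    token = "AK" + secrets.token_hex(14).upper()
    _PLANTED[token] = location
    return token


def scan(log_lines):
    """Return one alert per log line that presents a planted decoy.
    Lines with real keys or no key at all are left alone: the tripwire
    only fires on the fake data."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        m = TOKEN_RE.search(line)
        if not m or m.group(1) not in _PLANTED:
            continue
        src = SRC_RE.search(line)
        alerts.append({
            "line": n,
            "source": src.group(1) if src else "unknown",
            "planted_at": _PLANTED[m.group(1)],
            "token": m.group(1),
        })
    return alerts


def demo():
    """Plant one decoy in a constructed location and scan constructed log lines."""
    decoy = plant("backup-share/app/.env")
    real_key = "AK" + "0" * 28  # stands in for a legitimately issued key
    lines = [
        f"2024-05-01T10:00:01Z src=198.51.100.4 path=/v1/orders key={real_key} status=200",
        f"2024-05-01T10:02:13Z src=203.0.113.9 path=/v1/export key={decoy} status=401",
        "2024-05-01T10:03:00Z src=203.0.113.9 path=/ status=200",
    ]
    return scan(lines)


if __name__ == "__main__":
    for alert in demo():
        print(f"line {alert['line']}: decoy planted at {alert['planted_at']} "
              f"used from {alert['source']}")
```

Note that the decoy is rejected by the real service (status 401 in the constructed line) but still produces an alert, which is the whole value of the technique: the attacker learns nothing useful, while the defender learns both that the planting location was reached and which source address reached it.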
132. Which of the following is not a component of a system’s architecture?
a. Functional
b. Technical
c. Physical
d. Mechanical
132. d. A system’s architecture defines the critical attributes of an organization’s collection of information systems in both business/functional and technical/physical terms. Mechanical is not included.
133. Which of the following can represent a single point-of-failure for host applications?
a. Cloud computing
b. Smart grid computing
c. Utility computing
d. Quantum computing
133. a. Cloud computing, which is a form of distributed computing, can become a single point-of-failure for the applications hosted there when cloud storage services, network devices, or database clusters fail, or when a network upgrade disrupts service. In such situations, the services of a second cloud provider could be used to back up data processed by the primary (first) provider, so that during a prolonged disruption or serious disaster at the primary site the data remains available for immediate resumption of critical operations. Note that both the user's data and essential security services may reside in and be managed within the network cloud, so the backup arrangement must cover both.
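The following is an added example, not material from the question bank, of the second-provider arrangement described above: every write is mirrored to two providers, a digest of what was written is kept outside both, and reads fall back to the secondary when the primary is unavailable or returns data that no longer matches the digest. The two providers are in-memory stand-ins and the object names and contents are constructed.

```python
"""Mirroring data to a second provider and failing over on read.

Added example, not material from the question bank. The providers are
in-memory stand-ins; object names and contents are constructed.
"""
import hashlib


class ProviderDown(Exception):
    """Raised when a provider cannot be reached."""


class ObjectStore:
    """Minimal stand-in for one cloud provider's object storage."""

    def __init__(self, name):
        self.name = name
        self.objects = {}
        self.available = True

    def put(self, key, data):
        if not self.available:
            raise ProviderDown(self.name)
        self.objects[key] = bytes(data)

    def get(self, key):
        if not self.available:
            raise ProviderDown(self.name)
        return self.objects[key]


def digest(data):
    return hashlib.sha256(data).hexdigest()


class MirroredStore:
    """Writes go to both providers; reads prefer the primary and fall back to
    the secondary if the primary is down, lacks the object, or returns data
    whose digest differs from what was written. The digests are held here,
    outside both providers, so neither one can silently corrupt the copy."""

    def __init__(self, primary, secondary):
        self.primary = primary
        self.secondary = secondary
        self._digests = {}

    def put(self, key, data):
        """Store the object on both providers. Returns the names of providers
        that missed the write so the caller can re-sync them later; raises
        only if neither provider accepted the data."""
        missed = []
        for provider in (self.primary, self.secondary):
            try:
                provider.put(key, data)
            except ProviderDown:
                missed.append(provider.name)
        if len(missed) == 2:
            raise ProviderDown("both providers")
        self._digests[key] = digest(data)
        return missed

    def get(self, key):
        """Return (data, provider_name) from the first provider whose copy is
        both reachable and intact."""
        expected = self._digests[key]
        last_error = None
        for provider in (self.primary, self.secondary):
            try:
                data = provider.get(key)
            except (ProviderDown, KeyError) as exc:
                last_error = exc
                continue
            if digest(data) == expected:
                return data, provider.name
            last_error = ValueError(f"{provider.name}: digest mismatch for {key}")
        raise last_error


if __name__ == "__main__":
    store = MirroredStore(ObjectStore("primary"), ObjectStore("secondary"))
    store.put("ledger.csv", b"2024-05-01,invoice-17,250.00\n")
    store.primary.available = False
    print(store.get("ledger.csv"))
```

The list returned by put is the part that matters operationally: a write that reached only one provider leaves the data with a single point-of-failure again until the other copy is repaired, so that condition should be tracked rather than ignored.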