217. a. In particular, the Common Criteria (CC) addresses some aspects of physical protection. CC does not contain security evaluation criteria pertaining to administrative security measures not related directly to the IT security functionality. CC does not cover the evaluation of technical physical aspects of IT security such as electromagnetic emanation control. CC does not cover the inherent qualities of cryptographic algorithms.
218. Which of the following requires that all users must have formal access approval?
a. Compartmented security mode
b. System-high security mode
c. Controlled mode
d. Limited access mode
218. b. The system-high security mode requires that if the system processes special access information, all users must have formal access approval.
219. Protecting interconnectivity communication devices is a part of which of the following to secure multi-user and multiplatform environments?
a. Management controls
b. Technical controls
c. Physical controls
d. Procedural controls
219. c. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures. Physical security controls (e.g., locked rooms and closets) are used to protect interconnectivity communication devices. Management controls deal with policies and directives. Technical controls deal with technology and systems.
220. Which of the following is not a broad-based security objective for ensuring information systems protection?
a. Prepare and prevent
b. Breach and damage
c. Detect and respond
d. Build and grow
220. b. Breach and damage are narrow-based security objectives because they signify the occurrence of a security incident and recovery from its damage. The scope of prepare and prevent includes minimizing the possibility of a significant attack on critical information assets and networks. Detect and respond includes identifying and assessing an attack in a timely manner. Build and grow is building organizations and facilities, hiring and training people, and establishing policies and procedures.
221. The totality of protection mechanisms used for enforcing a security policy is which of the following?
a. Trusted computing base
b. Trusted path
c. Trusted software
d. Trusted subject
221. a. The trusted computing base (TCB) is the totality of protection mechanisms within a computer system, including hardware, firmware, and software, the combination of which is responsible for enforcing a security policy. The other three choices are part of the TCB.
222. Requiring signed conflict-of-interest and nondisclosure statements is a part of which of the following to secure multi-user and multiplatform environments?
a. Management controls
b. Technical controls
c. Physical controls
d. Procedural controls
222. d. Physical controls and procedural controls are part of operational controls, which are day-to-day procedures. Requiring signed conflict-of-interest and nondisclosure statements is a part of procedural controls. Management controls deal with policies and directives. Technical controls deal with technology and systems.
223. Taken to its extreme, what does active content become?
a. Built-in macro processing
b. Delivery mechanism for mobile code
c. Scripting language
d. Virtual machine
223. b. Taken to its extreme, active content becomes, in effect, a delivery mechanism for mobile code. Active content involves a host of new technologies such as built-in macro processing, scripting language, and virtual machine.
224. A denial-of-service attack is an example of which of the following threat categories that apply to systems on the Internet?
a. Browser-oriented
b. User-oriented
c. Server-oriented
d. Network-oriented