32. a. Software flaws result in potential vulnerabilities. The configuration management process can track and verify the required or anticipated flaw remediation actions.

Flaws discovered during security assessments, continuous monitoring, incident-response activities, or system error handling activities become inputs to the configuration management process. Automated patch management tools should facilitate flaw remediation by promptly installing security-relevant software updates (for example, patches, service packs, and hot fixes).

33. Audit trails establish which of the following information security objectives?

a. Confidentiality

b. Integrity

c. Accountability

d. Availability

33. c. Accountability is the existence of a record that permits the identification of an individual who performed some specific activity so that responsibility for that activity can be established through audit trails. Audit trails do not establish the other three choices.

34. Audit trails are least useful to which of the following?

a. Training

b. Deterrence

c. Detection

d. Prosecution

34. a. Audit trails are useful in detecting unauthorized and illegal activities. They also act as a deterrent and aid in prosecution of transgressors. They are least useful in training because audit trails are recorded after the fact. They show what was done, when, and by whom.

35. In terms of audit records, which of the following information is most useful?

1. Timestamps

2. Source and destination address

3. Privileged commands

4. Group account users

a. 1 only

b. 1 and 2

c. 3 and 4

d. 1, 2, 3, and 4

35. c. Audit records contain minimum information such as timestamps, source and destination addresses, and the outcome of the event (i.e., success or failure). However, the most useful information is the recording of privileged commands and the individual identities of group account users.

36. Which of the following is an example of improper separation of duties?

a. Computer security is embedded into computer operations.

b. Security administrators are separate from security auditors.

c. Mission-critical functions and support functions are separate from each other.

d. Quality assurance is separate from network security.

36. a. A natural tension often exists between computer security and computer operations functions. Some organizations embed a computer security program in computer operations to resolve this tension. The typical result of this organizational strategy is a computer security program that lacks independence, has minimal authority, receives little management attention, and has few resources to work with. The other three choices are examples of proper separation of duties.

37. What are labels used on internal data structures called?

a. Automated marking

b. Automated labeling

c. Hard-copy labeling

d. Output labeling

37. b. Automated labeling refers to labels used on internal data structures such as records and files within the information system. Automated marking refers to labels used on external media such as hard-copy documents and output from the information system (for example, reports).

38. Which of the following is not allowed when an information system cannot be sanitized due to a system failure?

a. Periodic maintenance

b. Remote maintenance

c. Preventive maintenance

d. Detective maintenance

38. b. Media sanitization (scrubbing) means removing information from media such that information recovery is not possible. Specifically, it removes all labels, markings, and activity logs. An organization approves, controls, and monitors remotely executed maintenance and diagnostic activities. If the information system cannot be sanitized due to a system failure, remote maintenance is not allowed because it is a high-risk situation. The other three types of maintenance are low-risk situations.

39. Regarding configuration change management, organizations should analyze new software in which of the following libraries before installation?

a. Development library

b. Test library

c. Quarantine library

d. Operational library
