CISSP- Security Architecture And Design

Approved & Edited by ProProfs Editorial Team
The editorial team at ProProfs Quizzes consists of a select group of subject experts, trivia writers, and quiz masters who have authored over 10,000 quizzes taken by more than 100 million users. This team includes our in-house seasoned quiz moderators and subject matter experts. Our editorial experts, spread across the world, are rigorously trained using our comprehensive guidelines to ensure that you receive the highest quality quizzes.
Learn about Our Editorial Process
| By Cindymurray
C
Cindymurray
Community Contributor
Quizzes Created: 8 | Total Attempts: 14,956
Questions: 20 | Attempts: 737

SettingsSettingsSettings
CISSP Quizzes & Trivia

Questions and Answers
  • 1. 

    A holistic lifecycle for developing security architecture that begins with assessing business requirements and subsequently creating a “chain of traceability” through phases of strategy, concept, design, implementation and metrics is characteristic of which of the following frameworks?

    • A.

      Zachman

    • B.

      SABSA

    • C.

      ISO 27000

    • D.

      TOGAF

    Correct Answer
    B. SABSA
    Explanation
    SABSA (Sherwood Applied Business Security Architecture)
    is a holistic lifecycle for developing security architecture that begins with assessing
    business requirements. It generates a “chain of traceability” of security requirements
    to business functionality, through the phases of strategy, concept, design,
    implementation, and metrics. It represents any architecture using six layers, each
    representing a diff erent perspective for the design and construction and use of the
    target system. Page 672.

    Rate this question:

  • 2. 

    Which of the following component of ITIL’s service portfolio is primarily focused on translating designs into operational services through a standard project management standard?

    • A.

      Service strategy

    • B.

      Service design

    • C.

      Service transition

    • D.

      Service operations

    Correct Answer
    C. Service transition
    Explanation
    Service strategy is not necessarily part of service portfolio. It
    addresses new business needs and is used to generate the service portfolio, which
    includes the range of all the services that will be provided. Service design focuses
    on creating the services within the service portfolio. Service transition is primarily
    concerned with translating the service design into operational services and once
    these services have been deployed, they are transferred into steady-state service
    operations. Th e metrics that is collected for each service is used for continual service
    improvement. Pages 675–676.

    Rate this question:

  • 3. 

    Without proper definition of security requirements, systems fail. Which of the following can be used to capture detailed security requirements?

    • A.

      Threat modeling

    • B.

      Data classification

    • C.

      Risk assessments

    • D.

      All of the above

    Correct Answer
    D. All of the above
    Explanation
    Th reat modeling can be used to determine the threats to your
    system or software, which can be used to generate detailed countermeasure requirements.
    Data classifi cation can be used to determine appropriate levels of protection
    for the data that is transmitted or stored and this can be used to determine
    confi dentiality, integrity or availability requirements. Determining residual and
    acceptable risk thresholds can be used to generate security requirements as well.
    Page 677.

    Rate this question:

  • 4. 

    Formerly known as ISO 17799, which of the following security standards is universally recognized as the standards for sound security practices and is focused on the standardization and certifi cation of an organization’s information security management system (ISMS)?

    • A.

      ISO 15408

    • B.

      ISO 27001

    • C.

      ISO 9001

    • D.

      ISO 9146

    Correct Answer
    B. ISO 27001
    Explanation
    ISO 27000 series will assist organizations of all types to
    understand the fundamentals, principles, and concepts to improve the protection
    of their information assets. ISO 15408 is the common criteria which includes the
    evaluation criteria for IT security. ISO 9001 provides the requirements for quality
    management system. ISO 9126 is an international standard for the evaluation of
    software quality. Page 679.

    Rate this question:

  • 5. 

    Which of the following describes the rules that need to be implemented to ensure that the security requirements are met?

    • A.

      Security kernel

    • B.

      Security policy

    • C.

      Security model

    • D.

      Security reference monitor

    Correct Answer
    B. Security policy
    Explanation
    Security policy documents the security requirements of
    an organization. Subsequently, a security model is a specification that describes
    the rules to be implemented to support and enforce the security policy. While
    the security policy provides the “What” requirements needs to be met, the
    security model provides “HOW” (the rules by which) the requirements will
    be met. The part of the operating system where security features are located
    is the security kernel. Security reference monitor is the tamperproof module
    that controls the access request of software to either the data or the system.
    Page 682.

    Rate this question:

  • 6. 

    A two dimensional grouping of individual subjects into groups or roles and granting access to groups to objects is an example of which of the following types of models?

    • A.

      Multilevel lattice

    • B.

      State machine

    • C.

      Noninterference

    • D.

      Matrix-based

    Correct Answer
    D. Matrix-based
    Explanation
    While lattice-based models tend to treat similar subjects and
    objects with similar restrictions, matrix-based models focus on one-to-one relationships
    between subjects and objects. Th e best known example is the organization
    of subjects and objects into an access control matrix. An access control matrix is a
    two-dimensional table that allows for individual subjects and objects to be related
    to each other. A state machine model, describes the behavior of a system as it moves
    between one state and another, from one moment to another. A noninterference
    model maintains activities at diff erent security levels to separate these levels from
    each other. In this way, it minimizes leakages that may happen through covert
    channels, because there is complete separation between security levels. Page 684.

    Rate this question:

  • 7. 

    Th e * security property of which of the following models ensures that a subject with clearance level of “secret” has the ability to write only to a set of objects and in order to prevent disclosure, the subject may write to objects classifi ed as “secret” or “top Secret” but is prevented from writing information classifi ed as “public”?

    • A.

      Biba

    • B.

      Clark–Wilson

    • C.

      Brewer–Nash

    • D.

      Bell–LaPadula

    Correct Answer
    D. Bell–LaPadula
    Explanation
    Bell–LaPadula is a confi dentiality model that deals with the
    prevention of information disclosure. Page 685.

    Rate this question:

  • 8. 

    Which of the following is unique to the Biba integrity model?

    • A.

      Simple property

    • B.

      * (star) property

    • C.

      Invocation property

    • D.

      Strong * property

    Correct Answer
    C. Invocation property
    Explanation
    Both Biba and Bell–LaPadula have the simple and * (star)
    property and the strong * property is part of the confi dentiality Bell–LaPadula model. Th e Invocation property is unique to the Biba integrity model, which considers
    a situation where corruption may occur because a less trustworthy subject
    was allowed to invoke the powers of a subject with more trust. Page 688

    Rate this question:

  • 9. 

    Which of the following models must be most considered in a shared data hosting environment so that the data of one customer is not disclosed a competitor or other customers sharing that hosted environment?

    • A.

      Brewer–Nash

    • B.

      Clark–Wilson

    • C.

      Bell–LaPadula

    • D.

      Lipner

    Correct Answer
    A. Brewer–Nash
    Explanation
    While the other models listed can provide confi dentiality assurance,
    it is only the Brewer–Nash Model, which is also known as the Chinese wall
    model, that has a clear separation of access rights. Th e principle of Brewer–Nash
    model is that users should not be able to access the confi dential information of both
    a client organization and one or more of its competitors. It is called the Chinese
    wall model because, like the Great Wall of China, once you are on one side of the
    wall, you cannot get to the other side. Page 691.

    Rate this question:

  • 10. 

    Which of the following is the security model that is primarily concerned with how the subjects and objects are created and how subjects are assigned rights or privileges?

    • A.

      Bell–LaPadula

    • B.

      Biba

    • C.

      Chinese Wall

    • D.

      Graham–Denning

    Correct Answer
    D. Graham–Denning
    Explanation
    Th e Graham–Denning access control model has three parts: a
    set of objects, a set of subjects, and a set of rights. Bell–LaPadula is a confi dentiality
    model. Biba is an integrity model. Th e Chinese Wall Model is also a confi dential
    assurance model that deals with the about separation of access. Page 692.

    Rate this question:

  • 11. 

    Which of the following ISO standard provides the evaluation criteria that can be used to evaluate security requirements of diff erent vendor products?

    • A.

      15408

    • B.

      27000

    • C.

      TCSEC

    • D.

      ITSEC

    Correct Answer
    A. 15408
    Explanation
    ISO/IEC 15408 is commonly referred to as the common
    criteria. It is an internationally recognized standard provided the fi rst truly international
    product evaluation criteria. It has largely superseded all other criteria, although there continue to be products in general use that were certifi ed under
    TCSEC, ITSEC, and other criteria.It takes a very similar approach to ITSEC by
    providing a fl exible set of functional and assurance requirements, and like ITSEC,
    it is not very proscriptive as TCSEC had been. Instead, it is focused on standardizing
    the general approach to product evaluation and providing mutual recognition
    of such evaluations all over the world. Page 697.

    Rate this question:

  • 12. 

    In the Common Criteria, the common set of functional and assurance requirements for a category of vendor products deployed in a particular type of environment is known as

    • A.

      Protection profiles

    • B.

      Security target

    • C.

      Trusted computing Base

    • D.

      Ring protection

    Correct Answer
    A. Protection profiles
    Explanation
    Protection profi les are the common set of functional and assurance
    requirements while security target is the specifi c functional and assurance
    requirements that the author of the security target wants a given product to fulfi
    ll. Trusted computing base and ring protection are not concepts of the common
    criteria. Page 698.

    Rate this question:

  • 13. 

    Which of the following evaluation assurance level that is formally verified, designed, and tested is expected for high risk situation?

    • A.

      EAL 1

    • B.

      EAL 3

    • C.

      EAL 5

    • D.

      EAL 7

    Correct Answer
    D. EAL 7
    Explanation
    EAL 7 is the only one that given after the product is formally
    verifi ed, designed, and tested. All the other levels of assurances are not formally
    verifi ed. Page 698.

    Rate this question:

  • 14. 

    Formal acceptance of an evaluated system by management is known as

    • A.

      Certification

    • B.

      Accreditation

    • C.

      Validation

    • D.

      Verification

    Correct Answer
    B. Accreditation
    Explanation
    In the accreditation phase, management evaluates the capacity
    of a system to meet the needs of the organization. If management determines that
    the needs of the system satisfy the needs of the organization, they will formally
    accept the evaluated system, usually for a defi ned period of time. During the certifi -
    cation phase, the product or system is tested to see whether it meets the documented requirements (including any security requirements). Validation and verifi cation are
    usually part of the certification phase. Page 699.

    Rate this question:

  • 15. 

    Which stage of the capability maturity model (CMM) is characterized by having organizational processes that are proactive?

    • A.

      Initial

    • B.

      Managed

    • C.

      Defined

    • D.

      Optimizing

    Correct Answer
    C. Defined
    Explanation
    In the initial stage, the processes are unpredictable, poorly
    controlled, and reactive. During the managed stage, the processes are characterized
    for projects (not the entire organization) and it is often reactive. In the defi ned
    stage, the processes are characterized for the entire organization and are proactive.
    In the optimizing stage the organization focuses on continuous process improvement.
    Page 701.

    Rate this question:

  • 16. 

    Which of the following provides a method of quantifying risks associated with information technology in addition to helping with validating the abilities of new security controls and countermeasures to address the identifi ed risks?

    • A.

      Threat/risk assessment

    • B.

      Penetration testing

    • C.

      Vulnerability assessment

    • D.

      Data classification

    Correct Answer
    A. Threat/risk assessment
    Explanation
    Penetration testing, vulnerability assessments, and data classifi
    cation may help with the identifi cation of threats and countermeasures, but do
    not necessarily always translate or quantify the threats and vulnerabilities to risk.
    Page 706.

    Rate this question:

  • 17. 

    The use of the proxies to protect more trusted assets from less sensitive ones is an example of which of the following types of security services?

    • A.

      Access control

    • B.

      Boundary control

    • C.

      Integrity

    • D.

      Audit and monitoring

    Correct Answer
    B. Boundary control
    Explanation
    Access control services focus on the identifi cation, authentication,
    and authorization of subject entities (whether human or machine) as they are
    deployed and employed to access the organization’s assets. Th ese services are concerned
    with how and whether information is allowed to fl ow from one set of systems
    to another, or from one state to another. Boundary control systems are intended to
    enforce security zones of control by isolating entry points from one zone to another
    (choke points). Integrity services focus on the maintenance of high-integrity systems
    and data through automated checking to detect and correct corruption. Audit and
    monitoring services focus on the secure collection, storage, and analysis of audited
    events through centralized logging as well as the events themselves through intrusion
    detection systems (HIDS and NIDS) and similar services. Page 706.

    Rate this question:

  • 18. 

    Which of the following is the main reason for security concerns in mobile computing devices?

    • A.

      The 3G protocol is inherently insecure

    • B.

      Lower processing power

    • C.

      Hackers are targeting mobile devices

    • D.

      The lack of antivirus software.

    Correct Answer
    B. Lower processing power
    Explanation
    Th ese devices share common security concerns with other
    resource-constrained devices. In many cases, security services have been sacrifi ced
    to provide richer user interaction when processing power is very limited. Also, their
    mobility has made them a prime vector for data loss since they can be used to transmit
    and store information in ways that may be diffi cult to control. Page 713.

    Rate this question:

  • 19. 

    Device drivers that enable the OS to control and communicate with hardware need to be securely designed, developed, and deployed because

    • A.

      They are typically installed by end-users and granted access to supervisor state to help them run faster.

    • B.

      Th ey are typically installed by administrators and granted access to user mode state to help them run faster.

    • C.

      Th ey are typically installed by software without human interaction.

    • D.

      They are integrated as part of the operating system.

    Correct Answer
    A. They are typically installed by end-users and granted access to supervisor state to help them run faster.
    Explanation
    Device drivers that control input/output devices are typically
    installed by end-users (not necessarily administrators) and are often granted access
    to supervisor state to help them run faster. Th is may allow a malformed driver to
    be used to compromise the system unless other controls are in place to mitigate this
    risk. Drivers are not add-ons to the operating system and usually require human
    interaction for installation. Page 722.

    Rate this question:

  • 20. 

    A system administrator grants group rights to a group of individuals called “Accounting” instead of granting individual rights to each individual. Th is is an example of which of the following security mechanisms?

    • A.

      Layering

    • B.

      Data hiding

    • C.

      Cryptographic protections

    • D.

      Abstraction

    Correct Answer
    D. Abstraction
    Explanation
    In computer programming, layering is the organization of
    programming into separate functional components that interact in some sequential
    and hierarchical way, with each layer usually having an interface only to the layer
    above it and the layer below it. Data hiding maintains activities at diff erent security
    levels to separate these levels from each other. Cryptography can be used in a variety
    of ways to protect sensitive system functions and data. By encrypting sensitive
    information and limiting the availability of key material, data can be hidden from
    less privileged parts of the system. Abstraction involves the removal of characteristics
    from an entity in order to easily represent its essential properties. Page 724.

    Rate this question:

Quiz Review Timeline +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version
  • Mar 21, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Dec 22, 2012
    Quiz Created by
    Cindymurray
Back to Top Back to top
Advertisement
×

Wait!
Here's an interesting quiz for you.

We have other quizzes matching your interest.