CISSP- Security Architecture And Design

By Cindymurray | Questions: 20
1. Formerly known as ISO 17799, which of the following security standards is universally recognized as the standards for sound security practices and is focused on the standardization and certification of an organization's information security management system (ISMS)?

Explanation

ISO 27000 series will assist organizations of all types to
understand the fundamentals, principles, and concepts to improve the protection
of their information assets. ISO 15408 is the common criteria which includes the
evaluation criteria for IT security. ISO 9001 provides the requirements for quality
management system. ISO 9126 is an international standard for the evaluation of
software quality. Page 679.

About This Quiz

This CISSP quiz focuses on Security Architecture and Design, assessing knowledge in frameworks like SABSA, ITIL, and standards such as ISO 27001. It covers lifecycle development, service transitions, security policies, and matrix-based models, essential for professionals aiming to certify or deepen their understanding in security architecture.

2. Without proper definition of security requirements, systems fail. Which of the following can be used to capture detailed security requirements?

Explanation

Threat modeling can be used to determine the threats to your
system or software, which can be used to generate detailed countermeasure requirements.
Data classification can be used to determine appropriate levels of protection
for the data that is transmitted or stored and this can be used to determine
confidentiality, integrity or availability requirements. Determining residual and
acceptable risk thresholds can be used to generate security requirements as well.
Page 677.

3. Which of the following describes the rules that need to be implemented to ensure that the security requirements are met?

Explanation

Security policy documents the security requirements of
an organization. Subsequently, a security model is a specification that describes
the rules to be implemented to support and enforce the security policy. While
the security policy provides the “what” (the requirements that need to be met), the
security model provides the “how” (the rules by which the requirements will
be met). The part of the operating system where security features are located
is the security kernel. The security reference monitor is the tamperproof module
that controls the access request of software to either the data or the system.
Page 682.

4. Which of the following provides a method of quantifying risks associated with information technology in addition to helping with validating the abilities of new security controls and countermeasures to address the identified risks?

Explanation

Penetration testing, vulnerability assessments, and data classification
may help with the identification of threats and countermeasures, but do
not necessarily always translate or quantify the threats and vulnerabilities to risk.
Page 706.

5. The * security property of which of the following models ensures that a subject with clearance level of "secret" has the ability to write only to a set of objects and in order to prevent disclosure, the subject may write to objects classified as "secret" or "top secret" but is prevented from writing information classified as "public"?

Explanation

Bell–LaPadula is a confidentiality model that deals with the
prevention of information disclosure. Page 685.

6. Which of the following is the security model that is primarily concerned with how the subjects and objects are created and how subjects are assigned rights or privileges?

Explanation

The Graham–Denning access control model has three parts: a
set of objects, a set of subjects, and a set of rights. Bell–LaPadula is a confidentiality
model. Biba is an integrity model. The Chinese Wall Model is also a confidentiality
assurance model that deals with the separation of access. Page 692.

7. Formal acceptance of an evaluated system by management is known as

Explanation

In the accreditation phase, management evaluates the capacity
of a system to meet the needs of the organization. If management determines that
the needs of the system satisfy the needs of the organization, they will formally
accept the evaluated system, usually for a defined period of time. During the certification
phase, the product or system is tested to see whether it meets the documented requirements (including any security requirements). Validation and verification are
usually part of the certification phase. Page 699.

8. A two-dimensional grouping of individual subjects into groups or roles and granting groups access to objects is an example of which of the following types of models?

Explanation

While lattice-based models tend to treat similar subjects and
objects with similar restrictions, matrix-based models focus on one-to-one relationships
between subjects and objects. The best known example is the organization
of subjects and objects into an access control matrix. An access control matrix is a
two-dimensional table that allows for individual subjects and objects to be related
to each other. A state machine model describes the behavior of a system as it moves
between one state and another, from one moment to another. A noninterference
model maintains activities at different security levels to separate these levels from
each other. In this way, it minimizes leakages that may happen through covert
channels, because there is complete separation between security levels. Page 684.

9. Which of the following evaluation assurance levels, formally verified, designed, and tested, is expected for high-risk situations?

Explanation

EAL 7 is the only one that is given after the product is formally
verified, designed, and tested. All the other levels of assurances are not formally
verified. Page 698.

10. Which of the following is unique to the Biba integrity model?

Explanation

Both Biba and Bell–LaPadula have the simple and * (star)
property, and the strong * property is part of the confidentiality Bell–LaPadula model. The Invocation property is unique to the Biba integrity model, which considers
a situation where corruption may occur because a less trustworthy subject
was allowed to invoke the powers of a subject with more trust. Page 688.

11. Which of the following models must be most considered in a shared data hosting environment so that the data of one customer is not disclosed to a competitor or other customers sharing that hosted environment?

Explanation

While the other models listed can provide confidentiality assurance,
it is only the Brewer–Nash Model, which is also known as the Chinese wall
model, that has a clear separation of access rights. The principle of Brewer–Nash
model is that users should not be able to access the confidential information of both
a client organization and one or more of its competitors. It is called the Chinese
wall model because, like the Great Wall of China, once you are on one side of the
wall, you cannot get to the other side. Page 691.

12. The use of proxies to protect more trusted assets from less sensitive ones is an example of which of the following types of security services?

Explanation

Access control services focus on the identification, authentication,
and authorization of subject entities (whether human or machine) as they are
deployed and employed to access the organization’s assets. These services are concerned
with how and whether information is allowed to flow from one set of systems
to another, or from one state to another. Boundary control systems are intended to
enforce security zones of control by isolating entry points from one zone to another
(choke points). Integrity services focus on the maintenance of high-integrity systems
and data through automated checking to detect and correct corruption. Audit and
monitoring services focus on the secure collection, storage, and analysis of audited
events through centralized logging as well as the events themselves through intrusion
detection systems (HIDS and NIDS) and similar services. Page 706.

13. A system administrator grants group rights to a group of individuals called "Accounting" instead of granting individual rights to each individual. This is an example of which of the following security mechanisms?

Explanation

In computer programming, layering is the organization of
programming into separate functional components that interact in some sequential
and hierarchical way, with each layer usually having an interface only to the layer
above it and the layer below it. Data hiding maintains activities at different security
levels to separate these levels from each other. Cryptography can be used in a variety
of ways to protect sensitive system functions and data. By encrypting sensitive
information and limiting the availability of key material, data can be hidden from
less privileged parts of the system. Abstraction involves the removal of characteristics
from an entity in order to easily represent its essential properties. Page 724.

14. In the Common Criteria, the common set of functional and assurance requirements for a category of vendor products deployed in a particular type of environment is known as

Explanation

Protection profiles are the common set of functional and assurance
requirements while security target is the specific functional and assurance
requirements that the author of the security target wants a given product to fulfill.
Trusted computing base and ring protection are not concepts of the Common
Criteria. Page 698.

15. Which of the following components of ITIL's service portfolio is primarily focused on translating designs into operational services through a standard project management standard?

Explanation

Service strategy is not necessarily part of service portfolio. It
addresses new business needs and is used to generate the service portfolio, which
includes the range of all the services that will be provided. Service design focuses
on creating the services within the service portfolio. Service transition is primarily
concerned with translating the service design into operational services and once
these services have been deployed, they are transferred into steady-state service
operations. The metrics that are collected for each service are used for continual service
improvement. Pages 675–676.

16. A holistic lifecycle for developing security architecture that begins with assessing business requirements and subsequently creating a "chain of traceability" through phases of strategy, concept, design, implementation and metrics is characteristic of which of the following frameworks?

Explanation

SABSA (Sherwood Applied Business Security Architecture)
is a holistic lifecycle for developing security architecture that begins with assessing
business requirements. It generates a “chain of traceability” of security requirements
to business functionality, through the phases of strategy, concept, design,
implementation, and metrics. It represents any architecture using six layers, each
representing a different perspective for the design and construction and use of the
target system. Page 672.

17. Which of the following ISO standards provides the evaluation criteria that can be used to evaluate security requirements of different vendor products?

Explanation

ISO/IEC 15408 is commonly referred to as the Common
Criteria. It is an internationally recognized standard that provided the first truly international
product evaluation criteria. It has largely superseded all other criteria, although there continue to be products in general use that were certified under
TCSEC, ITSEC, and other criteria. It takes a very similar approach to ITSEC by
providing a flexible set of functional and assurance requirements, and like ITSEC,
it is not as proscriptive as TCSEC had been. Instead, it is focused on standardizing
the general approach to product evaluation and providing mutual recognition
of such evaluations all over the world. Page 697.

18. Device drivers that enable the OS to control and communicate with hardware need to be securely designed, developed, and deployed because

Explanation

Device drivers that control input/output devices are typically
installed by end-users (not necessarily administrators) and are often granted access
to supervisor state to help them run faster. This may allow a malformed driver to
be used to compromise the system unless other controls are in place to mitigate this
risk. Drivers are not add-ons to the operating system and usually require human
interaction for installation. Page 722.

19. Which of the following is the main reason for security concerns in mobile computing devices?

Explanation

These devices share common security concerns with other
resource-constrained devices. In many cases, security services have been sacrificed
to provide richer user interaction when processing power is very limited. Also, their
mobility has made them a prime vector for data loss since they can be used to transmit
and store information in ways that may be difficult to control. Page 713.

20. Which stage of the capability maturity model (CMM) is characterized by having organizational processes that are proactive?

Explanation

In the initial stage, the processes are unpredictable, poorly
controlled, and reactive. During the managed stage, the processes are characterized
for projects (not the entire organization) and they are often reactive. In the defined
stage, the processes are characterized for the entire organization and are proactive.
In the optimizing stage the organization focuses on continuous process improvement.
Page 701.


Quiz Review Timeline (Updated): Mar 21, 2023


  • Mar 21, 2023 (current version): Quiz edited by ProProfs Editorial Team
  • Dec 22, 2012: Quiz created by Cindymurray