Topic 1: Access Control
To control access by a subject (an active entity such as individual or process) to an object
(a passive entity such as a file) involves setting up:
A.
Access Rules
B.
Access Matrix
C.
Identification controls
D.
Access terminal
Access Rules
Controlling access by a subject (an active entity such as individual or
process) to an object (a passive entity such as a file) involves setting up access rules.
These rules can be classified into three access control models: Mandatory, Discretionary,
and Non-Discretionary.
An access matrix is one of the means used to implement access control.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
Which of the following biometric characteristics cannot be used to uniquely authenticate an
individual's identity?
A.
Retina scans
B.
Iris scans
C.
Palm scans
D.
Skin scans
Skin scans
The following are typical biometric characteristics that are used to uniquely
authenticate an individual's identity:
Fingerprints
Retina scans
Iris scans
Facial scans
Palm scans
Hand geometry
Voice
Handwritten signature dynamics
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.
And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne,
2002, chapter 4: Access Control (pages 127-131).
Which access control model achieves data integrity through well-formed transactions and
separation of duties?
A.
Clark-Wilson model
B.
Biba model
C.
Non-interference model
D.
Sutherland model
Clark-Wilson model
The Clark-Wilson model differs from other models that are subject- and
object-oriented by introducing a third access element, programs, resulting in what is called
an access triple (subject, program, object), which prevents unauthorized users from modifying
data or programs. Its two integrity mechanisms are well-formed transactions (data can be
changed only through certified transformation procedures) and separation of duties (no single
user can complete a critical transaction alone). The Biba model uses objects and subjects and
addresses integrity based on a hierarchical lattice of integrity levels. The non-interference
model is related to the information flow model, with restrictions on the information flow. The
Sutherland model approaches integrity by focusing on the problem of inference.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control
Systems and Methodology (page 12).
And: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security
Management, CRC Press, 1997, Domain 1: Access Control.
The three classic ways of authenticating yourself to the computer security software are by
something you know, by something you have, and by something:
A.
you need.
B.
non-trivial
C.
you are.
D.
you can get.
you are.
This is more commonly known as biometrics and is one of the most accurate
ways to authenticate an individual.
The rest of the answers are incorrect because they are not one of the three recognized forms
of authentication.
Which of the following floors would be most appropriate to locate information processing
facilities in a 6-stories building?
A.
Basement
B.
Ground floor
C.
Third floor
D.
Sixth floor
Third floor
Your data center should be located in the middle of the facility, at the core of the
building, to provide protection from natural disasters or bombs and easier access for
emergency crews if necessary. At the core of the facility the external walls act as a
secondary layer of protection as well.
Information processing facilities should not be located on the top floor of a building because
of fire, or flooding coming from the roof. Many crimes and thefts have also been committed
simply by cutting a large hole in the roof.
They should not be in the basement because of flooding: water has a natural tendency to flow
down. Even a small amount of water would affect your operation, considering the quantity of
electrical cabling sitting directly on the concrete floor under your raised floor.
The data center should not be located on the first (ground) floor because of the main
entrance, where people are coming in and out, and the many high-traffic areas such as
elevators, loading docks, the cafeteria, a coffee shop, etc. That is a bad location for a
data center.
So the answer follows by process of elimination: the top floor, the ground floor, and the
basement are all bad choices, leaving only one possible answer, the third floor.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 5th Edition, Page
425.
Which of the following biometric parameters are better suited for authentication use over a
long period of time?
A.
Iris pattern
B.
Voice pattern
C.
Signature dynamics
D.
Retina pattern
Iris pattern
The iris pattern is considered lifelong. Unique features of the iris are:
freckles, rings, rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas.
Voice, signature and retina patterns are more likely to change over time, thus are not as
suitable for authentication over a long period of time without needing re-enrollment.
Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1
(derived from the Information Security Management Handbook, 4th Ed., by Tipton &
Krause).
Which one of the following factors is NOT one on which Authentication is based?
A.
Type 1. Something you know, such as a PIN or password
B.
Type 2. Something you have, such as an ATM card or smart card
C.
Type 3. Something you are (based upon one or more intrinsic physical or behavioral
traits), such as a fingerprint or retina scan
D.
Type 4. Something you are, such as a system administrator or security administrator
Type 4. Something you are, such as a system administrator or security administrator
Authentication is based on the following three factor types:
Type 1. Something you know, such as a PIN or password
Type 2. Something you have, such as an ATM card or smart card
Type 3. Something you are (Unique physical characteristic), such as a fingerprint or retina
scan
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne,
2002, chapter 4: Access Control (pages 132-133).
Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense ?
A.
TCSEC
B.
ITSEC
C.
DIACAP
D.
NIACAP
TCSEC
The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD
Rainbow Series publications.
Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National
Security Agency, and then updated in 1985, TCSEC was superseded by the Common Criteria
international standard (ISO/IEC 15408), first published in 1996 and adopted as an ISO standard
in 1999.
References:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, pages 197-199.
Wikipedia
http://en.wikipedia.org/wiki/TCSEC
An alternative to using passwords for authentication in logical or technical access control is:
A.
manage without passwords
B.
biometrics
C.
not there
D.
use of them for physical access control
biometrics
An alternative to using passwords for authentication in logical or technical
access control is biometrics. Biometrics are based on the Type 3 authentication
mechanism-something you are.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.
In response to an Access-Request from a client such as a Network Access Server (NAS),
which of the following is not one of the responses from a RADIUS server?
A.
Access-Accept
B.
Access-Reject
C.
Access-Granted
D.
Access-Challenge
Access-Granted
In response to an access-request from a client, a RADIUS server returns one
of three authentication responses: access-accept, access-reject, or access-challenge, the
latter being a request for additional authentication information such as a one-time password
from a token or a callback identifier.
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management
Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, page 36.
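The exchange described above, as an added example that is not code from the cited handbook: a NAS sends an Access-Request with the User-Password hidden as RFC 2865 specifies, and the server answers with Access-Accept, Access-Reject, or Access-Challenge (carrying a State attribute the NAS echoes back with the token code). Both ends run in one process rather than over UDP, and the shared secret, user database and token code are constructed. The client also verifies the Response Authenticator, which is what stops a forged reply from being accepted.

```python
"""RFC 2865 RADIUS exchange: Access-Request answered by Access-Accept, Access-Reject
or Access-Challenge. Added example, not from the cited handbook; both ends run in
one process and the shared secret, users and token codes are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                  # attribute types
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    out = []
    while data:
        t, l = struct.unpack("!BB", data[:2])
        if l < 2:
            raise ValueError("malformed attribute length")
        out.append((t, data[2:l]))
        data = data[l:]
    return out

def xor_password(data, secret, request_auth, hide):
    """RFC 2865 5.2 User-Password hiding (hide=True) and its inverse: 16-byte blocks
    XORed with MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]
        out += block
    return out if hide else out.rstrip(b"\x00")

def packet(code, ident, authenticator, attrs_bytes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes

def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet(code, ident, request_auth, attrs_bytes) + secret).digest()

class NasClient:
    def __init__(self, secret):
        self.secret, self.ident, self.request_auth = secret, 0, b""

    def access_request(self, user, password, state=None):
        self.ident = (self.ident + 1) % 256
        self.request_auth = os.urandom(16)                     # fresh per request
        attrs = [(USER_NAME, user), (USER_PASSWORD, xor_password(password, self.secret, self.request_auth, True))]
        if state is not None:
            attrs.append((STATE, state))                       # echoed back after a Challenge
        return packet(ACCESS_REQUEST, self.ident, self.request_auth, encode_attrs(attrs))

    def check_response(self, reply):
        """Verify the Response Authenticator before trusting the reply code."""
        code, ident, length = struct.unpack("!BBH", reply[:4])
        auth, attrs = reply[4:20], reply[20:length]
        if ident != self.ident or auth != response_authenticator(code, ident, attrs, self.request_auth, self.secret):
            raise ValueError("bad Response Authenticator: spoofed reply or wrong secret")
        return CODE_NAMES[code], decode_attrs(attrs)

class RadiusServer:
    def __init__(self, secret, users):
        self.secret, self.users, self.states = secret, users, {}   # users: name -> (password, token or None)

    def handle(self, request):
        code, ident, length = struct.unpack("!BBH", request[:4])
        request_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
        user = attrs.get(USER_NAME, b"")
        pw = xor_password(attrs.get(USER_PASSWORD, b""), self.secret, request_auth, False)
        reply, reply_attrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Authentication failed")]
        if STATE in attrs:                                     # second leg of a challenge
            if self.states.pop(attrs[STATE], None) == user and pw == self.users[user][1]:
                reply, reply_attrs = ACCESS_ACCEPT, []
        elif user in self.users and pw == self.users[user][0]:
            if self.users[user][1] is None:
                reply, reply_attrs = ACCESS_ACCEPT, []
            else:                                              # password ok, now demand the token code
                state = os.urandom(8)
                self.states[state] = user
                reply, reply_attrs = ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Enter token code")]
        body = encode_attrs(reply_attrs)
        return packet(reply, ident, response_authenticator(reply, ident, body, request_auth, self.secret), body)

def demo():
    secret = b"constructed-shared-secret"
    server = RadiusServer(secret, {b"bob": (b"hunter2", None), b"alice": (b"correct horse", b"123456")})
    nas = NasClient(secret)
    seen = [nas.check_response(server.handle(nas.access_request(b"bob", b"hunter2")))[0],
            nas.check_response(server.handle(nas.access_request(b"bob", b"wrong")))[0]]
    name, attrs = nas.check_response(server.handle(nas.access_request(b"alice", b"correct horse")))
    seen.append(name)
    seen.append(nas.check_response(server.handle(nas.access_request(b"alice", b"123456", dict(attrs)[STATE])))[0])
    forged = bytes([ACCESS_ACCEPT]) + server.handle(nas.access_request(b"bob", b"wrong"))[1:]
    try:                                                       # code changed, authenticator not recomputed
        nas.check_response(forged)
        seen.append("forgery-accepted")
    except ValueError:
        seen.append("forgery-detected")
    return seen
```

`demo()` returns the four reply names in order (Accept, Reject, Challenge, Accept) followed by "forgery-detected": a reply whose code was flipped from Access-Reject to Access-Accept fails the Response Authenticator check because that MD5 covers the code, identifier, length, attributes and shared secret. This is the legacy MD5 construction RFC 2865 defines; the example does not model transport protection.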
The number of violations that will be accepted or forgiven before a violation record is
produced is called which of the following?
A.
clipping level
B.
acceptance level
C.
forgiveness level
D.
logging level
clipping level
The correct answer is "clipping level". This is the point at which a system
decides to take some sort of action when an action repeats a preset number of times. That
action may be to log the activity, lock a user account, temporarily close a port, etc.
Example: The most classic example of a clipping level is failed login attempts. If you have a
system configured to lock a user's account after three failed login attempts, that is the
"clipping level".
The other answers are not correct because:
Acceptance level, forgiveness level, and logging level are nonsensical terms that do not
exist (to my knowledge) within network security.
Reference:
Official ISC2 Guide - The term "clipping level" is not in the glossary or index of that book. I
cannot find it in the text either. However, I'm quite certain that it would be considered part
of the CBK, despite its exclusion from the Official Guide.
All in One Third Edition page: 136 - 137
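The failed-login example above, as added code that is not from the cited guides: authentication log lines are scanned, failures per user are counted inside a sliding window, and the moment the count reaches the clipping level a violation record is produced and the account is locked. The sshd-style log lines, user names and addresses are constructed, and the window length and level (3) are assumptions.

```python
"""Clipping-level enforcement over authentication log lines. Added example, not from
the cited guides. Failed logins per user are counted in a sliding window; reaching the
clipping level produces one violation record and locks the account. The sshd-style
log lines, user names and addresses below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLIPPING_LEVEL = 3                 # failures tolerated before a violation record is produced
LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[311]: Failed password for alice from 10.0.0.7 port 51522 ssh2
2024-03-01T09:00:09 sshd[311]: Failed password for alice from 10.0.0.7 port 51523 ssh2
2024-03-01T09:00:15 sshd[312]: Accepted password for bob from 10.0.0.8 port 51530 ssh2
2024-03-01T09:00:31 sshd[313]: Failed password for alice from 10.0.0.7 port 51540 ssh2
2024-03-01T09:00:45 sshd[314]: Failed password for alice from 10.0.0.7 port 51541 ssh2
2024-03-01T09:30:00 sshd[400]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
2024-03-01T09:41:00 sshd[401]: Failed password for invalid user admin from 203.0.113.9 port 4023 ssh2
2024-03-01T09:52:00 sshd[402]: Failed password for invalid user admin from 203.0.113.9 port 4024 ssh2
"""


def check_clipping(log_text, level=CLIPPING_LEVEL, window_minutes=10):
    """Return (violation records, locked users) for the given log text."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)    # user -> timestamps of failures still inside the window
    locked, violations = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not an authentication outcome line
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        if outcome != "Failed":
            continue                 # successes are ignored; they do not reset the count
        q = failures[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # failures older than the window are forgiven
        if len(q) >= level and user not in locked:
            locked.add(user)         # the action taken once the clipping level is reached
            violations.append({"user": user, "count": len(q), "last_src": src, "at": ts.isoformat()})
    return violations, locked
```

With the default 10-minute window "alice" is locked on her third failure and one record is written; the "admin" attempts spaced 11 minutes apart never accumulate to the level, which is the trade-off a clipping level makes between tolerating typos and catching slow guessing. Widening the window (for instance to 30 minutes) catches that source as well.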
The National Institute of Standards and Technology (NIST) standard pertaining to
perimeter protection states that critical areas should be illuminated up to?
A.
Illuminated at nine feet high with at least three foot-candles
B.
Illuminated at eight feet high with at least three foot-candles
C.
Illuminated at eight feet high with at least two foot-candles
D.
Illuminated at nine feet high with at least two foot-candles
Illuminated at eight feet high with at least two foot-candles
The National Institute of Standards and Technology (NIST) standard
pertaining to perimeter protection states that critical areas should be illuminated eight feet
high with at least two foot-candles.
It can also be referred to as illuminating to a height of eight feet, with a BRIGHTNESS of
two foot-candles.
One footcandle = 10.764 lux. The footcandle (or lumen per square foot) is a non-SI unit of
illuminance. Like the BTU, it is obsolete but it is still in fairly common use in the United
States, particularly in construction-related engineering and in building codes. Because lux
and footcandles are different units of the same quantity, it is perfectly valid to convert
footcandles to lux and vice versa.
The name "footcandle" conveys "the illuminance cast on a surface by a one-candela
source one foot away." As natural as this sounds, this style of name is now frowned upon,
because the dimensional formula for the unit is not foot × candela, but lumens per square
foot.
Some sources do however note that the "lux" can be thought of as a "metre-candle" (i.e.
the illuminance cast on a surface by a one-candela source one metre away). A source that
is farther away casts less illumination than one that is close, so one lux is less illuminance
than one footcandle. Since illuminance follows the inverse-square law, and since one foot =
0.3048 m, one lux = 0.3048^2 footcandle ≈ 1/10.764 footcandle.
TIPS FROM CLEMENT:
Illuminance (light level) – The amount of light, measured in foot-candles (US unit), that falls
on a surface, either horizontal or vertical.
Parking lots lighting needs to be an average of 2 foot candles; uniformity of not more than
3:1, no area less than 1 fc.
All illuminance measurements are to be made on the horizontal plane with a certified light
meter calibrated to NIST standards using traceable light sources.
The CISSP Exam Cram 2 from Michael Gregg says:
Lighting is a commonly used form of perimeter protection.
Some studies have found that up to 80% of criminal acts at businesses and shopping
centers happen in adjacent parking lots. Therefore, it's easy to see why lighting can be
such an important concern.
Outside lighting discourages prowlers and thieves.
The National Institute of Standards and Technology (NIST) states that, for effective
perimeter control, buildings should be illuminated 8 feet high, with 2-foot candle power.
Reference used for this question:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001,
Page 325.
and
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 5th Edition, Page 459.
and
http://en.wikipedia.org/wiki/Foot-candle