Topic 2. Security operations administration
Which of the following can be defined as the process of rerunning a portion of the test scenario or test plan to ensure that changes or corrections have not introduced new errors?
A. Unit testing
B. Pilot testing
C. Regression testing
D. Parallel testing
Regression testing
Regression testing is the process of rerunning a portion of the test scenario
or test plan to ensure that changes or corrections have not introduced new errors. The data
used in regression testing should be the same as the data used in the original test. Unit
testing refers to the testing of an individual program or module. Pilot testing is a preliminary
test that focuses only on specific and predetermined aspects of a system. Parallel testing is
the process of feeding test data into two systems and comparing the results.
Source: Information Systems Audit and Control Association, Certified Information Systems
Auditor 2002 review manual, Chapter 6: Business Application System Development,
Acquisition, Implementation and Maintenance (page 300).
A trusted system does NOT involve which of the following?
A. Enforcement of a security policy.
B. Sufficiency and effectiveness of mechanisms to be able to enforce a security policy.
C. Assurance that the security policy can be enforced in an efficient and reliable manner.
D. Independently-verifiable evidence that the security policy-enforcing mechanisms are sufficient and effective.
Assurance that the security policy can be enforced in an efficient and reliable manner.
A trusted system is one that meets its intended security requirements. It
involves sufficiency and effectiveness, not necessarily efficiency, in enforcing a security
policy. Put succinctly, trusted systems have (1) policy, (2) mechanism, and (3) assurance.
Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.
Which must bear the primary responsibility for determining the level of protection needed for information systems resources?
A. IS security specialists
B. Senior Management
C. Senior security analysts
D. Systems auditors
Senior Management
If there is no support by senior management to implement, execute, and enforce security policies and procedures, then they won't work. Senior management must be involved in this because they have an obligation to the organization to protect its assets. The requirement here is for management to show "due diligence" in establishing an effective compliance, or security, program. It is senior management that could face legal repercussions if they do not have sufficient controls in place.
The following answers are incorrect:
IS security specialists is incorrect because it is not the best answer: senior management bears the primary responsibility for determining the level of protection needed.
Senior security analysts is incorrect because it is not the best answer: senior management bears the primary responsibility for determining the level of protection needed.
Systems auditors is incorrect because it is not the best answer; systems auditors are responsible for verifying that the controls in place are effective. Senior management bears the primary responsibility for determining the level of protection needed.
What is the act of obtaining information of a higher sensitivity by combining information from lower levels of sensitivity?
A. Polyinstantiation
B. Inference
C. Aggregation
D. Data mining
Aggregation
Aggregation is the act of obtaining information of a higher sensitivity by
combining information from lower levels of sensitivity.
The incorrect answers are:
Polyinstantiation is the development of a detailed version of an object from another object
using different values in the new object.
Inference is the ability of users to infer or deduce information about data at sensitivity levels
for which they do not have access privilege.
Data mining refers to searching through a data warehouse for data correlations.
Sources:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 261).
KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Database Security Issues (page 358).
Making sure that the data has not been changed unintentionally, due to an accident or malice, is:
A. Integrity.
B. Confidentiality.
C. Availability.
D. Auditability.
Integrity.
Integrity refers to the protection of information from unauthorized modification
or deletion.
Confidentiality is incorrect. Confidentiality refers to the protection of information from
unauthorized disclosure.
Availability is incorrect. Availability refers to the assurance that information and services will
be available to authorized users in accordance with the service level objective.
Auditability is incorrect. Auditability refers to the ability to trace an action to the identity that
performed it and identify the date and time at which it occurred.
References:
CBK, pp. 5-6
AIO3, pp. 56-57
Which of the following is best defined as a circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it?
A. Aggregation
B. Inference
C. Clustering
D. Collision
Aggregation
The Internet Security Glossary (RFC2828) defines aggregation as a
circumstance in which a collection of information items is required to be classified at a
higher security level than any of the individual items that comprise it.
Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.
Which software development model is actually a meta-model that incorporates a number of the software development models?
A. The Waterfall model
B. The modified Waterfall model
C. The Spiral model
D. The Critical Path Model (CPM)
The Spiral model
The spiral model is actually a meta-model that incorporates a number of the
software development models. This model depicts a spiral that incorporates the various
phases of software development. The model states that each cycle of the spiral involves
the same series of steps for each part of the project. CPM refers to the Critical Path
Methodology.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and
Systems Development (page 246).
Who is ultimately responsible for the security of computer based information systems within an organization?
A. The tech support team.
B. The Operation Team.
C. The management team.
D. The training team.
The management team.
If there is no support by management to implement, execute, and enforce security policies and procedures, then they won't work. Senior management must be involved in this because they have an obligation to the organization to protect its assets. The requirement here is for management to show "due diligence" in establishing an effective compliance, or security, program.
The following answers are incorrect:
The tech support team is incorrect because the ultimate responsibility for the security of computer-based information systems is with management.
The Operation Team is incorrect because the ultimate responsibility for the security of computer-based information systems is with management.
The Training Team is incorrect because the ultimate responsibility for the security of computer-based information systems is with management.
Reference(s) used for this question:
OIG CBK Information Security Management and Risk Management (page 20 - 22)
Who should DECIDE how a company should approach security and what security measures should be implemented?
A. Senior management
B. Data owner
C. Auditor
D. The information security specialist
Senior management
They are responsible for security of the organization and the protection of its
assets.
The following answers are incorrect because:
Data owner is incorrect as data owners should not decide what security measures should be applied.
Auditor is also incorrect as an auditor cannot decide what security measures should be applied.
The information security specialist is also incorrect as they may have the technical knowledge of how security measures should be implemented and configured, but they should not be in a position of deciding what measures should be applied.
Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, page 51.
Which of the following would be the best criterion to consider in determining the classification of an information asset?
A. Value
B. Age
C. Useful life
D. Personal association
Value
Information classification should be based on the value of the information to
the organization and its sensitivity (reflection of how much damage would accrue due to
disclosure).
Age is incorrect. While age might be a consideration in some cases, the guiding principles should be value and sensitivity.
Useful life is incorrect. While useful lifetime is relevant to how long data protections should be applied, the classification is based on information value and sensitivity.
Personal association is incorrect. Information classification decisions should be based on the value of the information and its sensitivity.
References:
CBK, pp. 101-102.
Preservation of confidentiality within information systems requires that the information is not disclosed to:
A. Authorized persons.
B. Unauthorized persons or processes.
C. Unauthorized persons.
D. Authorized persons and processes.
Unauthorized persons or processes.
Confidentiality assures that the information is not disclosed to unauthorized
persons or processes.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 31.
When two or more separate entities (usually persons) operating in concert to protect sensitive functions or information must combine their knowledge to gain access to an asset, this is known as?
A. Dual Control
B. Need to know
C. Separation of duties
D. Segregation of duties
Dual Control
The question clearly mentions "operating together", which means the BEST answer is Dual Control.
Two mechanisms necessary to implement high integrity environments where separation of duties is paramount are dual control and split knowledge.
Dual control enforces the concept of keeping a duo responsible for an activity. It requires more than one employee to be available to perform a task. It utilizes two or more separate entities (usually persons), operating together, to protect sensitive functions or information.
Whenever the dual control feature is limited to something you know, it is often called split knowledge (such as part of a password, cryptographic keys, etc.). Split knowledge is the unique "what each must bring" that is joined together when implementing dual control.
To illustrate, say you have a box containing petty cash that is secured by one combination lock and one keyed lock. One employee is given the combination to the combo lock and another employee has possession of the correct key to the keyed lock. In order to get the cash out of the box, both employees must be present at the cash box at the same time. One cannot open the box without the other. This is the aspect of dual control.
On the other hand, split knowledge is exemplified here by the different objects (the
combination to the combo lock and the correct physical key), both of which are unique and
necessary, that each brings to the meeting.
This is typically used in high value transactions / activities (as per the organization's risk appetite) such as:
Approving a high value transaction using a special user account, where the password of this user account is split into two parts managed by two different staff. Both staff must be present to enter the password for a high value transaction. This is often combined with the separation of duties principle. In this case, the posting of the transaction would have been performed by yet another staff member. This leads to a situation where collusion of at least 3 people is required to make a fraudulent high value transaction.
Payment card and PIN printing are separated by SOD principles. The organization can further enhance the control mechanism by implementing dual control / split knowledge. The card printing activity can be modified to require two staff to key in their passwords to initiate the printing process. Similarly, PIN printing authentication can also be implemented with dual control. Many Host Security Modules (HSMs) come with built-in controls for dual control, where physical keys are required to initiate the PIN printing process.
Managing encryption keys is another key area where dual control / split knowledge is to be implemented.
PCI DSS defines Dual Control as below. This is more from a cryptographic perspective, but still useful:
Dual Control: Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge.)
Split knowledge: Condition in which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.
It is key for information security professionals to understand the differences between Dual
Control and Separation of Duties. Both complement each other, but are not the same.
The following were incorrect answers:
Segregation of Duties addresses the splitting of the various functions within a process among different users so that no single user has an opportunity to perform conflicting tasks. For example, the participation of two or more persons in a transaction creates a system of checks and balances and reduces the possibility of fraud considerably. So it is important for an organization to ensure that all tasks within a process have adequate separation.
Let us look at some use cases of segregation of duties:
A person handling cash should not post to the accounting records.
A loan officer should not disburse loan proceeds for loans they approved.
Those who have authority to sign cheques should not reconcile the bank accounts.
The credit card printing personnel should not print the credit card PINs.
Customer address changes must be verified by a second employee before the change can be activated.
In situations where separation of duties is not possible because of lack of staff, senior management should set up additional measures to offset the lack of adequate controls.
To summarise, Segregation of Duties is about separating the conflicting duties to reduce fraud in an end-to-end function.
Need To Know (NTK):
The term "need to know", when used by government and other organizations (particularly those related to the military), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions, even if one has all the necessary official approvals (such as a security clearance) to access certain information, one would not be given access to such information unless one has a specific need to know; that is, access to the information must be necessary for the conduct of one's official duties. As with most security mechanisms, the aim is to make it difficult for unauthorized access to occur without inconveniencing legitimate access. Need-to-know also aims to discourage "browsing" of sensitive material by limiting access to the smallest possible number of people.
EXAM TIP: HOW TO DECIPHER THIS QUESTION
First, you probably noticed that Separation of Duties and Segregation of Duties are synonymous with each other. This means they are not the BEST answers for sure. That was an easy first step.
For the exam remember:
Separation of Duties is synonymous with Segregation of Duties
Dual Control is synonymous with Split Knowledge
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 16048-16078). Auerbach Publications. Kindle Edition.
and
http://www.ciso.in/dual-control-or-segregation-of-duties/