Topic 2: Security Operations Administration
Which of the following would be the MOST serious risk where a systems development life
cycle methodology is inadequate?
A.
The project will be completed late.
B.
The project will exceed the cost estimates.
C.
The project will be incompatible with existing systems.
D.
The project will fail to meet business and user needs
The project will fail to meet business and user needs
This is the most serious risk of an inadequate systems development life cycle
methodology.
The following answers are incorrect because:
The project will be completed late is incorrect, as it is not as devastating as the correct
answer above.
The project will exceed the cost estimates is also incorrect when compared to the correct
answer above.
The project will be incompatible with existing systems is also incorrect when compared to
the correct answer above.
Reference: Information Systems Audit and Control Association, Certified Information
Systems Auditor 2002 review manual, chapter 6: Business Application System
Development, Acquisition, Implementation and Maintenance (page 290).
Which of the following is an advantage in using a bottom-up versus a top-down approach to
software testing?
A.
Interface errors are detected earlier.
B.
Errors in critical modules are detected earlier.
C.
Confidence in the system is achieved earlier.
D.
Major functions and processing are tested earlier.
Errors in critical modules are detected earlier.
The bottom-up approach to software testing begins with the testing of atomic
units, such as programs and modules, and works upwards until complete system testing
has taken place. The advantages of using a bottom-up approach to software testing are that
there is no need for stubs or drivers and that errors in critical modules are found
earlier. The other choices refer to advantages of a top-down approach, which follows the
opposite path.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development,
Acquisition, Implementation and Maintenance (page 299).
An effective information security policy should not have which of the following
characteristic?
A.
Include separation of duties
B.
Be designed with a short- to mid-term focus
C.
Be understandable and supported by all stakeholders
D.
Specify areas of responsibility and authority
Be designed with a short- to mid-term focus
An effective information security policy should be designed with a long-term
focus. All other characteristics apply.
Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices,
Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 397).
Which of the following statements pertaining to protection rings is false?
A.
They provide strict boundaries and definitions on what the processes that work within
each ring can access.
B.
Programs operating in inner rings are usually referred to as existing in a privileged
mode.
C.
They support the CIA triad requirements of multitasking operating systems.
D.
They provide users with a direct access to peripherals
They provide users with a direct access to peripherals
In computer science, hierarchical protection domains, often called protection
rings, are mechanisms to protect data and functionality from faults (fault tolerance) and
malicious behaviour (computer security). This approach is diametrically opposite to that of capability-based security.
Computer operating systems provide different levels of access to resources. A protection
ring is one of two or more hierarchical levels or layers of privilege within the architecture of
a computer system. This is generally hardware-enforced by some CPU architectures that
provide different CPU modes at the hardware or microcode level.
Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered
zero) to least privileged (least trusted, usually with the highest ring number). On most
operating systems, Ring 0 is the level with the most privileges and interacts most directly
with the physical hardware such as the CPU and memory.
Special gates between rings are provided to allow an outer ring to access an inner ring's
resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating
access between rings can improve security by preventing programs from one ring or
privilege level from misusing resources intended for programs in another. For example,
spyware running as a user program in Ring 3 should be prevented from turning on a web
camera without informing the user, since hardware access should be a Ring 1 function
reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.
"They provide strict boundaries and definitions on what the processes that work within each
ring can access" is incorrect. This is in fact one of the characteristics of a ring protection
system.
"Programs operating in inner rings are usually referred to as existing in a privileged mode"
is incorrect. This is in fact one of the characteristics of a ring protection system.
"They support the CIA triad requirements of multitasking operating systems" is incorrect.
This is in fact one of the characteristics of a ring protection system.
Reference(s) used for this question:
CBK, pp. 310-311
AIO3, pp.
AIOv4 Security Architecture and Design (pages 308-310)
AIOv5 Security Architecture and Design (pages 309-312)
Which of the following rules is least likely to support the concept of least privilege?
A.
The number of administrative accounts should be kept to a minimum.
B.
Administrators should use regular accounts when performing routine operations like
reading mail.
C.
Permissions on tools that are likely to be used by hackers should be as restrictive as
possible.
D.
Only data to and from critical systems and applications should be allowed through the
firewall.
Only data to and from critical systems and applications should be allowed through the
firewall.
Only data to and from critical systems and applications should be allowed
through the firewall is a distractor. Critical systems or applications do not necessarily need
to have their traffic go through a firewall. Even if they did, only the minimum required services
should be allowed. Systems that are not deemed critical may also need to have their traffic go
through the firewall.
Least privilege is a basic tenet of computer security that means users should be given only
those rights required to do their jobs or tasks. Least privilege is ensuring that you have the
minimum privileges necessary to do a task. An admin NOT using his admin account to
check email is a clear example of this.
Reference(s) used for this question:
National Security Agency, Systems and Network Attack Center (SNAC), The 60 Minute
Network Security Guide, February 2002, page 9.
Which of the following determines that the product developed meets the project's goals?
A.
verification
B.
validation
C.
concurrence
D.
accuracy
validation
Software Development Verification vs. Validation:
Verification determines if the product accurately represents and meets the design
specifications given to the developers. A product can be developed that does not match the
original specifications. This step ensures that the specifications are properly met and
closely followed by the development team.
Validation determines if the product provides the necessary solution to the intended real-world
problem. It validates whether or not the final product is what the user expected in the first
place and whether or not it solves the problem it was intended to solve. In large projects, it is
easy to lose sight of the overall goal. This exercise ensures that the main goal of the project is
met.
From DITSCAP:
6.3.2. Phase 2, Verification. The Verification phase shall include activities to verify
compliance of the system with previously agreed security requirements. For each life-cycle
development activity, DoD Directive 5000.1 (reference (i)), there is a corresponding set of security activities, enclosure 3, that shall verify compliance with the security requirements
and evaluate vulnerabilities.
6.3.3. Phase 3, Validation. The Validation phase shall include activities to evaluate the fully
integrated system to validate system operation in a specified computing environment with
an acceptable level of residual risk. Validation shall culminate in an approval to operate.
NOTE:
DIACAP has replaced DITSCAP, but the definitions above are still valid and applicable for the
purpose of the exam.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 1106). McGraw-Hill.
Kindle Edition.
and
http://iase.disa.mil/ditscap/DITSCAP.html
Risk analysis is MOST useful when applied during which phase of the system development
process?
A.
Project initiation and Planning
B.
Functional Requirements definition
C.
System Design Specification
D.
Development and Implementation
Project initiation and Planning
In most projects the conditions for failure are established at the beginning of
the project. Thus risk management should be established at the commencement of the
project with a risk assessment during project initiation.
As it is clearly stated in the ISC2 book: security should be included in the first phase of
development and throughout all of the phases of the system development life cycle. This is
a key concept to understand for the purpose of the exam.
The most useful time is to undertake it at project initiation, although it is often valuable to
update the current risk analysis at later stages.
Attempting to retrofit security after the SDLC is completed would cost a lot more money
and might be impossible in some cases. Look at the family of browsers we use today, for
the past 8 years they always claim that it is the most secure version that has been released
and within days vulnerabilities will be found.
Risks should be monitored throughout the SDLC of the project and reassessed when appropriate.
The phases of the SDLC can vary from one source to another. They could be as simple as
Concept, Design, and Implementation. They could also be expanded to include more phases,
such as this list proposed within the ISC2 Official Study book:
Project Initiation and Planning
Functional Requirements Definition
System Design Specification
Development and Implementation
Documentation and Common Program Controls
Testing and Evaluation Control, Certification and Accreditation (C&A)
Transition to Production (Implementation)
And there are two phases that will extend beyond the SDLC:
Operation and Maintenance Support (O&M)
Revisions and System Replacement (Disposal)
Source: Information Systems Audit and Control Association, Certified Information Systems
Auditor 2002 review manual, chapter 6: Business Application System Development,
Acquisition, Implementation and Maintenance (page 291).
and
The Official ISC2 Guide to the CISSP CBK , Second Edition, Page 182-185
What is used to protect programs from all unauthorized modification or executional
interference?
A.
A protection domain
B.
A security perimeter
C.
Security labels
D.
Abstraction
A protection domain
A protection domain consists of the execution and memory space assigned
to each process. The purpose of establishing a protection domain is to protect programs
from all unauthorized modification or executional interference. The security perimeter is the
boundary that separates the Trusted Computing Base (TCB) from the remainder of the
system. Security labels are assigned to resources to denote a type of classification.
Abstraction is a way to protect resources in the fact that it involves viewing system
components at a high level and ignoring its specific details, thus performing information
hiding.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security
Architecture and Models (page 193).
Which of the following is best defined as a mode of system termination that automatically
leaves system processes and components in a secure state when a failure occurs or is
detected in a system?
A.
Fail proof
B.
Fail soft
C.
Fail safe
D.
Fail Over
Fail safe
NOTE: This question refers to a logical/technical system, so you must choose the answer in
that context. It is very important to read the question carefully and to identify whether the
context is the physical world or the technical/logical world.
RFC 2828 (Internet Security Glossary) defines fail safe as a mode of system termination
that automatically leaves system processes and components in a secure state when a
failure occurs or is detected in the system.
In the logical/technical world, a secure state means that no access would be granted and no
packets would be allowed to flow through a system that inspects packets, such as a
firewall.
If the question had referred to a building or something else specific to the physical world,
the answer would have been different. In the physical world everything becomes open and
full access is granted. See the valid choices below for the physical context.
Fail-safe in the physical security world is when doors are unlocked automatically in case of
emergency. It is used in environments where humans work, since human safety is the prime
concern during a fire or other hazard.
The following were all wrong choices:
Fail-secure in the physical security world is when doors are locked automatically in case of
emergency. It can be used in an area like a cash locker room, provided there is an alternative
manually operated exit door in case of emergency.
Fail soft is the selective termination of affected non-essential system functions and
processes when a failure occurs or is detected in the system.
Fail Over is a redundancy mechanism and does not apply to this question.
There is a great post within the CCCure Forums on this specific question:
saintrockz, who is a long-term contributor to the forums, did outstanding research and you
have the results below. The CCCure forum is a gold mine where thousands of questions
related to the CBK have been discussed.
According to the Official ISC2 Study Guide (OIG):
Fault Tolerance is defined as built-in capability of a system to provide continued correct
execution in the presence of a limited number of hardware or software faults. It means a
system can operate in the presence of hardware component failures. A single component
failure in a fault-tolerant system will not cause a system interruption because the alternate
component will take over the task transparently. As the cost of components continues to
drop, and the demand for system availability increases, many non-fault-tolerant systems
have redundancy built-in at the subsystem level. As a result, many non-fault-tolerant
systems can tolerate hardware faults - consequently, the line between a fault-tolerant system and a non-fault-tolerant system becomes increasingly blurred.
According to Common Criteria:
Fail Secure - Failure with preservation of secure state, which requires that the TSF (TOE
security functions) preserve a secure state in the face of the identified failures.
According to The CISSP Prep Guide, Gold Edition:
Fail over - When one system/application fails, operations will automatically switch to the
backup system.
Fail safe - Pertaining to the automatic protection of programs and/or processing systems to
maintain safety when a hardware or software failure is detected in a system.
Fail secure - The system preserves a secure state during and after identified failures occur.
Fail soft - Pertaining to the selective termination of affected non-essential processing when
a hardware or software failure is detected in a system.
According to CISSP for Dummies:
Fail closed - A control failure that results in all accesses blocked.
Fail open - A control failure that results in all accesses permitted.
Failover - A failure mode where, if a hardware or software failure is detected, the system
automatically transfers processing to a hot backup component, such as a clustered server.
Fail-safe - A failure mode where, if a hardware or software failure is detected, program
execution is terminated, and the system is protected from compromise.
Fail-soft (or resilient) - A failure mode where, if a hardware or software failure is detected,
certain, noncritical processing is terminated, and the computer or network continues to
function in a degraded mode.
Fault-tolerant - A system that continues to operate following failure of a computer or
network component.
It's good to differentiate this concept in Physical Security as well:
Fail-safe
• Door defaults to being unlocked
• Dictated by fire codes
Fail-secure
• Door defaults to being locked
Reference(s) used for this question:
SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000.
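As an added illustration of the failure modes defined above (not code from any of the cited books), here is a constructed toy packet filter whose rule engine can be made to fail, so that fail closed (fail safe / fail secure), fail open, fail soft and failover can be compared on the same traffic. The rule sets, addresses and the FailureMode names are made up for this example.

```python
"""Toy reference monitor showing how each failure mode handles the same packet
when the policy engine itself breaks. Constructed example; rules and addresses
are sample data, not from any cited source."""
from dataclasses import dataclass
from enum import Enum


class FailureMode(Enum):
    FAIL_CLOSED = "fail_closed"  # fail safe / fail secure: deny all traffic
    FAIL_OPEN = "fail_open"      # permit all traffic (insecure, availability first)
    FAIL_SOFT = "fail_soft"      # drop non-essential rules, keep the core working
    FAILOVER = "failover"        # hand evaluation to a hot standby engine


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int


class PolicyError(Exception):
    """The 'hardware or software failure' from the definitions: the engine breaks."""


# Constructed allow rules keyed by (destination, port).
ESSENTIAL_RULES = {("10.0.0.5", 443)}    # core service that must keep working
OPTIONAL_RULES = {("10.0.0.7", 8080)}    # non-essential service


def primary_engine(pkt: Packet, rules: set, broken: bool) -> bool:
    """Normal rule lookup; raises PolicyError to simulate a corrupted rule table."""
    if broken:
        raise PolicyError("rule table corrupted")
    return (pkt.dst, pkt.port) in rules


def backup_engine(pkt: Packet) -> bool:
    """Hot standby mirroring the full primary rule set (the failover target)."""
    return (pkt.dst, pkt.port) in (ESSENTIAL_RULES | OPTIONAL_RULES)


def decide(pkt: Packet, mode: FailureMode, broken: bool = False) -> bool:
    """Return True if the packet is permitted, applying `mode` only when the engine fails."""
    try:
        return primary_engine(pkt, ESSENTIAL_RULES | OPTIONAL_RULES, broken)
    except PolicyError:
        if mode is FailureMode.FAIL_CLOSED:
            return False                       # secure state: nothing flows
        if mode is FailureMode.FAIL_OPEN:
            return True                        # everything flows, control is gone
        if mode is FailureMode.FAIL_SOFT:
            # Degraded mode: only the essential rules are still honoured.
            return (pkt.dst, pkt.port) in ESSENTIAL_RULES
        return backup_engine(pkt)              # FAILOVER: standby takes over


def failure_matrix(pkt: Packet) -> dict:
    """Decision for one packet under every mode while the primary engine is broken."""
    return {mode.value: decide(pkt, mode, broken=True) for mode in FailureMode}


if __name__ == "__main__":
    for p in (Packet("192.0.2.1", "10.0.0.5", 443),
              Packet("192.0.2.1", "10.0.0.7", 8080),
              Packet("192.0.2.1", "203.0.113.9", 23)):
        print(p.dst, p.port, failure_matrix(p))
```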
It is a violation of the "separation of duties" principle when which of the following individuals
accesses the software on systems implementing security?
A.
security administrator
B.
security analyst
C.
systems auditor
D.
systems programmer
systems programmer
Reason: The security administrator, security analyst, and the systems auditor
need access to portions of the security systems to accomplish their jobs. The systems
programmer does not need access to the working (AKA: production) security systems.
Programmers should not be allowed to have ongoing direct access to computers running
production systems (systems used by the organization to operate its business). To
maintain system integrity, any changes they make to production systems should be tracked
by the organization's change management control system.
Because the security administrator’s job is to perform security functions, the performance
of non-security tasks must be strictly limited. This separation of duties reduces the
likelihood of loss that results from users abusing their authority by taking actions outside of
their assigned functional responsibilities.
References:
OFFICIAL (ISC)2 GUIDE TO THE CISSP EXAM (2003), Hansche, S., Berti, J., Hare,
H., Auerbach Publication, FL, Chapter 5 - Operations Security, section 5.3, "Security
Technology and Tools," Personnel section (page 32).
KRUTZ, R. & VINES, R. The CISSP Prep Guide: Gold Edition (2003), Wiley Publishing
Inc., Chapter 6: Operations Security, Separations of Duties (page 303).
Which of the following is a CHARACTERISTIC of a decision support system (DSS) in
regards to Threats and Risks Analysis?
A.
DSS is aimed at solving highly structured problems.
B.
DSS emphasizes flexibility in the decision making approach of users.
C.
DSS supports only structured decision-making tasks.
D.
DSS combines the use of models with non-traditional data access and retrieval
functions.
DSS emphasizes flexibility in the decision making approach of users.
DSS emphasizes flexibility in the decision-making approach of users. It is
aimed at solving less structured problems, combines the use of models and analytic
techniques with traditional data access and retrieval functions and supports semi-structured
decision-making tasks.
DSS is sometimes referred to as the Delphi Method or Delphi Technique:
The Delphi technique is a group decision method used to ensure that each member gives
an honest opinion of what he or she thinks the result of a particular threat will be. This
avoids a group of individuals feeling pressured to go along with others' thought processes
and enables them to participate in an independent and anonymous way. Each member of
the group provides his or her opinion of a certain threat and turns it in to the team that is
performing the analysis. The results are compiled and distributed to the group members,
who then write down their comments anonymously and return them to the analysis group.
The comments are compiled and redistributed for more comments until a consensus is
formed. This method is used to obtain an agreement on cost, loss values, and probabilities
of occurrence without individuals having to agree verbally.
Here is the ISC2 book coverage of the subject:
One of the methods that uses consensus relative to valuation of information is the
consensus/modified Delphi method. Participants in the valuation exercise are asked to
comment anonymously on the task being discussed. This information is collected and
disseminated to a participant other than the original author. This participant comments
upon the observations of the original author. The information gathered is discussed in a
public forum and the best course is agreed upon by the group (consensus).
EXAM TIP:
The DSS is what some of the books are referring to as the Delphi Method or Delphi
Technique. Be familiar with both terms for the purpose of the exam.
The other answers are incorrect:
'DSS is aimed at solving highly structured problems' is incorrect because it is aimed at
solving less structured problems.
'DSS supports only structured decision-making tasks' is also incorrect as it supports
semi-structured decision-making tasks.
'DSS combines the use of models with non-traditional data access and retrieval functions'
is also incorrect as it combines the use of models and analytic techniques with traditional
data access and retrieval functions.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 91). McGraw-Hill.
Kindle Edition.
and
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations
1424-1426). Auerbach Publications. Kindle Edition
Which of the following is an unintended communication path that is NOT protected by the
system's normal security mechanisms?
A.
A trusted path
B.
A protection domain
C.
A covert channel
D.
A maintenance hook
A covert channel
A covert channel is an unintended communication path within a system,
therefore it is not protected by the system's normal security mechanisms. Covert channels
are a secret way to convey information.
Covert channels are addressed from TCSEC level B2.
The following are incorrect answers:
A trusted path is the protected channel that allows a user to access the Trusted Computing
Base (TCB) without being compromised by other processes or users.
A protection domain consists of the execution and memory space assigned to each
process.
A maintenance hook is a hardware or software mechanism that was installed to permit
system maintenance and to bypass the system's security protections.
Reference used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 6: Operations Security
(page 219).