Topic 2. Security Operation Administration
The information security staff's participation in which of the following system development
life cycle phases provides maximum benefit to the organization?
A. project initiation and planning phase
B. system design specifications phase
C. development and documentation phase
D. in parallel with every phase throughout the project
Answer: in parallel with every phase throughout the project
The other answers are not correct because:
You are always looking for the "best" answer. While each of the answers listed here could be considered correct, in that each of them requires input from the security staff, the best answer is for that input to happen at all phases of the project.
Reference:
Official ISC2 Guide page: 556
All in One Third Edition page: 832 - 833
Which of the following is used in database information security to hide information?
A. Inheritance
B. Polyinstantiation
C. Polymorphism
D. Delegation
Answer: Polyinstantiation
Polyinstantiation enables a relation to contain multiple tuples with the same primary key, with each instance distinguished by a security level. When this information is inserted into a database, lower-level subjects need to be restricted from this information. Instead of just restricting access, another set of data is created to fool the lower-level subjects into thinking that the information actually means something else.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 11: Application and System Development (page 727).
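As an added illustration (not from Harris or the exam source), a toy multilevel-secure relation in Python: the real key is (primary key, level), a lower-level insert of a key that already exists at a higher level succeeds instead of revealing that the row exists, and each subject's query returns the most sensitive instance it is cleared for. The level names and sample rows are constructed.

```python
"""Toy multilevel-secure (MLS) relation showing polyinstantiation.

Added example for this study page, not from the cited Harris text;
the level lattice and the sample rows are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Constructed linear ordering of security levels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}


@dataclass(frozen=True)
class Row:
    key: str      # apparent primary key (e.g. a ship name)
    level: str    # classification of this instance of the row
    attrs: dict   # non-key attributes


class MLSRelation:
    """Relation whose real key is (key, level): one instance per level."""

    def __init__(self) -> None:
        self._rows: dict[tuple[str, str], Row] = {}

    def insert(self, subject_level: str, key: str, attrs: dict) -> Row:
        # A subject writes only at its own level (it cannot rewrite higher data).
        if (key, subject_level) in self._rows:
            # Same key at the same level is a genuine duplicate-key violation.
            raise KeyError(f"{key!r} already exists at {subject_level}")
        # A key that exists only at a HIGHER level is silently polyinstantiated:
        # rejecting the insert would reveal to the low subject that a
        # higher-classified row exists (an inference channel).
        row = Row(key, subject_level, dict(attrs))
        self._rows[(key, subject_level)] = row
        return row

    def select(self, subject_level: str, key: str) -> Optional[Row]:
        """Return the most sensitive instance the subject is cleared to see."""
        clearance = LEVELS[subject_level]
        visible = [r for (k, lvl), r in self._rows.items()
                   if k == key and LEVELS[lvl] <= clearance]
        return max(visible, key=lambda r: LEVELS[r.level]) if visible else None


def demo() -> tuple[str, str]:
    """Low and high subjects query the same key and get different stories."""
    rel = MLSRelation()
    rel.insert("TOP_SECRET", "USS Example", {"destination": "Undisclosed Harbor"})
    # The low subject's insert of the same key succeeds instead of erroring.
    rel.insert("UNCLASSIFIED", "USS Example", {"destination": "Training cruise"})
    low = rel.select("UNCLASSIFIED", "USS Example").attrs["destination"]
    high = rel.select("TOP_SECRET", "USS Example").attrs["destination"]
    return low, high  # ("Training cruise", "Undisclosed Harbor")
```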
Which one of the following assertions is NOT a characteristic of Internet Protocol Security (IPsec)?
A. Data cannot be read by unauthorized parties
B. The identity of all IPsec endpoints are confirmed by other endpoints
C. Data is delivered in the exact order in which it is sent
D. The number of packets being exchanged can be counted.
Answer: Data is delivered in the exact order in which it is sent
IPsec provides replay protection that ensures data is not delivered multiple times; however, IPsec does not ensure that data is delivered in the exact order in which it is sent. IPsec uses TCP, and packets may be delivered out of order to the receiving side depending on which route each packet took.
Internet Protocol Security (IPsec) has emerged as the most commonly used network layer
security control for protecting communications. IPsec is a framework of open standards for
ensuring private communications over IP networks. Depending on how IPsec is
implemented and configured, it can provide any combination of the following types of
protection:
Confidentiality. IPsec can ensure that data cannot be read by unauthorized parties. This is accomplished by encrypting data using a cryptographic algorithm and a secret key, a value known only to the two parties exchanging data. The data can only be decrypted by someone who has the secret key.
Integrity. IPsec can determine if data has been changed (intentionally or unintentionally)
during transit. The integrity of data can be assured by generating a message authentication
code (MAC) value, which is a cryptographic checksum of the data. If the data is altered and
the MAC is recalculated, the old and new MACs will differ.
Peer Authentication. Each IPsec endpoint confirms the identity of the other IPsec endpoint
with which it wishes to communicate, ensuring that the network traffic and data is being sent from the expected host.
Replay Protection. The same data is not delivered multiple times, and data is not delivered
grossly out of order. However, IPsec does not ensure that data is delivered in the exact
order in which it is sent.
Traffic Analysis Protection. A person monitoring network traffic does not know which parties
are communicating, how often communications are occurring, or how much data is being
exchanged. However, the number of packets being exchanged can be counted.
Access Control. IPsec endpoints can perform filtering to ensure that only authorized IPsec
users can access particular network resources. IPsec endpoints can also allow or block
certain types of network traffic, such as allowing Web server access but denying file
sharing.
The following are incorrect answers because they are all features provided by IPSEC:
"Data cannot be read by unauthorized parties" is wrong because IPsec provides confidentiality through the Encapsulating Security Payload (ESP) protocol; once encrypted, the data cannot be read by unauthorized parties because they have access only to the ciphertext. This is accomplished by encrypting data using a cryptographic algorithm and a session key, a value known only to the two parties exchanging data. The data can only be decrypted by someone who has a copy of the session key.
"The identity of all IPsec endpoints are confirmed by other endpoints" is wrong because
IPsec provides peer authentication: Each IPsec endpoint confirms the identity of the other
IPsec endpoint with which it wishes to communicate, ensuring that the network traffic and
data is being sent from the expected host.
"The number of packets being exchanged can be counted" is wrong because, although IPsec provides traffic analysis protection (a person monitoring network traffic does not know which parties are communicating, how often communications are occurring, or how much data is being exchanged), the number of packets being exchanged can still be counted.
Reference(s) used for this question:
NIST SP 800-77, Guide to IPsec VPNs, pages 2-3 to 2-4
What can best be defined as the sum of protection mechanisms inside the computer,
including hardware, firmware and software?
A. Trusted system
B. Security kernel
C. Trusted computing base
D. Security perimeter
Answer: Trusted computing base
The Trusted Computing Base (TCB) is defined as the total combination of protection mechanisms within a computer system. The TCB includes hardware, software, and firmware. These are part of the TCB because the system relies on these components to enforce the security policy and not violate it.
The security kernel is made up of the hardware, software, and firmware components that fall within the TCB; it implements and enforces the reference monitor concept.
Reference:
AIOv4 Security Models and Architecture pgs 268, 273
Which expert system operating mode allows determining if a given hypothesis is valid?
A. Blackboard
B. Lateral chaining
C. Forward chaining
D. Backward chaining
Answer: Backward chaining
Backward-chaining mode - the expert system backtracks to determine if a
given hypothesis is valid. Backward-chaining is generally used when there are a large
number of possible solutions relative to the number of inputs.
Incorrect answers are:
In a forward-chaining mode, the expert system acquires information and comes to a conclusion based on that information. Forward chaining is the reasoning approach that can be used when there is a small number of solutions relative to the number of inputs.
Blackboard is an expert system-reasoning methodology in which a solution is generated by
the use of a virtual blackboard, wherein information or potential solutions are placed on the
blackboard by a plurality of individuals or expert knowledge sources. As more information is
placed on the blackboard in an iterative process, a solution is generated.
Lateral-chaining mode - No such expert system mode.
Sources:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and
Systems Development (page 259).
KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing
Inc., 2003, Chapter 7: Expert Systems (page 354).
Which of the following is NOT a countermeasure to traffic analysis?
A. Padding messages.
B. Eavesdropping.
C. Sending noise.
D. Faraday cage.
Answer: Eavesdropping.
Eavesdropping is not a countermeasure; it is a type of attack in which the attacker collects traffic and attempts to see what is being sent between communicating entities.
The following answers are incorrect:
Padding messages is incorrect because it is considered a countermeasure: messages are padded to a uniform size, and decoy traffic can be sent out over the network to disguise patterns and make them more difficult to uncover.
Sending noise is incorrect because it is considered a countermeasure: transmitting non-informational data elements to disguise real data.
Faraday cage is incorrect because it is a tool used to prevent the emanation of electromagnetic waves. It is a very effective tool to prevent traffic analysis.
As per the Orange Book, what are two types of system assurance?
A. Operational Assurance and Architectural Assurance.
B. Design Assurance and Implementation Assurance.
C. Architectural Assurance and Implementation Assurance.
D. Operational Assurance and Life-Cycle Assurance.
Answer: Operational Assurance and Life-Cycle Assurance.
Operational Assurance and Life-Cycle Assurance are the two types of assurance mentioned in the Orange Book.
The following answers are incorrect:
Operational Assurance and Architectural Assurance is incorrect because Architectural Assurance is not a type of assurance mentioned in the Orange Book.
Design Assurance and Implementation Assurance is incorrect because neither is a type of assurance mentioned in the Orange Book.
Architectural Assurance and Implementation Assurance is incorrect because neither is a type of assurance mentioned in the Orange Book.
Making sure that only those who are supposed to access the data can access it is which of the following?
A. confidentiality.
B. capability.
C. integrity.
D. availability.
Answer: confidentiality.
From the published (ISC)2 goals for the Certified Information Systems Security Professional candidate (domain definition): confidentiality is making sure that only those who are supposed to access the data can access it.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
Which of the following refers to the data left on the media after the media has been
erased?
A. remanence
B. recovery
C. sticky bits
D. semi-hidden
Answer: remanence
The term "remanence" actually comes from electromagnetism. It originally referred to (and still does in that field of study) the magnetic flux that remains in a magnetic circuit after an applied magnetomotive force has been removed. A candidate will not see anywhere near that much detail on any similar CISSP question, but having read this, a candidate won't be likely to forget it either.
It is becoming increasingly commonplace for people to buy used computer equipment,
such as a hard drive, or router, and find information on the device left there by the previous
owner; information they thought had been deleted. This is a classic example of data
remanence: the remains of partial or even the entire data set of digital information.
Normally, this refers to the data that remain on media after they are written over or degaussed. Data remanence is most common in storage systems but can also occur in memory.
Specialized hardware devices known as degaussers can be used to erase data saved to magnetic media. The measure of the amount of energy needed to reduce the magnetic field on the media to zero is known as coercivity.
It is important to make sure that the coercivity of the degausser is of sufficient strength to
meet object reuse requirements when erasing data. If a degausser is used with insufficient
coercivity, then a remanence of the data will exist. Remanence is the measure of the
existing magnetic field on the media; it is the residue that remains after an object is
degaussed or written over.
Data is still recoverable even when the remanence is small. While data remanence exists,
there is no assurance of safe object reuse.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 4207-4210). Auerbach Publications. Kindle Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 19694-19699). Auerbach Publications. Kindle Edition.
The Reference Validation Mechanism that ensures the authorized access relationships between subjects and objects is implementing which of the following concepts?
A. The reference monitor.
B. Discretionary Access Control.
C. The Security Kernel.
D. Mandatory Access Control
Answer: The reference monitor.
The reference monitor concept is an abstract machine that ensures that all subjects have the necessary access rights before accessing objects. Therefore, the kernel mediates all accesses to objects by subjects and does so by validating them through the reference monitor concept.
The kernel does not decide whether or not the access will be granted; it is the Reference Monitor, a subset of the kernel, that says YES or NO.
All access requests are intercepted by the kernel, validated through the reference monitor, and then access is either denied or granted according to the request and the subject's privileges within the system.
1. The reference monitor must be small enough to be fully tested and validated
2. The kernel must MEDIATE all access requests from subjects to objects
3. The processes implementing the reference monitor must be protected
4. The reference monitor must be tamperproof
The following answers are incorrect:
The security kernel is the mechanism that actually enforces the rules of the reference monitor concept.
The other answers are distractors.
Shon Harris, All In One, 5th Edition, Security Architecture and Design, Page 330
also see
http://en.wikipedia.org/wiki/Reference_monitor
What can be defined as an abstract machine that mediates all access to objects by
subjects to ensure that subjects have the necessary access rights and to protect objects
from unauthorized access?
A. The Reference Monitor
B. The Security Kernel
C. The Trusted Computing Base
D. The Security Domain
Answer: The Reference Monitor
The reference monitor refers to an abstract machine that mediates all access to objects by subjects.
This question is asking for the concept that governs access by subjects to objects, thus the reference monitor is the best answer. While the security kernel is similar in nature, it is what actually enforces the concepts outlined in the reference monitor.
In operating systems architecture a reference monitor concept defines a set of design
requirements on a reference validation mechanism, which enforces an access control
policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read
and write) on objects (e.g., files and sockets) on a system. The properties of a reference
monitor are:
The reference validation mechanism must always be invoked (complete mediation). Without this property, it is possible for an attacker to bypass the mechanism and violate the security policy.
The reference validation mechanism must be tamperproof (tamperproof). Without this property, an attacker can undermine the mechanism itself so that the security policy is not correctly enforced.
The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured (verifiable). Without this property, the mechanism might be flawed in such a way that the policy is not enforced.
For example, Windows 3.x and 9x operating systems were not built with a reference
monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows
XP, was designed to contain a reference monitor, although it is not clear that its properties
(tamperproof, etc.) have ever been independently verified, or what level of computer
security it was intended to provide.
The claim is that a reference validation mechanism that satisfies the reference monitor
concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered, and has undergone
complete analysis and testing to verify correctness. The abstract model of a reference
monitor has been widely applied to any type of system that needs to enforce access
control, and is considered to express the necessary and sufficient properties for any
system making this security claim.
According to Ross Anderson, the reference monitor concept was introduced by James Anderson in an influential 1972 paper.
Systems evaluated at B3 and above by the Trusted Computer System Evaluation Criteria (TCSEC) must enforce the reference monitor concept.
The reference monitor, as defined in AIO V5 (Harris) is: "an access control concept that
refers to an abstract machine that mediates all access to objects by subjects."
The security kernel, as defined in AIO V5 (Harris) is: "the hardware, firmware, and software elements of a trusted computing base (TCB) that implement the reference monitor concept. The kernel must mediate all access between subjects and objects, be protected from modification, and be verifiable as correct."
The trusted computing base (TCB), as defined in AIO V5 (Harris) is: "all of the protection mechanisms within a computer system (software, hardware, and firmware) that are responsible for enforcing a security policy."
The security domain "builds upon the definition of domain (a set of resources available to a subject) by adding the fact that resources within this logical structure (domain) are working under the same security policy and managed by the same group."
The following answers are incorrect:
"The security kernel" is incorrect. One of the places a reference monitor could be
implemented is in the security kernel but this is not the best answer.
"The trusted computing base" is incorrect. The reference monitor is an important concept in
the TCB but this is not the best answer.
"The security domain" is incorrect. The reference monitor is an important concept in the security domain but this is not the best answer.
Reference(s) used for this question:
Official ISC2 Guide to the CBK, page 324
AIO Version 3, pp. 272 - 274
AIOv4 Security Architecture and Design (pages 327 - 328)
AIOv5 Security Architecture and Design (pages 330 - 331)
Wikipedia article at https://en.wikipedia.org/wiki/Reference_monitor
An area of the Telecommunications and Network Security domain that directly affects the
Information Systems Security tenet of Availability can be defined as:
A. Netware availability
B. Network availability
C. Network acceptability
D. Network accountability
Answer: Network availability
Network availability can be defined as an area of the Telecommunications
and Network Security domain that directly affects the Information Systems Security tenet of
Availability.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 64.