SSCP Practice Test Questions

1048 Questions


Topic 2: Security Operations and Administration

Who can best decide what the adequate technical security controls are in a computer-based
application system with regard to the protection of the data being used, the criticality
of the data, and its sensitivity level?


A.

 System Auditor


B.

Data or Information Owner


C.

 System Manager


D.

Data or Information user





B.
  

Data or Information Owner



The data or information owner, also referred to as the "Data Owner", is the best person.
That is the individual or officer who is ultimately responsible for the protection of the
information and who can therefore decide what the adequate security controls are
according to the data's sensitivity and criticality.
The auditor would be the best person to determine the adequacy of those controls and
whether or not they are working as the owner expects. The function of the auditor is to come
around periodically and make sure you are doing what you are supposed to be doing. They
ensure the correct controls are in place and are being maintained securely. The goal of the
auditor is to make sure the organization complies with its own policies and with the
applicable laws and regulations.
Organizations can have internal auditors and/or external auditors. External auditors
commonly work on behalf of a regulatory body to make sure compliance is being met.
COBIT, for example, is a framework that many information security auditors follow when
evaluating a security program. While many security professionals fear and dread auditors,
they can be valuable in ensuring the overall security of the organization. Their goal is
to find the things you have missed and help you understand how to fix the problem.
The Official ISC2 Guide (OIG) says:
IT auditors determine whether users, owners, custodians, systems, and networks are in
compliance with the security policies, procedures, standards, baselines, designs,
architectures, management direction, and other requirements placed on systems. The
auditors provide independent assurance to management on the appropriateness of the
security controls. The auditor examines the information systems and determines whether
they are designed, configured, implemented, operated, and managed in a way that ensures
the organizational objectives are being achieved. The auditors provide top company
management with an independent view of the controls and their effectiveness.
Example:
Bob is the head of payroll. He is therefore the individual with primary responsibility over the
payroll database, and is therefore the information/data owner of the payroll database. In
Bob's department, he has Sally and Richard working for him. Sally is responsible for
making changes to the payroll database, for example if someone is hired or gets a raise.
Richard is only responsible for printing paychecks. Given those roles, Sally requires both
read and write access to the payroll database, but Richard requires only read access to it.
Bob communicates these requirements to the system administrators (the "information/data
custodians") and they set the file permissions for Sally's and Richard's user accounts so
that Sally has read/write access, while Richard has only read access.
In short, Bob determines what controls are required and what the sensitivity and
criticality of the data are. Bob communicates this to the custodians, who implement the
requirements on the systems/DB. The auditor assesses whether the controls are in fact
providing the level of security the Data Owner expects within the systems/DB. The auditor
does not determine the sensitivity or the criticality of the data.
The other answers are not correct because:
A "system auditor" is never responsible for anything but auditing. The auditor does not
make control decisions, but would be the best person to determine the adequacy of
controls and then make recommendations.
A "system manager" is really just another name for a system administrator, which is
actually an information custodian as explained above.
A "Data or information user" is responsible for applying security controls on a day-to-day
basis as they use the information, but not for determining what the controls should
be or whether they are adequate.
References:
Official ISC2 Guide to the CISSP CBK, Third Edition, Page 477
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition:
Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations
294-298). Auerbach Publications. Kindle Edition.
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations
3108-3114).
Information Security Glossary
Responsibility for use of information resources

What is the goal of the Maintenance phase in a common development process of a security
policy?


A.

to review the document on the specified review date


B.

publication within the organization


C.

 to write a proposal to management that states the objectives of the policy


D.

 to present the document to an approving body





A.
  

to review the document on the specified review date



"Publication within the organization" is the goal of the Publication Phase.
"Write a proposal to management that states the objectives of the policy" is part of the
Initial and Evaluation Phase.
"Present the document to an approving body" is part of the Approval Phase.
Reference: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management
Handbook, 4th Edition, Volume 3, 2002, Auerbach Publications.
Also: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 8: Business Continuity
Planning and Disaster Recovery Planning (page 286).

One purpose of a security awareness program is to modify:


A.

employee's attitudes and behaviors towards enterprise's security posture


B.

management's approach towards enterprise's security posture


C.

attitudes of employees with sensitive data


D.

corporate attitudes about safeguarding data





A.
  

employee's attitudes and behaviors towards enterprise's security posture



The Answer: security awareness training is meant to modify employees' behavior and
attitude towards the enterprise's security posture.
Security-awareness training is performed to modify employees' behavior and attitude
toward security. This is best achieved through a formalized process of security-awareness
training.
It is used to increase the overall awareness of security throughout the company. It is
targeted at every single employee and not only at one group of users.
Unfortunately you cannot apply a patch to a human being; the only thing you can do is
educate employees and make them more aware of security issues and threats. Never
underestimate human error.
Reference(s) used for this question:
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation. Also see:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 130). McGraw-
Hill. Kindle Edition.

A security evaluation report and an accreditation statement are produced in which of the
following phases of the system development life cycle?


A.

 project initiation and planning phase


B.

 system design specification phase


C.

development & documentation phase


D.

acceptance phase





D.
  

acceptance phase



The Answer: "acceptance phase". Note the question asks about an
"evaluation report" - which details how the system evaluated, and an "accreditation
statement" which describes the level the system is allowed to operate at. Because those
two activities are a part of testing and testing is a part of the acceptance phase, the only
answer above that can be correct is "acceptance phase".
The other answers are not correct because:
The "project initiation and planning phase" is just the idea phase. Nothing has been
developed yet to be evaluated, tested, accredited, etc.
The "system design specification phase" is essentially where the initiation and planning
phase is fleshed out. For example, in the initiation and planning phase, we might decide we
want the system to have authentication. In the design specification phase, we decide that
that authentication will be accomplished via username/password. But there is still nothing
actually developed at this point to evaluate or accredit.
The "development & documentation phase" is where the system is created and
documented. Part of the documentation includes specific evaluation and accreditation
criteria. That is the criteria that will be used to evaluate and accredit the system during the
"acceptance phase".
In other words, you cannot evaluate or accredit a system that has not been created yet. Of
the four answers listed, only the acceptance phase is dealing with an existing system. The
others deal with planning and creating the system, but the actual system isn't there yet.
Reference:
Official ISC2 Guide Page: 558 - 559
All in One Third Edition page: 832 - 833 (recommended reading)

What is defined as the hardware, firmware and software elements of a trusted computing
base that implement the reference monitor concept?


A.

The reference monitor


B.

Protection rings


C.

A security kernel


D.

A protection domain





C.
  

A security kernel



A security kernel is defined as the hardware, firmware and software elements
of a trusted computing base that implement the reference monitor concept. A reference
monitor is a system component that enforces access controls on an object. A protection
domain consists of the execution and memory space assigned to each process. The use of
protection rings is a scheme that supports multiple protection domains.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security
Architecture and Models (page 194).

Which of the following describes a logical form of separation used by secure computing
systems?


A.

Processes use different levels of security for input and output devices.


B.

Processes are constrained so that each cannot access objects outside its permitted
domain.


C.

Processes conceal data and computations to inhibit access by outside processes.


D.

Processes are granted access based on granularity of controlled objects.





B.
  

Processes are constrained so that each cannot access objects outside its permitted
domain.



Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
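The two previous questions describe the reference monitor concept (the security kernel as its implementation) and logical separation by protection domain. The following Python sketch is an added example, not code from the page or from any named product: a toy reference monitor in which objects exist only inside the monitor, every access passes through one mediation point, decisions are audited, and each process is confined to a protection domain. It reuses the payroll scenario from the first question (Sally's domain may read and write, Richard's may only read); the domain names, process IDs and object contents are constructed.

```python
"""Added example, not from the page or any named product: a toy reference
monitor that enforces protection domains.  Objects live only inside the
monitor, so the sole way for a process to touch one is access(), which is
the complete-mediation property.  Domain and object names are constructed."""
from dataclasses import dataclass


class AccessDenied(PermissionError):
    """Raised on every mediated access the policy does not permit."""


@dataclass(frozen=True)
class Domain:
    """A protection domain: the (object, operation) pairs a process may use.
    frozen=True keeps a process from editing its own rights (tamper-proof)."""
    name: str
    rights: frozenset


class ReferenceMonitor:
    def __init__(self, objects, domains):
        # Private copies: nothing outside the monitor holds a reference.
        self._objects = {name: bytearray(data) for name, data in objects.items()}
        self._domains = {d.name: d for d in domains}
        self._bindings = {}   # pid -> domain name
        self.audit = []       # (pid, domain, object, op, decision)

    def bind(self, pid, domain_name):
        """Assign a process to exactly one protection domain."""
        if domain_name not in self._domains:
            raise KeyError(f"unknown domain {domain_name!r}")
        self._bindings[pid] = domain_name

    def access(self, pid, obj, op, data=None):
        """The single choke point: decide, record, then (maybe) perform."""
        domain_name = self._bindings.get(pid)
        domain = self._domains.get(domain_name)
        allowed = (domain is not None
                   and obj in self._objects
                   and (obj, op) in domain.rights)
        self.audit.append((pid, domain_name, obj, op, "ALLOW" if allowed else "DENY"))
        if not allowed:          # fail closed, including for unbound processes
            raise AccessDenied(f"pid {pid} ({domain_name}): {op} on {obj}")
        if op == "read":
            return bytes(self._objects[obj])   # copy out, never the live object
        if op == "write":
            self._objects[obj][:] = data
            return len(data)
        raise ValueError(f"unsupported operation {op!r}")


def build_demo():
    """Bob's payroll example from the earlier question: Sally's domain may read
    and write payroll.db, Richard's may only read it; neither sees hr.db."""
    monitor = ReferenceMonitor(
        objects={"payroll.db": b"alice:5000", "hr.db": b"alice:performance=A"},
        domains=[
            Domain("payroll_clerk", frozenset({("payroll.db", "read"),
                                               ("payroll.db", "write")})),
            Domain("check_printer", frozenset({("payroll.db", "read")})),
        ],
    )
    monitor.bind(1, "payroll_clerk")   # Sally's process
    monitor.bind(2, "check_printer")   # Richard's process
    return monitor
```

The three properties the reference monitor concept asks for map onto concrete choices here: complete mediation (objects are private to the monitor and only copies leave it), tamper-proofness (frozen domains, bindings held by the monitor), and verifiability (the whole policy decision is the one boolean in access(), and every decision lands in the audit list). A real security kernel has to provide the same three with hardware help, since a Python object cannot stop a determined caller in the same process.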

What would BEST define a covert channel?


A.

An undocumented backdoor that has been left by a programmer in an operating system


B.

An open system port that should be closed.


C.

A communication channel that allows transfer of information in a manner that violates
the system's security policy.


D.

A trojan horse.





C.
  

A communication channel that allows transfer of information in a manner that violates
the system's security policy.



The Answer: A communication channel that allows transfer of information in
a manner that violates the system's security policy.
A covert channel is a way for an entity to receive information in an unauthorized manner. It
is an information flow that is not controlled by a security mechanism. This type of
information path was not developed for communication; thus, the system does not properly
protect this path, because the developers never envisioned information being passed in
this way.
Receiving information in this manner clearly violates the system's security policy. The
channel used to transfer this unauthorized data is the result of one of the following conditions:
• Oversight in the development of the product
• Improper implementation of access controls
• Existence of a shared resource between the two entities
• Installation of a Trojan horse
The following answers are incorrect:
An undocumented backdoor that has been left by a programmer in an operating system is
incorrect because it is not in itself a means by which unauthorized transfer of information
takes place. Such a backdoor is usually referred to as a Maintenance Hook.
An open system port that should be closed is incorrect because it does not define a covert
channel.
A Trojan horse is incorrect because it is a program that looks like a useful program but
also carries a hidden payload such as a worm, backdoor, or other malware, without the
person installing it knowing. A Trojan can be the cause of a covert channel (see the list
above), but it is not the channel itself.
Reference(s) used for this question:
Shon Harris AIO v3 , Chapter-5 : Security Models & Architecture
AIOv4 Security Architecture and Design (pages 343 - 344)
AIOv5 Security Architecture and Design (pages 345 - 346)

What is the main purpose of Corporate Security Policy?


A.

 To transfer the responsibility for the information security to all users of the organization


B.

To communicate management's intentions in regards to information security


C.

To provide detailed steps for performing specific actions


D.

To provide a common framework for all development activities





B.
  

To communicate management's intentions in regards to information security



A Corporate Security Policy is a high level document that states management's
intentions in regard to Information Security within the organization. It is high
level in purpose; it does not give you details about specific products to be used,
specific steps, etc.
The organization's requirements for access control should be defined and documented in
its security policies. Access rules and rights for each user or group of users should be
clearly stated in an access policy statement. The access control policy should minimally
consider:
- Statements of general security principles and their applicability to the organization
- Security requirements of individual enterprise applications, systems, and services
- Consistency between the access control and information classification policies of different
systems and networks
- Contractual obligations or regulatory compliance regarding protection of assets
- Standards defining user access profiles for organizational roles
- Details regarding the management of the access control system
As a Certified Information Systems Security Professional (CISSP) you would be involved
directly in the drafting and coordination of security policies, standards and supporting
guidelines, procedures, and baselines.
Guidance provided by the CISSP on technical security issues and emerging threats is
considered for the adoption of new policies. Activities such as interpretation of government
regulations and industry trends, and analysis of vendor solutions to include in the security
architecture that advances the security of the organization, are performed by the CISSP as well.
The following are incorrect answers:
To transfer the responsibility for the information security to all users of the organization is
bogus. You CANNOT transfer responsibility, you can only delegate authority. Responsibility
ultimately sits with upper management. The keywords ALL and USERS are also an indication
that it is the wrong choice.
To provide detailed steps for performing specific actions is also a bogus distractor. A step-
by-step document is referred to as a procedure. It details how to accomplish a specific task.
To provide a common framework for all development activities is also an invalid choice.
Security Policies are not restricted to development activities.
References used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 1551-1565). Auerbach Publications. Kindle
Edition.
and Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 9109-9112). Auerbach Publications. Kindle Edition.

Which of the following can be used as a covert channel?


A.

Storage and timing.


B.

Storage and low bits.


C.

Storage and permissions.


D.

Storage and classification





A.
  

Storage and timing.



The Orange Book requires protection against two types of covert channels:
timing channels and storage channels. A storage channel works through a shared
resource whose attribute one process can set and another can observe; a timing channel
works through the time it takes an observable event to occur.
The following answers are incorrect:
Storage and low bits is incorrect because low bits are not a recognized covert channel type.
Storage and permissions is incorrect because permissions are not a covert channel type.
Storage and classification is incorrect because classification is not a covert channel type.

Which of the following is a set of data processing elements that increases the performance
in a computer by overlapping the steps of different instructions?


A.

 pipelining


B.

complex-instruction-set-computer (CISC)


C.

reduced-instruction-set-computer (RISC)


D.

multitasking





A.
  

 pipelining



Pipelining is a natural concept in everyday life, e.g. on an assembly line.
Consider the assembly of a car: assume that certain steps in the assembly line are to
install the engine, install the hood, and install the wheels (in that order, with arbitrary
interstitial steps). A car on the assembly line can have only one of the three steps done at
once. After the car has its engine installed, it moves on to having its hood installed, leaving
the engine installation facilities available for the next car. The first car then moves on to
wheel installation, the second car to hood installation, and a third car begins to have its
engine installed. If engine installation takes 20 minutes, hood installation takes 5 minutes,
and wheel installation takes 10 minutes, then finishing all three cars when only one car can
be assembled at once would take 105 minutes. On the other hand, using the assembly line,
the total time to complete all three is 75 minutes. At this point, additional cars will come off
the assembly line at 20 minute increments.
In computing, a pipeline is a set of data processing elements connected in series, so that
the output of one element is the input of the next one. The elements of a pipeline are often
executed in parallel or in time-sliced fashion; in that case, some amount of buffer storage is
often inserted between elements. Pipelining is used in processors to allow overlapping
execution of multiple instructions within the same circuitry. The circuitry is usually divided
into stages, including instruction decoding, arithmetic, and register fetching stages, wherein
each stage processes one instruction at a time.
The following were not correct answers:
CISC: is a CPU design where single instructions execute several low-level operations
(such as a load from memory, an arithmetic operation, and a memory store) within a single
instruction.
RISC: is a CPU design based on simplified instructions that can provide higher
performance as the simplicity enables much faster execution of each instruction.
Multitasking: is a method where multiple tasks share common processing resources, such
as a CPU, through a method of fast scheduling that gives the appearance of parallelism,
but in reality only one task is being performed at any one time.
Reference:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, pages 188-189.
Also see http://en.wikipedia.org/wiki/Pipeline_(computing)
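The car numbers above (105 minutes sequential, 75 minutes pipelined, then one car every 20 minutes) come from a simple scheduling rule. The following Python code is an added example, not from the page or its references: it computes the finish time of every item at every stage for a fixed-order pipeline, reproduces those figures, and generalises them to any stage times and item counts (for instance a three-stage fetch/decode/execute CPU pipeline with unit-time stages). The only inputs taken from the text are the three stage durations.

```python
"""Added example, not from the page: a small scheduler for a fixed-order
pipeline that reproduces the car-assembly numbers above and generalises
them to any stage times and item counts.  Stage times are the page's own
(engine 20, hood 5, wheels 10 minutes); nothing else is assumed."""


def sequential_makespan(stage_times, n_items):
    """No overlap: every item goes through all stages before the next starts."""
    return n_items * sum(stage_times)


def pipelined_schedule(stage_times, n_items):
    """finish[i][s] is the time item i leaves stage s.

    Item i can enter stage s once it has left stage s-1 and item i-1 has
    left stage s (each stage works on one item at a time).  Items may wait
    between stages, which models the buffer storage the text mentions."""
    finish = []
    for i in range(n_items):
        row = []
        for s, duration in enumerate(stage_times):
            ready = row[s - 1] if s else 0          # item i done with previous stage
            free = finish[i - 1][s] if i else 0     # stage s done with previous item
            row.append(max(ready, free) + duration)
        finish.append(row)
    return finish


def pipelined_makespan(stage_times, n_items):
    """Time at which the last item leaves the last stage."""
    return pipelined_schedule(stage_times, n_items)[-1][-1]


def steady_state_interval(stage_times):
    """Once the pipeline is full, one item completes every max(stage) units:
    the slowest stage is the bottleneck, which is why stages are balanced."""
    return max(stage_times)


def speedup(stage_times, n_items):
    """Sequential time divided by pipelined time for n_items."""
    return sequential_makespan(stage_times, n_items) / pipelined_makespan(stage_times, n_items)


CAR_STAGES = [20, 5, 10]   # engine, hood, wheels (minutes), from the text

if __name__ == "__main__":
    for n in (1, 3, 10):
        print(n, "cars: sequential", sequential_makespan(CAR_STAGES, n),
              "pipelined", pipelined_makespan(CAR_STAGES, n))
```

With balanced unit-time stages the pipelined makespan for n items through k stages is n + k - 1, and the speedup approaches k as n grows; the car example shows how an unbalanced stage (engine, 20 minutes) caps throughput at the slowest stage regardless of how short the others are.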

The Orange Book states that "Hardware and software features shall be provided that can
be used to periodically validate the correct operation of the on-site hardware and firmware
elements of the TCB [Trusted Computing Base]." This statement is the formal requirement
for:


A.

Security Testing.


B.

Design Verification.


C.

System Integrity.


D.

System Architecture Specification





C.
  

System Integrity.



This is a requirement starting as low as class C1 within the TCSEC ratings.
The Orange Book requires the following for System Integrity: "Hardware and/or software
features shall be provided that can be used to periodically validate the correct operation of
the on-site hardware and firmware elements of the TCB."
NOTE FROM CLEMENT:
This is a question that confuses a lot of people because most people take for granted that
the Orange Book, with its associated Bell-LaPadula model, has nothing to do with integrity.
However, you have to be careful about the context in which the word integrity is being used.
You can have Data Integrity and you can have System Integrity, which are two completely
different things.
Yes, the Orange Book does not specifically address the Integrity requirements; however, it
has to run on top of systems that must meet some integrity requirements.
This is part of what they call operational assurance, which is defined as a level of
confidence that a trusted system's architecture and implementation enforce the
system's security policy. It includes:
System architecture
Covert channel analysis
System integrity
Trusted recovery
DATA INTEGRITY
Data Integrity is very different from System Integrity. When you have integrity of the data,
there are three goals:
1. Prevent authorized users from making unauthorized modifications
2. Prevent unauthorized users from making modifications
3. Maintain internal and external consistency of the data
Bell-LaPadula, which is based on the Orange Book, does not address Integrity; it
addresses only Confidentiality.
Biba addresses only the first goal of integrity.
Clark-Wilson addresses all three goals of integrity.
In the case of this question, there is a system integrity requirement within the TCB. As
mentioned above, here is an extract of the requirements: Hardware and/or software
features shall be provided that can be used to periodically validate the correct operation of
the on-site hardware and firmware elements of the TCB.
The following answers are incorrect:
Security Testing is incorrect. The Orange Book does have Security Testing requirements
(under Life-Cycle Assurance), but they concern testing that the security mechanisms work
as claimed in the system documentation, not periodically validating the on-site hardware
and firmware elements of the TCB.
Design Verification is incorrect because the Orange Book's Design Verification requirements
concern the formal model of the security policy: the model must be clearly identified and
documented, including a mathematical proof that it is consistent with its axioms and is
sufficient to support the security policy.
System Architecture Specification is incorrect because the Orange Book has no requirement
by that name; its System Architecture requirement concerns the TCB maintaining a domain
for its own execution that protects it from external interference or tampering, not periodic
validation.
The following reference(s) were used for this question:
Trusted Computer System Evaluation Criteria (TCSEC), DoD 5200.28-STD, pages 15, 18,
25, 31, 40, 50.
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Security
Architecture and Design, Pages 392-397; for users with the Kindle version see Kindle
Locations 28504-28505.
and
DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm
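The System Integrity requirement quoted above asks for a feature that periodically validates the correct operation of the TCB. The following Python code is an added example, not from the page or from the TCSEC text, of what that looks like in software: known-answer tests on the hash and MAC primitives the TCB relies on (the same idea as the power-on self-tests in FIPS 140 modules), followed by a check of the TCB's own files against a previously recorded manifest. If the primitives fail their self-test the file check is not trusted at all, since it depends on them. The manifest format, the component file names and their contents are constructed for the example; the known-answer vectors are the published SHA-256 examples ("abc" and the empty string) and RFC 4231 test case 1 for HMAC-SHA-256.

```python
"""Added example, not from the page: a periodic TCB self-check in the spirit
of the Orange Book's System Integrity requirement.  Known-answer tests on
the primitives first; only then a manifest check of the TCB's own files.
The manifest format and the sample component files are constructed."""
import hashlib
import hmac
import os
import tempfile

# Known-answer vectors: published SHA-256 examples and RFC 4231 test case 1.
KATS = [
    ("sha256-abc",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("sha256-empty",
     lambda: hashlib.sha256(b"").hexdigest(),
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("hmac-sha256-rfc4231-1",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_kats():
    """Exercise each primitive against a vector it must reproduce exactly."""
    return {name: fn() == expected for name, fn, expected in KATS}


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, paths):
    """Record the digest of each TCB component at installation time."""
    return {p: file_digest(os.path.join(root, p)) for p in paths}


def verify_manifest(root, manifest):
    """Return {path: 'ok' | 'modified' | 'missing'} for every recorded file."""
    result = {}
    for p, expected in manifest.items():
        full = os.path.join(root, p)
        if not os.path.exists(full):
            result[p] = "missing"
        else:
            same = hmac.compare_digest(file_digest(full), expected)
            result[p] = "ok" if same else "modified"
    return result


def tcb_self_test(root, manifest):
    """The periodic check: primitives first, then the components built on them."""
    kats = run_kats()
    if not all(kats.values()):
        # A file check done with a broken hash proves nothing; fail closed.
        return {"kats": kats, "files": None, "healthy": False}
    files = verify_manifest(root, manifest)
    return {"kats": kats, "files": files,
            "healthy": all(v == "ok" for v in files.values())}


def demo():
    """Constructed TCB tree: run the check, tamper with one binary, run again."""
    root = tempfile.mkdtemp()
    components = {"bin/login": b"login-binary-v1", "etc/policy.conf": b"audit=on\n"}
    for name, content in components.items():
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    manifest = build_manifest(root, components)
    before = tcb_self_test(root, manifest)
    with open(os.path.join(root, "bin/login"), "ab") as f:
        f.write(b"\x90")                       # simulated tampering
    after = tcb_self_test(root, manifest)
    return before, after
```

In a real TCB the manifest would itself be protected (signed, or stored in hardware such as a TPM's platform configuration registers) so that an attacker who can change a binary cannot also change the expected digest, and the check would cover firmware and hardware self-tests that this software-only sketch cannot reach.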

Which of the following is responsible for MOST of the security issues?


A.

Outside espionage


B.

Hackers


C.

Personnel


D.

Equipment failure





C.
  

Personnel



Personnel cause more security issues than hacker attacks, outside
espionage, or equipment failure.
The following answers are incorrect because:
Outside espionage is incorrect as it is not the best answer.
Hackers is also incorrect as it is not the best answer.
Equipment failure is also incorrect as it is not the best answer.
Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, Page 56

