Topic 2. Security Operation Administration
Which of the following would best describe the difference between white-box testing and
black-box testing?
A.
White-box testing is performed by an independent programmer team.
B.
Black-box testing uses the bottom-up approach.
C.
White-box testing examines the program internal logical structure.
D.
Black-box testing involves the business units
White-box testing examines the program internal logical structure.
Black-box testing observes the system's external behavior, while white-box
testing is a detailed examination of a logical path, checking the possible conditions.
Source: Information Systems Audit and Control Association, Certified Information Systems
Auditor 2002 review manual, chapter 6: Business Application System Development,
Acquisition, Implementation and Maintenance (page 299).
Which of the following best defines add-on security?
A.
Physical security complementing logical security measures.
B.
Protection mechanisms implemented as an integral part of an information system.
C.
Layer security.
D.
Protection mechanisms implemented after an information system has become
operational.
Protection mechanisms implemented after an information system has become
operational.
The Internet Security Glossary (RFC2828) defines add-on security as "The
retrofitting of protection mechanisms, implemented by hardware or software, after the
[automatic data processing] system has become operational."
Source: SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000.
Whose role is it to assign classification level to information?
A.
Security Administrator
B.
User
C.
Owner
D.
Auditor
Owner
The Data/Information Owner is ultimately responsible for the protection of the data. It is the
Data/Information Owner who decides upon the classification of the data they are responsible for.
The data owner decides upon the classification of the data he is responsible for and alters
that classification if the business need arises.
The following answers are incorrect:
Security Administrator is incorrect because this individual is responsible for ensuring that
the access rights granted are correct and support the policies and directives that the
Data/Information Owner defines.
User is incorrect because the user uses/accesses the data according to how the
Data/Information Owner defined their access.
Auditor is incorrect because the Auditor is responsible for ensuring that the access levels
are appropriate. The Auditor would verify that the Owner classified the data properly.
References:
CISSP All In One Third Edition, Shon Harris, Page 121
Which of the following is not appropriate in addressing object reuse?
A.
Degaussing magnetic tapes when they're no longer needed
B.
Deleting files on disk before reusing the space.
C.
Clearing memory blocks before they are allocated to a program or data.
D.
Clearing buffered pages, documents, or screens from the local memory of a terminal or
printer
Deleting files on disk before reusing the space.
Object reuse requirements, applying to systems rated TCSEC C2 and above,
are used to protect files, memory, and other objects in a trusted system from being
accidentally accessed by users who are not authorized to access them. Deleting files on
disk merely erases file headers in a directory structure. It does not clear data from the disk
surface, thus making files still recoverable. All other options involve clearing used space,
preventing any unauthorized access.
Source: RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly,
July 1992 (page 119).
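The object-reuse point above (deleting a file only removes its directory entry, while memory blocks and other objects must be cleared before they are handed to a new user) can be shown with a small allocator. The following C program is an added example, not code from the page or from the cited book. It assumes a constructed fixed-size block pool in which release() only marks a block as free, the analogue of deleting a file header, so the next caller that receives the same block can still read the previous contents unless the block is cleared on allocation (alloc_cleared) or on release (release_wiped). The secret string is constructed test data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy block pool: a handful of fixed-size blocks handed out
 * and returned, standing in for a memory allocator or a disk free list. */
#define BLOCK_SIZE 64
#define NUM_BLOCKS 4

static unsigned char pool[NUM_BLOCKS][BLOCK_SIZE];
static int in_use[NUM_BLOCKS];

/* Wipe through a volatile pointer so the stores are not treated as dead
 * code the way a plain memset() right before free() can be. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Naive allocator: returns the first free block as-is, old contents included. */
static unsigned char *alloc_naive(void) {
    for (int i = 0; i < NUM_BLOCKS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Object-reuse-safe allocator: clears the block before handing it out. */
static unsigned char *alloc_cleared(void) {
    unsigned char *b = alloc_naive();
    if (b) secure_wipe(b, BLOCK_SIZE);
    return b;
}

/* Release only marks the block free; the data stays on it, exactly like
 * a deleted file whose blocks remain on the disk surface. */
static void release(unsigned char *b) {
    for (int i = 0; i < NUM_BLOCKS; i++)
        if (pool[i] == b) in_use[i] = 0;
}

/* Release and wipe: clear at deallocation time as well. */
static void release_wiped(unsigned char *b) {
    secure_wipe(b, BLOCK_SIZE);
    release(b);
}

/* Returns 1 if needle occurs anywhere in the block. */
static int block_contains(const unsigned char *b, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= BLOCK_SIZE; i++)
        if (memcmp(b + i, needle, n) == 0) return 1;
    return 0;
}

static void reset_pool(void) {
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
}

/* Scenario: a first user writes a secret, gives the block back, then a
 * second user is handed the same block. Each function returns 1 if the
 * second user can still read the secret. */
int leaks_with_naive_alloc(void) {
    reset_pool();
    unsigned char *a = alloc_naive();
    strcpy((char *)a, "SECRET-TOKEN-constructed");  /* constructed secret */
    release(a);
    unsigned char *b = alloc_naive();   /* same block, nothing cleared */
    return block_contains(b, "SECRET-TOKEN");
}

int leaks_with_cleared_alloc(void) {
    reset_pool();
    unsigned char *a = alloc_naive();
    strcpy((char *)a, "SECRET-TOKEN-constructed");
    release(a);
    unsigned char *b = alloc_cleared(); /* cleared before reuse */
    return block_contains(b, "SECRET-TOKEN");
}

int leaks_with_wipe_on_release(void) {
    reset_pool();
    unsigned char *a = alloc_naive();
    strcpy((char *)a, "SECRET-TOKEN-constructed");
    release_wiped(a);                   /* cleared when given back */
    unsigned char *b = alloc_naive();
    return block_contains(b, "SECRET-TOKEN");
}

int main(void) {
    printf("naive alloc leaks secret:      %d\n", leaks_with_naive_alloc());
    printf("clear-on-alloc leaks secret:   %d\n", leaks_with_cleared_alloc());
    printf("wipe-on-release leaks secret:  %d\n", leaks_with_wipe_on_release());
    return 0;
}
```

Clearing on allocation is what the TCSEC C2 object-reuse requirement asks of the system; wiping on release is the defence-in-depth step an application can take for its own secrets, since it does not depend on the allocator's behaviour.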
Which of the following phases of a system development life-cycle is most concerned with
maintaining proper authentication of users and processes to ensure appropriate access
control decisions?
A.
Development/acquisition
B.
Implementation
C.
Operation/Maintenance
D.
Initiation
Operation/Maintenance
The operation phase of an IT system is concerned with user authentication.
Authentication is the process where a system establishes the validity of a transmission,
message, or a means of verifying the eligibility of an individual, process, or machine to
carry out a desired action, thereby ensuring that security is not compromised by an
untrusted source.
It is essential that adequate authentication be achieved in order to implement security
policies and achieve security goals. Additionally, level of trust is always an issue when
dealing with cross-domain interactions. The solution is to establish an authentication policy
and apply it to cross-domain interactions as required.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology
(NIST), NIST Special Publication 800-27, Engineering Principles for Information
Technology Security (A Baseline for Achieving Security), June 2001 (page 15).
Which of the following would be best suited to oversee the development of an information
security policy?
A.
System Administrators
B.
End User
C.
Security Officers
D.
Security administrators
Security Officers
The security officer would be the best person to oversee the development of
such policies.
Security officers and their teams have typically been charged with the responsibility of
creating the security policies. The policies must be written and communicated appropriately
to ensure that they can be understood by the end users. Policies that are poorly written, or
written at too high of an education level (common industry practice is to focus the content
for general users at the sixth- to eighth-grade reading level), will not be understood.
Implementing security policies and the items that support them shows due care by the
company and its management staff. Informing employees of what is expected of them and
the consequences of noncompliance can come down to a liability issue.
While security officers may be responsible for the development of the security policies, the
effort should be collaborative to ensure that the business issues are addressed.
The security officers will get better corporate support by including other areas in policy
development. This helps build buy-in by these areas as they take on a greater ownership of
the final product. Consider including areas such as HR, legal, compliance, various IT areas
and specific business area representatives who represent critical business units.
When policies are developed solely within the IT department and then distributed without
business input, they are likely to miss important business considerations. Once policy
documents have been created, the basis for ensuring compliance is established.
Depending on the organization, additional documentation may be necessary to support
policy. This support may come in the form of additional controls described in standards,
baselines, or procedures to help personnel with compliance. An important step after
documentation is to make the most current version of the documents readily accessible to
those who are expected to follow them. Many organizations place the documents on their
intranets or in shared file folders to facilitate their accessibility. Such placement of these
documents plus checklists, forms, and sample documents can make awareness more
effective.
For your exam you should know the information below:
End User - The end user is responsible for protecting information assets on a daily basis
through adherence to the security policies that have been communicated.
Executive Management/Senior Management - Executive management maintains the
overall responsibility for protection of the information assets. The business operations are
dependent upon information being available, accurate, and protected from individuals
without a need to know.
Security Officer - The security officer directs, coordinates, plans, and organizes information
security activities throughout the organization. The security officer works with many
different individuals, such as executive management, management of the business units,
technical staff, business partners, auditors, and third parties such as vendors. The security
officer and his or her team are responsible for the design, implementation, management,
and review of the organization’s security policies, standards, procedures, baselines, and
guidelines.
Information Systems Security Professional - Drafting of security policies, standards and
supporting guidelines, procedures, and baselines is coordinated through these individuals.
Guidance is provided for technical security issues, and emerging threats are considered for
the adoption of new policies. Activities such as interpretation of government regulations
and industry trends and analysis of vendor solutions to include in the security architecture
that advances the security of the organization are performed in this role.
Data/Information/Business/System Owners - A business executive or manager is typically
responsible for an information asset. These are the individuals that assign the appropriate
classification to information assets. They ensure that the business information is protected
with appropriate controls. Periodically, the information asset owners need to review the
classification and access rights associated with information assets. The owners, or their
delegates, may be required to approve access to the information. Owners also need to
determine the criticality, sensitivity, retention, backups, and safeguards for the information.
Owners or their delegates are responsible for understanding the risks that exist with
regards to the information that they control.
Data/Information Custodian/Steward - A data custodian is an individual or function that
takes care of the information on behalf of the owner. These individuals ensure that the
information is available to the end users and is backed up to enable recovery in the event
of data loss or corruption. Information may be stored in files, databases, or systems whose
technical infrastructure must be managed by systems administrators. This group
administers access rights to the information assets.
Information Systems Auditor- IT auditors determine whether users, owners, custodians,
systems, and networks are in compliance with the security policies, procedures, standards,
baselines, designs, architectures, management direction, and other requirements placed
on systems. The auditors provide independent assurance to the management on the
appropriateness of the security controls. The auditor examines the information systems and
determines whether they are designed, configured, implemented, operated, and managed
in a way ensuring that the organizational objectives are being achieved. The auditors
provide top company management with an independent view of the controls and their
effectiveness.
Business Continuity Planner - Business continuity planners develop contingency plans to
prepare for any occurrence that could have the ability to impact the company’s objectives
negatively. Threats may include earthquakes, tornadoes, hurricanes, blackouts, changes in
the economic/political climate, terrorist activities, fire, or other major actions potentially
causing significant harm. The business continuity planner ensures that business processes
can continue through the disaster and coordinates those activities with the business areas
and information technology personnel responsible for disaster recovery.
Information Systems/ Technology Professionals- These personnel are responsible for
designing security controls into information systems, testing the controls, and implementing
the systems in production environments through agreed upon operating policies and
procedures. The information systems professionals work with the business owners and the
security professionals to ensure that the designed solution provides security controls
commensurate with the acceptable criticality, sensitivity, and availability requirements of
the application.
Security Administrator - A security administrator manages the user access request process
and ensures that privileges are provided to those individuals who have been authorized for
access by application/system/data owners. This individual has elevated privileges and
creates and deletes accounts and access permissions. The security administrator also
terminates access privileges when individuals leave their jobs or transfer between company
divisions. The security administrator maintains records of access request approvals and
produces reports of access rights for the auditor during testing in an access controls audit
to demonstrate compliance with the policies.
Network/Systems Administrator - A systems administrator (sysadmin/netadmin) configures
network and server hardware and the operating systems to ensure that the information can
be available and accessible. The administrator maintains the computing infrastructure
using tools and utilities such as patch management and software distribution mechanisms
to install updates and test patches on organization computers. The administrator tests and
implements system upgrades to ensure the continued reliability of the servers and network
devices. The administrator provides vulnerability management through either commercial
off the shelf (COTS) and/or non-COTS solutions to test the computing environment and
mitigate vulnerabilities appropriately.
Physical Security - The individuals assigned to the physical security role establish
relationships with external law enforcement, such as the local police agencies, state police,
or the Federal Bureau of Investigation (FBI) to assist in investigations. Physical security
personnel manage the installation, maintenance, and ongoing operation of the closed
circuit television (CCTV) surveillance systems, burglar alarm systems, and card reader
access control systems. Guards are placed where necessary as a deterrent to
unauthorized access and to provide safety for the company employees. Physical security
personnel interface with systems security, human resources, facilities, and legal and
business areas to ensure that the practices are integrated.
Security Analyst - The security analyst role works at a higher, more strategic level than the
previously described roles and helps develop policies, standards, and guidelines, as well
as set various baselines. Whereas the previous roles are “in the weeds” and focus on
pieces and parts of the security program, a security analyst helps define the security
program elements and follows through to ensure the elements are being carried out and
practiced properly. This person works more at a design level than at an implementation
level.
Administrative Assistants/Secretaries - This role can be very important to information
security; in many companies of smaller size, this may be the individual who greets visitors,
signs packages in and out, recognizes individuals who desire to enter the offices, and
serves as the phone screener for executives. These individuals may be subject to social
engineering attacks, whereby the potential intruder attempts to solicit confidential
information that may be used for a subsequent attack. Social engineers prey on the
goodwill of the helpful individual to gain entry. A properly trained assistant will minimize the
risk of divulging useful company information or of providing unauthorized entry.
Help Desk Administrator - As the name implies, the help desk is there to field questions
from users that report system problems. Problems may include poor response time,
potential virus infections, unauthorized access, inability to access system resources, or
questions on the use of a program. The help desk is also often where the first indications of
security issues and incidents will be seen. A help desk individual would contact the
computer security incident response team (CIRT) when a situation meets the criteria
developed by the team. The help desk resets passwords, resynchronizes/reinitializes
tokens and smart cards, and resolves other problems with access control.
Supervisor - The supervisor role, also called user manager, is ultimately responsible for all
user activity and any assets created and owned by these users. For example, suppose
Kathy is the supervisor of ten employees. Her responsibilities would include ensuring that
these employees understand their responsibilities with respect to security; making sure the
employees’ account information is up-to-date; and informing the security administrator
when an employee is fired, suspended, or transferred. Any change that pertains to an
employee’s role within the company usually affects what access rights they should and
should not have, so the user manager must inform the security administrator of these
changes immediately.
Change Control Analyst - Since the only thing that is constant is change, someone must
make sure changes happen securely. The change control analyst is responsible for
approving or rejecting requests to make changes to the network, systems, or software. This
role must make certain that the change will not introduce any vulnerabilities, that it has
been properly tested, and that it is properly rolled out. The change control analyst needs to
understand how various changes can affect security, interoperability, performance, and
productivity. Or, a company can choose to just roll out the change and see what happens.
The following answers are incorrect:
Systems Administrator - A systems administrator (sysadmin/netadmin) configures network
and server hardware and the operating systems to ensure that the information can be
available and accessible. The administrator maintains the computing infrastructure using
tools and utilities such as patch management and software distribution mechanisms to
install updates and test patches on organization computers. The administrator tests and
implements system upgrades to ensure the continued reliability of the servers and network
devices. The administrator provides vulnerability management through either commercial
off the shelf (COTS) and/or non-COTS solutions to test the computing environment and
mitigate vulnerabilities appropriately.
End User - The end user is responsible for protecting information assets on a daily basis
through adherence to the security policies that have been communicated.
Security Administrator - A security administrator manages the user access request process
and ensures that privileges are provided to those individuals who have been authorized for
access by application/system/data owners. This individual has elevated privileges and
creates and deletes accounts and access permissions. The security administrator also
terminates access privileges when individuals leave their jobs or transfer between company
divisions. The security administrator maintains records of access request approvals and
produces reports of access rights for the auditor during testing in an access controls audit
to demonstrate compliance with the policies.
The following references were used to create this question:
CISA review manual 2014 Page number 109
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 108). McGraw-Hill.
Kindle Edition.
The property of a system or a system resource being accessible and usable upon demand
by an authorized system entity, according to performance specifications for the system is
referred to as?
A.
Confidentiality
B.
Availability
C.
Integrity
D.
Reliability
Availability
A company security program must:
1) assure that systems and applications operate effectively and provide appropriate
confidentiality, integrity, and availability;
2) protect information commensurate with the level of risk and magnitude of harm resulting
from loss, misuse, unauthorized access, or modification.
The property of a system or a system resource being accessible and usable upon demand
by an authorized system entity, according to performance specifications for the system; i.e.,
a system is available if it provides services according to the system design whenever users
request them.
The following are incorrect answers:
Confidentiality - The information requires protection from unauthorized disclosure and only
the INTENDED recipient should have access to the meaning of the data either in storage or
in transit.
Integrity - The information must be protected from unauthorized, unanticipated, or
unintentional modification. This includes, but is not limited to:
Authenticity – A third party must be able to verify that the content of a message has not
been changed in transit.
Non-repudiation – The origin or the receipt of a specific message must be verifiable by a
third party.
Accountability - A security goal that generates the requirement for actions of an entity to be
traced uniquely to that entity.
Reference used for this question:
RFC 2828
and
SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide
for Information Technology Systems, November 2001 (page 5).
Which of the following is most concerned with personnel security?
A.
Management controls
B.
Operational controls
C.
Technical controls
D.
Human resources controls
Operational controls
Many important issues in computer security involve human users, designers,
implementers, and managers.
A broad range of security issues relates to how these individuals interact with computers
and the access and authorities they need to do their jobs. Since operational controls
address security methods focusing on mechanisms primarily implemented and executed by
people (as opposed to systems), personnel security is considered a form of operational
control.
Operational controls are put in place to improve security of a particular system (or group of
systems). They often require specialized expertise and often rely upon management
activities as well as technical controls. Implementing dual control and making sure that you
have more than one person that can perform a task would fall into this category as well.
Management controls focus on the management of the IT security system and the
management of risk for a system. They are techniques and concerns that are normally
addressed by management.
Technical controls focus on security controls that the computer system executes. The
controls can provide automated protection against unauthorized access or misuse, facilitate
detection of security violations, and support security requirements for applications and data.
Reference used for this question:
NIST SP 800-53 Revision 4 http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST SP 800-53 Revision 4 has superseded the document below:
SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide
for Information Technology Systems, November 2001 (Page A-18).
Degaussing is used to clear data from all of the following media except:
A.
Floppy Disks
B.
Read-Only Media
C.
Video Tapes
D.
Magnetic Hard Disks
Read-Only Media
Atoms and Data
Shon Harris says: "A device that performs degaussing generates a coercive magnetic force
that reduces the magnetic flux density of the storage media to zero. This magnetic force is
what properly erases data from media. Data are stored on magnetic media by the
representation of the polarization of the atoms. Degaussing changes"
The latest ISC2 book says:
"Degaussing can also be a form of media destruction. High-power degaussers are so
strong in some cases that they can literally bend and warp the platters in a hard drive.
Shredding and burning are effective destruction methods for non-rigid magnetic media.
Indeed, some shredders are capable of shredding some rigid media such as an optical
disk. This may be an effective alternative for any optical media containing nonsensitive
information due to the residue size remaining after feeding the disk into the machine.
However, the residue size might be too large for media containing sensitive information.
Alternatively, grinding and pulverizing are acceptable choices for rigid and solid-state
media. Specialized devices are available for grinding the face of optical media that either
sufficiently scratches the surface to render the media unreadable or actually grinds off the
data layer of the disk. Several services also exist which will collect drives, destroy them on
site if requested and provide certification of completion. It will be the responsibility of the
security professional to help, select, and maintain the most appropriate solutions for media
cleansing and disposal."
Degaussing is achieved by passing the magnetic media through a powerful magnet field to
rearrange the metallic particles, completely removing any resemblance of the previously
recorded signal (from the "All About Degaussers" link below). Therefore, degaussing will
work on any electronic-based media such as floppy disks or hard disks - all of these are
examples of electronic storage. However, "read-only media" includes items such as paper
printouts and CD-ROMs, which do not store data in an electronic form or are not magnetic
storage. Passing them through a magnetic field has no effect on them.
Not all clearing/purging methods are applicable to all media— for example, optical media
is not susceptible to degaussing, and overwriting may not be effective against Flash
devices. The degree to which information may be recoverable by a sufficiently motivated
and capable adversary must not be underestimated or guessed at in ignorance. For the
highest-value commercial data, and for all data regulated by government or military
classification rules, read and follow the rules and standards.
I will admit that this is a bit of a trick question. Determining the difference between "read-only
media" and "read-only memory" is difficult for the question taker. However, I believe it
is representative of the type of question you might one day see on an exam.
The other answers are incorrect because:
Floppy Disks, Magnetic Tapes, and Magnetic Hard Disks are all examples of magnetic
storage, and therefore are erased by degaussing.
A videotape is a recording of images and sounds on to magnetic tape as opposed to film
stock used in filmmaking or random access digital media. Videotapes are also used for
storing scientific or medical data, such as the data produced by an electrocardiogram. In
most cases, a helical scan video head rotates against the moving tape to record the data in
two dimensions, because video signals have a very high bandwidth, and static heads
would require extremely high tape speeds. Videotape is used in both video tape recorders
(VTRs) or, more commonly and more recently, videocassette recorder (VCR) and
camcorders. Tape uses a linear method of storing information, and since nearly all video
recordings made nowadays are digital direct to disk recording (DDR), videotape is
expected to gradually lose importance as non-linear/random-access methods of storing
digital video data become more common.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations
25627-25630). McGraw-Hill. Kindle Edition.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition :
Security Operations (Kindle Locations 580-588). Kindle Edition.
All About Degaussers and Erasure of Magnetic Media:
http://www.degausser.co.uk/degauss/degabout.htm
http://www.degaussing.net/
http://www.cerberussystems.com/INFOSEC/stds/ncsctg25.htm
During which phase of an IT system life cycle are security requirements developed?
A.
Operation
B.
Initiation
C.
Functional design analysis and Planning
D.
Implementation
Functional design analysis and Planning
The software development life cycle (SDLC) (sometimes referred to as the
System Development Life Cycle) is the process of creating or altering software systems,
and the models and methodologies that people use to develop these systems.
The NIST SP 800-64 revision 2 has within the description section of para 3.2.1:
This section addresses security considerations unique to the second SDLC phase. Key
security activities for this phase include:
• Conduct the risk assessment and use the results to supplement the baseline security
controls;
• Analyze security requirements;
• Perform functional and security testing;
• Prepare initial documents for system certification and accreditation; and
• Design security architecture.
Reviewing this publication you may want to pick development/acquisition. Although
initiation would be a decent choice, it is correct to say during this phase you would only
brainstorm the idea of security requirements. Once you start to develop and acquire
hardware/software components then you would also develop the security controls for
these. The Shon Harris reference below is correct as well.
Shon Harris' Book (All-in-One CISSP Certification Exam Guide) divides the SDLC
differently:
Project initiation
Functional design analysis and planning
System design specifications
Software development
Installation
Maintenance support
Revision and replacement
According to the author (Shon Harris), security requirements should be developed during
the functional design analysis and planning phase.
SDLC POSITIONING FROM NIST 800-64
[Figure 2-1: SDLC positioning from NIST 800-64; image not included on this page]
SDLC Positioning in the enterprise
Information system security processes and activities provide valuable input into managing
IT systems and their development, enabling risk identification, planning and mitigation. A
risk management approach involves continually balancing the protection of agency
information and assets with the cost of security controls and mitigation strategies
throughout the complete information system development life cycle (see Figure 2-1 above).
The most effective way to implement risk management is to identify critical assets and
operations, as well as systemic vulnerabilities across the agency. Risks are shared and not
bound by organization, revenue source, or topologies. Identification and verification of
critical assets and operations and their interconnections can be achieved through the
system security planning process, as well as through the compilation of information from
the Capital Planning and Investment Control (CPIC) and Enterprise Architecture (EA)
processes to establish insight into the agency’s vital business operations, their supporting
assets, and existing interdependencies and relationships.
With critical assets and operations identified, the organization can and should perform a
business impact analysis (BIA). The purpose of the BIA is to relate systems and assets with the critical services they provide and assess the consequences of their disruption. By
identifying these systems, an agency can manage security effectively by establishing
priorities. This positions the security office to facilitate the IT program’s cost-effective
performance as well as articulate its business impact and value to the agency.
SDLC OVERVIEW FROM NIST 800-64
SDLC Overview from NIST 800-64 Revision 2
[Figure: SDLC overview from NIST 800-64 Revision 2; image not included on this page]
NIST 800-64 Revision 2 is one publication within the NIST standards that I would
recommend you look at for more details about the SDLC. It describes in great detail what
activities would take place, and they have a nice diagram for each of the phases of the
SDLC. You will find a copy at:
http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
DISCUSSION:
Different sources present slightly different info as far as the phases names are concerned.
People sometimes get confused with some of the NIST standards. For example, NIST
800-64, Security Considerations in the Information System Development Life Cycle, has
slightly different names; the activities mostly remain the same.
NIST clearly specifies that security requirements would be considered throughout ALL of
the phases. The keyword here is considered; if a question is about which phase they would
be developed in, then Functional Design Analysis would be the correct choice.
Within the NIST standard they use different phase names; however, under the second phase you
will see that they talk specifically about security functional requirements analysis, which
confirms it is not at the initiation stage, so it becomes easier to come up with the answer to
this question. Here is what is stated:
The security functional requirements analysis considers the system security environment,
including the enterprise information security policy and the enterprise security architecture.
The analysis should address all requirements for confidentiality, integrity, and availability of
information, and should include a review of all legal, functional, and other security
requirements contained in applicable laws, regulations, and guidance.
At the initiation step you would NOT have enough detail yet to produce the security
requirements. You are mostly brainstorming on all of the issues listed, but you do not
develop them all at that stage.
By considering security early in the information system development life cycle (SDLC), you
may be able to avoid higher costs later on and develop a more secure system from the
start.
NIST says:
NIST's Information Technology Laboratory recently issued Special Publication (SP) 800-64,
Security Considerations in the Information System Development Life Cycle, by Tim
Grance, Joan Hash, and Marc Stevens, to help organizations include security requirements
in their planning for every phase of the system life cycle, and to select, acquire, and use
appropriate and cost-effective security controls.
I must admit this is all very tricky, but reading skills and paying attention to KEY WORDS are
a must for this exam.
References:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, Fifth
Edition, Page 956
and
NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
and
http://www.mks.com/resources/resource-pages/software-development-life-cycle-sdlcsystem-development
Making sure that the data is accessible when and where it is needed is which of the
following?
A.
confidentiality
B.
integrity
C.
acceptability
D.
availability
availability
Availability is making sure that the data is accessible when and where it is
needed.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
Related to information security, integrity is the opposite of which of the following?
A.
abstraction
B.
alteration
C.
accreditation
D.
application
alteration
Integrity is the opposite of "alteration."
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.