SSCP Practice Test Questions

1048 Questions


Topic 2: Security Operations and Administration

Which of the following tests makes sure the modified or new system includes appropriate
access controls and does not introduce any security holes that might compromise other
systems?


A.

Recovery testing


B.

Security testing


C.

Stress/volume testing


D.

Interface testing





B.
  

Security testing



Security testing makes sure the modified or new system includes appropriate
access controls and does not introduce any security holes that might compromise other
systems.
Recovery testing checks the system's ability to recover after a software or hardware failure.
Stress/volume testing involves testing an application with large quantities of data in order to
evaluate performance during peak hours.
Interface testing evaluates the connection of two or more components that pass information
from one area to another.
Source: Information Systems Audit and Control Association, Certified Information Systems
Auditor 2002 review manual, Chapter 6: Business Application System Development,
Acquisition, Implementation and Maintenance (page 300).

When backing up an applications system's data, which of the following is a key question to
be answered first?


A.

When to make backups


B.

Where to keep backups


C.

What records to backup


D.

How to store backups





C.
  

What records to backup



It is critical that a determination be made of WHAT data is important and
should be retained and protected. Without determining the data to be backed up, the
potential for error increases. A record or file could be vital and yet not included in a backup
routine. Alternatively, temporary or insignificant files could be included in a backup routine
unnecessarily.
The following answers were incorrect:
When to make backups: although it is important to consider schedules for backups, this is
decided after the decisions are made about what should be included in the backup routine.
Where to keep backups: the location for storing backup copies of data (such as tapes or online
backups) should be decided after determining what should be included in the backup
routine and the method used to store the backup.
How to store backups: the backup methodology should be considered after determining
what data should be included in the backup routine.

Risk reduction in a system development life-cycle should be applied:


A.

Mostly to the initiation phase.


B.

Mostly to the development phase.


C.

Mostly to the disposal phase.


D.

Equally to all phases.





D.
  

Equally to all phases.



Risk is defined as the combination of the probability that a particular threat
source will exploit, or trigger, a particular information system vulnerability and the resulting
mission impact should this occur. Previously, risk avoidance was a common IT security
goal. That changed as the nature of the risk became better understood. Today, it is
recognized that elimination of all risk is not cost-effective. A cost-benefit analysis should be
conducted for each proposed control. In some cases, the benefits of a more secure system
may not justify the direct and indirect costs. Benefits include more than just prevention of
monetary loss; for example, controls may be essential for maintaining public trust and
confidence. Direct costs include the cost of purchasing and installing a given technology;
indirect costs include decreased system performance and additional training. The goal is to
enhance mission/business capabilities by managing mission/business risk to an acceptable
level.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology
(NIST), NIST Special Publication 800-27, Engineering Principles for Information
Technology Security (A Baseline for Achieving Security), June 2001 (page 8).

The preliminary steps to security planning include all of the following EXCEPT which of the
following?


A.

Establish objectives.


B.

List planning assumptions.


C.

Establish a security audit function.


D.

Determine alternate courses of action.





C.
  

Establish a security audit function.



The keyword in the question is: preliminary.
This means that you are just starting your effort; you cannot audit an infrastructure that is
not even in place yet.
Reference used for this question:
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

Which of the following statements pertaining to software testing is incorrect?


A.

Unit testing should be addressed and considered when the modules are being designed.


B.

Test data should be part of the specifications.


C.

Testing should be performed with live data to cover all possible situations.


D.

Test data generators can be used to systematically generate random test data that can
be used to test programs.





C.
  

Testing should be performed with live data to cover all possible situations.



Explanation: Live (actual field) data is not recommended for use in testing because it
may not cover out-of-range situations and the correct outputs for it are not known in
advance, so there is nothing to compare the results against. Live data is also poor test data
because it lacks anomalies, and because using it exposes your production data to the test
environment.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and
Systems Development (page 251).
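The point of the explanation above, in working form. This is an added example and not part of the practice-test source or of the Krutz & Vines text: a small test-data generator that systematically covers the boundary and out-of-range values live data rarely contains, with the expected verdict attached so the correct output is known before the test runs, plus a keyed pseudonymization routine for the case where production records do have to be reused. The field specification, the sample records and the key are constructed for illustration.

```python
"""Synthetic test data instead of live data (added example).

  * boundary_cases() builds inputs that deliberately include values just
    outside each field's range, paired with the expected verdict.
  * random_cases() is a seeded 'test data generator' for in-range values.
  * pseudonymize() shows what must happen if production records are ever
    reused: direct identifiers are replaced with keyed HMAC tokens so the
    test environment never holds the live values.
"""
import hashlib
import hmac
import random

# Hypothetical field specification: name -> (min, max), inclusive.
FIELD_SPEC = {
    "age": (0, 130),
    "amount_cents": (1, 10_000_000),
}


def boundary_cases(spec=FIELD_SPEC):
    """Return (field, value, expected_valid) triples for every field.

    Covers both edges and one step outside them; live data would almost
    never supply the two out-of-range values.
    """
    cases = []
    for field, (lo, hi) in spec.items():
        cases += [
            (field, lo - 1, False),  # just below the minimum
            (field, lo, True),       # the minimum itself
            (field, hi, True),       # the maximum itself
            (field, hi + 1, False),  # just above the maximum
        ]
    return cases


def random_cases(spec=FIELD_SPEC, n=5, seed=1):
    """Reproducible random in-range values (seeded, so reruns compare equal)."""
    rng = random.Random(seed)
    return [(f, rng.randint(lo, hi), True)
            for f, (lo, hi) in spec.items() for _ in range(n)]


def validate(field, value, spec=FIELD_SPEC):
    """The function under test: a plain range check for one field."""
    lo, hi = spec[field]
    return lo <= value <= hi


def run_cases(cases):
    """True when validate() agrees with the expected verdict of every case."""
    return all(validate(f, v) == expected for f, v, expected in cases)


# Constructed 'production' records that must not reach a test environment as-is.
LIVE_RECORDS = [
    {"customer_id": "C-1001", "email": "ann@example.com", "age": 34},
    {"customer_id": "C-1002", "email": "bob@example.com", "age": 57},
]
IDENTIFIERS = ("customer_id", "email")


def pseudonymize(records, key, identifiers=IDENTIFIERS):
    """Replace identifier fields with keyed HMAC-SHA256 tokens.

    Keyed, so that someone who can guess the input space (e-mail addresses
    are guessable) cannot reverse the tokens without the key; deterministic,
    so the same input maps to the same token and referential integrity in
    the test set survives.  Non-identifier fields are left untouched.
    """
    out = []
    for rec in records:
        masked = dict(rec)
        for field in identifiers:
            digest = hmac.new(key, rec[field].encode(), hashlib.sha256).hexdigest()
            masked[field] = "tok_" + digest[:16]
        out.append(masked)
    return out


if __name__ == "__main__":
    print(run_cases(boundary_cases() + random_cases()))
    print(pseudonymize(LIVE_RECORDS, key=b"test-env-only-key"))
```

The key used for pseudonymization must stay out of the test environment; if it ships with the test data the tokens are reversible by anyone who can enumerate the inputs.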

In what way could Java applets pose a security threat?


A.

Their transport can interrupt the secure distribution of World Wide Web pages over the
Internet by removing SSL and S-HTTP


B.

Java interpreters do not provide the ability to limit system access that an applet could
have on a client system.


C.

Executables from the Internet may attempt an intentional attack when they are
downloaded on a client system.


D.

Java does not check the bytecode at runtime or provide other safety mechanisms for
program isolation from the client system.





C.
  

Executables from the Internet may attempt an intentional attack when they are
downloaded on a client system.



Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

Which of the following choices describes a condition in which RAM and secondary storage are
used together?


A.

Primary storage


B.

Secondary storage


C.

Virtual storage


D.

Real storage





C.
  

Virtual storage



Virtual storage is a service provided by the operating system that uses a
combination of RAM and disk storage to simulate a much larger address space than is
actually present. Infrequently used portions of memory are paged out by being written to
secondary storage and paged back in when required by a running program.
Most operating systems can simulate having more main memory than is physically
available by storing part of the data on secondary storage, such as a disk; the unit stored
there is a virtual page. If data requested by a process is not currently in main memory, a
page fault is taken, which triggers the OS fault handler. If the virtual address is a valid one,
the OS locates a physical page frame, puts the right information in it, updates the
translation table, and then retries the request. Some other page may be swapped out to
make room. Each process may have its own separate virtual address space along with its
own mappings and protections.
The following are incorrect answers:
Primary storage is incorrect. Primary storage refers to the combination of RAM, cache and
the processor registers. Data waiting to be processed by the CPU sits in a staging area
called primary storage. Whether implemented as memory, cache or registers (part of the
CPU), and regardless of its location, primary storage holds data that has a high probability
of being requested by the CPU, so it is usually faster than long-term secondary storage.
The location where data is stored is denoted by its physical memory address; this identifier
remains constant and is independent of the value stored there. Examples of primary
storage include random-access memory (RAM), synchronous dynamic random-access
memory (SDRAM) and read-only memory (ROM). RAM is volatile: when the system shuts
down, the data in RAM is lost, although recent research has shown that data may still be
retrievable. Contrast this
Secondary storage is incorrect. Secondary storage holds data not currently being used by
the CPU and is used when data must be stored for an extended period of time using
high-capacity, nonvolatile storage. Secondary storage includes disks, floppies, CDs, tape, etc.
While secondary storage includes basically anything other than primary storage, virtual
memory's use of secondary storage is usually confined to high-speed disk storage.
Real storage is incorrect. Real storage is another term for primary storage and
distinguishes physical memory from virtual memory.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 17164-17171). Auerbach Publications. Kindle
Edition.
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 17196-17201). Auerbach Publications. Kindle
Edition.
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 17186-17187). Auerbach Publications. Kindle
Edition
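The page-fault sequence described above, as a small demand-paging simulator. This is an added example, not code from the practice-test source or from the CISSP CBK; the frame count, page contents and access trace are constructed. It follows the explanation step by step (fault on a non-resident page, pick a victim when no frame is free, write the victim to secondary storage, load the page, update the translation table, retry) and keeps the simulated swap inspectable, which is the practitioner's caveat here: whatever the OS pages out is readable from disk afterwards, so secrets belong in locked, non-pageable memory.

```python
"""Minimal demand-paging simulator with LRU replacement (added example).

The swap dict stands in for secondary storage: after a run it shows exactly
which page contents the fault handler wrote to 'disk'.
"""
from collections import OrderedDict


class VirtualMemory:
    def __init__(self, num_frames, backing_store):
        self.num_frames = num_frames
        # virtual page -> contents on disk (the process image / swap file)
        self.backing_store = dict(backing_store)
        # translation table: virtual page -> frame; insertion order is LRU order
        self.page_table = OrderedDict()
        self.frames = {}                         # frame number -> page contents
        self.free_frames = list(range(num_frames))
        self.swap = {}                           # pages the handler wrote out
        self.faults = 0

    def _handle_fault(self, page):
        """Page-fault handler: make `page` resident, evicting the LRU page if needed."""
        self.faults += 1
        if page not in self.backing_store:
            # no valid mapping: the equivalent of a segmentation fault
            raise MemoryError(f"invalid virtual page {page}")
        if self.free_frames:
            frame = self.free_frames.pop(0)
        else:
            victim, frame = self.page_table.popitem(last=False)  # least recently used
            self.swap[victim] = self.frames[frame]               # written to disk
            self.backing_store[victim] = self.frames[frame]
        self.frames[frame] = self.backing_store[page]            # load the page
        self.page_table[page] = frame                            # update translation

    def access(self, page):
        """Read a virtual page, faulting it in first if it is not resident."""
        if page not in self.page_table:
            self._handle_fault(page)             # then retry, which now hits
        self.page_table.move_to_end(page)        # mark most recently used
        return self.frames[self.page_table[page]]

    def write(self, page, data):
        """Write to a virtual page (faults it in like a read would)."""
        self.access(page)
        self.frames[self.page_table[page]] = data


# Constructed process image: virtual page -> contents.  Page 2 holds a secret.
EXAMPLE_STORE = {0: "code", 1: "stack", 2: "SECRET-KEY", 3: "heap"}


def demo(num_frames=2, trace=(0, 1, 2, 1, 3, 2)):
    """Run a constructed access trace; return (fault count, pages found in swap)."""
    vm = VirtualMemory(num_frames, EXAMPLE_STORE)
    for page in trace:
        vm.access(page)
    return vm.faults, sorted(vm.swap)


if __name__ == "__main__":
    faults, swapped = demo()
    print(f"{faults} page faults; pages written to secondary storage: {swapped}")
```

With two frames and the trace 0, 1, 2, 1, 3, 2 the run takes five faults and pages 0, 1 and 2 all end up in swap, the secret included. On a real system the fix is to lock such buffers (mlock on POSIX, VirtualLock on Windows) and wipe them before release, not to hope they are never evicted.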

Which of the following is used to interrupt the opportunity to use collusion to subvert
operations for fraudulent purposes?


A.

Key escrow


B.

Rotation of duties


C.

Principle of need-to-know


D.

Principle of least privilege





B.
  

Rotation of duties



Job rotations reduce the risk of collusion of activities between individuals.
Companies with individuals working with sensitive information or systems where there
might be the opportunity for personal gain through collusion can benefit by integrating job
rotation with segregation of duties. Rotating the position may uncover activities that the
individual is performing outside of the normal operating procedures, highlighting errors or
fraudulent behavior.
Rotation of duties is a method of reducing the risk associated with a subject performing a
(sensitive) task by limiting the amount of time the subject is assigned to perform the task
before being moved to a different task.
The following are incorrect answers:
Key escrow is related to the protection of keys in storage: the key is split into pieces that
are controlled by different departments, or a trusted third party maintains a copy of the
private key or other key needed to decrypt information. Key escrow should be considered
mandatory for most organizations' use of cryptography, because encrypted information
belongs to the organization and not the individual, yet an individual's key is often what
encrypts it. Escrow addresses loss of a key, not collusion between people.
Separation of duties is a basic control that prevents or detects errors and irregularities by
assigning responsibility for different parts of critical tasks to separate individuals, thus
limiting the effect a single person can have on a system. One individual should not have
the capability to execute all of the steps of a particular process. This is especially important
in critical business areas, where individuals may have greater access and capability to
modify, delete, or add data to the system. Failure to separate duties could result in
individuals embezzling money from the company without the involvement of others.
Separation of duties makes fraud require collusion; rotation of duties is what disrupts a
collusive arrangement once it exists, which is why rotation is the answer here.
The need-to-know principle specifies that a person must not only be cleared to access
classified or other sensitive information but also have a requirement for that information to
carry out assigned job duties. Ordinary or limited user accounts are what most users are
assigned; they should be restricted to only those privileges that are strictly required,
following the principle of least privilege, and access should be limited to specific objects
following the principle of need-to-know.
The principle of least privilege requires that each subject in a system be granted the most
restrictive set of privileges (or lowest clearance) needed for the performance of authorized
tasks. Least privilege refers to granting users only the accesses that are required to
perform their job functions. Some employees will require greater access than others based
upon their job functions. For example, an individual performing data entry on a mainframe
system may have no need for Internet access or the ability to run reports regarding the
information that they are entering into the system. Conversely, a supervisor may have the
need to run reports, but should not be provided the capability to change information in the
database.
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 10628-10631). Auerbach Publications. Kindle
Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 10635-10638). Auerbach Publications. Kindle
Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 10693-10697). Auerbach Publications. Kindle
Edition.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 16338-16341). Auerbach Publications. Kindle
Edition
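The two controls contrasted above, separation of duties and rotation of duties, as detection logic over an audit trail. This is an added example and not from the practice-test source or the CISSP CBK; the approval log, the duty assignments and the 365-day rotation limit are constructed. It flags transactions where one person both initiated and approved (a separation-of-duties failure), initiator/approver pairs that recur (the stable pairing collusion depends on), and individuals who have held a sensitive duty past the rotation limit (the condition rotation of duties is meant to interrupt).

```python
"""Collusion-opportunity checks over a constructed audit trail (added example)."""
from collections import Counter
from datetime import date

# Constructed approval log: (transaction id, initiator, approver)
APPROVALS = [
    ("T1", "alice", "bob"),
    ("T2", "carol", "carol"),   # carol approved her own transaction
    ("T3", "dave", "erin"),
    ("T4", "carol", "carol"),
    ("T5", "alice", "bob"),     # the same pair again
]

# Constructed duty assignments: (person, sensitive duty, start date)
ASSIGNMENTS = [
    ("alice", "wire-transfer-approver", date(2023, 1, 9)),
    ("bob", "wire-transfer-initiator", date(2024, 5, 1)),
    ("carol", "vendor-master-maintenance", date(2021, 3, 15)),
]

MAX_TENURE_DAYS = 365   # hypothetical rotation limit for a sensitive duty


def separation_of_duties_violations(approvals):
    """Transactions where the initiator approved their own work."""
    return [txn for txn, initiator, approver in approvals if initiator == approver]


def repeat_pairs(approvals, min_count=2):
    """Initiator/approver pairs that recur at least `min_count` times.

    Self-approvals are excluded here because they are already reported as
    separation-of-duties violations.  A fixed pair is not proof of fraud,
    but it is exactly the arrangement rotation of duties breaks up.
    """
    counts = Counter((i, a) for _, i, a in approvals if i != a)
    return sorted(pair for pair, n in counts.items() if n >= min_count)


def rotation_overdue(assignments, today, max_days=MAX_TENURE_DAYS):
    """People who have held a duty longer than `max_days` as of `today` (ISO date string)."""
    as_of = date.fromisoformat(today)
    return [(person, duty, (as_of - start).days)
            for person, duty, start in assignments
            if (as_of - start).days > max_days]


def collusion_report(today="2025-01-01", approvals=APPROVALS, assignments=ASSIGNMENTS):
    """Combine the three checks into one review list."""
    return {
        "self_approved": separation_of_duties_violations(approvals),
        "recurring_pairs": repeat_pairs(approvals),
        "rotation_overdue": [p for p, _, _ in rotation_overdue(assignments, today)],
    }


if __name__ == "__main__":
    for finding, items in collusion_report().items():
        print(f"{finding}: {items}")
```

The three lists answer different questions: self-approvals are a control failure to fix, recurring pairs are where a rotation should be scheduled next, and overdue tenures are the rotations already missed.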

Which of the following is NOT a proper component of Media Viability Controls?


A.

Storage


B.

Writing


C.

Handling


D.

 Marking





B.
  

Writing



Media Viability Controls include marking, handling and storage.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 231.

In an organization, an Information Technology security function should:


A.

Be a function within the information systems function of an organization.


B.

Report directly to a specialized business unit such as legal, corporate security or
insurance.


C.

Be led by a Chief Security Officer and report directly to the CEO.


D.

Be independent but report to the Information Systems function.





C.
  

Be led by a Chief Security Officer and report directly to the CEO.



In order to offer more independence and get more attention from
management, an IT security function should be independent from IT and report directly to
the CEO. Having it report to a specialized business unit (e.g. legal) is not recommended as
it promotes a low technology view of the function and leads people to believe that it is
someone else's problem.
Source: HARE, Chris, Security management Practices CISSP Open Study Guide, version
1.0, april 1999.

Which of the following phases of a system development life-cycle is most concerned with establishing a good security policy as the foundation for design?


A.

Development/acquisition


B.

Implementation


C.

Initiation


D.

Maintenance





C.
  

Initiation



A security policy is an important document to develop while designing an
information system. The security policy begins with the organization's basic commitment to
information security formulated as a general policy statement.
The policy is then applied to all aspects of the system design or security solution. The
policy identifies security goals (e.g., confidentiality, integrity, availability, accountability, and
assurance) the system should support, and these goals guide the procedures, standards
and controls used in the IT security architecture design.
The policy also should require definition of critical assets, the perceived threat, and
security-related roles and responsibilities.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology
(NIST), NIST Special Publication 800-27, Engineering Principles for Information
Technology Security (A Baseline for Achieving Security), June 2001 (page 6).

Which of the following are required for Life-Cycle Assurance?


A.

System Architecture and Design specification.


B.

Security Testing and Covert Channel Analysis.


C.

Security Testing and Trusted distribution.


D.

Configuration Management and Trusted Facility Management.





C.
  

Security Testing and Trusted distribution.



Security testing and trusted distribution are both required for Life-Cycle
Assurance. In the TCSEC (Orange Book) the assurance requirements fall into two groups:
Life-Cycle Assurance (security testing, design specification and verification, configuration
management, trusted distribution) and Operational Assurance (system architecture, system
integrity, covert channel analysis, trusted facility management, trusted recovery).
The following answers are incorrect:
System Architecture and Design specification. Incorrect because system architecture is an
Operational Assurance requirement, not a Life-Cycle Assurance requirement.
Security Testing and Covert Channel Analysis. Incorrect because covert channel analysis is
an Operational Assurance requirement.
Configuration Management and Trusted Facility Management. Incorrect because, although
configuration management is a Life-Cycle Assurance requirement, trusted facility
management is an Operational Assurance requirement.

