Topic 2. Security Operations Administration
Which of the following is BEST defined as a physical control?
A. Monitoring of system activity
B. Fencing
C. Identification and authentication methods
D. Logical access control mechanisms
Fencing
Physical controls are items put into place to protect facility, personnel, and
resources. Examples of physical controls are security guards, locks, fencing, and lighting.
The following answers are incorrect answers:
Monitoring of system activity is considered to be an administrative control.
Identification and authentication methods are considered to be a technical control.
Logical access control mechanisms are also considered to be a technical control.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations
1280-1282). McGraw-Hill. Kindle Edition.
According to private sector data classification levels, how would salary levels and medical
information be classified?
A. Public.
B. Internal Use Only.
C. Restricted.
D. Confidential.
Confidential.
Typically there are three to four levels of information classification used by
most organizations:
Confidential: Information that, if released or disclosed outside of the organization, would
create severe problems for the organization. For example, information that provides a
competitive advantage, is important to the technical or financial success of the organization (like trade secrets,
intellectual property, or research designs), or protects the privacy of individuals would be
considered confidential. Information may include payroll information, health records, credit
information, formulas, technical designs, restricted regulatory information, senior
management internal correspondence, or business strategies or plans. These may also be
called top secret, privileged, personal, sensitive, or highly confidential. In other words, this
information may be shared within a defined group in the company such as marketing or sales, but is
not suited for release to anyone else in the company without permission.
The following answers are incorrect:
Public: Information that may be disclosed to the general public without concern for harming
the company, employees, or business partners. No special protections are required, and
information in this category is sometimes referred to as unclassified. For example,
information that is posted to a company’s public Internet site, publicly released
announcements, marketing materials, cafeteria menus, and any internal documents that
would not present harm to the company if they were disclosed would be classified as
public. While there is little concern for confidentiality, integrity and availability should be
considered.
Internal Use Only: Information that could be disclosed within the company, but could harm
the company if disclosed externally. Information such as customer lists, vendor pricing,
organizational policies, standards and procedures, and internal organization
announcements would need baseline security protections, but do not rise to the level of
protection as confidential information. In other words, the information may be used freely
within the company but any unapproved use outside the company can pose a chance of
harm.
Restricted: Information that requires the utmost protection or, if discovered by unauthorized
personnel, would cause irreparable harm to the organization would have the highest level
of classification. There may be very few pieces of information like this within an
organization, but data classified at this level requires all the access control and protection
mechanisms available to the organization. Even when information classified at this level
exists, there will be few copies of it.
Reference(s) Used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 952-976). Auerbach Publications. Kindle Edition.
Which of the following is NOT an example of an operational control?
A. Backup and recovery
B. Auditing
C. Contingency planning
D. Operations procedures
Auditing
Operational controls are controls over the hardware, the media used and the
operators using these resources.
Operational controls are controls that are implemented and executed by people, they are
most often procedures.
Backup and recovery, contingency planning and operations procedures are operational
controls.
Auditing is considered an administrative / detective control. However, the actual auditing
mechanisms in place on the systems would be considered operational controls.
Which of the following best corresponds to the type of memory addressing where the
address location that is specified in the program instruction contains the address of the final
desired location?
A. Direct addressing
B. Indirect addressing
C. Indexed addressing
D. Program addressing
Indirect addressing
Indirect addressing is when the address location that is specified in the
program instruction contains the address of the final desired location. Direct addressing is
when a portion of primary memory is accessed by specifying the actual address of the
memory location. Indexed addressing is when the contents of the address defined in the
program's instruction are added to that of an index register. Program addressing is not a
defined memory addressing mode.
Source: WALLHOFF, John, CBK#6 Security Architecture and Models (CISSP Study
Guide), April 2002 (page 2).
Which of the following would be the best reason for separating the test and development
environments?
A. To restrict access to systems under test.
B. To control the stability of the test environment.
C. To segregate user and development staff.
D. To secure access to systems under development.
B. To control the stability of the test environment.
The test environment must be controlled and stable in order to ensure that
development projects are tested in a realistic environment which, as far as possible, mirrors
the live environment.
Reference(s) used for this question:
Information Systems Audit and Control Association, Certified Information Systems Auditor
2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 309).
Which of the following is NOT true concerning Application Control?
A. It limits end users' use of applications in such a way that only particular screens are visible.
B. Only specific records can be requested through the application controls.
C. Particular usage of the application can be recorded for audit purposes.
D. It is non-transparent to the endpoint applications so changes are needed to the applications and databases involved.
It is non-transparent to the endpoint applications so changes are needed to the
applications and databases involved
Source: TIPTON, Harold F. & KRAUSE, MICKI, Information Security
Management Handbook, 4th Edition, Volume 2, Auerbach.
What security problem is most likely to exist if an operating system permits objects to be
used sequentially by multiple users without forcing a refresh of the objects?
A. Disclosure of residual data.
B. Unauthorized obtaining of a privileged execution state.
C. Denial of service through a deadly embrace.
D. Data leakage through covert channels.
Disclosure of residual data.
This question is asking you to consider the effects of object reuse. Object
reuse is "reassigning to subject media that previously contained information. Object reuse
is a security concern because if insufficient measures were taken to erase the information
on the media, the information may be disclosed to unauthorized personnel."
This concept relates to Security Architecture and Design, because it is in level C2: Controlled Access Protection, of the Orange Book, where "The object reuse concept must
be invoked, meaning that any medium holding data must not contain any remnants of
information after it is released for another subject to use."
REFERENCE:
AIO Version 5 (Shon Harris), page 360
and
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Which of the following security modes of operation does NOT require all users to have the
clearance for all information processed on the system?
A. Compartmented security mode
B. Multilevel security mode
C. System-high security mode
D. Dedicated security mode
Multilevel security mode
The multilevel security mode permits two or more classification levels of
information to be processed at the same time when not all users have the clearance
or formal approval to access all the information being processed by the system.
In dedicated security mode, all users have the clearance or authorization and need-to-know
to all data processed within the system.
In system-high security mode, all users have a security clearance or authorization to
access the information but not necessarily a need-to-know for all the information processed
on the system (only some of the data).
In compartmented security mode, all users have the clearance to access all the information
processed by the system, but might not have the need-to-know and formal access
approval.
Generally, security modes refer to information systems security modes of operation used
in mandatory access control (MAC) systems. Often, these systems contain information at
various levels of security classification.
The mode of operation is determined by:
The type of users who will be directly or indirectly accessing the system.
The type of data, including classification levels, compartments, and categories, that are
processed on the system.
The type of levels of users, their need to know, and formal access approvals that the users
will have.
Dedicated security mode
In this mode of operation, all users must have:
Signed NDA for ALL information on the system.
Proper clearance for ALL information on the system.
Formal access approval for ALL information on the system.
A valid need to know for ALL information on the system.
All users can access ALL data.
System high security mode
In this mode of operation, all users must have:
Signed NDA for ALL information on the system.
Proper clearance for ALL information on the system.
Formal access approval for ALL information on the system.
A valid need to know for SOME information on the system.
All users can access SOME data, based on their need to know.
Compartmented security mode
In this mode of operation, all users must have:
Signed NDA for ALL information on the system.
Proper clearance for ALL information on the system.
Formal access approval for SOME information they will access on the system.
A valid need to know for SOME information on the system.
All users can access SOME data, based on their need to know and formal access
approval.
Multilevel security mode
In this mode of operation, all users must have:
Signed NDA for ALL information on the system.
Proper clearance for SOME information on the system.
Formal access approval for SOME information on the system.
A valid need to know for SOME information on the system.
All users can access SOME data, based on their need to know, clearance and formal
access approval.
REFERENCES:
WALLHOFF, John, CBK#6 Security Architecture and Models (CISSP Study Guide), April
2002 (page 6).
and
http://en.wikipedia.org/wiki/Security_Modes
Which of the following are the steps usually followed in the development of documents
such as security policy, standards and procedures?
A. Design, development, publication, coding, and testing.
B. Design, evaluation, approval, publication, and implementation.
C. Initiation, evaluation, development, approval, publication, implementation, and maintenance.
D. Feasibility, development, approval, implementation, and integration.
initiation, evaluation, development, approval, publication, implementation, and
maintenance.
The common steps used in the development of security policy are initiation
of the project, evaluation, development, approval, publication, implementation, and
maintenance. The other choices listed are phases of the software development life
cycle and not the steps used to develop documents such as policies, standards, etc.
Reference: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management
Handbook, 4th Edition, Volume 3, 2002, Auerbach Publications.
Related to information security, the prevention of the intentional or unintentional
unauthorized disclosure of contents is which of the following?
A. Confidentiality
B. Integrity
C. Availability
D. Capability
Confidentiality
Confidentiality is the prevention of the intentional or unintentional
unauthorized disclosure of contents.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 60.
Ensuring least privilege does not require:
A. Identifying what the user's job is.
B. Ensuring that the user alone does not have sufficient rights to subvert an important process.
C. Determining the minimum set of privileges required for a user to perform their duties.
D. Restricting the user to required privileges and nothing more.
Ensuring that the user alone does not have sufficient rights to subvert an important
process.
Ensuring that the user alone does not have sufficient rights to subvert an
important process is a concern of the separation of duties principle and it does not concern
the least privilege principle.
Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study
Guide, version 1.0, March 2002 (page 33).
What is the difference between Advisory and Regulatory security policies?
A. There is no difference between them.
B. Regulatory policies are high level policy, while advisory policies are very detailed.
C. Advisory policies are not mandated. Regulatory policies must be implemented.
D. Advisory policies are mandated while Regulatory policies are not.
Advisory policies are not mandated. Regulatory policies must be implemented.
Advisory policies are security policies that are not mandated to be followed
but are strongly suggested, perhaps with serious consequences defined for failure to follow
them (such as termination, a job action warning, and so forth). A company with such
policies wants most employees to consider these policies mandatory.
Most policies fall under this broad category.
Advisory policies can have many exclusions or application levels. Thus, these policies can
control some employees more than others, according to their roles and responsibilities
within that organization. For example, a policy that
requires a certain procedure for transaction processing might allow for an alternative
procedure under certain, specified conditions.
Regulatory
Regulatory policies are security policies that an organization must implement due to
compliance, regulation, or other legal requirements. These companies might be financial
institutions, public utilities, or some other type of organization that operates in the public
interest. These policies are usually very detailed and are specific to the industry in which
the organization operates.
Regulatory policies commonly have two main purposes:
1. To ensure that an organization is following the standard procedures or base practices of
operation in its specific industry
2. To give an organization the confidence that it is following the standard and accepted
industry policy.
Informative
Informative policies are policies that exist simply to inform the reader. There are no implied
or specified requirements, and the audience for this information could be certain internal
(within the organization) or external parties. This does not mean that the policies are
authorized for public consumption but that they are general enough to be distributed to
external parties (vendors accessing an extranet, for example) without a loss of
confidentiality.
References:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Page 12, Chapter 1: Security
Management Practices.
also see:
The CISSP Prep Guide:Mastering the Ten Domains of Computer Security by Ronald L.
Krutz, Russell Dean Vines, Edward M. Stroz
also see:
http://i-data-recovery.com/information-security/information-security-policies-standardsguidelines-and-procedures