Topic 2. Security Operations Administration
Which of the following statements pertaining to the security kernel is incorrect?
A.
The security kernel is made up of mechanisms that fall under the TCB and implements and enforces the reference monitor concept.
B.
The security kernel must provide isolation for the processes carrying out the reference
monitor concept and they must be tamperproof.
C.
The security kernel must be small enough to be able to be tested and verified in a
complete and comprehensive manner.
D.
The security kernel is an access control concept, not an actual physical component.
The security kernel is an access control concept, not an actual physical component.
The reference monitor, not the security kernel, is an access control concept. The security kernel is made up of the hardware, software, and firmware components that fall within the
TCB and implements and enforces the reference monitor concept. The security kernel
mediates all access and functions between subjects and objects. The security kernel is the
core of the TCB and is the most commonly used approach to building trusted computing
systems.
There are three main requirements of the security kernel:
• It must provide isolation for the processes carrying out the reference monitor concept, and
the processes must be tamperproof.
• It must be invoked for every access attempt and must be impossible to circumvent. Thus,
the security kernel must be implemented in a complete and foolproof way.
• It must be small enough to be able to be tested and verified in a complete and
comprehensive manner.
The following answers are incorrect:
The security kernel is made up of mechanisms that fall under the TCB and implements and
enforces the reference monitor concept. Is incorrect because this is the definition of the
security kernel.
The security kernel must provide isolation for the processes carrying out the reference
monitor concept and they must be tamperproof. Is incorrect because this is one of the three
requirements that make up the security kernel.
The security kernel must be small enough to be able to be tested and verified in a complete
and comprehensive manner. Is incorrect because this is one of the three requirements that
make up the security kernel.
If an operating system permits shared resources such as memory to be used sequentially
by multiple users/application or subjects without a refresh of the objects/memory area, what
security problem is MOST likely to exist?
A.
Disclosure of residual data.
B.
Unauthorized obtaining of a privileged execution state.
C.
Data leakage through covert channels.
D.
Denial of service through a deadly embrace.
Disclosure of residual data.
Allowing objects to be used sequentially by multiple users without a refresh
of the objects can lead to disclosure of residual data. It is important that steps be taken to
eliminate the chance for the disclosure of residual data.
Object reuse refers to the allocation or reallocation of system resources to a user or, more
appropriately, to an application or process. Applications and services on a computer
system may create or use objects in memory and in storage to perform programmatic
functions. In some cases, it is necessary to share these resources between various system
applications. However, some objects may be employed by an application to perform
privileged tasks on behalf of an authorized user or upstream application. If object usage is
not controlled or the data in those objects is not erased after use, they may become
available to unauthorized users or processes.
Disclosure of residual data and unauthorized obtaining of a privileged execution state are
both problems that can arise from shared memory and resources. Not clearing the heap/stack
leaves residual data behind and may also let a user step into somebody else's session if a
security token or identity was kept in that space. Exploiting leftover state that way is
generally deliberate rather than accidental, and it depends on privileged state happening to
be present in the reused area. The MOST likely issue is disclosure of residual data.
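The following is an added example, not part of the question's references, that shows the object reuse problem in code: a small fixed-size pool hands memory to successive subjects, first without clearing it and then under the two usual remedies, clear-on-allocation and clear-on-release. The pool, the `secure_zero` helper and the session token are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a four-slot fixed-size pool standing in for any allocator
 * that hands shared memory to successive subjects (a heap, a page allocator,
 * a buffer cache). Pool, slots and "subjects" are constructed for this
 * illustration; none of it is an API from the question's references. */
#define POOL_SLOTS 4
#define SLOT_SIZE  64

enum reuse_policy {
    REUSE_NO_CLEAR,          /* hand the slot over as-is: the object reuse problem */
    REUSE_CLEAR_ON_ALLOC,    /* zero the slot before the next subject receives it  */
    REUSE_CLEAR_ON_RELEASE   /* zero the slot as soon as its owner gives it up     */
};

static unsigned char pool[POOL_SLOTS][SLOT_SIZE];
static int           slot_in_use[POOL_SLOTS];

/* memset() on a buffer that is about to be released is a dead store the
 * optimizer may delete; writing through a volatile pointer keeps it. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

static void *pool_alloc(enum reuse_policy policy)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!slot_in_use[i]) {
            slot_in_use[i] = 1;
            if (policy == REUSE_CLEAR_ON_ALLOC)
                secure_zero(pool[i], SLOT_SIZE);
            return pool[i];
        }
    }
    return NULL;
}

static void pool_free(void *p, enum reuse_policy policy)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i] == p) {
            if (policy == REUSE_CLEAR_ON_RELEASE)
                secure_zero(pool[i], SLOT_SIZE);
            slot_in_use[i] = 0;
            return;
        }
    }
}

/* Subject A stores a session token in a slot and releases it; subject B then
 * receives a slot and scans it without writing anything first.
 * Returns 1 if B can read A's token (residual data disclosed), 0 otherwise. */
int residue_visible(enum reuse_policy policy)
{
    static const char token[] = "session=7f3a9c12; uid=0";   /* constructed secret */

    memset(pool, 0, sizeof pool);                 /* start from a clean pool each run */
    memset(slot_in_use, 0, sizeof slot_in_use);

    char *a = pool_alloc(policy);
    memcpy(a, token, sizeof token);               /* A does its work ...            */
    pool_free(a, policy);                         /* ... and gives the slot back    */

    const char *b = pool_alloc(policy);           /* B is handed the same slot      */
    /* B never wrote here; anything it finds is A's leftover. */
    for (size_t off = 0; off + sizeof token <= SLOT_SIZE; off++)
        if (memcmp(b + off, token, sizeof token) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("no clear         : residue visible = %d\n", residue_visible(REUSE_NO_CLEAR));
    printf("clear on alloc   : residue visible = %d\n", residue_visible(REUSE_CLEAR_ON_ALLOC));
    printf("clear on release : residue visible = %d\n", residue_visible(REUSE_CLEAR_ON_RELEASE));
    return 0;
}
```

Under no-clear, subject B reads A's token without ever writing to the slot; either remedy closes that path. Clear-on-release is the stronger policy because the residue disappears as soon as the owner is done with it instead of sitting in the pool until the next allocation, where a crash dump, a DMA-capable device or a subject that reaches memory without going through the allocator could still read it. The volatile write loop matters: a plain memset() immediately before a release is a dead store the compiler is entitled to remove.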
The following answers are incorrect:
Unauthorized obtaining of a privileged execution state. Is incorrect because it is not the
most likely consequence of object reuse; it requires privileged state to be left behind in
the reused area and a subject able to make use of it.
Data leakage through covert channels. Is incorrect because it is not the best answer. A
covert channel is a communication path, and leakage over one is not a problem created by
object reuse. In computer security, a covert channel is a type of attack that creates a
capability to transfer information between processes that are not supposed to be allowed
to communicate by the computer security policy. The term, introduced by Lampson in 1973,
is defined as "(channels) not intended for information transfer at all, such as the service
program's effect on system load," to distinguish such channels from legitimate channels
that are subject to access controls by COMPUSEC.
Denial of service through a deadly embrace. Is incorrect because it is only a distractor; a
deadly embrace (deadlock) is a concurrency problem, not a consequence of reusing objects
without clearing them.
References: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 4174-4179). Auerbach Publications. Kindle
Edition.
and
https://www.fas.org/irp/nsa/rainbow/tg018.htm
and
http://en.wikipedia.org/wiki/Covert_channel
Who of the following is responsible for ensuring that proper controls are in place to address
integrity, confidentiality, and availability of IT systems and data?
A.
Business and functional managers
B.
IT Security practitioners
C.
System and information owners
D.
Chief information officer
System and information owners
The system and information owners are responsible for ensuring that proper
controls are in place to address integrity, confidentiality, and availability of the IT systems
and data they own. IT security practitioners are responsible for proper implementation of
security requirements in their IT systems.
Source: STONEBURNER, Gary et al., NIST Special Publication 800-30, Risk Management
Guide for Information Technology Systems, 2001 (page 6).
Which of the following phases of a software development life cycle normally incorporates
the security specifications, determines access controls, and evaluates encryption options?
A.
Detailed design
B.
Implementation
C.
Product design
D.
Software plans and requirements
Product design
The Product design phase deals with incorporating security specifications,
adjusting test plans and data, determining access controls, design documentation,
evaluating encryption options, and verification.
Implementation is incorrect because it deals with Installing security software, running the
system, acceptance testing, security software testing, and complete documentation
certification and accreditation (where necessary).
Detailed design is incorrect because it deals with information security policy, standards,
legal issues, and the early validation of concepts.
Software plans and requirements is incorrect because it deals with addressing threats,
vulnerabilities, security requirements, reasonable care, due diligence, legal liabilities,
cost/benefit analysis, level of protection desired, and test plans.
Sources:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and
Systems Development (page 252).
KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing
Inc., 2003, Chapter 7: Security Life Cycle Components, Figure 7.5 (page 346).
At which of the basic phases of the System Development Life Cycle are security
requirements formalized?
A. Disposal
B. System Design Specifications
C. Development and Implementation
D. Functional Requirements Definition
Answer: D
During the Functional Requirements Definition the project management and systems
development teams will conduct a comprehensive analysis of current and possible future
functional requirements to ensure that the new system will meet end-user needs. The
teams also review the documents from the project initiation phase and make any revisions or updates as needed. For smaller projects, this phase is often subsumed in the project
initiation phase. At this point security requirements should be formalized.
The Development Life Cycle is a project management tool that can be used to plan,
execute, and control a software development project usually called the Systems
Development Life Cycle (SDLC).
The SDLC is a process that includes systems analysts, software engineers, programmers,
and end users in the project design and development. Because there is no industry-wide
SDLC, an organization can use any one, or a combination of SDLC methods.
The SDLC simply provides a framework for the phases of a software development project
from defining the functional requirements to implementation. Regardless of the method
used, the SDLC outlines the essential phases, which can be shown together or as separate
elements. The model chosen should be based on the project.
For example, some models work better with long-term, complex projects, while others are
more suited for short-term projects. The key element is that a formalized SDLC is utilized.
The number of phases can range from three basic phases (concept, design, and
implement) on up.
The basic phases of SDLC are:
Project initiation and planning
Functional requirements definition
System design specifications
Development and implementation
Documentation and common program controls
Testing and evaluation control, (certification and accreditation)
Transition to production (implementation)
The system life cycle (SLC) extends beyond the SDLC to include two additional phases:
Operations and maintenance support (post-installation)
Revisions and system replacement
System Design Specifications
This phase includes all activities related to designing the system and software. In this
phase, the system architecture, system outputs, and system interfaces are designed. Data input, data flow, and output requirements are established and security features are
designed, generally based on the overall security architecture for the company.
Development and Implementation
During this phase, the source code is generated, test scenarios and test cases are
developed, unit and integration testing is conducted, and the program and system are
documented for maintenance and for turnover to acceptance testing and production. As
well as general care for software quality, reliability, and consistency of operation, particular
care should be taken to ensure that the code is analyzed to eliminate common
vulnerabilities that might lead to security exploits and other risks.
Documentation and Common Program Controls
These are controls used when editing the data within the program, the types of logging the
program should be doing, and how the program versions should be stored. A large number
of such controls may be needed, see the reference below for a full list of controls.
Acceptance
In the acceptance phase, preferably an independent group develops test data and tests the
code to ensure that it will function within the organization’s environment and that it meets
all the functional and security requirements. It is essential that an independent group test
the code during all applicable stages of development to prevent a separation of duties
issue. The goal of security testing is to ensure that the application meets its security
requirements and specifications. The security testing should uncover all design and
implementation flaws that would allow a user to violate the software security policy and
requirements. To ensure test validity, the application should be tested in an environment
that simulates the production environment. This should include a security certification
package and any user documentation.
Certification and Accreditation (Security Authorization)
Certification is the process of evaluating the security stance of the software or system
against a predetermined set of security standards or policies. Certification also examines
how well the system performs its intended functional requirements. The certification or
evaluation document should contain an analysis of the technical and nontechnical security
features and countermeasures and the extent to which the software or system meets the
security requirements for its mission and operational environment.
Transition to Production (Implementation)
During this phase, the new system is transitioned from the acceptance phase into the live
production environment. Activities during this phase include obtaining security
accreditation; training the new users according to the implementation and training schedules; implementing the system, including installation and data conversions; and, if
necessary, conducting any parallel operations.
Revisions and System Replacement
As systems are in production mode, the hardware and software baselines should be
subject to periodic evaluations and audits. In some instances, problems with the application
may not be defects or flaws, but rather additional functions not currently developed in the
application. Any changes to the application must follow the same SDLC and be recorded in
a change management system. Revision reviews should include security planning and
procedures to avoid future problems. Periodic application audits should be conducted and
include documenting security incidents when problems occur. Documenting system failures
is a valuable resource for justifying future system enhancements.
Below you have the phases used by NIST in its SP 800-64 Revision 2 document.
As noted above, the phases will vary from one document to another one. For the purpose
of the exam use the list provided in the official ISC2 Study book which is presented in short
form above. Refer to the book for a more detailed description of activities at each of the
phases of the SDLC.
However, all references use very similar steps. As mentioned in the official
book, it can be as simple as three phases in its most basic version (concept, design, and
implement) or a lot more in more detailed versions of the SDLC. The key thing is to make use of an SDLC.
Figure: SDLC phases
Reference(s) used for this question:
NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
and
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition:
Software Development Security ((ISC)2 Press) (Kindle Locations 134-157). Auerbach
Publications. Kindle Edition.
What mechanism does a system use to compare the security labels of a subject and an
object?
A.
Validation Module.
B.
Reference Monitor.
C.
Clearance Check.
D.
Security Module
Reference Monitor.
Because the Reference Monitor is responsible for access control to the
objects by the subjects it compares the security labels of a subject and an object.
According to the OIG: The reference monitor is an access control concept referring to an
abstract machine that mediates all accesses to objects by subjects based on information in
an access control database. The reference monitor must mediate all access, be protected
from modification, be verifiable as correct, and must always be invoked. The reference
monitor, in accordance with the security policy, controls the checks that are made in the
access control database.
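As an added example (not from the OIG or the other references cited here), the following code ties together the security kernel requirements discussed earlier on this page and the reference monitor description above: a single mediation function compares a subject's label with an object's label using a dominance relation (hierarchical level plus category set) and grants or denies the access. Levels, categories, subjects and objects are constructed for the illustration; the rules applied are the Bell-LaPadula no-read-up and no-write-down properties.

```c
#include <stdio.h>

/* Added example: a minimal reference monitor. One function mediates every
 * access by comparing the subject's security label with the object's. A
 * label is a hierarchical level plus a set of non-hierarchical categories,
 * so labels are partially ordered: one label DOMINATES another when its
 * level is at least as high and its category set is a superset. Levels,
 * categories, subjects and objects are constructed for the example; the
 * access rules are Bell-LaPadula's no-read-up and no-write-down. */

enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* categories are single bits so a category set is one mask */
enum category { CAT_CRYPTO = 1, CAT_NUCLEAR = 2, CAT_FINANCE = 4 };

struct label {
    enum level level;
    unsigned   categories;     /* bitwise OR of enum category values */
};

enum access  { ACCESS_READ, ACCESS_WRITE };
enum verdict { DENY = 0, GRANT = 1 };

/* a dominates b  <=>  a.level >= b.level  and  b's categories are a subset of a's */
int dominates(struct label a, struct label b)
{
    return a.level >= b.level && (b.categories & ~a.categories) == 0;
}

/* The single choke point every access request must pass through (complete
 * mediation). Reads require subject >= object (no read up); writes require
 * object >= subject (no write down). The printed line stands in for the
 * audit record the monitor keeps for every decision, granted or denied. */
enum verdict reference_monitor(const char *subject_name, struct label subject,
                               const char *object_name,  struct label object,
                               enum access op)
{
    enum verdict v;
    if (op == ACCESS_READ)
        v = dominates(subject, object) ? GRANT : DENY;
    else
        v = dominates(object, subject) ? GRANT : DENY;

    printf("%-5s %-8s -> %-10s : %s\n", op == ACCESS_READ ? "READ" : "WRITE",
           subject_name, object_name, v == GRANT ? "GRANT" : "DENY");
    return v;
}

/* Constructed subjects */
static const struct label analyst = { SECRET,       CAT_CRYPTO  };
static const struct label clerk   = { CONFIDENTIAL, CAT_FINANCE };
/* Constructed objects */
static const struct label crypto_ts = { TOP_SECRET,   CAT_CRYPTO  };
static const struct label crypto_s  = { SECRET,       CAT_CRYPTO  };
static const struct label ledger_c  = { CONFIDENTIAL, CAT_FINANCE };
static const struct label public_u  = { UNCLASSIFIED, 0           };

int main(void)
{
    reference_monitor("analyst", analyst, "crypto_s",  crypto_s,  ACCESS_READ);  /* GRANT: equal labels            */
    reference_monitor("analyst", analyst, "crypto_ts", crypto_ts, ACCESS_READ);  /* DENY : read up                 */
    reference_monitor("analyst", analyst, "crypto_ts", crypto_ts, ACCESS_WRITE); /* GRANT: write up is allowed     */
    reference_monitor("analyst", analyst, "public_u",  public_u,  ACCESS_WRITE); /* DENY : write down              */
    reference_monitor("analyst", analyst, "ledger_c",  ledger_c,  ACCESS_READ);  /* DENY : level ok, category not  */
    reference_monitor("clerk",   clerk,   "ledger_c",  ledger_c,  ACCESS_READ);  /* GRANT                          */
    reference_monitor("clerk",   clerk,   "crypto_s",  crypto_s,  ACCESS_WRITE); /* DENY : incomparable labels     */
    return 0;
}
```

Two things the output makes visible. Labels are only partially ordered, so a subject at SECRET can still be denied a CONFIDENTIAL object whose category it lacks; that is why the comparison has to be a dominance test rather than an integer compare of levels. And every access, whatever its outcome, passes through `reference_monitor()` and leaves an audit line: the "always invoked" and "verifiable" requirements are about this choke point, not about the label arithmetic. Strict Bell-LaPadula permits the write-up shown here (a write to a higher label the subject cannot read back); real systems often tighten this to write-equal.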
The following are incorrect:
Validation Module. A Validation Module is typically found in application source code and is
used to validate data being input.
Clearance Check. Is a distractor; there is no such thing other than what someone would do
when checking if someone is authorized to access a secure facility.
Security Module. Is typically a general purpose module that performs a variety of security
related functions.
References:
OIG CBK, Security Architecture and Design (page 324)
AIO, 4th Edition, Security Architecture and Design, pp 328-328.
Wikipedia - http://en.wikipedia.org/wiki/Reference_monitor
What is the main issue with media reuse?
A.
Degaussing
B.
Data remanence
C.
Media destruction
D.
Purging
Data remanence
The main issue with media reuse is data remanence, where residual
information still resides on a media that has been erased. Degaussing, purging and
destruction are ways to handle media that contains data that is no longer needed or used.
Source: WALLHOFF, John, CBK#10 Physical Security (CISSP Study Guide), April 2002
(page 5).
Which of the following is NOT a basic component of security architecture?
A.
Motherboard
B.
Central Processing Unit (CPU)
C.
Storage Devices
D.
Peripherals (input/output devices)
Motherboard
The CPU, storage devices and peripherals each have specialized roles in the
security architecture. The CPU, or microprocessor, is the brains behind a computer system
and performs calculations as it solves problems and performs system tasks. Storage
devices provide both long- and short-term storage of information that the CPU has either
processed or may process. Peripherals (scanners, printers, modems, etc.) are devices that
either input data or receive the data output by the CPU.
The motherboard is the main circuit board of a microcomputer and contains the connectors
for attaching additional boards. Typically, the motherboard contains the CPU, BIOS,
memory, mass storage interfaces, serial and parallel ports, expansion slots, and all the
controllers required to control standard peripheral devices.
Reference(s) used for this question:
TIPTON, Harold F., The Official (ISC)2 Guide to the CISSP CBK (2007), page 308.
Which of the following statements pertaining to a security policy is incorrect?
A.
Its main purpose is to inform the users, administrators and managers of their obligatory
requirements for protecting technology and information assets.
B.
It specifies how hardware and software should be used throughout the organization.
C.
It needs to have the acceptance and support of all levels of employees within the
organization in order for it to be appropriate and effective.
D.
It must be flexible to the changing environment
It specifies how hardware and software should be used throughout the organization.
A security policy would NOT define how hardware and software should be
used throughout the organization. A standard or a procedure would provide such details
but not a policy.
A security policy is a formal statement of the rules that people who are given access to
an organization's technology and information assets must abide by. The policy communicates
the security goals to all of the users, the administrators, and the managers. The goals will be largely determined by the following key tradeoffs: services offered versus security
provided, ease of use versus security, and cost of security versus risk of loss.
The main purpose of a security policy is to inform the users, the administrators and the
managers of their obligatory requirements for protecting technology and information assets.
The policy should specify the mechanisms through which these requirements can be met.
Another purpose is to provide a baseline from which to acquire, configure and audit
computer systems and networks for compliance with the policy. In order for a security
policy to be appropriate and effective, it needs to have the acceptance and support of all
levels of employees within the organization. A good security policy must:
• Be able to be implemented through system administration procedures, publishing of
acceptable use guidelines, or other appropriate methods
• Be able to be enforced with security tools, where appropriate, and with sanctions, where
actual prevention is not technically feasible
• Clearly define the areas of responsibility for the users, the administrators, and the
managers
• Be communicated to all once it is established
• Be flexible to the changing environment of a computer network since it is a living
document
Reference(s) used for this question:
National Security Agency, Systems and Network Attack Center (SNAC),The 60 Minute
Network Security Guide, February 2002, page 7.
or
A local copy is kept at:
https://www.freepracticetests.org/documents/The-60-Minute-Network-Security-Guide.pdf
Which of the following is NOT a common integrity goal?
A.
Prevent unauthorized users from making modifications.
B.
Maintain internal and external consistency.
C.
Prevent authorized users from making improper modifications.
D.
Prevent paths that could lead to inappropriate disclosure.
Prevent paths that could lead to inappropriate disclosure.
Inappropriate disclosure is a confidentiality, not an integrity goal.
All of the other choices above are integrity goals addressed by the Clark-Wilson integrity
model.
The Clark-Wilson model is an integrity model that addresses all three integrity goals:
1. prevent unauthorized users from making modifications,
2. prevent authorized users from making improper modifications, and
3. maintain internal and external consistency through auditing.
NOTE: Biba addresses only the first integrity goal above.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1384). McGraw-
Hill. Kindle Edition.
Which of the following BEST explains why computerized information systems frequently fail
to meet the needs of users?
A.
Inadequate quality assurance (QA) tools.
B.
Constantly changing user needs.
C.
Inadequate user participation in defining the system's requirements.
D.
Inadequate project management.
Inadequate user participation in defining the system's requirements.
Inadequate user participation in defining the system's requirements. Most
projects fail to meet the needs of the users because there was inadequate input in the
initial steps of the project from the user community about what their needs really are.
The other answers, while potentially valid, are incorrect because they do not represent the
most common problem associated with information systems failing to meet the needs of
users.
References: All in One, page 834.
Only users can define what their needs are and, therefore, what the system should
accomplish. Lack of adequate user involvement, especially in the systems requirements
phase, will usually result in a system that doesn't fully or adequately address the needs of
the user.
Source: Information Systems Audit and Control Association, Certified Information Systems
Auditor 2002 review manual, chapter 6: Business Application System Development,
Acquisition, Implementation and Maintenance (page 296).
What setup should an administrator use for regularly testing the strength of user
passwords?
A.
A networked workstation so that the live password database can easily be accessed by
the cracking program.
B.
A networked workstation so the password database can easily be copied locally and
processed by the cracking program.
C.
A standalone workstation on which the password database is copied and processed by
the cracking program.
D.
A password-cracking program is unethical; therefore it should not be used.
A standalone workstation on which the password database is copied and processed by
the cracking program.
Poor password selection is frequently a major security problem for any
system's security. Administrators should obtain and use password-guessing programs
frequently to identify those users having easily guessed passwords.
Because password-cracking programs are very CPU intensive and can slow the system on
which they run, it is a good idea to transfer the encrypted (hashed) passwords to a standalone
(not networked) workstation. Also, by doing the work on a non-networked machine, any
results found will not be accessible to anyone unless they have physical access to that
system. The copied password file is itself sensitive: it should be protected as carefully as
the original and securely erased from the standalone workstation once the audit is finished.
Out of the four choices presented above this is the best choice. However, in real life you would have strong password policies that enforce complexity
requirements and do not let the user choose a simple or short password that can be
easily cracked or guessed. That would be the best choice if it were one of the choices
presented.
Another issue with password cracking is one of privacy. Many password cracking tools can
avoid this by reporting only that a password was cracked, without showing what the
password actually is, so the password in use is masked from the person doing the cracking.
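The audit the answer describes, as an added example that is not from the NSA guide cited below: the copied password database is checked offline against a word list on the standalone workstation, and the report names only the accounts whose password fell, never the password. The accounts, salts, passwords and word list are constructed, and the salted FNV-1a hash is a stand-in chosen only because it needs no library; production databases use slow salted hashes such as bcrypt, sha512crypt or yescrypt, and the cracking is normally done with a tool such as John the Ripper or hashcat against those.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example: an offline password-strength audit of the kind the answer
 * describes, run against a COPY of the password database on a standalone
 * workstation. It reports which accounts fell to a word list, never the
 * password itself. The salted hash is FNV-1a 64 over salt||password, used
 * only because it needs no library; it is a placeholder for the slow salted
 * hash a real system uses (bcrypt, sha512crypt, yescrypt), not a password
 * hash. Accounts, salts, passwords and the word list are constructed. */

struct account {
    const char *user;
    const char *salt;
    uint64_t    hash;    /* fnv1a64(salt || password), as stored in the copy */
};

uint64_t fnv1a64(const char *salt, const char *password)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    const char *parts[2] = { salt, password };
    for (int i = 0; i < 2; i++)
        for (const char *p = parts[i]; *p; p++) {
            h ^= (unsigned char)*p;
            h *= 0x100000001b3ULL;
        }
    return h;
}

/* The word list the cracking program tries; tiny on purpose. */
static const char *const wordlist[] = {
    "password", "Winter2024", "letmein", "qwerty", "P@ssw0rd"
};
#define WORDLIST_LEN (sizeof wordlist / sizeof wordlist[0])

/* Returns 1 if the account's stored hash matches any word-list entry.
 * The matching word is deliberately not returned: the auditor learns
 * that the password is weak, not what it is. */
int account_is_weak(const struct account *a)
{
    for (size_t i = 0; i < WORDLIST_LEN; i++)
        if (fnv1a64(a->salt, wordlist[i]) == a->hash)
            return 1;
    return 0;
}

/* Audits n accounts, stores the names of weak ones in out (up to max)
 * and returns how many were found. */
size_t audit_weak_accounts(const struct account *db, size_t n,
                           const char **out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++)
        if (account_is_weak(&db[i]) && found < max)
            out[found++] = db[i].user;
    return found;
}

/* The copied database. In reality this is the hash file pulled from the
 * production system; here it is built from sample passwords at run time so
 * the example is self-contained. The audit only ever sees the hashes. */
#define SAMPLE_ACCOUNTS 4
static struct account sample_db[SAMPLE_ACCOUNTS];

const struct account *sample_database(void)
{
    static const char *const users[]     = { "alice", "bob", "carol", "dave" };
    static const char *const salts[]     = { "k7Qx", "m2Pz", "Ab9r", "Zz01" };
    static const char *const passwords[] = { "Winter2024", "c0rrect-h0rse-batt3ry",
                                             "qwerty", "Tq8#vLr2!pX" };
    for (size_t i = 0; i < SAMPLE_ACCOUNTS; i++) {
        sample_db[i].user = users[i];
        sample_db[i].salt = salts[i];
        sample_db[i].hash = fnv1a64(salts[i], passwords[i]);
    }
    return sample_db;
}

static const char *weak_users[SAMPLE_ACCOUNTS];

/* Runs the audit over the sample database; returns the number of weak
 * accounts, whose names are then available through weak_user(). */
size_t audit_sample(void)
{
    return audit_weak_accounts(sample_database(), SAMPLE_ACCOUNTS,
                               weak_users, SAMPLE_ACCOUNTS);
}

const char *weak_user(size_t i) { return weak_users[i]; }

int main(void)
{
    size_t n = audit_sample();
    for (size_t i = 0; i < n; i++)
        printf("weak password: %s (password not shown)\n", weak_user(i));
    printf("%zu of %d accounts have word-list passwords\n", n, SAMPLE_ACCOUNTS);
    return 0;
}
```

Because `account_is_weak()` discards the matching word, a report produced from it can be handed to the help desk without disclosing anyone's password, and the audit itself can run under an account that never needs to see plaintext. The hash copy on the standalone workstation is the other sensitive artifact: it should be securely erased once the audit is finished.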
Source: National Security Agency, Systems and Network Attack Center (SNAC), The 60
Minute Network Security Guide, February 2002, page 8.
What ensures that the control mechanisms correctly implement the security policy for the
entire life cycle of an information system?
A.
Accountability controls
B.
Mandatory access controls
C.
Assurance procedures
D.
Administrative controls
Assurance procedures
Accountability controls provide accountability for the individuals accessing information,
but they do not by themselves verify the control mechanisms. Assurance procedures ensure
that access control mechanisms correctly implement the security policy for the entire life
cycle of an information system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control
systems (page 33)