Deck 8: Security Management Models

​The Information Technology Infrastructure Library (ITIL)is a collection of policies and practices for managing the development and operation of IT infrastructures.____________

The principle of limiting users' access privileges to the specific information required to perform their assigned tasks is known as need-to-know.____________

A security blueprint is the outline of the more thorough security framework.

Separation of duties is the principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties.

​A person's security clearance is a personnel security structure in which each user of an information asset is assigned an authorization level that identifies the level of classified information he or she is cleared to access.____________

​A security ​monitor is a conceptual piece of the system within the trusted computer base that manages access controls-in other words,it mediates all access to objects by subjects.____________

Information Technology Infrastructure Library provides guidance in the development and implementation of an organizational InfoSec governance structure.

The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary is known as minimal privilege.____________

In information security,a specification of a model to be followed during the design, selection,and initial and ongoing implementation of all subsequent security controls is known as a blueprint.____________

In a lattice-based access control,a restriction table is the row of attributes associated with a particular subject (such as a user).​ ____________

The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them is called isolation of duties.____________

Under the Clark-Wilson model,internal consistency means that the system is consistent with similar data in the outside world.

​Dumpster delving is an information attack that involves searching through a target organization's trash and recycling bins for sensitive information.____________

In information security,a framework or security model customized to an organization,including implementation details is known as a floorplan._____________

ISO/IEC 27001 provides implementation details on how to implement ISO/IEC 27002 and how to set up a(n)____________________.

The ____________________ principle is based on the requirement that people are not allowed to view data simply because it falls within their level of clearance.

____________________ channels are unauthorized or unintended methods of communications hidden inside a computer system,and include storage and timing channels.

In the COSO framework,___________ activities include those policies and procedures that support management directives.

To design a security program,an organization can use a(n)____________________,which is a generic outline of the more thorough and organization-specific blueprint offered by a service organization.

When copies of classified information are no longer valuable or too many copies exist,what steps should be taken to destroy them properly? Why?

One approach used to categorize access control methodologies categorizes controls based on their operational impact on the organization. What are these categories as described by NIST?

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A form of nondiscretionary control where access is determined based on the tasks assigned to a specified user.

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
One of the TCSEC's covert channels,which communicate by modifying a stored object.

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Within TCSEC,the combination of all hardware,firmware,and software responsible for enforcing the security policy.

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Ratings of the security level for a specified collection of information (or user)within a mandatory access control scheme.

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Controls access to a specific set of information based on its content.

What are the two primary access modes of the Bell-LaPadula model and what do they restrict?

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.

What is the data classification for information deemed to be National Security Information for the U.S.military as specified in 2009 in Executive Order 13526?

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Controls implemented at the discretion or option of the data user.

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A TCSEC-defined covert channel,which transmit information by managing the relative timing of events.

According to COSO,internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in what three categories?

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
Access is granted based on a set of rules specified by the central authority.

Under what circumstances should access controls be centralized vs.decentralized?

What are the five principles that are focused on the governance and management of IT as specified by COBIT 5?

a. Blueprint
b. DAC
c. content-dependent access controls
d. rule-based access controls
e. separation of duties
f. sensitivity levels
g. storage channels
h. task-based controls
i. timing channelsj. TCB
A framework or security model customized to an organization,including implementation details.

Lattice-based access controls use a two-dimensional matrix to assign authorizations,what are the two dimensions and what are they called?

Access controls are build on three key principles. List and briefly define them.

There are seven access controls methodologies categorized by their inherent characteristics. List and briefly define them.