SSCP Exam Questions

Total 1048 Questions

Last Updated Exam : 15-Apr-2025

Topic 2: Security Operations and Administration

What is RAD?

A. A development methodology
B. A project management technique
C. A measure of system complexity
D. Risk-assessment diagramming

Answer: A. A development methodology

RAD stands for Rapid Application Development.
RAD is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality.
RAD also refers to a programming system that enables programmers to quickly build working programs.
In general, RAD systems provide a number of tools to help build graphical user interfaces that would normally take a large development effort.
Two of the most popular RAD systems for Windows are Visual Basic and Delphi.
Historically, RAD systems have tended to emphasize reducing development time, sometimes at the expense of generating inefficient executable code. Nowadays, though, many RAD systems produce extremely fast, optimized code.
Conversely, many traditional programming environments now come with a number of visual tools to aid development. Therefore, the line between RAD systems and other development environments has become blurred.
Reference:
Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 307)
http://www.webopedia.com

Which of the following is NOT a technical control?

A. Password and resource management
B. Identification and authentication methods
C. Monitoring for physical intrusion
D. Intrusion Detection Systems

Answer: C. Monitoring for physical intrusion

There are three broad categories of access control: administrative, technical, and physical. Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.
Each category of access control has several components that fall within it; a partial list is shown here. Not all controls fall into a single category; many controls belong to two or more categories. Backups are an example of a control that appears in all three categories below:

Administrative Controls
- Policy and procedures (a backup policy would be in place)
- Personnel controls
- Supervisory structure
- Security-awareness training
- Testing

Physical Controls
- Network segregation
- Perimeter security
- Computer controls
- Work area separation
- Data backups (actual storage of the media, i.e. an offsite storage facility)
- Cabling

Technical Controls
- System access
- Network architecture
- Network access
- Encryption and protocols
- Control zone
- Auditing
- Backup (the actual software doing the backups)

The following answers are incorrect:
Password and resource management is considered to be a logical or technical control.
Identification and authentication methods are considered to be logical or technical controls.
Intrusion Detection Systems are considered to be logical or technical controls.
Reference: Shon Harris, AIO v3, Chapter 4: Access Control, pages 180-185

Which of the following can be defined as the process of rerunning a portion of the test scenario or test plan to ensure that changes or corrections have not introduced new errors?

A. Unit testing
B. Pilot testing
C. Regression testing
D. Parallel testing

Answer: C. Regression testing

Regression testing is the process of rerunning a portion of the test scenario or test plan to ensure that changes or corrections have not introduced new errors. The data used in regression testing should be the same as the data used in the original test. Unit testing refers to the testing of an individual program or module. Pilot testing is a preliminary test that focuses only on specific and predetermined aspects of a system. Parallel testing is the process of feeding test data into two systems and comparing the results.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 300).

A trusted system does NOT involve which of the following?

A. Enforcement of a security policy.
B. Sufficiency and effectiveness of mechanisms to be able to enforce a security policy.
C. Assurance that the security policy can be enforced in an efficient and reliable manner.
D. Independently-verifiable evidence that the security policy-enforcing mechanisms are sufficient and effective.

Answer: C. Assurance that the security policy can be enforced in an efficient and reliable manner.

A trusted system is one that meets its intended security requirements. It involves sufficiency and effectiveness, not necessarily efficiency, in enforcing a security policy. Put succinctly, trusted systems have (1) policy, (2) mechanism, and (3) assurance.
Source: HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January 2002.

Which must bear the primary responsibility for determining the level of protection needed for information systems resources?

A. IS security specialists
B. Senior Management
C. Senior security analysts
D. Systems auditors

Answer: B. Senior Management

If there is no support from senior management to implement, execute, and enforce security policies and procedures, then they won't work. Senior management must be involved because they have an obligation to the organization to protect its assets. The requirement here is for management to show "due diligence" in establishing an effective compliance or security program. It is senior management that could face legal repercussions if they do not have sufficient controls in place.
The following answers are incorrect:
IS security specialists is incorrect because it is not the best answer: senior management bears the primary responsibility for determining the level of protection needed.
Senior security analysts is incorrect because it is not the best answer: senior management bears the primary responsibility for determining the level of protection needed.
Systems auditors is incorrect because it is not the best answer: systems auditors are responsible for verifying that the controls in place are effective. Senior management bears the primary responsibility for determining the level of protection needed.

What is the act of obtaining information of a higher sensitivity by combining information from lower levels of sensitivity?

A. Polyinstantiation
B. Inference
C. Aggregation
D. Data mining

Answer: C. Aggregation

Aggregation is the act of obtaining information of a higher sensitivity by combining information from lower levels of sensitivity.
The incorrect answers are:
Polyinstantiation is the development of a detailed version of an object from another object using different values in the new object.
Inference is the ability of users to infer or deduce information about data at sensitivity levels for which they do not have access privilege.
Data mining refers to searching through a data warehouse for data correlations.
Sources:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 261).
KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Database Security Issues (page 358).

Making sure that the data has not been changed unintentionally, due to an accident or malice, is:

A. Integrity.
B. Confidentiality.
C. Availability.
D. Auditability.

Answer: A. Integrity.

Integrity refers to the protection of information from unauthorized modification or deletion.
Confidentiality is incorrect. Confidentiality refers to the protection of information from unauthorized disclosure.
Availability is incorrect. Availability refers to the assurance that information and services will be available to authorized users in accordance with the service level objective.
Auditability is incorrect. Auditability refers to the ability to trace an action to the identity that performed it and identify the date and time at which it occurred.
References:
CBK, pp. 5-6
AIO3, pp. 56-57

Which of the following is best defined as a circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it?

A. Aggregation
B. Inference
C. Clustering
D. Collision

Answer: A. Aggregation

The Internet Security Glossary (RFC 2828) defines aggregation as a circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it.
Source: SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000.

Which software development model is actually a meta-model that incorporates a number of the software development models?

A. The Waterfall model
B. The modified Waterfall model
C. The Spiral model
D. The Critical Path Model (CPM)

Answer: C. The Spiral model

The spiral model is actually a meta-model that incorporates a number of the software development models. This model depicts a spiral that incorporates the various phases of software development. The model states that each cycle of the spiral involves the same series of steps for each part of the project. CPM refers to the Critical Path Methodology.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 246).

Who is ultimately responsible for the security of computer-based information systems within an organization?

A. The tech support team.
B. The Operation Team.
C. The management team.
D. The training team.

Answer: C. The management team.

If there is no support from management to implement, execute, and enforce security policies and procedures, then they won't work. Senior management must be involved because they have an obligation to the organization to protect its assets. The requirement here is for management to show "due diligence" in establishing an effective compliance or security program.
The following answers are incorrect:
The tech support team is incorrect because the ultimate responsibility for the security of computer-based information systems lies with management.
The Operation Team is incorrect because the ultimate responsibility for the security of computer-based information systems lies with management.
The training team is incorrect because the ultimate responsibility for the security of computer-based information systems lies with management.
Reference(s) used for this question:
OIG CBK Information Security Management and Risk Management (pages 20-22)

