Topic 2. Security operation administration
Which of the following describes a computer processing architecture in which a language
compiler or pre-processor breaks program instructions down into basic operations that can
be performed by the processor at the same time?
A. Very-Long Instruction-Word Processor (VLIW)
B. Complex-Instruction-Set-Computer (CISC)
C. Reduced-Instruction-Set-Computer (RISC)
D. Super Scalar Processor Architecture (SCPA)
Very-Long Instruction-Word Processor (VLIW)
Very long instruction word (VLIW) describes a computer processing
architecture in which a language compiler or pre-processor breaks program instruction
down into basic operations that can be performed by the processor in parallel (that is, at
the same time). These operations are put into a very long instruction word which the
processor can then take apart without further analysis, handing each operation to an
appropriate functional unit.
The following answers are incorrect:
The term "CISC" (complex instruction set computer or computing) refers to computers
designed with a full set of computer instructions that were intended to provide needed
capabilities in the most efficient way. Later, it was discovered that, by reducing the full set
to only the most frequently used instructions, the computer would get more work done in a
shorter amount of time for most applications. Intel's Pentium microprocessors are CISC
microprocessors.
The PowerPC microprocessor, used in IBM's RISC System/6000 workstation and
Macintosh computers, is a RISC microprocessor. RISC takes each of the longer, more
complex instructions from a CISC design and reduces it to multiple instructions that are shorter and faster to process. RISC technology has been a staple of mobile devices for
decades, but it is now finally poised to take on a serious role in data center servers and
server virtualization. The latest RISC processors support virtualization and will change the
way computing resources scale to meet workload demands.
A superscalar CPU architecture implements a form of parallelism called instruction level
parallelism within a single processor. It therefore allows faster CPU throughput than would
otherwise be possible at a given clock rate. A superscalar processor executes more than
one instruction during a clock cycle by simultaneously dispatching multiple instructions to
redundant functional units on the processor. Each functional unit is not a separate CPU
core but an execution resource within a single CPU such as an arithmetic logic unit, a bit
shifter, or a multiplier.
Reference(s) Used for this question:
http://whatis.techtarget.com/definition/0,,sid9_gci214395,00.html
and
http://searchcio-midmarket.techtarget.com/definition/CISC
and
http://en.wikipedia.org/wiki/Superscalar
What can best be defined as high-level statements, beliefs, goals and objectives?
A. Standards
B. Policies
C. Guidelines
D. Procedures
Policies
Policies are high-level statements, beliefs, goals and objectives and the
general means for their attainment for a specific subject area. Standards are mandatory
activities, action, rules or regulations designed to provide policies with the support structure
and specific direction they require to be effective. Guidelines are more general statements
of how to achieve the policy's objectives by providing a framework within which to
implement procedures. Procedures spell out the specific steps of how the policy and
supporting standards and guidelines will be implemented.
Source: HARE, Chris, Security management Practices CISSP Open Study Guide, version
1.0, April 1999.
The major objective of system configuration management is which of the following?
A. system maintenance.
B. system stability.
C. system operations.
D. system tracking.
system stability.
A major objective with Configuration Management is stability. The changes to
the system are controlled so that they don't lead to weaknesses or faults in the system.
The following answers are incorrect:
system maintenance. Is incorrect because it is not the best answer. Configuration
Management does control the changes to the system but it is not as important as the
overall stability of the system.
system operations. Is incorrect because it is not the best answer, the overall stability of the
system is much more important.
system tracking. Is incorrect because while tracking changes is important, it is not the best
answer. The overall stability of the system is much more important.
Memory management in TCSEC levels B3 and A1 operating systems may utilize "data
hiding". What does this mean?
A. System functions are layered, and none of the functions in a given layer can access
data outside that layer.
B. Auditing processes and their memory addresses cannot be accessed by user
processes.
C. Only security processes are allowed to write to ring zero memory.
D. It is a form of strong encryption cipher.
System functions are layered, and none of the functions in a given layer can access
data outside that layer.
Data hiding is protecting data so that it is only available to higher levels; this
is also performed by layering, when the software in each layer maintains its
own global data and does not directly reference data outside its layers.
The following answers are incorrect:
Auditing processes and their memory addresses cannot be accessed by user processes. Is
incorrect because this does not offer data hiding.
Only security processes are allowed to write to ring zero memory. This is incorrect, the
security kernel would be responsible for this.
It is a form of strong encryption cipher. Is incorrect because this does not conform to the
definition of data hiding.
A channel within a computer system or network that is designed for the authorized transfer
of information is identified as a(n)?
A. Covert channel
B. Overt channel
C. Opened channel
D. Closed channel
Overt channel
An overt channel is a path within a computer system or network that is
designed for the authorized transfer of data. The opposite would be a covert channel which
is an unauthorized path.
A covert channel is a way for an entity to receive information in an unauthorized manner. It
is an information flow that is not controlled by a security mechanism. This type of
information path was not developed for communication; thus, the system does not properly
protect this path, because the developers never envisioned information being passed in
this way. Receiving information in this manner clearly violates the system’s security policy.
All of the other choices are bogus distractors.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 219.
and
Shon Harris, CISSP All In One (AIO), 6th Edition, page 380
and
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 378). McGraw-
Hill. Kindle Edition.
What can best be defined as the detailed examination and testing of the security features
of an IT system or product to ensure that they work correctly and effectively and do not
show any logical vulnerabilities, such as evaluation criteria?
A. Acceptance testing
B. Evaluation
C. Certification
D. Accreditation
Evaluation
Evaluation as a general term is described as the process of independently
assessing a system against a standard of comparison, such as evaluation criteria.
Evaluation criteria are defined as a benchmark, standard, or yardstick against which
accomplishment, conformance, performance, and suitability of an individual, hardware,
software, product, or plan, as well as of risk-reward ratio is measured.
What is computer security evaluation?
Computer security evaluation is the detailed examination and testing of the security
features of an IT system or product to ensure that they work correctly and effectively and
do not show any logical vulnerabilities. The Security Target determines the scope of the
evaluation. It includes a claimed level of Assurance that determines how rigorous the
evaluation is.
Criteria
Criteria are the "standards" against which security evaluation is carried out. They define
several degrees of rigour for the testing and the levels of assurance that each confers.
They also define the formal requirements needed for a product (or system) to meet each
Assurance level.
TCSEC
The US Department of Defense published the first criteria in 1983 as the Trusted Computer
Security Evaluation Criteria (TCSEC), more popularly known as the "Orange Book". The
current issue is dated 1985. The US Federal Criteria were drafted in the early 1990s as a
possible replacement but were never formally adopted.
ITSEC
During the 1980s, the United Kingdom, Germany, France and the Netherlands produced
versions of their own national criteria. These were harmonised and published as the
Information Technology Security Evaluation Criteria (ITSEC). The current issue, Version
1.2, was published by the European Commission in June 1991. In September 1993, it was
followed by the IT Security Evaluation Manual (ITSEM) which specifies the methodology to
be followed when carrying out ITSEC evaluations.
Common Criteria
The Common Criteria represents the outcome of international efforts to align and develop
the existing European and North American criteria. The Common Criteria project
harmonises ITSEC, CTCPEC (Canadian Criteria) and US Federal Criteria (FC) into the
Common Criteria for Information Technology Security Evaluation (CC) for use in evaluating
products and systems and for stating security requirements in a standardised way.
Increasingly it is replacing national and regional criteria with a worldwide set accepted by
the International Standards Organisation (ISO15408).
The following answers were not applicable:
Certification is the process of performing a comprehensive analysis of the security features
and safeguards of a system to establish the extent to which the security requirements are
satisfied. Shon Harris states in her book that Certification is the comprehensive technical evaluation of the security components and their compliance for the purpose of
accreditation.
Wikipedia describes it as: Certification is a comprehensive evaluation of the technical and
non-technical security controls (safeguards) of an information system to support the
accreditation process that establishes the extent to which a particular design and
implementation meets a set of specified security requirements.
Accreditation is the official management decision to operate a system. Accreditation is the
formal declaration by a senior agency official (Designated Accrediting Authority (DAA) or
Principal Accrediting Authority (PAA)) that an information system is approved to operate at
an acceptable level of risk, based on the implementation of an approved set of technical,
managerial, and procedural security controls (safeguards).
Acceptance testing refers to user testing of a system before accepting delivery.
Reference(s) used for this question:
HARE, Chris, Security Architecture and Models, Area 6 CISSP Open Study Guide, January
2002.
and
https://en.wikipedia.org/wiki/Certification_and_Accreditation
and
http://www.businessdictionary.com/definition/evaluation-criteria.html
and
http://www.cesg.gov.uk/products_services/iacs/cc_and_itsec/secevalcriteria.shtml
Which of the following would be the MOST serious risk where a systems development life
cycle methodology is inadequate?
A. The project will be completed late.
B. The project will exceed the cost estimates.
C. The project will be incompatible with existing systems.
D. The project will fail to meet business and user needs
The project will fail to meet business and user needs
This is the most serious risk of inadequate systems development life cycle
methodology.
The following answers are incorrect because:
The project will be completed late is incorrect as it is not as devastating as the above
answer.
The project will exceed the cost estimates is also incorrect when compared to the above
correct answer.
The project will be incompatible with existing systems is also incorrect when compared to
the above correct answer.
Reference: Information Systems Audit and Control Association, Certified Information
Systems Auditor 2002 review manual, chapter 6: Business Application System
Development, Acquisition, Implementation and Maintenance (page 290).
Which of the following is an advantage in using a bottom-up versus a top-down approach to
software testing?
A. Interface errors are detected earlier.
B. Errors in critical modules are detected earlier.
C. Confidence in the system is achieved earlier.
D. Major functions and processing are tested earlier.
Errors in critical modules are detected earlier.
The bottom-up approach to software testing begins with the testing of atomic
units, such as programs and modules, and works upwards until complete system testing
has taken place. The advantages of using a bottom-up approach to software testing are the
fact that there is no need for stubs or drivers and errors in critical modules are found
earlier. The other choices refer to advantages of a top-down approach which follows the
opposite path.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development,
Acquisition, Implementation and Maintenance (page 299).
An effective information security policy should not have which of the following
characteristics?
A. Include separation of duties
B. Be designed with a short- to mid-term focus
C. Be understandable and supported by all stakeholders
D. Specify areas of responsibility and authority
Be designed with a short- to mid-term focus
An effective information security policy should be designed with a long-term
focus. All other characteristics apply.
Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices,
Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 397).
Which of the following statements pertaining to protection rings is false?
A. They provide strict boundaries and definitions on what the processes that work within
each ring can access.
B. Programs operating in inner rings are usually referred to as existing in a privileged
mode.
C. They support the CIA triad requirements of multitasking operating systems.
D. They provide users with a direct access to peripherals
They provide users with a direct access to peripherals
In computer science, hierarchical protection domains, often called protection
rings, are mechanisms to protect data and functionality from faults (fault tolerance) and
malicious behaviour (computer security). This approach is diametrically opposite to that of capability-based security.
Computer operating systems provide different levels of access to resources. A protection
ring is one of two or more hierarchical levels or layers of privilege within the architecture of
a computer system. This is generally hardware-enforced by some CPU architectures that
provide different CPU modes at the hardware or microcode level.
Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered
zero) to least privileged (least trusted, usually with the highest ring number). On most
operating systems, Ring 0 is the level with the most privileges and interacts most directly
with the physical hardware such as the CPU and memory.
Special gates between rings are provided to allow an outer ring to access an inner ring's
resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating
access between rings can improve security by preventing programs from one ring or
privilege level from misusing resources intended for programs in another. For example,
spyware running as a user program in Ring 3 should be prevented from turning on a web
camera without informing the user, since hardware access should be a Ring 1 function
reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.
"They provide strict boundaries and definitions on what the processes that work within each
ring can access" is incorrect. This is in fact one of the characteristics of a ring protection
system.
"Programs operating in inner rings are usually referred to as existing in a privileged mode"
is incorrect. This is in fact one of the characteristics of a ring protection system.
"They support the CIA triad requirements of multitasking operating systems" is incorrect.
This is in fact one of the characteristics of a ring protection system.
Reference(s) used for this question:
CBK, pp. 310-311
AIO3, pp.
AIOv4 Security Architecture and Design (pages 308 - 310)
AIOv5 Security Architecture and Design (pages 309 - 312)