Topic 2. Security Operations Administration
Degaussing is used to clear data from all of the following medias except
A.
Floppy Disks
B.
Read-Only Media
C.
Video Tapes
D.
Magnetic Hard Disks
Read-Only Media
Atoms and Data
Shon Harris says: "A device that performs degaussing generates a coercive magnetic force
that reduces the magnetic flux density of the storage media to zero. This magnetic force is
what properly erases data from media. Data are stored on magnetic media by the
representation of the polarization of the atoms. Degaussing changes"
The latest ISC2 book says:
"Degaussing can also be a form of media destruction. High-power degaussers are so
strong in some cases that they can literally bend and warp the platters in a hard drive.
Shredding and burning are effective destruction methods for non-rigid magnetic media.
Indeed, some shredders are capable of shredding some rigid media such as an optical
disk. This may be an effective alternative for any optical media containing nonsensitive
information due to the residue size remaining after feeding the disk into the machine.
However, the residue size might be too large for media containing sensitive information.
Alternatively, grinding and pulverizing are acceptable choices for rigid and solid-state
media. Specialized devices are available for grinding the face of optical media that either
sufficiently scratches the surface to render the media unreadable or actually grinds off the
data layer of the disk. Several services also exist which will collect drives, destroy them on
site if requested and provide certification of completion. It will be the responsibility of the
security professional to help, select, and maintain the most appropriate solutions for media
cleansing and disposal."
Degaussing is achieved by passing the magnetic media through a powerful magnetic field to
rearrange the magnetic particles, completely removing any resemblance of the previously
recorded signal (from the "All About Degaussers" link below). Therefore, degaussing will
work on any magnetic media such as floppy disks, video tapes or magnetic hard disks. It does
not work on media that are not magnetic: "read-only media" includes items such as paper
printouts and CD-ROMs, which do not store data as magnetic polarization. Passing them
through a magnetic field has no effect on them.
Not all clearing/ purging methods are applicable to all media— for example, optical media
is not susceptible to degaussing, and overwriting may not be effective against Flash
devices. The degree to which information may be recoverable by a sufficiently motivated
and capable adversary must not be underestimated or guessed at in ignorance. For the highest-value commercial data, and for all data regulated by government or military
classification rules, read and follow the rules and standards.
I will admit that this is a bit of a trick question. Determining the difference between "read-only
media" and "read-only memory" is difficult for the question taker. However, I believe it
is representative of the type of question you might one day see on an exam.
The other answers are incorrect because:
Floppy Disks, Video Tapes, and Magnetic Hard Disks are all examples of magnetic
storage, and therefore are erased by degaussing.
A videotape is a recording of images and sounds on to magnetic tape, as opposed to the film
stock used in filmmaking or random-access digital media. Videotapes are also used for
storing scientific or medical data, such as the data produced by an electrocardiogram. In
most cases, a helical scan video head rotates against the moving tape to record the data in
two dimensions, because video signals have a very high bandwidth and static heads
would require extremely high tape speeds. Videotape is used in video tape recorders
(VTRs) and, more commonly and more recently, videocassette recorders (VCRs) and
camcorders. Tape uses a linear method of storing information, and since nearly all video
recordings made nowadays are digital direct-to-disk recordings (DDR), videotape is
expected to gradually lose importance as non-linear/random-access methods of storing
digital video data become more common.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations
25627-25630). McGraw-Hill. Kindle Edition.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition:
Security Operations (Kindle Locations 580-588). Kindle Edition.
All About Degaussers and Erasure of Magnetic Media:
http://www.degausser.co.uk/degauss/degabout.htm
http://www.degaussing.net/
http://www.cerberussystems.com/INFOSEC/stds/ncsctg25.htm
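The caveat above that overwriting may not be effective against flash devices is easier to see in a model. The following Python is an added illustration written for this page, not code from any of the cited sources: it places a simplified wear-levelling flash translation layer (FTL), which never writes in place, next to a magnetic disk model that does, and runs the same "overwrite then read back" verification against both. The device classes, page counts and the SECRET/PATTERN block contents are constructed for the example, and the FTL is a deliberately minimal model of what real firmware does.

```python
"""Added illustration: why an overwrite that verifies cleanly through the
logical interface can still leave data on flash.

Toy model, not real firmware.  FlashDevice behaves like a wear-levelling
flash translation layer (FTL): every logical write goes to a fresh physical
page and the old page keeps its contents until garbage collection.
MagneticDisk overwrites in place.  SECRET and PATTERN are constructed data.
"""

SECRET = b"SECRET"                 # constructed sensitive content, one block
PATTERN = b"\x00" * len(SECRET)    # the sanitisation overwrite pattern


class MagneticDisk:
    """Sector-addressed medium that writes in place."""

    def __init__(self, blocks: int) -> None:
        self.media = [None] * blocks

    def write(self, lba: int, data: bytes) -> None:
        self.media[lba] = data            # the previous contents are gone

    def read(self, lba: int) -> bytes:
        return self.media[lba]

    def physical_dump(self) -> list:
        """What a forensic read of the raw platter would return."""
        return [b for b in self.media if b is not None]


class FlashDevice:
    """Page-addressed medium behind a simplified wear-levelling FTL."""

    def __init__(self, pages: int) -> None:
        self.pages = [None] * pages       # physical pages
        self.mapping = {}                 # logical block -> physical page
        self.next_free = 0

    def write(self, lba: int, data: bytes) -> None:
        if self.next_free >= len(self.pages):
            raise RuntimeError("no free pages; garbage collection needed")
        self.pages[self.next_free] = data
        self.mapping[lba] = self.next_free    # old page is stale but untouched
        self.next_free += 1

    def read(self, lba: int) -> bytes:
        return self.pages[self.mapping[lba]]

    def physical_dump(self) -> list:
        """What reading the raw NAND, bypassing the FTL, would return."""
        return [p for p in self.pages if p is not None]


def overwrite_and_verify(dev, blocks: int) -> bool:
    """Overwrite every logical block, then read back through the same
    interface.  This is the check a naive wipe tool performs."""
    for lba in range(blocks):
        dev.write(lba, PATTERN)
    return all(dev.read(lba) == PATTERN for lba in range(blocks))


def residual_secrets(dev) -> int:
    """Count physical pages/sectors that still hold the secret."""
    return sum(1 for chunk in dev.physical_dump() if chunk == SECRET)


def demo() -> dict:
    """Write the secret to four blocks of each device, wipe, and compare
    the logical verification result with the physical residue."""
    results = {}
    for name, dev in (("magnetic", MagneticDisk(4)), ("flash", FlashDevice(16))):
        for lba in range(4):
            dev.write(lba, SECRET)
        results[name] = {
            "logical_verify": overwrite_and_verify(dev, 4),
            "residual_copies": residual_secrets(dev),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: verify={r['logical_verify']} residual={r['residual_copies']}")
```

Both devices pass the logical verification, but the flash model still holds all four copies of the secret in stale pages that the FTL no longer maps. That is the gap between "clearing" as seen through the device interface and what a capable adversary reading the raw medium can recover, and it is why the (ISC)2 passage above lists grinding and pulverizing for solid-state media rather than overwriting.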
During which phase of an IT system life cycle are security requirements developed?
A.
Operation
B.
Initiation
C.
Functional design analysis and Planning
D.
Implementation
Functional design analysis and Planning
The software development life cycle (SDLC) (sometimes referred to as the
System Development Life Cycle) is the process of creating or altering software systems,
and the models and methodologies that people use to develop these systems.
NIST SP 800-64 Revision 2 says in the description section (para 3.2.1):
This section addresses security considerations unique to the second SDLC phase. Key
security activities for this phase include:
• Conduct the risk assessment and use the results to supplement the baseline security
controls;
• Analyze security requirements;
• Perform functional and security testing;
• Prepare initial documents for system certification and accreditation; and
• Design security architecture.
Reviewing this publication you may want to pick development/acquisition, which is not
among the choices. Initiation would look like a decent choice, but during that phase you only
brainstorm the idea of security requirements. Once you start to develop and acquire
hardware/software components you also develop the security requirements and controls for
these. The Shon Harris reference below is consistent with this.
Shon Harris' Book (All-in-One CISSP Certification Exam Guide) divides the SDLC
differently:
Project initiation
Functional design analysis and planning
System design specifications
Software development
Installation
Maintenance support
Revision and replacement
According to the author (Shon Harris), security requirements should be developed during
the functional design analysis and planning phase.
SDLC POSITIONING FROM NIST 800-64
(Figure: SDLC Positioning in the enterprise)
Information system security processes and activities provide valuable input into managing
IT systems and their development, enabling risk identification, planning and mitigation. A
risk management approach involves continually balancing the protection of agency
information and assets with the cost of security controls and mitigation strategies
throughout the complete information system development life cycle (see Figure 2-1 above).
The most effective way to implement risk management is to identify critical assets and
operations, as well as systemic vulnerabilities across the agency. Risks are shared and not
bound by organization, revenue source, or topologies. Identification and verification of
critical assets and operations and their interconnections can be achieved through the
system security planning process, as well as through the compilation of information from
the Capital Planning and Investment Control (CPIC) and Enterprise Architecture (EA)
processes to establish insight into the agency’s vital business operations, their supporting
assets, and existing interdependencies and relationships.
With critical assets and operations identified, the organization can and should perform a
business impact analysis (BIA). The purpose of the BIA is to relate systems and assets with the critical services they provide and assess the consequences of their disruption. By
identifying these systems, an agency can manage security effectively by establishing
priorities. This positions the security office to facilitate the IT program’s cost-effective
performance as well as articulate its business impact and value to the agency.
SDLC OVERVIEW FROM NIST 800-64
(Figure: SDLC Overview from NIST 800-64 Revision 2)
NIST SP 800-64 Revision 2 is one publication within the NIST standards that I would
recommend you look at for more details about the SDLC. It describes in great detail what
activities would take place and has a nice diagram for each of the phases of the
SDLC. You will find a copy at:
http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
DISCUSSION:
Different sources present slightly different information as far as the phase names are concerned.
People sometimes get confused by some of the NIST standards. For example, NIST SP
800-64, Security Considerations in the Information System Development Life Cycle, has
slightly different phase names, but the activities mostly remain the same.
NIST clearly specifies that security requirements would be considered throughout ALL of
the phases. The keyword here is considered; if a question is about the phase in which they are
developed, then Functional Design Analysis would be the correct choice. The NIST standard uses different phase names; however, under the second phase you
will see that it talks specifically about security functional requirements analysis, which
confirms it is not at the initiation stage, so it becomes easier to come up with the answer to
this question. Here is what is stated:
The security functional requirements analysis considers the system security environment,
including the enterprise information security policy and the enterprise security architecture.
The analysis should address all requirements for confidentiality, integrity, and availability of
information, and should include a review of all legal, functional, and other security
requirements contained in applicable laws, regulations, and guidance.
At the initiation step you would NOT have enough detail yet to produce the security
requirements. You are mostly brainstorming on all of the issues listed, but you do not
develop them all at that stage.
By considering security early in the information system development life cycle (SDLC), you
may be able to avoid higher costs later on and develop a more secure system from the
start.
NIST says:
NIST's Information Technology Laboratory recently issued Special Publication (SP) 800-
64, Security Considerations in the Information System Development Life Cycle, by Tim
Grance, Joan Hash, and Marc Stevens, to help organizations include security requirements
in their planning for every phase of the system life cycle, and to select, acquire, and use
appropriate and cost-effective security controls.
I must admit this is all very tricky but reading skills and paying attention to KEY WORDS is
a must for this exam.
References:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, Fifth
Edition, Page 956
and
NIST SP 800-64 Revision 2 at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf
and
http://www.mks.com/resources/resource-pages/software-development-life-cycle-sdlcsystem-development
Making sure that the data is accessible when and where it is needed is which of the
following?
A.
confidentiality
B.
integrity
C.
acceptability
D.
availability
availability
Availability is making sure that the data is accessible when and where it is
needed.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
Related to information security, integrity is the opposite of which of the following?
A.
abstraction
B.
alteration
C.
accreditation
D.
application
alteration
Integrity is the opposite of "alteration."
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 59.
Which of the following would best classify as a management control?
A.
Review of security controls
B.
Personnel security
C.
Physical and environmental protection
D.
Documentation
Review of security controls
Management controls focus on the management of the IT security system
and the management of risk for a system.
They are techniques and concerns that are normally addressed by management.
Routine evaluations and response to identified vulnerabilities are important elements of
managing the risk of a system, thus considered management controls.
SECURITY CONTROLS: The management, operational, and technical controls
(i.e., safeguards or countermeasures) prescribed for an information system to protect the
confidentiality, integrity, and availability of the system and its information.
SECURITY CONTROL BASELINE: The set of minimum security controls defined for a low-impact,
moderate-impact, or high-impact information system.
The following are incorrect answers:
Personnel security, physical and environmental protection and documentation are forms of
operational controls.
Reference(s) used for this question:
http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
and
FIPS PUB 200 at http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Which of the following choice is NOT normally part of the questions that would be asked in regards to an organization's information security policy?
A.
Who is involved in establishing the security policy?
B.
Where is the organization's security policy defined?
C.
What are the actions that need to be performed in case of a disaster?
D.
Who is responsible for monitoring compliance to the organization's security policy?
What are the actions that need to be performed in case of a disaster?
Actions to be performed in case of a disaster are not normally part of an
information security policy but part of a Disaster Recovery Plan (DRP).
Only personnel involved in the plan need a copy of the Disaster Recovery Plan,
whereas everyone should be aware of the contents of the organization's information
security policy.
Source: ALLEN, Julia H., The CERT Guide to System and Network Security Practices,
Addison-Wesley, 2001, Appendix B, Practice-Level Policy Considerations (page 398).
What can best be described as an abstract machine which must mediate all access of
subjects to objects?
A.
The reference monitor
B.
A security domain
C.
The security kernel
D.
The security perimeter
The reference monitor
The reference monitor is an abstract machine which must mediate all access of
subjects to objects, be protected from modification, be verifiable as correct, and is
always invoked. The security kernel is the hardware, firmware and software elements of a
trusted computing base that implement the reference monitor concept. The security
perimeter includes the security kernel as well as other security-related system functions
that are within the boundary of the trusted computing base. System elements that are
outside of the security perimeter need not be trusted. A security domain is a domain of trust
that shares a single security policy and single management.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
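The four reference monitor properties listed above, shown in code. This is an added illustration, not code from Tipton or (ISC)2: a single ReferenceMonitor class is the only holder of objects, so every read and write is mediated through it and every decision, allowed or denied, is written to an audit log the caller cannot edit. The three-level label set, the no-read-up/no-write-down rule in _policy(), and the subjects and objects built in demo() are assumptions chosen for the example; the page defines the monitor concept, not any particular policy.

```python
"""Added illustration of a reference monitor (not code from the cited sources).

Properties from the page: mediates every access of subjects to objects, is
protected from modification, is verifiable as correct, and is always
invoked.  Here the monitor is the only holder of objects, so read() and
write() are the only paths to them; each decision is appended to an audit
log; and the policy is a few lines that can be checked by inspection.

Assumptions for the example: a three-level ordered label set with a
no-read-up / no-write-down rule, and the subjects/objects in demo().
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass
class Obj:
    name: str
    label: Level
    content: str


class ReferenceMonitor:
    """Single point through which all subject-to-object access passes."""

    def __init__(self) -> None:
        self._objects = {}   # name -> Obj; nothing outside the monitor holds these
        self._audit = []     # (subject, object, action, allowed)

    def register(self, obj: Obj) -> None:
        self._objects[obj.name] = obj

    def _policy(self, subject: Subject, obj: Obj, action: str) -> bool:
        """The verifiable core: assumed lattice policy, deny by default."""
        if action == "read":
            return subject.clearance >= obj.label   # no read-up
        if action == "write":
            return subject.clearance <= obj.label   # no write-down
        return False

    def allowed(self, subject: Subject, name: str, action: str) -> bool:
        """Decide and record; called on every access, so denials are logged too."""
        obj = self._objects.get(name)
        decision = obj is not None and self._policy(subject, obj, action)
        self._audit.append((subject.name, name, action, decision))
        return decision

    def read(self, subject: Subject, name: str) -> str:
        if not self.allowed(subject, name, "read"):
            raise PermissionError(f"{subject.name} may not read {name}")
        return self._objects[name].content

    def write(self, subject: Subject, name: str, data: str) -> None:
        if not self.allowed(subject, name, "write"):
            raise PermissionError(f"{subject.name} may not write {name}")
        self._objects[name].content = data

    def audit_log(self) -> list:
        return list(self._audit)   # a copy, so callers cannot edit the record


def demo() -> dict:
    """Constructed scenario: two subjects, two objects, allowed and denied accesses."""
    rm = ReferenceMonitor()
    rm.register(Obj("bulletin", Level.PUBLIC, "all-hands at 10:00"))
    rm.register(Obj("plan", Level.SECRET, "acquire competitor in Q3"))
    alice = Subject("alice", Level.SECRET)
    bob = Subject("bob", Level.PUBLIC)

    outcome = {
        "alice_reads_plan": rm.read(alice, "plan"),                          # allowed
        "bob_reads_bulletin": rm.read(bob, "bulletin"),                      # allowed
        "bob_may_read_plan": rm.allowed(bob, "plan", "read"),                # denied: read-up
        "alice_may_write_bulletin": rm.allowed(alice, "bulletin", "write"),  # denied: write-down
        "bob_may_write_plan": rm.allowed(bob, "plan", "write"),              # allowed: write-up
        "read_of_unknown_object": rm.allowed(alice, "ghost", "read"),        # denied: no such object
    }
    outcome["decisions_logged"] = len(rm.audit_log())
    outcome["denials_logged"] = sum(1 for *_, ok in rm.audit_log() if not ok)
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noticing is that "always invoked" is a property of the code structure, not of the policy: because nothing outside the class can reach an Obj, there is no path that skips allowed(). In a real system the security kernel is what enforces that structural guarantee in hardware and firmware, which is the distinction the question is testing.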
Which of the following is less likely to be included in the change control sub-phase of the
maintenance phase of a software product?
A.
Estimating the cost of the changes requested
B.
Recreating and analyzing the problem
C.
Determining the interface that is presented to the user
D.
Establishing the priorities of requests
Establishing the priorities of requests
In the Krutz & Vines maintenance-phase model, the change control sub-phase covers
recreating and analyzing the problem, developing the changes and corresponding tests, and
performing quality control. Establishing the priorities of requests belongs to the preceding
request control sub-phase, together with estimating the cost of the changes requested and
determining the interface that is presented to the user. Note that this makes options A and C
request control activities as well; the answer key given for this question is "Establishing the
priorities of requests".
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and
Systems Development (page 252).
At what stage of the applications development process should the security department
become involved?
A.
Prior to the implementation
B.
Prior to systems testing
C.
During unit testing
D.
During requirements development
During requirements development
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Which of the following is best defined as an administrative declaration by a designated
authority that an information system is approved to operate in a particular security
configuration with a prescribed set of safeguards?
A.
Certification
B.
Declaration
C.
Audit
D.
Accreditation
Accreditation
Accreditation: is an administrative declaration by a designated authority that
an information system is approved to operate in a particular security configuration with a
prescribed set of safeguards. It is usually based on a technical certification of the system's
security mechanisms.
Certification: Technical evaluation (usually made in support of an accreditation action) of an
information system's security features and other safeguards to establish the extent to
which the system's design and implementation meet specified security requirements.
Source: SHIREY, Robert W., RFC 2828: Internet Security Glossary, May 2000.