Topic 2: Security Operations Administration
Configuration Management controls what?
A.
Auditing of changes to the Trusted Computing Base.
B.
Control of changes to the Trusted Computing Base.
C.
Changes in the configuration access to the Trusted Computing Base.
D.
Auditing and controlling any changes to the Trusted Computing Base.
Auditing and controlling any changes to the Trusted Computing Base.
All of these are components of Configuration Management.
The following answers are incorrect:
"Auditing of changes to the Trusted Computing Base" is incorrect because it refers only to
auditing the changes and says nothing about controlling them.
"Control of changes to the Trusted Computing Base" is incorrect because it refers only to
controlling the changes and says nothing about ensuring that the changes will not lead to a
weakness or fault in the system.
"Changes in the configuration access to the Trusted Computing Base" is incorrect because
it does not refer to controlling the changes or to ensuring that the changes will not lead to a
weakness or fault in the system.
Which of the following is not a responsibility of an information (data) owner?
A.
Determine what level of classification the information requires.
B.
Periodically review the classification assignments against business needs.
C.
Delegate the responsibility of data protection to data custodians.
D.
Running regular backups and periodically testing the validity of the backup data.
Running regular backups and periodically testing the validity of the backup data.
This responsibility would be delegated to a data custodian rather than being
performed directly by the information owner.
"Determine what level of classification the information requires" is incorrect. This is one of
the major responsibilities of an information owner.
"Periodically review the classification assignments against business needs" is incorrect.
This is one of the major responsibilities of an information owner.
"Delegates responsibility of maintenance of the data protection mechanisms to the data
custodian" is incorrect. This is a responsibility of the information owner.
References:
CBK, p. 105.
AIO3, pp. 53-54, 960.
A Security Kernel is defined as a strict implementation of a reference monitor mechanism
responsible for enforcing a security policy. To be secure, the kernel must meet three basic
conditions, what are they?
A.
Confidentiality, Integrity, and Availability
B.
Policy, mechanism, and assurance
C.
Isolation, layering, and abstraction
D.
Completeness, Isolation, and Verifiability
Completeness, Isolation, and Verifiability
A security kernel is responsible for enforcing a security policy. It is a strict
implementation of a reference monitor mechanism. The architecture of a kernel operating
system is typically layered, and the kernel should be at the lowest and most primitive level.
It is a small portion of the operating system through which all references to information and
all changes to authorizations must pass. In theory, the kernel implements access control
and information flow control between implemented objects according to the security policy.
To be secure, the kernel must meet three basic conditions:
completeness (all accesses to information must go through the kernel),
isolation (the kernel itself must be protected from any type of unauthorized access),
and verifiability (the kernel must be proven to meet design specifications).
The reference monitor, as noted previously, is an abstraction, but there may be a reference
validator, which usually runs inside the security kernel and is responsible for performing
security access checks on objects, manipulating privileges, and generating any resulting
security audit messages.
A term associated with security kernels and the reference monitor is the trusted computing
base (TCB). The TCB is the portion of a computer system that contains all elements of the
system responsible for supporting the security policy and the isolation of objects. The
security capabilities of products for use in the TCB can be verified through various
evaluation criteria, such as the earlier Trusted Computer System Evaluation Criteria
(TCSEC) and the current Common Criteria standard.
Many of these security terms—reference monitor, security kernel, TCB—are defined
loosely by vendors for purposes of marketing literature. Thus, it is necessary for security
professionals to read the small print and between the lines to fully understand what the
vendor is offering in regard to security features.
TIP FOR THE EXAM:
The terms Security Kernel and Reference monitor are synonymous but at different levels.
As explained by Diego:
While the Reference Monitor is the concept, the Security Kernel is the implementation of
such a concept (via hardware, software and firmware means).
The two terms are the same thing, but on different levels: one is conceptual, one is
"technical".
The following are incorrect answers:
Confidentiality, Integrity, and Availability
Policy, mechanism, and assurance
Isolation, layering, and abstraction
Reference(s) used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 13858-13875). Auerbach Publications. Kindle
Edition.
Which of the following is not one of the three goals of Integrity addressed by the Clark-
Wilson model?
A.
Prevention of the modification of information by unauthorized users.
B.
Prevention of the unauthorized or unintentional modification of information by authorized
users.
C.
Preservation of the internal and external consistency.
D.
Prevention of the modification of information by authorized users.
Prevention of the modification of information by unauthorized users.
There is no need to prevent modification by authorized users. They are
authorized and allowed to make the changes. On top of this, it is also NOT one of the goals
of Integrity within Clark-Wilson. As it turns out, the Biba model addresses only the first of
the three integrity goals, which is prevention of the modification of information by
unauthorized users. Clark-Wilson addresses all three goals of integrity.
The Clark–Wilson model improves on Biba by focusing on integrity at the transaction level
and addressing three major goals of integrity in a commercial environment. In addition to
preventing changes by unauthorized subjects, Clark and Wilson realized that high-integrity
systems would also have to prevent undesirable changes by authorized subjects and to
ensure that the system continued to behave consistently. It also recognized that it would
need to ensure that there is constant mediation between every subject and every object if
such integrity was going to be maintained.
Integrity is addressed through the following three goals:
1. Prevention of the modification of information by unauthorized users.
2. Prevention of the unauthorized or unintentional modification of information by authorized
users.
3. Preservation of the internal and external consistency.
The following references were used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 17689-17694). Auerbach Publications. Kindle
Edition.
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 31.
Which of the following is NOT an administrative control?
A.
Logical access control mechanisms
B.
Screening of personnel
C.
Development of policies, standards, procedures and guidelines
D.
Change control procedures
Logical access control mechanisms
It is considered to be a technical control.
Logical is synonymous with Technical Control. That was the easy answer.
There are three broad categories of access control: Administrative, Technical, and
Physical.
Each category has different access control mechanisms that can be carried out manually or
automatically. All of these access control mechanisms should work in concert with each
other to protect an infrastructure and its data.
Each category of access control has several components that fall within it, as shown here:
Administrative Controls
• Policy and procedures
• Personnel controls
• Supervisory structure
• Security-awareness training
• Testing
Physical Controls
• Network segregation
• Perimeter security
• Computer controls
• Work area separation
• Data backups
Technical Controls
• System access
• Network architecture
• Network access
• Encryption and protocols
• Control zone
• Auditing
The following answers are incorrect:
Screening of personnel is considered to be an administrative control.
Development of policies, standards, procedures and guidelines is considered to be an
administrative control.
Change control procedures are considered to be an administrative control.
Reference: Shon Harris AIO v3, Chapter 3: Security Management Practices, pages 52-54.
What are the three FUNDAMENTAL principles of security?
A.
Accountability, confidentiality and integrity
B.
Confidentiality, integrity and availability
C.
Integrity, availability and accountability
D.
Availability, accountability and confidentiality
Confidentiality, integrity and availability
The following answers are incorrect because:
Accountability, confidentiality and integrity is not the correct answer, as Accountability is not
one of the fundamental principles of security.
Integrity, availability and accountability is not the correct answer, as Accountability is not
one of the fundamental principles of security.
Availability, accountability and confidentiality is not the correct answer, as Accountability is
not one of the fundamental objectives of security.
References: Shon Harris AIO v3, Chapter 3: Security Management Practices, pages 49-52.
A 'Pseudo flaw' is which of the following?
A.
An apparent loophole deliberately implanted in an operating system program as a trap
for intruders.
B.
An omission when generating pseudo-code.
C.
Used for testing for bounds violations in application programming.
D.
A normally generated page fault causing the system to halt.
An apparent loophole deliberately implanted in an operating system program as a trap
for intruders.
A Pseudo flaw is something that looks like it is vulnerable to attack, but really
acts as an alarm or triggers automatic actions when an intruder attempts to exploit the flaw.
The following answers are incorrect:
"An omission when generating pseudo-code" is incorrect because it is a distractor.
"Used for testing for bounds violations in application programming" is incorrect; this is a
testing methodology.
"A normally generated page fault causing the system to halt" is incorrect because it is a
distractor.
Which of the following is the MOST important aspect relating to employee termination?
A.
The details of employee have been removed from active payroll files.
B.
Company property provided to the employee has been returned.
C.
User ID and passwords of the employee have been deleted.
D.
The appropriate company staff are notified about the termination.
The appropriate company staff are notified about the termination.
Even though logical access to information by a terminated employee is
possible if the ID and password of the terminated employee have not been deleted, this is
only one part of the termination procedures. If the user ID is not disabled or deleted, it could
be possible for the employee, without physical access, to reach the company's networks
remotely and gain access to the information.
Please note that this can also be seen in a different way: the most important thing to do
could also be to inform others of the person's termination, because even if user IDs and
passwords are deleted, a terminated individual could simply socially engineer their way
back in by calling an individual he/she used to work with and asking them for access. He
could intrude on the facility or use other weaknesses to gain access to information after he
has been terminated.
By notifying the appropriate company staff about the termination, they would in turn initiate
account termination, ask the employee to return company property, and all credentials
would be withdrawn for the individual concerned. This answer is more complete than
simply disabling the account.
It seems harsh and cold when this actually takes place, but too many companies have
been hurt by vengeful employees who have lashed out at the company when their positions
were revoked for one reason or another. If an employee is disgruntled in any way, or the
termination is unfriendly, that employee's accounts should be disabled right away, and all
passwords on all systems changed.
For your exam you should know the information below:
Employee Termination Processes
Employees join and leave organizations every day. The reasons vary widely, due to
retirement, reduction in force, layoffs, termination with or without cause, relocation to
another city, career opportunities with other employers, or involuntary transfers.
Terminations may be friendly or unfriendly and will need different levels of care as a result.
Friendly Terminations
Regular termination is when there is little or no evidence or reason to believe that the
termination is not agreeable to both the company and the employee. A standard set of
procedures, typically maintained by the human resources department, governs the
dismissal of the terminated employee to ensure that company property is returned, and all
access is removed. These procedures may include exit interviews and return of keys,
identification cards, badges, tokens, and cryptographic keys. Other property, such as
laptops, cable locks, credit cards, and phone cards, are also collected. The user manager
notifies the security department of the termination to ensure that access is revoked for all
platforms and facilities. Some facilities choose to immediately delete the accounts, while
others choose to disable the accounts for a policy defined period, for example, 30 days, to
account for changes or extensions in the final termination date. The termination process
should include a conversation with the departing associate about their continued
responsibility for confidentiality of information.
Unfriendly Terminations
Unfriendly terminations may occur when the individual is fired, involuntarily transferred, laid
off, or when the organization has reason to believe that the individual has the means and
intention to potentially cause harm to the system. Individuals with technical skills and higher
levels of access, such as the systems administrators, computer programmers, database
administrators, or any individual with elevated privileges, may present higher risk to the
environment. These individuals could alter files, plant logic bombs to create system file
damage at a future date, or remove sensitive information. Other disgruntled users could
enter erroneous data into the system that may not be discovered for several months. In
these situations, immediate termination of systems access is warranted at the time of
termination or prior to notifying the employee of the termination. Managing the people
aspect of security, from pre-employment to post-employment, is critical to ensure that
trustworthy, competent resources are employed to further the business objectives that will
protect company information. Each of these actions contributes to preventive, detective, or
corrective personnel controls.
The following answers are incorrect:
The other options are less important.
The following references were used to create this question:
CISA Review Manual 2014, page 99.
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 129). McGraw-Hill.
Kindle Edition.
The security of a computer application is most effective and economical in which of the
following cases?
A.
The system is optimized prior to the addition of security.
B.
The system is procured off-the-shelf.
C.
The system is customized to meet the specific security threat.
D.
The system is originally designed to provide the necessary security.
The system is originally designed to provide the necessary security.
The earlier in the process that security is planned for and implemented, the cheaper it is. It
is also much more efficient if security is addressed in each phase of the development cycle
rather than as an add-on, because it gets more complicated to add at the end. If the security
plan is developed at the beginning, it ensures that security won't be overlooked.
The following answers are incorrect:
"The system is optimized prior to the addition of security" is incorrect because if you wait to
implement security after a system is completed, the cost of adding security increases
dramatically and can become much more complex.
"The system is procured off-the-shelf" is incorrect because it is often difficult to add security
to off-the-shelf systems.
"The system is customized to meet the specific security threat" is incorrect because this is a
distractor. It implies only a single threat.
When considering an IT System Development Life-cycle, security should be:
A.
Mostly considered during the initiation phase.
B.
Mostly considered during the development phase.
C.
Treated as an integral part of the overall system design.
D.
Added once the design is completed.
Treated as an integral part of the overall system design.
Explanation: Security must be considered in information system design. Experience has
shown it is very difficult to implement security measures properly and successfully after a
system has been developed, so it should be integrated fully into the system life-cycle
process. This includes establishing security policies, understanding the resulting security
requirements, participating in the evaluation of security products, and finally in the
engineering, design, implementation, and disposal of the system.
Source: STONEBURNER, Gary & al, National Institute of Standards and Technology
(NIST), NIST Special Publication 800-27, Engineering Principles for Information
Technology Security (A Baseline for Achieving Security), June 2001 (page 7).