WGU, Information Security and Assurance (C725), SET IV STUDY Questions and Answers (2022/2023) (Verified Answers)
Three parts of the Common Evaluation Methodology (CEM)
Answer: Part 1: Introduction and General Model; Part 2: CC Evaluation Methodology; Part 3: Extensions to the Methodology

This part of the CEM describes agreed-upon principles of evaluation and introduces agreed-upon evaluation terminology dealing with the process of evaluation.
Answer: Part 1: Introduction and General Model

This part of the CEM is based on CC Part 3 evaluator actions. It uses well-defined assertions to refine CC Part 3 evaluator actions and tangible evaluator activities to determine requirement compliance. In addition, it offers guidance to further clarify the intent of evaluator actions. This part provides methodologies to evaluate the following: PPs, STs, EAL1, EAL2, EAL3, EAL4, EAL5, EAL6, EAL7, and components not included in an EAL.
Answer: Part 2: CC Evaluation Methodology

This part of the CEM takes full advantage of the evaluation results. It includes topics such as guidance on the composition and content of evaluation document deliverables.
Answer: Part 3: Extensions to the Methodology

Bell-LaPadula model, Biba integrity model, Clark and Wilson model, Noninterference model, State machine model, Access matrix model, Information flow model
Answer: Security models that help evaluators determine if the implementation of a reference monitor meets the design requirements

The two security models that were a major influence on the TCSEC and ITSEC
Answer: Bell-LaPadula model and the Biba integrity model

Developed in the 1970s, a formal security model that describes a set of access control rules. A subject's access to an object is allowed or disallowed by comparing the object's security classification with the subject's security clearance. It is intended to preserve the principle of least privilege. It is a formal description of allowable paths of information flow in a secure system and defines security requirements for systems handling data at different sensitivity levels. The model defines a secure state and access between subjects and objects in accordance with a specific security policy.
Answer: Bell-LaPadula Model

This model covers integrity levels, which are analogs to the sensitivity levels from the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data. This security model uses a read-up, write-down approach: subjects cannot read objects of lesser integrity and cannot write to objects of higher integrity. Think of CIA analysts and the information they need to perform their duties. Under this model, an analyst with Top Secret clearance can see only information that's labeled as Top Secret with respect to integrity (confirmed by multiple sources, and so forth); likewise, this analyst can contribute information only at his or her clearance level. People with higher clearances are not "poisoned" with data from a lower level of integrity and cannot poison those with clearances higher than theirs.
Answer: Biba Integrity Model

A security model that proposes "well-formed transactions." It requires mathematical proof that steps are performed in order exactly as they are listed, authenticates the individuals who perform the steps, and defines separation of duties.
Answer: Clark and Wilson model

A security model that covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy.
Answer: Noninterference model

A security model that acts as an abstract mathematical model consisting of state variables and transition functions.
Answer: State machine model

A security model that acts as a state machine model for a discretionary access control environment.
Answer: Access matrix model

A security model that simplifies analysis of covert channels. A covert channel is a communication channel that allows two cooperating processes of different security levels (one higher than the other) to transfer information in a way that violates a system's security policy.
Answer: Information flow model

Which of the following terms best describes the primary concern of the Biba security model?
A. Confidentiality
B. Reliability
C. Availability
D. Integrity
Answer: D. Integrity
Explanation: The Biba model covers integrity levels, which are analogs to the sensitivity levels from the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data.

Which of the following events is considered a man-made disaster?
A. Earthquake
B. Tornado
C. Flooding caused by a broken water main
D. Labor walkout
Answer: D. Labor walkout

Which of the following statements is not true about the BCP and DRP?
A. Both plans deal with security infractions after they occur.
B. Both plans describe preventative, not reactive, security procedures.
C. The BCP and DRP share the goal of maintaining "business as usual" activities.
D. They belong to the same domain of the Common Body of Knowledge.
Answer: B. Both plans describe preventative, not reactive, security procedures.
Explanation: The business continuity plan (BCP) describes the critical processes, procedures, and personnel that must be protected in the event of an emergency (preventative), and the disaster recovery plan (DRP) describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations (reactive).

Which of the following is the number one priority of disaster response?
A. Hardware protection
B. Software protection
C. Transaction processing
D. Personnel safety
Answer: D. Personnel safety

Involves reviewing the risks to organizational procedures
Answer: Business continuity plan

Focuses on policies and procedures that make a disruptive event have little impact on the business
Answer: Business continuity plan

A type of law that forms the bedrock of the body of laws that preserve the peace and keep our society safe. Many high-profile court cases involve matters of this type of law; these are the laws that the police and other law enforcement agencies concern themselves with. This type of law contains prohibitions against acts such as murder, assault, robbery, and arson. Penalties for violating these statutes fall in a range that includes mandatory hours of community service, monetary penalties in the form of fines (small and large), and deprivation of civil liberties in the form of prison sentences.
Answer: Criminal Law

A type of law that forms the bulk of our body of laws. These laws are designed to provide for an orderly society and govern matters that are not crimes but that require an impartial arbiter to settle disputes between individuals and organizations. Examples of the types of matters covered include contract disputes, real estate transactions, employment matters, and estate/probate procedures. They are also used to create the framework of government that the executive branch uses to carry out its responsibilities. These laws provide budgets for governmental activities and lay out the authority granted to the executive branch to create administrative laws (see the next section).
Answer: Civil Law

A type of law that covers topics as mundane as the procedures to be used within a federal agency to obtain a desk telephone to more substantial issues such as the immigration policies that will be used to enforce the laws passed by Congress. Although it does not require an act of the legislative branch to gain the force of law, it must comply with all existing civil and criminal laws.
Answer: Administrative Law

The first major piece of cybercrime-specific legislation in the United States. It was written to exclusively cover computer crimes that crossed state boundaries to avoid infringing on states' rights.
Answer: Computer Fraud and Abuse Act (CFAA)

True or False: The major provisions of the original Comprehensive Crime Control Act (CCCA) of 1984 made it a crime to perform the following:
- Access classified information or financial information in a federal system without authorization or in excess of authorized privileges
- Access a computer used exclusively by the federal government without authorization
- Use a federal computer to perpetrate a fraud (unless the only object of the fraud was to gain use of the computer itself)
- Cause malicious damage to a federal computer system in excess of $1,000
- Modify medical records in a computer when doing so impairs or may impair the examination, diagnosis, treatment, or medical care of an individual
- Traffic in computer passwords if the trafficking affects interstate commerce or involves a federal computer system
Answer: True

True or False: When Congress passed the CFAA, it raised the threshold of damage from $1,000 to $5,000 but also dramatically altered the scope of the regulation. Instead of merely covering federal computers that processed sensitive information, the act was changed to cover all "federal interest" computers. This widened the coverage of the act to include the following:
- Any computer used exclusively by the U.S. government
- Any computer used exclusively by a financial institution
- Any computer used by the government or a financial institution when the offense impedes the ability of the government or institution to use that system
- Any combination of computers used to commit an offense when they are not all located in the same state
Answer: True

True or False: In 1994, Congress recognized that the face of computer security had drastically changed since the CFAA was last amended in 1986 and made a number of sweeping changes to the act. Collectively, these changes (CFAA Amendments) are referred to as the Computer Abuse Amendments Act of 1994 and included the following provisions:
- Outlawed the creation of any type of malicious code that might cause damage to a computer system
- Modified the CFAA to cover any computer used in interstate commerce rather than just "federal interest" computer systems
- Allowed for the imprisonment of offenders, regardless of whether they actually intended to cause damage
- Provided legal authority for the victims of computer crime to pursue civil action to gain injunctive relief and compensation for damages
Answer: True

Documents released in 1991 that provided punishment guidelines to help federal judges interpret computer crime laws. Three major provisions of these guidelines have had a lasting impact on the information security community.
Answer: Federal Sentencing Guidelines

- The guidelines formalized the prudent man rule, which requires senior executives to take personal responsibility for ensuring the due care that ordinary, prudent individuals would exercise in the same situation. This rule, developed in the realm of fiscal responsibility, now applies to information security as well.
- The guidelines allowed organizations and executives to minimize punishment for infractions by demonstrating that they used due diligence in the conduct of their information security duties.
- The guidelines outlined three burdens of proof for negligence. First, the person accused of negligence must have a legally recognized obligation. Second, the person must have failed to comply with recognized standards. Finally, there must be a causal relationship between the act of negligence and subsequent damages.
Answer: The three major provisions of the Federal Sentencing Guidelines

This Act, passed by Congress in the mid-1990s as an amendment to the Computer Fraud and Abuse Act, included the following main new areas of coverage:
- Broadens the CFAA to cover computer systems used in international commerce in addition to systems used in interstate commerce
- Extends similar protections to portions of the national infrastructure other than computing systems, such as railroads, gas pipelines,
Document information: uploaded on January 22, 2024; 15 pages; exam (elaborations), questions and answers.