Exam (elaborations)

WGU, Information Security and Assurance (C725), SET IV STUDY Questions and Answers (2022/2023) (Verified Answers)

Pages: 15
Grade: A+
Uploaded on: 10-05-2024
Written in: 2023/2024

Part 1: Introduction and General Model; Part 2: CC Evaluation Methodology; Part 3: Extensions to the Methodology
Three parts of the Common Evaluation Methodology

This part of the CEM describes agreed-upon principles of evaluation and introduces agreed-upon evaluation terminology dealing with the process of evaluation.
Part 1: Introduction and General Model

This part of the CEM is based on CC Part 3 evaluator actions. It uses well-defined assertions to refine CC Part 3 evaluator actions and tangible evaluator activities to determine requirement compliance. In addition, it offers guidance to further clarify the intent of evaluator actions. This part provides for methodologies to evaluate the following: PPs; STs; EAL1; EAL2; EAL3; EAL4; EAL5; EAL6; EAL7; components not included in an EAL.
Part 2: CC Evaluation Methodology

This part of the CEM takes full advantage of the evaluation results. This part includes topics such as guidance on the composition and content of evaluation document deliverables.
Part 3: Extensions to the Methodology

Bell-LaPadula model; Biba integrity model; Clark and Wilson model; Noninterference model; State machine model; Access matrix model; Information flow model
Security models that help evaluators determine if the implementation of a reference monitor meets the design requirements

The two security models that were a major influence for the TCSEC and ITSEC
Bell-LaPadula model and the Biba integrity model

Formed in the 1970s, a formal security model that describes a set of access control rules. A subject's access to an object is allowed or disallowed by comparing the object's security classification with the subject's security clearance. It is intended to preserve the principle of least privilege. It is a formal description of allowable paths of information flow in a secure system and defines security requirements for systems handling data at different sensitivity levels. The model defines a secure state and access between subjects and objects in accordance with specific security policy.
Bell-LaPadula Model

The Biba model covers integrity levels, which are analogs to the sensitivity levels from the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data. This security model uses a read-up, write-down approach. Subjects cannot read objects of lesser integrity and cannot write to objects of higher integrity. Think of CIA analysts and the information they need to perform their duties. Under this model, an analyst with Top Secret clearance can see only information that's labeled as Top Secret with respect to integrity (confirmed by multiple sources, and so forth); likewise, this analyst can contribute information only at his or her clearance level. People with higher clearances are not "poisoned" with data from a lower level of integrity and cannot poison those with clearances higher than theirs.
Biba Integrity Model

A security model that proposes "well formed transactions." It requires mathematical proof that steps are performed in order exactly as they are listed, authenticates the individuals who perform the steps, and defines separation of duties.
Clark and Wilson model

A security model that covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy.
Covers ways to prevent subjects operating in one domain from affecting each other in violation of security policy.

A security model that acts as an abstract mathematical model consisting of state variables and transition functions.
State machine model

A security model that acts as a state machine model for a discretionary access control environment.
Access matrix model

A security model that simplifies analysis of covert channels. A covert channel is a communication channel that allows two cooperating processes of different security levels (one higher than the other) to transfer information in a way that violates a system's security policy.
Information flow model

Which of the following terms best describes the primary concern of the Biba security model?
A. Confidentiality
B. Reliability
C. Availability
D. Integrity
D. Integrity
Explanation: The Biba model covers integrity levels, which are analogs to the sensitivity levels from the Bell-LaPadula model. Integrity levels cover inappropriate modification of data and prevent unauthorized users from making modifications to resources and data.

Which of the following events is considered a man-made disaster?
A. Earthquake
B. Tornado
C. Flooding caused by a broken water main
D. Labor walkout
Labor walkout

Which of the following statements is not true about the BCP and DRP?
A. Both plans deal with security infractions after they occur.
B. Both plans describe preventative, not reactive, security procedures.
C. The BCP and DRP share the goal of maintaining "business as usual" activities.
D. They belong to the same domain of the Common Body of Knowledge.
B. Both plans describe preventative, not reactive, security procedures.
Explanation: The business continuity plan (BCP) describes the critical processes, procedures, and personnel that must be protected in the event of an emergency (preventative), and the disaster recovery plan (DRP) describes the exact steps and procedures personnel in key departments, specifically the IT department, must follow to recover critical business systems in the event of a disaster that causes the loss of access to systems required for business operations (reactive).

Which of the following is the number one priority of disaster response?
A. Hardware protection
B. Software protection
C. Transaction processing
D. Personnel safety
D. Personnel safety

Involves reviewing the risks to organizational procedures
Business continuity plan

Focuses on policies and procedures that make a disruptive event have little impact on the business
Business continuity plan

Seller: ACADEMICLIBRARY