[CCCure CISSP] Q4April-13 Some cccure Quiz question doubts


Amlan Deb
 
Hi guys,
 
I have some doubts regarding some cccure Quiz questions and concepts mentioned below. Would really appreciate it if you could take out some time and help me with them.
 
Thanks,
Amlan
 

Doubt#4
========
(This one involves 2 questions and explanations which are mentioned below)
 

7. 

1.     Question: 14 | Difficulty: 4/5 | Relevancy: 3/3

What is a "system high" security policy?

o      A system with data that contains only data of the highest security classification.

o     A system where all users are cleared to view the most highly classified data on the system.

o      A system that contains only data of one security classification.

o      A system that uses a Multi-Level Security Policy to separate the highly classified data from the other data residing on the system.

You did not provide any answer to this question. Please review details below.

The correct answer is: A system where all users are cleared to view the most highly classified data on the system.

Because all data on the system has the same security level of the highest security level found, the users must also be cleared to access data at that level. However, the user can still be restricted from the information if they do not have a need to know pertaining to the specific object.

The following answers are incorrect:

A system with data that contains only data of the highest security classification. Is incorrect because the system can contain data of any security classification, it is not restricted to only the highest security classification. 

A system that contains only data of one security classification. This is incorrect as the data residing on the system can have any security classification, but the data that has a lower security classification could only be accessed by individuals that had the highest security level to match that of the highest security level of the data on the system.

A system that uses a Multi-Level Security Policy to separate the highly classified data from the other data residing on the system. Is incorrect because there is no separation. All data residing on the system is treated as if it had the same high security classification.

Modified 8/27/2007 - J. Hajec; 4/14/2007 - S. Stone.

Checked for QA by M. Zagorski

Comment:

A System High or System High Mode policy is unique compared to other policies. With System High Mode the security level for all data is treated as if it is the same security level of the highest level of any data located in the computing environment. That means you can have an unclassified document on a System High computer but if there are also Top Secret documents located on it then the unclassified document is also treated as if it were a Top Secret document and anyone without Top Secret clearance would not be able to access any document, including the unclassified document.

References:

OIG CBK, Glossary (page 995)

AIO, 3rd Edition, Security Models and Architecture (page 297)

AIO, 4th Edition, Security Architecture and Design, p 352.

Wikipedia - http://en.wikipedia.org/wiki/Security_modes#System_high_security_mode

 

Covered topic: System-high security mode (a mode of operation of an information system, wherein all users having access to the system possess a security clearance or authorization, but not necessarily a need-to-know, for all data handled by the system)

 

78. 

1.     Question: 789 | Difficulty: 4/5 | Relevancy: 3/3

In what security mode can a system be operating if all users have the clearance or authorization and need-to-know to all data processed within the system?

o     Dedicated security mode

o      System-high security mode

o      Compartmented security mode

o      Multilevel security mode

You did not provide any answer to this question. Please review details below.

The correct answer is:   Dedicated security mode

In dedicated security mode, all users have a clearance and formal need to know for all information processed within the system.  If for example, the system stores and processes top secret information on the "Nova Widgets" program, then all users of the system must have both a top secret clearance and a formal need to know for the "Nova Widgets" program.

Wikipedia has a great summary within one table as shown below:

[Image: security modes summary table, https://www.freepracticetests.org/images/securitymodes.jpg]

The following answers are incorrect:

System-high security mode.  System-high security mode requires all users to have a clearance for the level of information stored and processed by the system but all users have a need to know for only some of the data stored and processed by the system.  For example, though all information on "Nova Widgets" is top secret and all users of the system must therefore have a top secret clearance, some users may only have a need to know for "Nova Widgets Ordnance" information while other users may only have a need to know for the "Nova Widgets Guidance and Propulsion" information.

Compartmented security mode.  Compartmented security mode allows a system to have differing levels of information and all users have clearance to access all the information (which means they must be cleared to access the highest level of information stored and processed on the system) but not all users have the need to know.

Multilevel security mode.  In multi-level mode, the system stores and processes information of differing classifications but users are only required to have clearance and need to know for the information they need to access.  For example, multilevel security would allow a system that processes confidential and secret information to be accessed by users with clearances of confidential and secret but the system would impose controls to assure that each user only accesses information for which they have both clearance and formal need to know.


Reference(s) used for this question:

AIO3, pp. 296 - 298
AIOv4 Security Architecture and Design (pages 351 - 355)
AIOv5 Security Architecture and Design (pages 353 - 356)

Wikipedia has great information at:  https://en.wikipedia.org/wiki/Security_modes

Last modified 6/18/2007 R. Austin
Thanks to Benedict Pasaribu for providing updated references for this question.

Comment:

These modes form a descending order of restrictiveness:

Dedicated -- one level of information classification; all users have a need to know

System-high -- one level of information classification; not all users have need to know for all information.

Compartmented -- multiple levels of information classification but users must all be cleared for the highest level; not all users have need to know for all information

Multilevel -- multiple levels of information classification; not all users have need to know for all information; users must have appropriate clearance matching the information they need to know

Contributor: Christian Vezina

Study area: Security Architecture and Design

Covered topic: Security modes (a description of the conditions under which an information system functions, based on the sensitivity of data processed and the clearance levels and authorizations of the users)

This question is also tied to the following area: SSCP

 

My doubt:

1. In Qs7: the text highlighted in Red is contradicting the text highlighted in Blue (provided in the explanation of answer of Qs7)

Because all data on the system has the same security level of the highest security level found, the users must also be cleared to access data at that level.

the system can contain data of any security classification, it is not restricted to only the highest security classification. 

This is incorrect as the data residing on the system can have any security classification.

2. Also, if the explanation of System High Security mode in Qs7 (blue text) is correct then in Qs78 (and other places) shouldn’t it be described as:

System High -- multiple levels of information classification; not all users have need to know for all information.

Or do we just need to keep in mind that even though the systems in System High Mode can contain multiple levels of information classification, since it can only be accessed by individuals that had the highest security level, in the definition we need to show it as:

System High -- one level of information classification; not all users have need to know for all information.

 

_______________________________________________
You can find the list archive at:
http://cissp-study.3965.n7.nabble.com/

CISSPstudy mailing list
[hidden email]

To UNSUBSCRIBE, SUBSCRIBE, or MANAGE your account visit the link below:
http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
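
The access rule described in the quoted quiz explanations, as an added example that is not part of the original message or the quiz: under system-high every document is handled at the highest classification found on the system, whatever label it carries, while multilevel judges each document by its own label. The level names, sample documents and users are constructed; compartmented mode is left out because the quoted text separates it from system-high only by how many classification levels are present.

```python
from dataclasses import dataclass

# Ordered classification levels (constructed for this example).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Doc:
    name: str
    level: str   # label the document itself carries
    topic: str   # need-to-know category

@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    need_to_know: frozenset

def high_water_mark(docs):
    """Highest classification found anywhere on the system."""
    return max((d.level for d in docs), key=LEVELS.get)

def can_access(mode, user, doc, docs):
    """Decide one access request under 'system-high' or 'multilevel'."""
    if mode == "system-high":
        required = high_water_mark(docs)   # every object handled at the top level
    elif mode == "multilevel":
        required = doc.level               # each object judged by its own label
    else:
        raise ValueError(f"unsupported mode: {mode}")
    cleared = LEVELS[user.clearance] >= LEVELS[required]
    return cleared and doc.topic in user.need_to_know

def strictest_mode(users, docs):
    """Most restrictive of dedicated / system-high / multilevel the users allow."""
    top = LEVELS[high_water_mark(docs)]
    topics = {d.topic for d in docs}
    if any(LEVELS[u.clearance] < top for u in users):
        return "multilevel"
    if all(topics <= u.need_to_know for u in users):
        return "dedicated"
    return "system-high"

# Constructed sample data, reusing the "Nova Widgets" topics from the quiz text.
DOCS = [Doc("lunch_menu", "Unclassified", "Admin"),
        Doc("ordnance_report", "Top Secret", "Ordnance"),
        Doc("engine_report", "Top Secret", "Guidance and Propulsion")]
ALICE = User("alice", "Top Secret", frozenset({"Admin", "Ordnance"}))
BOB = User("bob", "Secret", frozenset({"Admin"}))
CAROL = User("carol", "Top Secret", frozenset({"Admin", "Ordnance", "Guidance and Propulsion"}))
```
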