Which type of control is concerned with avoiding occurrences of risks?
Correct Answer: C
Section: Access Control
Explanation/Reference: Preventive controls are concerned with avoiding occurrences of risks, while deterrent controls are concerned with discouraging violations. Detective controls identify occurrences, and compensating controls are alternative controls used to compensate for weaknesses in other controls. Supervision is an example of a compensating control. Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Question 652
Which of the following describes a logical form of separation used by secure computing systems?
Correct Answer: B
Section: Security Operation Administration
Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
Question 653
Which of the following are the steps usually followed in the development of documents such as security policy, standards and procedures?
Correct Answer: C
Explanation/Reference: The common steps used in the development of a security policy are initiation of the project, evaluation, development, approval, publication, implementation, and maintenance. The other choices listed are the phases of the software development life cycle, not the steps used to develop documents such as policies, standards, etc. Reference: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 3, 2002, Auerbach Publications.
Question 654
Which of the following would be the best criterion to consider in determining the classification of an information asset?
Correct Answer: A
Section: Security Operation Administration
Explanation/Reference: Information classification should be based on the value of the information to the organization and its sensitivity (a reflection of how much damage would accrue due to disclosure). Age is incorrect. While age might be a consideration in some cases, the guiding principles should be value and sensitivity. Useful life is incorrect. While useful lifetime is relevant to how long data protections should be applied, the classification is based on information value and sensitivity. Personal association is incorrect. Information classification decisions should be based on the value of the information and its sensitivity. Reference: CBK, pp. 101-102.