Answers to Questions 81-85

81. Under role-based access control, access rights are grouped by:
A. Sensitivity label
B. Role name
C. Rules
D. Policy name

Answer: B

Explanation: With role-based access control (RBAC), access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests, while the role of researcher can be limited to gathering anonymous clinical information for studies. Rules specify the individual access control decision criteria; they are not a grouping of anything. Policy names are typically given to sets of rules for access control and other security-related decisions. Sensitivity labels are used in mandatory access control (MAC), not in RBAC.

See Section 1.1: Access Control; Section 5.5.5: MAC/DAC/RBAC
82. Which of the following would you consider a "role" under a role-based access control system?
A. Bank teller
B. Bank computer
C. Bank network
D. Bank rules

Answer: A

Explanation: A role in RBAC is a job function. Access rights are attached to the role name rather than to the individual, and a person obtains those rights only by being authorized to assume the role (the hospital roles of doctor and researcher in question 81 are the same idea). Bank teller is such a job function. A bank computer and a bank network are resources that a role may be granted access to, and bank rules are decision criteria; none of them is a job-related role.

See Section 1.1: Access Control; Section 5.5.5: MAC/DAC/RBAC
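The following is an added example, not code from the CertiGuide text, showing what "access rights grouped by role name" looks like when implemented, for questions 81 and 82 together. The roles (doctor, researcher, bank_teller), the users, and the (operation, object) permissions are constructed for illustration; the access decision consults only the roles a user may assume, never a per-user or per-object rule.

```python
"""Minimal role-based access control (RBAC) engine.

Added example, not code from the CertiGuide page. The roles, users,
operations and objects below are constructed to illustrate questions
81 and 82: access rights hang off a role name, and a user obtains
them only by being authorised to assume that role.
"""
from dataclasses import dataclass, field


@dataclass
class Rbac:
    # role name -> set of (operation, object) permissions
    roles: dict = field(default_factory=dict)
    # user -> set of role names the user is authorised to assume
    assignments: dict = field(default_factory=dict)

    def define_role(self, role, permissions):
        self.roles[role] = set(permissions)

    def assign(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.assignments.get(user, set()).discard(role)

    def permitted(self, user, operation, obj):
        """True iff a role the user may assume carries (operation, obj).

        No per-user or per-object rule is consulted: the decision is
        entirely a function of the user's roles.
        """
        return any((operation, obj) in self.roles[role]
                   for role in self.assignments.get(user, set()))


def build_example():
    """Hospital roles from the explanation plus a bank teller (constructed)."""
    rbac = Rbac()
    rbac.define_role("doctor", {("perform", "diagnosis"),
                                ("prescribe", "medication"),
                                ("order", "lab_test")})
    rbac.define_role("researcher", {("read", "anonymised_record")})
    rbac.define_role("bank_teller", {("deposit", "customer_account"),
                                     ("withdraw", "customer_account")})
    rbac.assign("alice", "doctor")
    rbac.assign("bob", "researcher")
    rbac.assign("carol", "bank_teller")
    return rbac


def demo():
    rbac = build_example()
    results = {
        "doctor prescribes": rbac.permitted("alice", "prescribe", "medication"),
        "researcher prescribes": rbac.permitted("bob", "prescribe", "medication"),
        "researcher reads anonymised": rbac.permitted("bob", "read", "anonymised_record"),
        "teller orders lab test": rbac.permitted("carol", "order", "lab_test"),
    }
    # Moving Bob into the doctor role changes his rights without touching a
    # single object: that is what "grouped by role name" means in practice.
    rbac.assign("bob", "doctor")
    results["bob after assignment"] = rbac.permitted("bob", "prescribe", "medication")
    rbac.revoke("bob", "doctor")
    results["bob after revocation"] = rbac.permitted("bob", "prescribe", "medication")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

Note that a bank computer or bank network appears in this model only as the object of a permission, and rules appear nowhere at all; the only thing a user can be given is a role.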
83. The Lattice Based Access Control model was developed MAINLY to deal with:
A. Affinity
B. Integrity
C. Confidentiality
D. No Answer is Correct

Answer: C

Explanation: The Lattice Based Access Control model was developed to deal mainly with information flow in computer systems. Information flow is central to confidentiality, and to some extent it also applies to integrity. The basic work in this area was done around 1970 and was driven mostly by the defense sector. Information flow is concerned with the movement of information from one security class (also called a security label) to another, and the controls are applied to objects, where an object is a container of information such as a directory or file. In summary, the model deals with confidentiality and, to a limited extent, with integrity. Integrity-oriented models are related to mandatory access control, but integrity is not the primary purpose of the lattice model. Affinity has nothing to do with the model.

See Section 1.1: Access Control; Section 5.5.5: MAC/DAC/RBAC
84. With the Lattice Based Access Control model, a security class is also called a:
A. Control factor
B. Security label
C. Mandatory number
D. Serial ID

Answer: B

Explanation: In the Lattice Based Access Control model, information flow is described as flow from one security class to another, and a security class is also called a security label. Typical labels are "secret", "top secret", and so on. Labels are attached to objects, where an object is a container of information such as a directory or file. The classes form a lattice, that is, a partial order in which any two classes have a least upper bound and a greatest lower bound, so not every pair of classes is directly comparable and information may flow from one class to another only when the destination class is at or above the source in that order.

See Section 1.1: Access Control; Section 5.5.5: MAC/DAC/RBAC
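As an added example for questions 83 and 84, not code from the CertiGuide text, the block below models security classes (labels) as a clearance level plus a set of compartments and checks whether information may flow from one class to another. The level names, the compartment names "NUC" and "CRYPTO", the use of compartments at all, and the read/write checks derived from the flow rule are constructed assumptions; the flow rule itself (information may flow from a to b only if b dominates a) is the lattice property the explanation describes.

```python
"""Lattice-based information-flow check.

Added example, not code from the CertiGuide page. A security class
(security label) is modelled as a clearance level plus a set of
compartments; the level names, the compartment names and the use of
compartments at all are constructed assumptions. Information may flow
from class a to class b only when b dominates a (a <= b in the lattice).
"""
from dataclasses import dataclass

# Total order on levels; compartments add the partial-order dimension.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self >= other: higher-or-equal level and superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

    def join(self, other):
        """Least upper bound: the lowest class both self and other may flow to."""
        level = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.compartments | other.compartments)

    def meet(self, other):
        """Greatest lower bound: the highest class that may flow to both."""
        level = min(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.compartments & other.compartments)


def may_flow(src, dst):
    """Information may flow from object class src to dst iff dst dominates src."""
    return dst.dominates(src)


def may_read(subject, obj):
    """Simple security property (no read up): subject must dominate the object."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """*-property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)


def demo():
    secret = Label("secret")
    top_secret = Label("top secret")
    secret_nuc = Label("secret", frozenset({"NUC"}))
    secret_crypto = Label("secret", frozenset({"CRYPTO"}))
    # A report compiled from both compartmented sources must carry their join.
    report = secret_nuc.join(secret_crypto)
    analyst = Label("top secret", frozenset({"NUC"}))
    return {
        "secret -> top secret": may_flow(secret, top_secret),
        "top secret -> secret": may_flow(top_secret, secret),
        # Same level, different compartments: incomparable, so neither direction.
        "secret/NUC -> secret/CRYPTO": may_flow(secret_nuc, secret_crypto),
        "secret/CRYPTO -> secret/NUC": may_flow(secret_crypto, secret_nuc),
        "report label": report,
        "secret/NUC -> report": may_flow(secret_nuc, report),
        "secret/CRYPTO -> report": may_flow(secret_crypto, report),
        # An analyst cleared TS/NUC can read secret/NUC but not the joint report.
        "analyst reads secret/NUC": may_read(analyst, secret_nuc),
        "analyst reads report": may_read(analyst, report),
        # Writing a secret/NUC file from a top-secret session would be a write down.
        "analyst writes secret/NUC": may_write(analyst, secret_nuc),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The two secret-level labels with different compartments are the point of using a lattice rather than a plain ladder of levels: neither dominates the other, so information cannot flow between them directly, and an object that combines both must be labelled with their join.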
85. What should you do to the user accounts as soon as employment is terminated?
A. Disable the user accounts and have the data kept for a specified period of time
B. Maintain the user accounts and have the data kept for a specified period of time
C. Disable the user accounts and erase immediately the data kept
D. No Answer is Correct

Answer: A

Explanation: User accounts must be disabled, and their data kept for a specified period of time, as soon as employment is terminated. If the account is left active, the former employee can still reach the network by dial-up or over the Internet, and with it company data and resources, so disabling the account is the urgent step. It is also good practice to retain the former employee's data until the company is sure it is no longer needed: although public directories are normally provided for company documents, spreadsheets and the like, a good deal of job-related data ends up in an employee's home directory as well, which is why erasing it immediately (option C) is wrong. All users must log on to gain network access, and a record of logins with time and date stamps must be kept so that any unauthorized access, including attempts against a disabled account, can be detected, possibly after the fact.

See Section 5.4.1.9.1: Termination (HR Policy)
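The following added example, not code from the CertiGuide text, shows the three controls in the answer to question 85 working together: the account is disabled at once, its home directory is kept until a retention date, every logon attempt is recorded with a timestamp, and only accounts whose retention period has elapsed are purged. The account store, the 90-day retention period, the constructed dates and file names, and the use of plain SHA-256 as a stand-in for a real password hash are all assumptions made for the illustration.

```python
"""Offboarding a terminated user: disable, retain, audit, purge later.

Added example, not code from the CertiGuide page. The account store,
the password handling (plain SHA-256 stands in for a real slow hash),
the 90-day retention period and the log record format are constructed
assumptions.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


def hash_pw(password):
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    enabled: bool = True
    home_dir: dict = field(default_factory=dict)   # file name -> contents
    retain_until: Optional[datetime] = None


class Directory:
    def __init__(self, retention=timedelta(days=90)):
        self.accounts = {}
        self.retention = retention
        self.login_log = []   # (ISO timestamp, username, outcome)

    def create(self, username, password, files):
        self.accounts[username] = Account(username, hash_pw(password),
                                          home_dir=dict(files))

    def terminate(self, username, now):
        """Option A: disable logons at once, keep the data for a set period."""
        acct = self.accounts[username]
        acct.enabled = False
        acct.retain_until = now + self.retention
        return acct

    def login(self, username, password, now):
        acct = self.accounts.get(username)
        ok = (acct is not None and acct.enabled
              and acct.password_hash == hash_pw(password))
        # Every attempt is recorded with a timestamp, so a former employee
        # probing a disabled account is still visible after the fact.
        self.login_log.append((now.isoformat(), username,
                               "success" if ok else "denied"))
        return ok

    def purge_expired(self, now):
        """Erase only disabled accounts whose retention period has elapsed."""
        expired = [n for n, a in self.accounts.items()
                   if not a.enabled and a.retain_until and a.retain_until <= now]
        for name in expired:
            del self.accounts[name]
        return expired


def demo():
    d = Directory()
    day0 = datetime(2004, 11, 15, tzinfo=timezone.utc)   # constructed dates
    d.create("carol", "hunter2", {"q3_forecast.xls": "constructed contents"})
    results = {"before": d.login("carol", "hunter2", day0)}
    d.terminate("carol", day0)
    # The correct password no longer works, but the home directory survives.
    results["after"] = d.login("carol", "hunter2", day0 + timedelta(hours=1))
    results["files kept"] = "q3_forecast.xls" in d.accounts["carol"].home_dir
    results["purged early"] = d.purge_expired(day0 + timedelta(days=30))
    results["purged later"] = d.purge_expired(day0 + timedelta(days=90))
    results["log"] = d.login_log
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Option B corresponds to never calling terminate, so the "after" logon would succeed; option C corresponds to deleting the account in terminate, so the forecast spreadsheet in the home directory would be gone before anyone could recover it.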
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.