CISSP PRACTICE QUESTIONS – 20210402

Effective CISSP Questions

A France computer manufacturer submits a trusted computer system for the Common Criteria evaluation and receives an EAL 7. The system supports the security policy that allows a user cleared as confidential to prepare reports to the supervisor at the secret level. Which of the following is least likely to be used in the design as a formal model? (Wentz QOTD)
A. Finite state machine
B. Information flow model
C. Non-interference model
D. Mandatory access control

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Mandatory access control.

Mandatory access control is the access control policy or requirement; it’s not a formal model. Instead, it can be fulfilled by formal models. A model is a detailed description or scaled representation of an entity; a formal model is a rigorous model developed by applying mathematically-based notation and language.

  • The finite state machine is a common formal model.
  • The information flow model is not really a model but generally refers to formal models that can control information flow. So does the non-interference model. However, most of the study guides treat them as a “model.” This question follows this perspective.

An EAL 7 product implies it is backed by a formal design.

Common Criteria EAL

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

一家法國的計算機製造商提交了可信的計算機系統以進行“通用標準(CC)”評估,並收到了符合EAL7的評估結果。該系統支持安全政策,允許被核定為密級(confidential)的用戶向具有機密(secret)級別的主管報告。 以下哪個最不可能在本系統的設計中使用,以作為正式模型(formal model)?(Wentz QOTD)
A. Finite state machine
B. Information flow model
C. Non-interference model
D. Mandatory access control

Leave a Reply