Your company is awarded a contract to develop a customized firewall product for a well-known brand security company. As a security professional, you are a member of the integrated product team. After a workshop collecting and elicitating protection needs from the customer and stakeholders, you finished specifying security functional and assurance requirements. Which of the following activities conducted by the quality assurance team ensures the product compliant with the specifications?
Your company develops security products. You are the head of the firewall product line and decide to develop a new firewall model. Formal methods will be used for specification, verification, and other aspects of product development. Which of the following is not a formal method? A. Fagan inspection
B. Delphi method
C. Lattice-based access control
D. Finite-state machine
Your company develops security products. You are the head of the firewall product line and decide to develop a new firewall model based on formal designs. Which of the following best supports the design for the product? A. Use a prescribed system development life cycle (SDLC) compliant with standards
B. Follow the design principle of encapsulation and modulization and best practices
C. Employ a state machine and ensure secure transit between states
D. Gain certification from third-party evaluation for assurance
Your company is implementing the ERP system. As a security professional, you are selecting security controls as a baseline from a well-known security control framework and customizing it according to your company’s specific requirements and constraints. Which of the following is the least concern during the process of scoping and tailoring? A. Compensating controls
B. Common controls
C. The impact level of the ERP system
D. Certification and accreditation
You are implementing a company network for a startup. The IP address of the intranet is 192.168.1.0/24. You split the intranet into two subnets connected by a router: 192.168.1.0/25 and 192.168.128.0/25. Which of the following is the best for the router to forward IP packets from one subnet to the other? A. Relay agent
B. Routing protocols
C. Routed protocols
D. Static routes
Eve was cleared as Top Secret and printed a classified document to a printer. The printer sent a success notification to Eve after printing. The printout has an explicit expression, //TS//SCI, on the header. Which of the following is not true? A. The printed document is labeled as //TS and compartmented as //SCI.
B. Eve has need-to-know of the classified document in the performance of her duties.
C. Eve’s security level dominates that of the classified document.
D. Eve’s security level is higher than or equal to that of the printer.
Eve spying undercover as an employee was cleared as Secret and imposed with the *-security (star) property. She printed a classified document to a printer labeled as Confidential. After printing two pages of the document, the printer ran out of paper. Which of the following best describes the printing work? A. Eve’s clearance dominates that of the printer.
B. The collection of the printer’s non-hierarchical categories is a superset of Eve’s.
C. Eve controls a covert channel to the printer.
D. A trusted channel is established between Eve and the printer.
Your company develops security products. You are the head of the firewall product line and studying well-known evaluation criteria for your products, e.g., TCSEC, ITSEC, Common Criteria, etc. Which of the following is least preferable as the objectives of the evaluation criteria? A. To provide guidance for manufacturers to build trustworthy products
B. To provide users with a yardstick to assess the degree of trust of your products
C. To benchmark products in terms of cost/benefit to inform procurement decisions
D. To provide a basis for specifying security requirements in acquisition specifications
Your company develops security products and competes in the market with the first-mover strategy. Time-to-market and third-party assurance, e.g., Common Criteria, are critical success factors. You lead the firewall development team. Which of the following does not belong to assurance requirements defined in Common Criteria? A. Non-repudiation of origin
B. Security architecture
C. Functional specification
D. Security policy modelling
Your company develops security products and competes in the market with the first-mover strategy. Time-to-market and third-party assurance, e.g., Common Criteria, are critical success factors. You lead the firewall development team. Which of the following is the least priority for the development of a new firewall model? A. Documentation
B. Management commitment
C. Assurance with a formal design
D. Selection of computer languages