Chapter 9: Practice Test 1 413
- B. Class B fire extinguishers use carbon dioxide, halon, or soda acid as their suppression material and are useful against liquid-based fires. Water may not be used against liquid-based fires because it may cause the burning liquid to splash, and many burning liquids, such as oil, will float on water.
- D. Notifications and procedures like the signs posted at the company Chris works for are examples of directive access controls. Detective controls are designed to operate after the fact. The doors and the locks on them are examples of physical controls. Preventive controls are designed to stop an event, and could also include the locks that are present on the doors.
- D. The seven principles that the EU-U.S. Privacy Shield spells out for handling personal information are notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability.
- C. The DMCA provides safe harbor protection for the operators of Internet service providers who only handle information as a common carrier for transitory purposes.
- B. According to NIST SP 800-18, a system owner should update the system security plan when the system they are responsible for undergoes a significant change. Classification, selection of custodians, and designing ways to protect data confidentiality might occur if new data were added but should have already been done otherwise.
- B. Provisioning that occurs through an established workflow, such as through an HR process, is workflow-based account provisioning. If Alex had set up accounts for his new hire on the systems he manages, he would have been using discretionary account provisioning. If the provisioning system allowed the new hire to sign up for an account on their own, they would have used self-service account provisioning, and if there was a central, software-driven process, rather than HR forms, it would have been automated account provisioning.
- C. As Alex has changed roles, he retained access to systems that he no longer administers. The provisioning system has provided rights to the workstations and the application servers he manages, but he should not have access to the databases he no longer administers. Privilege levels are not specified, so we can't determine whether he has excessive rights. Logging may or may not be enabled, but it isn't possible to tell from the diagram or the problem.
- C. When a user's role changes, they should be provisioned based on their role and other access entitlements. De-provisioning and re-provisioning are time-consuming and can lead to problems with changed IDs and how existing credentials work. Simply adding new rights leads to privilege creep, and matching another user's rights can lead to excessive privileges due to privilege creep for that other user.
- B. EAL2 assurance applies when the system has been structurally tested. It is the second-to-lowest level of assurance under the Common Criteria.
- C. Before granting any user access to information, Adam should verify that the user has an appropriate security clearance as well as a business need to know the information in question.
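The privilege-creep scenario in the answers about Alex above, worked as an added example that is not from the book: an audit that rebuilds a user's expected rights from their current roles and reports anything retained from a former role, beside the re-provisioning that avoids the creep. The role names, entitlement strings and the sample account are constructed for illustration.

```python
"""Added example (not from the book): detect and correct privilege creep
after a role change. Roles, entitlements and the account are constructed."""
from dataclasses import dataclass

# Constructed role model: each role maps to the entitlements it should grant.
ROLE_ENTITLEMENTS = {
    "workstation-admin": {"workstations:admin"},
    "appserver-admin": {"appservers:admin", "appservers:deploy"},
    "database-admin": {"databases:admin", "databases:backup"},
}


@dataclass
class Account:
    user: str
    roles: set          # roles the account currently holds
    entitlements: set   # rights actually present on the systems


def expected_entitlements(roles):
    """Union of the entitlements that the account's current roles grant."""
    expected = set()
    for role in roles:
        expected |= ROLE_ENTITLEMENTS.get(role, set())
    return expected


def audit(account):
    """Return (excess, missing): rights no current role justifies (creep from
    an old role) and role-granted rights that are absent (incomplete provisioning)."""
    expected = expected_entitlements(account.roles)
    return (sorted(account.entitlements - expected),
            sorted(expected - account.entitlements))


def reprovision(account):
    """Rebuild rights from the current roles rather than adding to the old set,
    which is what prevents creep when the role changes."""
    return Account(account.user, set(account.roles),
                   expected_entitlements(account.roles))


# Constructed sample: Alex moved from database admin to app server admin, but
# the database rights from his old role were never removed.
alex = Account("alex", {"workstation-admin", "appserver-admin"},
               {"workstations:admin", "appservers:admin", "appservers:deploy",
                "databases:admin", "databases:backup"})

if __name__ == "__main__":
    excess, missing = audit(alex)
    print("excess:", excess)      # the databases:* rights retained from the old role
    print("missing:", missing)
    print("after reprovisioning:", sorted(reprovision(alex).entitlements))
```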