Systems Security Certified Practitioner – SSCP – Question0324

Which of the following is responsible for MOST of the security issues?

A. Outside espionage
B. Hackers
C. Personnel
D. Equipment failure

Correct Answer: C

Explanation:

Personnel, whether through error, negligence or misuse of legitimate access, cause more security issues than hacker attacks, outside espionage or equipment failure.
The following answers are incorrect because:
Outside espionage, hackers and equipment failure are each real sources of loss, but none of them accounts for as many security issues as the organization's own personnel, so none is the best answer.
Reference: Shon Harris, AIO v3, Chapter 3: Security Management Practices, Page 56

Systems Security Certified Practitioner – SSCP – Question0323

Who should DECIDE how a company should approach security and what security measures should be implemented?

A. Senior management
B. Data owner
C. Auditor
D. The information security specialist

Correct Answer: A

Explanation:

Senior management is ultimately responsible for the security of the organization and the protection of its assets, so the decision on how security is approached and which measures are implemented rests with them.
The following answers are incorrect because:
Data owner is incorrect, as data owners are accountable for specific data sets but do not decide the organization-wide approach to security. Auditor is incorrect, as an auditor evaluates whether controls are adequate and cannot decide which security measures should be applied. The information security specialist is incorrect: they have the technical knowledge of how security measures should be implemented and configured, but they should not be in the position of deciding which measures are applied.
Reference: Shon Harris, AIO v3, Chapter 3: Security Management Practices, Page 51

Systems Security Certified Practitioner – SSCP – Question0322

Which of the following is given the responsibility of the maintenance and protection of the data?

A. Data owner
B. Data custodian
C. User
D. Security administrator

Correct Answer: B

Explanation:

The data custodian is usually responsible for maintaining and protecting the data on behalf of the data owner, for example by running backups, applying access controls and restoring data when required.
The following answers are incorrect:
Data owner is usually a member of management, in charge of a specific business unit, who is ultimately responsible for the protection and use of the information but delegates its day-to-day maintenance.
User is any individual who routinely uses the data for work-related tasks.
Security administrator's tasks include creating new system user accounts and implementing new security software, rather than custody of a particular data set.
References: Shon Harris, AIO v3, Chapter 3: Security Management Practices, Pages 99-103

Systems Security Certified Practitioner – SSCP – Question0321

Which of the following is BEST defined as a physical control?

A. Monitoring of system activity
B. Fencing
C. Identification and authentication methods
D. Logical access control mechanisms

Correct Answer: B

Explanation:

Physical controls are items put into place to protect the facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
The following answers are incorrect:
Monitoring of system activity is considered to be an administrative control.
Identification and authentication methods are considered to be a technical control.
Logical access control mechanisms are also considered to be a technical control.
Reference(s) used for this question: Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 1280-1282). McGraw-Hill. Kindle Edition.

Systems Security Certified Practitioner – SSCP – Question0320

Which of the following is NOT a technical control?

A. Password and resource management
B. Identification and authentication methods
C. Monitoring for physical intrusion
D. Intrusion Detection Systems

Correct Answer: C

Explanation:

Monitoring for physical intrusion is considered to be a physical control.
There are three broad categories of access control: administrative, technical, and physical. Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.
Each category of access control has several components that fall within it; a partial list is shown here. Not all controls fall into a single category: many controls belong to two or more categories. Backups are an example that appears in all three:
Administrative Controls
• Policy and procedures (a backup policy would be in place)
• Personnel controls
• Supervisory structure
• Security-awareness training
• Testing
Physical Controls
• Network segregation
• Perimeter security
• Computer controls
• Work area separation
• Data backups (the actual storage of the media, i.e. an offsite storage facility)
• Cabling
Technical Controls
• System access
• Network architecture
• Network access
• Encryption and protocols
• Control zone
• Auditing
• Backup (the actual software doing the backups)
The following answers are incorrect:
Password and resource management is considered to be a logical or technical control.
Identification and authentication methods are considered to be a logical or technical control.
Intrusion Detection Systems are considered to be a logical or technical control.
Reference: Shon Harris, AIO v3, Chapter 4: Access Control, Pages 180-185

Systems Security Certified Practitioner – SSCP – Question0319

Which of the following is NOT an administrative control?

A. Logical access control mechanisms
B. Screening of personnel
C. Development of policies, standards, procedures and guidelines
D. Change control procedures

Correct Answer: A

Explanation:

Logical access control mechanisms are considered to be a technical control.
Logical is synonymous with technical control in this context, which makes this the easy answer.
There are three broad categories of access control: Administrative, Technical, and Physical.
Each category has different access control mechanisms that can be carried out manually or automatically. All of these access control mechanisms should work in concert with each other to protect an infrastructure and its data.
Each category of access control has several components that fall within it, as shown here:
Administrative Controls
• Policy and procedures
• Personnel controls
• Supervisory structure
• Security-awareness training
• Testing
Physical Controls
• Network segregation
• Perimeter security
• Computer controls
• Work area separation
• Data backups
Technical Controls
• System access
• Network architecture
• Network access
• Encryption and protocols
• Control zone
• Auditing
The following answers are incorrect:
Screening of personnel is considered to be an administrative control.
Development of policies, standards, procedures and guidelines is considered to be an administrative control.
Change control procedures are considered to be an administrative control.
Reference: Shon Harris, AIO v3, Chapter 3: Security Management Practices, Pages 52-54

Systems Security Certified Practitioner – SSCP – Question0318

What would BEST define a covert channel?

A. An undocumented backdoor that has been left by a programmer in an operating system
B. An open system port that should be closed.
C. A communication channel that allows transfer of information in a manner that violates the system's security policy.
D. A trojan horse.

Correct Answer: C

Explanation:

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way.
Receiving information in this manner clearly violates the system's security policy. The channel used to transfer this unauthorized data is the result of one of the following conditions:
• Oversight in the development of the product
• Improper implementation of access controls
• Existence of a shared resource between the two entities
• Installation of a Trojan horse
The two classic forms are the storage channel, where the sender modulates an attribute of a shared object (a file's existence, a lock, free disk space) that the receiver can observe, and the timing channel, where the sender modulates how long a shared resource takes to respond.
The following answers are incorrect:
An undocumented backdoor that has been left by a programmer in an operating system is incorrect because a backdoor is an unauthorized access path into the system, not an information flow that slips past the policy's control of communication. Such a backdoor is usually referred to as a maintenance hook.
An open system port that should be closed is incorrect, as it is a configuration weakness and does not define a covert channel.
A Trojan horse is incorrect because it is a program that looks useful but, when installed, also delivers something the installer did not ask for, such as a worm, a backdoor or other malware. A Trojan horse may be the cause of a covert channel, but it is not the definition of one.
Reference(s) used for this question:
Shon Harris, AIO v3, Chapter 5: Security Models & Architecture; AIO v4, Security Architecture and Design (pages 343-344); AIO v5, Security Architecture and Design (pages 345-346)
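The following Python script is an added example, not part of the cited references, that simulates the "shared resource" condition listed above as a covert storage channel. A HIGH-labelled sender and a LOW-labelled receiver share a directory; the simplified policy denies any direct write from HIGH to LOW, but the sender can create or delete a scratch file and the receiver can test whether it exists, and that single existence bit is enough to leak data. The labels, the `policy_allows_write` check, the directory layout and the secret are all constructed for the example; the `toggle_rate` detector is a crude illustration of what an auditor would look for, not a real product's logic.

```python
"""Covert storage channel through a shared directory (constructed example)."""
import os
import tempfile
from typing import Dict, List

# Constructed two-level lattice; a real system would have many labels.
LEVELS = {"LOW": 0, "HIGH": 1}


def policy_allows_write(subject_level: str, object_level: str) -> bool:
    """Simplified Bell-LaPadula *-property: a subject may not write down."""
    return LEVELS[subject_level] <= LEVELS[object_level]


def to_bits(data: bytes) -> List[int]:
    """Most-significant bit first, eight bits per byte."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


class SharedDirectory:
    """The shared resource. Every operation is logged so a monitor can audit it."""

    def __init__(self, path: str):
        self.flag = os.path.join(path, "scratch.lock")   # assumed file name
        self.log: List[str] = []

    def sender_set(self, bit: int) -> None:
        """HIGH legitimately owns its scratch file and may create or delete it."""
        exists = os.path.exists(self.flag)
        if bit and not exists:
            open(self.flag, "w").close()
            self.log.append("create")
        elif not bit and exists:
            os.remove(self.flag)
            self.log.append("delete")
        else:
            self.log.append("noop")      # state unchanged this tick

    def receiver_probe(self) -> int:
        """LOW cannot read the file, but it can observe whether it exists."""
        return 1 if os.path.exists(self.flag) else 0


def covert_transfer(secret: bytes, shared: SharedDirectory) -> bytes:
    """Leak `secret` one bit per tick. The direct path is denied by policy."""
    if policy_allows_write("HIGH", "LOW"):
        raise RuntimeError("policy should deny a direct HIGH->LOW write")
    received: List[int] = []
    for bit in to_bits(secret):
        shared.sender_set(bit)                    # sender's turn on the clock
        received.append(shared.receiver_probe())  # receiver's turn
    return from_bits(received)


def toggle_rate(log: List[str]) -> float:
    """Fraction of operations that flip the file's state.

    A scratch file that is created and deleted on nearly every tick is the
    signature an auditor would flag; ordinary use changes state rarely.
    """
    flips = sum(1 for op in log if op in ("create", "delete"))
    return flips / len(log) if log else 0.0


def run_demo(secret: bytes = b"ok") -> Dict[str, object]:
    """Run one transfer in a temporary directory and return what leaked."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = SharedDirectory(tmp)
        leaked = covert_transfer(secret, shared)
        return {"leaked": leaked, "toggle_rate": toggle_rate(shared.log)}


if __name__ == "__main__":
    print(run_demo(b"top secret"))
```

The sender and receiver here take turns on a simulated clock; a real channel has to cope with scheduling noise and usually needs a synchronisation scheme, which is why covert channels are typically rated by bandwidth rather than treated as impossible. The same shared-resource pattern applies to locks, quota counters and cache lines, not just files.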

Systems Security Certified Practitioner – SSCP – Question0317

Which of the following would be the best reason for separating the test and development environments?

A. To restrict access to systems under test.
B. To control the stability of the test environment.
C. To segregate user and development staff.
D. To secure access to systems under development.

Correct Answer: B

Explanation:

The test environment must be controlled and stable in order to ensure that development projects are tested in a realistic environment which, as far as possible, mirrors the live environment.
Reference(s) used for this question: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 309).

Systems Security Certified Practitioner – SSCP – Question0316

Which of the following is an advantage in using a bottom-up versus a top-down approach to software testing?

A. Interface errors are detected earlier.
B. Errors in critical modules are detected earlier.
C. Confidence in the system is achieved earlier.
D. Major functions and processing are tested earlier.

Correct Answer: B

Explanation:

The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upwards until complete system testing has taken place. The advantages of a bottom-up approach are that lower-level modules are exercised directly by test drivers rather than hidden behind stubs, and that errors in critical modules are found earlier. The other choices describe advantages of a top-down approach, which follows the opposite path.
Source: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, chapter 6: Business Application System Development, Acquisition, Implementation and Maintenance (page 299).
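The script below is an added example, not taken from the ISACA manual, of why the bottom-up order finds errors in critical modules earlier. An atomic module `parse_token` carries a constructed bug (it does not normalise the role's case), and a higher-level `is_authorized` builds on it. The top-down test stubs the parser with canned data and passes, masking the bug; the bottom-up test drives `parse_token` directly and reports it. All module names, inputs and the bug itself are assumptions made for the illustration.

```python
"""Bottom-up versus top-down testing of a small authorisation stack (constructed)."""
from __future__ import annotations

from typing import Callable, Dict, List

Parser = Callable[[str], Dict[str, str]]


# --- atomic (lowest-level) module ------------------------------------------
def parse_token(token: str) -> Dict[str, str]:
    """Split a 'user:role' token into its fields.

    Constructed bug: the role is returned as typed, so 'Admin' and 'admin'
    look like different roles to every caller.
    """
    user, _, role = token.partition(":")
    if not user or not role:
        raise ValueError(f"malformed token: {token!r}")
    return {"user": user, "role": role}


def parse_token_fixed(token: str) -> Dict[str, str]:
    """Corrected parser: roles are compared case-insensitively."""
    parsed = parse_token(token)
    parsed["role"] = parsed["role"].lower()
    return parsed


# --- higher-level module built on top of the parser -------------------------
def is_authorized(token: str, required_role: str, parser: Parser = parse_token) -> bool:
    """Grant access when the token's role matches the required role."""
    return parser(token)["role"] == required_role


# Constructed test inputs: each token should map to the role 'admin'.
CASES = {"alice:admin": "admin", "alice:Admin": "admin", "BOB:ADMIN": "admin"}


def top_down_test() -> List[str]:
    """Test the top module first, stubbing the module below it.

    Returns the list of errors found. The stub answers with already
    normalised data, so the parser's real behaviour never runs.
    """
    def stub_parser(token: str) -> Dict[str, str]:
        return {"user": "alice", "role": "admin"}

    errors = []
    for token, required in CASES.items():
        if not is_authorized(token, required, parser=stub_parser):
            errors.append(f"is_authorized rejected {token!r}")
    return errors


def bottom_up_test(parser: Parser = parse_token) -> List[str]:
    """Drive the atomic module directly before integrating it upwards."""
    errors = []
    for token, expected_role in CASES.items():
        got = parser(token)["role"]
        if got != expected_role:
            errors.append(f"parse_token({token!r}) role={got!r}, expected {expected_role!r}")
    return errors


if __name__ == "__main__":
    print("top-down errors:  ", top_down_test())
    print("bottom-up errors: ", bottom_up_test())
    print("after fix:        ", bottom_up_test(parse_token_fixed))
```

The point for an authorisation module is that a stub that always returns the happy path makes the top-down suite green while the real parser still lets `alice:Admin` be treated as a non-admin (or, with the opposite bug, lets the wrong principal through); driving the atomic module with real inputs surfaces that before anything is built on it.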

Systems Security Certified Practitioner – SSCP – Question0315

Which of the following is a CHARACTERISTIC of a decision support system (DSS) with regard to threat and risk analysis?

A. DSS is aimed at solving highly structured problems.
B. DSS emphasizes flexibility in the decision making approach of users.
C. DSS supports only structured decision-making tasks.
D. DSS combines the use of models with non-traditional data access and retrieval functions.

Correct Answer: B

Explanation:

DSS emphasizes flexibility in the decision-making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semi-structured decision-making tasks.
Some exam references discuss the DSS alongside the Delphi method or Delphi technique. The Delphi technique is a group decision method used to ensure that each member gives an honest opinion of what he or she thinks the result of a particular threat will be. This avoids a group of individuals feeling pressured to go along with others' thought processes and enables them to participate in an independent and anonymous way. Each member of the group provides his or her opinion of a certain threat and turns it in to the team that is performing the analysis. The results are compiled and distributed to the group members, who then write down their comments anonymously and return them to the analysis group. The comments are compiled and redistributed for more comments until a consensus is formed. This method is used to obtain agreement on cost, loss values, and probabilities of occurrence without individuals having to agree verbally.
Here is the ISC2 book's coverage of the subject: one of the methods that uses consensus relative to the valuation of information is the consensus/modified Delphi method. Participants in the valuation exercise are asked to comment anonymously on the task being discussed. This information is collected and disseminated to a participant other than the original author, who comments upon the observations of the original author. The information gathered is discussed in a public forum and the best course is agreed upon by the group (consensus).
EXAM TIP: Some books treat the DSS and the Delphi method or Delphi technique together. Be familiar with both terms for the purpose of the exam.
The other answers are incorrect:
'DSS is aimed at solving highly structured problems' is incorrect because it is aimed at solving less structured problems.
'DSS supports only structured decision-making tasks' is also incorrect, as it supports semi-structured decision-making tasks.
'DSS combines the use of models with non-traditional data access and retrieval functions' is also incorrect, as it combines the use of models and analytic techniques with traditional data access and retrieval functions.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (p. 91). McGraw-Hill. Kindle Edition.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Information Security Governance and Risk Management ((ISC)2 Press) (Kindle Locations 1424-1426). Auerbach Publications. Kindle Edition.