SSCP Exam Questions

Total 1048 Questions

Last Updated Exam : 30-Dec-2024

Topic 1: Access Control

This baseline sets certain thresholds for specific errors or mistakes allowed and the number of these occurrences that can take place before it is considered suspicious?

A. Checkpoint level
B. Ceiling level
C. Clipping level
D. Threshold level

Answer: C. Clipping level

Organizations usually forgive a particular type, number, or pattern of violations, thus permitting a predetermined number of user errors before gathering this data for analysis. An organization attempting to track all violations, without sophisticated statistical computing ability, would be unable to manage the sheer quantity of such data. To make a violation listing effective, a clipping level must be established.

The clipping level establishes a baseline for violation activities that may be normal user errors. Only after this baseline is exceeded is a violation record produced. This solution is particularly effective for small- to medium-sized installations. Organizations with large-scale computing facilities often track all violations and use statistical routines to cull out the minor infractions (e.g., forgetting a password or mistyping it several times).

If the number of violations being tracked becomes unmanageable, the first step in correcting the problem should be to analyze why the condition has occurred. Do users understand how they are to interact with the computer resource? Are the rules too difficult to follow? Violation tracking and analysis can be valuable tools in assisting an organization to develop thorough but usable controls. Once these are in place and records are produced that accurately reflect serious violations, tracking and analysis become the first line of defense. With this procedure, intrusions are discovered before major damage occurs and sometimes early enough to catch the perpetrator. In addition, business protection and preservation are strengthened.

The following answers are incorrect: All of the other choices presented were simply distractors.

The following reference(s) were used for this question:
Handbook of Information Security Management

Who developed one of the first mathematical models of a multilevel-security computer system?

A. Diffie and Hellman.
B. Clark and Wilson.
C. Bell and LaPadula.
D. Gasser and Lipner.

Answer: C. Bell and LaPadula.

In 1973 Bell and LaPadula created the first mathematical model of a multilevel security system.

The following answers are incorrect:
Diffie and Hellman. This is incorrect because Diffie and Hellman were involved with cryptography.
Clark and Wilson. This is incorrect because Bell and LaPadula was the first model. The Clark-Wilson model came later, in 1987.
Gasser and Lipner. This is incorrect; it is a distractor. Bell and LaPadula was the first model.

To control access by a subject (an active entity such as an individual or process) to an object (a passive entity such as a file) involves setting up:

A. Access Rules
B. Access Matrix
C. Identification controls
D. Access terminal

Answer: A. Access Rules

Controlling access by a subject (an active entity such as an individual or process) to an object (a passive entity such as a file) involves setting up access rules. These rules can be classified into three access control models: Mandatory, Discretionary, and Non-Discretionary.

An access matrix is one of the means used to implement access control.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

Which of the following biometric characteristics cannot be used to uniquely authenticate an individual's identity?

A. Retina scans
B. Iris scans
C. Palm scans
D. Skin scans

Answer: D. Skin scans

The following are typical biometric characteristics that are used to uniquely authenticate an individual's identity:
Fingerprints
Retina scans
Iris scans
Facial scans
Palm scans
Hand geometry
Voice
Handwritten signature dynamics

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.
And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 127-131).

Which access control model achieves data integrity through well-formed transactions and separation of duties?

A. Clark-Wilson model
B. Biba model
C. Non-interference model
D. Sutherland model

Answer: A. Clark-Wilson model

The Clark-Wilson model differs from other models that are subject- and object-oriented by introducing a third access element, programs, resulting in what is called an access triple, which prevents unauthorized users from modifying data or programs. The Biba model uses objects and subjects and addresses integrity based on a hierarchical lattice of integrity levels. The non-interference model is related to the information flow model, with restrictions on the information flow. The Sutherland model approaches integrity by focusing on the problem of inference.

Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 12).
And: KRAUSE, Micki & TIPTON, Harold F., Handbook of Information Security Management, CRC Press, 1997, Domain 1: Access Control.

The three classic ways of authenticating yourself to the computer security software are by something you know, by something you have, and by something:

A. you need.
B. non-trivial
C. you are.
D. you can get.

Answer: C. you are.

This is more commonly known as biometrics and is one of the most accurate ways to authenticate an individual.

The rest of the answers are incorrect because they are not one of the three recognized forms of authentication.

Which of the following floors would be most appropriate to locate information processing facilities in a 6-story building?

A. Basement
B. Ground floor
C. Third floor
D. Sixth floor

Answer: C. Third floor

Your data center should be located in the middle of the facility or the core of a building to provide protection from natural disasters or bombs and to provide easier access for emergency crew members if necessary. By being at the core of the facility, the external wall would act as a secondary layer of protection as well.

Information processing facilities should not be located on the top floors of buildings in case of a fire or flooding coming from the roof. Many crimes and thefts have also been conducted by simply cutting a large hole in the roof.

They should not be in the basement because of flooding, where water has a natural tendency to flow down :-) Even a small amount of water would affect your operation considering the quantity of electrical cabling sitting directly on the cement floor under your raised floor.

The data center should not be located on the first floor due to the presence of the main entrance where people are coming in and out. You have a lot of high-traffic areas such as the elevators, the loading docks, cafeteria, coffee shop, etc. Really a bad location for a data center.

So it was easy to come up with the answer by using the process of elimination, where the top, the bottom, and the basement are all bad choices. That left you with only one possible answer, which is the third floor.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 5th Edition, Page 425.

Which of the following biometric parameters are better suited for authentication use over a long period of time?

A. Iris pattern
B. Voice pattern
C. Signature dynamics
D. Retina pattern

Answer: A. Iris pattern

The iris pattern is considered lifelong. Unique features of the iris are: freckles, rings, rifts, pits, striations, fibers, filaments, furrows, vasculature and coronas.

Voice, signature and retina patterns are more likely to change over time and thus are not as suitable for authentication over a long period of time without needing re-enrollment.

Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1 (derived from the Information Security Management Handbook, 4th Ed., by Tipton & Krause).

Which one of the following factors is NOT one on which Authentication is based?

A. Type 1. Something you know, such as a PIN or password
B. Type 2. Something you have, such as an ATM card or smart card
C. Type 3. Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan
D. Type 4. Something you are, such as a system administrator or security administrator

Answer: D. Type 4. Something you are, such as a system administrator or security administrator

Authentication is based on the following three factor types:
Type 1. Something you know, such as a PIN or password
Type 2. Something you have, such as an ATM card or smart card
Type 3. Something you are (unique physical characteristic), such as a fingerprint or retina scan

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 132-133).

Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense?

A. TCSEC
B. ITSEC
C. DIACAP
D. NIACAP

Answer: A. TCSEC

The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications.

Initially issued by the National Computer Security Center (NCSC), an arm of the National Security Agency, in 1983 and then updated in 1985, TCSEC was replaced with the development of the Common Criteria international standard originally published in 2005.

References:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, pages 197-199.
Wikipedia: http://en.wikipedia.org/wiki/TCSEC
