Topic 1: Access Control
A timely review of system access audit records would be an example of which of the basic
security functions?
A.
avoidance.
B.
deterrence.
C.
prevention.
D.
detection.
detection.
By reviewing system logs you can detect events that have occurred. A review of audit
records happens after the fact, so it is a detective control: it can reveal misuse, but it
cannot stop it.
The following answers are incorrect:
avoidance. This is incorrect; avoidance is a distractor. By reviewing system logs you have
not avoided anything.
deterrence. This is incorrect because system logs are a history of past events. You cannot
deter something that has already occurred.
prevention. This is incorrect because system logs are a history of past events. You cannot
prevent something that has already occurred.
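As an added illustration of the detective function (this is example code, not part of the original question or its source), the script below reviews a batch of system access audit records and flags a burst of failed logons from one source, noting whether a successful logon from that source followed. The sshd-style log lines are constructed, and the threshold and window are assumptions a reviewer would tune to their own environment.

```python
"""Detection from audit records: flag bursts of failed logons per source address.

Added example, not from the page. The log sample is constructed in an
sshd/syslog-like format; threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of system access audit records (not real data).
SAMPLE_LOG = """\
Mar 10 08:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:00:04 host sshd[1203]: Failed password for root from 203.0.113.7 port 51131 ssh2
Mar 10 08:00:06 host sshd[1204]: Failed password for root from 203.0.113.7 port 51133 ssh2
Mar 10 08:00:07 host sshd[1205]: Failed password for oracle from 203.0.113.7 port 51140 ssh2
Mar 10 08:00:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51141 ssh2
Mar 10 08:15:00 host sshd[1300]: Failed password for alice from 198.51.100.2 port 40001 ssh2
Mar 10 08:15:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.2 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2024):
    """Yield (timestamp, result, user, ip) for every sshd authentication record."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated record; a full review would account for these too
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one finding per source with >= threshold failures inside `window`,
    marking whether a success from that source came after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse(log_text):
        (failures if result == "Failed" else successes)[ip].append((ts, user))

    findings = []
    for ip, fails in failures.items():
        fails.sort()
        start = 0                       # sliding window over failure timestamps
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                later_success = any(t >= burst_end for t, _ in successes.get(ip, []))
                findings.append({
                    "ip": ip,
                    "failures": end - start + 1,
                    "users": sorted({u for _, u in fails[start:end + 1]}),
                    "followed_by_success": later_success,
                })
                break
    return findings

if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

The point of the exercise is the timing: the burst and the later success are only visible once somebody (or something) reads the records, which is why the question calls the review "timely" and classes it as detection rather than prevention.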
Logical or technical controls involve the restriction of access to systems and the protection
of information. Which of the following statements pertaining to these types of controls is
correct?
A.
Examples of these types of controls include policies and procedures, security
awareness training, background checks, work habit checks but do not include a review of
vacation history, and also do not include increased supervision.
B.
Examples of these types of controls do not include encryption, smart cards, access lists,
and transmission protocols.
C.
Examples of these types of controls are encryption, smart cards, access lists, and
transmission protocols.
D.
Examples of these types of controls include policies and procedures, security
awareness training, background checks, work habit checks, a review of vacation history,
and increased supervision
Examples of these types of controls are encryption, smart cards, access lists, and
transmission protocols.
Logical or technical controls involve the restriction of access to systems and
the protection of information. Examples of these types of controls are encryption, smart
cards, access lists, and transmission protocols.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.
What are the components of an object's sensitivity label?
A.
A Classification Set and a single Compartment.
B.
A single classification and a single compartment.
C.
A Classification Set and user credentials.
D.
A single classification and a Compartment Set.
A single classification and a Compartment Set.
Both are the components of a sensitivity label.
The following are incorrect:
A Classification Set and a single Compartment. Is incorrect because the nomenclature
"Classification Set" is incorrect; there is only one classification, and it is not a "single
compartment" but a Compartment Set.
A single classification and a single compartment. Is incorrect because while there is only
one classification, it is not a "single compartment" but a Compartment Set.
A Classification Set and user credentials. Is incorrect because the nomenclature
"Classification Set" is incorrect; there is only one classification, and it is not "user
credentials" but a Compartment Set. The user would have their own sensitivity label.
Which of the following statements pertaining to using Kerberos without any extension is
false?
A.
A client can be impersonated by password-guessing.
B.
Kerberos is mostly a third-party authentication protocol.
C.
Kerberos uses public key cryptography.
D.
Kerberos provides robust authentication.
Kerberos uses public key cryptography.
Kerberos is a trusted, credential-based, third-party authentication protocol
that uses symmetric (secret) key cryptography to provide robust authentication to clients
accessing services on a network.
Because a client's password is used in the initiation of the Kerberos request for the service
protocol, password guessing can be used to impersonate a client.
Here is a nice overview of how Kerberos is implemented, as described in RFC 4556:
1. Introduction
The Kerberos V5 protocol [RFC4120] involves use of a trusted third
party known as the Key Distribution Center (KDC) to negotiate shared
session keys between clients and services and provide mutual authentication between them.
The corner-stones of Kerberos V5 are the Ticket and the
Authenticator. A Ticket encapsulates a symmetric key (the ticket
session key) in an envelope (a public message) intended for a
specific service. The contents of the Ticket are encrypted with a
symmetric key shared between the service principal and the issuing
KDC. The encrypted part of the Ticket contains the client principal
name, among other items. An Authenticator is a record that can be
shown to have been recently generated using the ticket session key in
the associated Ticket. The ticket session key is known by the client
who requested the ticket. The contents of the Authenticator are
encrypted with the associated ticket session key. The encrypted part
of an Authenticator contains a timestamp and the client principal
name, among other items.
As shown in Figure 1, below, the Kerberos V5 protocol consists of the
following message exchanges between the client and the KDC, and the
client and the application service:
The Authentication Service (AS) Exchange
The client obtains an "initial" ticket from the Kerberos
authentication server (AS), typically a Ticket Granting Ticket
(TGT). The AS-REQ message and the AS-REP message are the request
and the reply message, respectively, between the client and the
AS.
The Ticket Granting Service (TGS) Exchange
The client subsequently uses the TGT to authenticate and request a
service ticket for a particular service, from the Kerberos
ticket-granting server (TGS). The TGS-REQ message and the TGS-REP
message are the request and the reply message respectively between
the client and the TGS.
The Client/Server Authentication Protocol (AP) Exchange
The client then makes a request with an AP-REQ message, consisting
of a service ticket and an authenticator that certifies the
client's possession of the ticket session key. The server may
optionally reply with an AP-REP message. AP exchanges typically
negotiate session-specific symmetric keys.
Usually, the AS and TGS are integrated in a single device also known
as the KDC.

          +--------+   (1) AS-REQ  / AS-REP    +-----+
          |        |<------------------------->|     |
          | Client |   (2) TGS-REQ / TGS-REP   | KDC |
          |        |<------------------------->|     |
          +--------+                           +-----+
               |
               |   (3) AP-REQ / AP-REP         +-------------+
               +<----------------------------->| Application |
                                               |   Server    |
                                               +-------------+

Figure 1: The Message Exchanges in the Kerberos V5 Protocol
In the AS exchange, the KDC reply contains the ticket session key,
among other items, that is encrypted using a key (the AS reply key)
shared between the client and the KDC. The AS reply key is typically
derived from the client's password for human users. Therefore, for
human users, the attack resistance strength of the Kerberos protocol
is no stronger than the strength of their passwords.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control
systems (page 40).
And
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002,
chapter 4: Access Control (pages 147-151).
and
http://www.ietf.org/rfc/rfc4556.txt
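To make the three exchanges above concrete, here is an added simulation of a Kerberos-style KDC, client and application server that uses only symmetric keys, together with the password-guessing weakness the explanation describes. This is example code written for this page, not code from RFC 4556 or from any Kerberos implementation: the authenticated encryption is a toy HMAC-SHA256 construction standing in for real Kerberos enctypes, the password-to-key derivation is a PBKDF2 stand-in for string-to-key, and the principal names, password and lifetimes are constructed.

```python
"""Kerberos V5-style AS, TGS and AP exchanges simulated with symmetric keys only.

Added example, not code from the page or RFC 4556. The toy authenticated
encryption (HMAC-SHA256 keystream plus HMAC tag) stands in for the real
Kerberos enctypes; principals, passwords and lifetimes are constructed.
"""
import hashlib, hmac, json, os, time

def derive_key(password, principal):
    """AS reply key for a human user: derived from the password (salted with the
    principal name here; real Kerberos uses its string-to-key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """AS and TGS integrated in one KDC holding every principal's long-term key."""
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}

    def add_user(self, name, password):
        self.keys[name] = derive_key(password, name)

    def add_service(self, name):
        self.keys[name] = os.urandom(32)
        return self.keys[name]          # the service holds a copy of its own key

    def _ticket(self, client, service, session_key):
        """Ticket: session key in an envelope encrypted with the service's key."""
        return encrypt(self.keys[service], {"client": client, "service": service,
                                            "key": session_key.hex(), "exp": time.time() + 600})

    def as_exchange(self, as_req):
        """AS-REQ -> AS-REP. Without pre-authentication the KDC hands the reply to
        anyone naming the client; only decrypting it requires the password."""
        client, sk = as_req["client"], os.urandom(32)
        return {"tgt": self._ticket(client, "krbtgt", sk),
                "enc_part": encrypt(self.keys[client], {"key": sk.hex()})}

    def tgs_exchange(self, tgs_req):
        """TGS-REQ (TGT + authenticator) -> TGS-REP (service ticket + enc part)."""
        tgt = decrypt(self.keys["krbtgt"], tgs_req["tgt"])
        auth = decrypt(bytes.fromhex(tgt["key"]), tgs_req["authenticator"])
        if auth["client"] != tgt["client"] or abs(time.time() - auth["ts"]) > 300:
            raise ValueError("authenticator rejected")
        sk = os.urandom(32)
        return {"ticket": self._ticket(tgt["client"], tgs_req["service"], sk),
                "enc_part": encrypt(bytes.fromhex(tgt["key"]), {"key": sk.hex()})}

def client_login(kdc, name, password, service):
    """Client side: AS exchange, then TGS exchange, then build the AP-REQ."""
    as_rep = kdc.as_exchange({"client": name})
    tgt_key = bytes.fromhex(decrypt(derive_key(password, name), as_rep["enc_part"])["key"])
    tgs_rep = kdc.tgs_exchange({"tgt": as_rep["tgt"], "service": service,
                                "authenticator": encrypt(tgt_key, {"client": name, "ts": time.time()})})
    svc_key = bytes.fromhex(decrypt(tgt_key, tgs_rep["enc_part"])["key"])
    return {"ticket": tgs_rep["ticket"],
            "authenticator": encrypt(svc_key, {"client": name, "ts": time.time()})}

def service_verify(service_key, service, ap_req):
    """Application server side of the AP exchange: returns the authenticated
    client name or None. The server never contacts the KDC here."""
    t = decrypt(service_key, ap_req["ticket"])
    a = decrypt(bytes.fromhex(t["key"]), ap_req["authenticator"])
    ok = t["service"] == service and a["client"] == t["client"] and time.time() < t["exp"]
    return t["client"] if ok else None

def guess_password(kdc, name, wordlist):
    """The weakness the page describes: one AS-REP is enough to test guesses
    offline, so a human user's protection is only as strong as the password."""
    enc_part = kdc.as_exchange({"client": name})["enc_part"]
    for guess in wordlist:
        try:
            decrypt(derive_key(guess, name), enc_part)
            return guess
        except ValueError:
            continue
    return None

if __name__ == "__main__":
    kdc = KDC()
    kdc.add_user("alice", "golf001")                 # constructed weak password
    fs_key = kdc.add_service("host/fileserver")
    ap_req = client_login(kdc, "alice", "golf001", "host/fileserver")
    print("authenticated:", service_verify(fs_key, "host/fileserver", ap_req))
    print("guessed:", guess_password(kdc, "alice", ["password", "golf001"]))
```

Note what guess_password needs: a single AS-REP, no further contact with the KDC, and no interaction with the service. That is exactly why the RFC text says the protocol's attack resistance for human users is no stronger than their passwords, and why pre-authentication and the PKINIT extension (RFC 4556) exist.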
Which of the following would be an example of the best password?
A.
golf001
B.
Elizabeth
C.
T1me4g0lF
D.
password
T1me4g0lF
Explanation: The best passwords are those that are both easy to remember and hard to
crack using a dictionary attack. The best way to create passwords that fulfil both criteria is
to use two small unrelated words or phonemes, ideally with upper and lower case characters, a
special character, and/or a number. The following should not be used: common names,
dates of birth, spouse names, phone numbers, words found in dictionaries, or system defaults.
Source: ROTHKE, Ben, CISSP CBK Review presentation on domain 1.
In the Bell-LaPadula model, the Star-property is also called:
A.
The simple security property
B.
The confidentiality property
C.
The confinement property
D.
The tranquility property
The confinement property
The Bell-LaPadula model focuses on data confidentiality and access to
classified information, in contrast to the Biba Integrity Model which describes rules for the
protection of data integrity.
In this formal model, the entities in an information system are divided into subjects and
objects.
The notion of a "secure state" is defined, and it is proven that each state transition
preserves security by moving from secure state to secure state, thereby proving that the
system satisfies the security objectives of the model.
The Bell-LaPadula model is built on the concept of a state machine with a set of allowable
states in a system. The transition from one state to another state is defined by transition
functions. A system state is defined to be "secure" if the only permitted access modes of
subjects to objects are in accordance with a security policy.
To determine whether a specific access mode is allowed, the clearance of a subject is
compared to the classification of the object (more precisely, to the combination of
classification and set of compartments, making up the security level) to determine if the
subject is authorized for the specific access mode.
The clearance/classification scheme is expressed in terms of a lattice. The model defines
two mandatory access control (MAC) rules and one discretionary access control (DAC) rule
with three security properties:
The Simple Security Property - a subject at a given security level may not read an object at
a higher security level (no read-up).
The *-property (read "star"-property) - a subject at a given security level must not write to
any object at a lower security level (no write-down). The *-property is also known as the
Confinement property.
The Discretionary Security Property - use an access control matrix to specify the
discretionary access control.
The transfer of information from a high-sensitivity document to a lower-sensitivity document
may happen in the Bell-LaPadula model via the concept of trusted subjects. Trusted
Subjects are not restricted by the *-property. Untrusted subjects are.
Trusted Subjects must be shown to be trustworthy with regard to the security policy. This
security model is directed toward access control and is characterized by the phrase: "no
read up, no write down." Compare the Biba model, the Clark-Wilson model and the
Chinese Wall.
With Bell-LaPadula, users can create content only at or above their own security level (i.e.
secret researchers can create secret or top-secret files but may not create public files; no
write-down). Conversely, users can view content only at or below their own security level
(i.e. secret researchers can view public or secret files, but may not view top-secret files; no
read-up).
Strong *-Property
The Strong *-Property is an alternative to the *-Property in which subjects may write to
objects with only a matching security level. Thus, the write-up operation permitted in the
usual *-Property is not present, only a write-to-same-level operation. The Strong *-Property
is usually discussed in the context of multilevel database management systems and is
motivated by integrity concerns.
Tranquility principle
The tranquility principle of the Bell-LaPadula model states that the classification of a
subject or object does not change while it is being referenced. There are two forms to the
tranquility principle: the "principle of strong tranquility" states that security levels do not change during the normal operation of the system and the "principle of weak tranquility"
states that security levels do not change in a way that violates the rules of a given security
policy.
Another interpretation of the tranquility principles is that they both apply only to the period
of time during which an operation involving an object or subject is occurring. That is, the
strong tranquility principle means that an object's security level/label will not change during
an operation (such as read or write); the weak tranquility principle means that an object's
security level/label may change in a way that does not violate the security policy during an
operation.
Reference(s) used for this question:
http://en.wikipedia.org/wiki/Biba_Model
http://en.wikipedia.org/wiki/Mandatory_access_control
http://en.wikipedia.org/wiki/Discretionary_access_control
http://en.wikipedia.org/wiki/Clark-Wilson_model
http://en.wikipedia.org/wiki/Brewer_and_Nash_model
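The sensitivity-label question earlier on this page and the Bell-LaPadula rules above describe one mechanism, so here is one added example serving both (example code written for this page, not taken from any of the references): a label is exactly one classification plus a compartment set, dominance is the lattice order on such labels, and a small reference monitor applies the simple security property, the *-property (including its strong and trusted-subject variants) and a DAC access matrix, with a relabel operation that honours tranquility. The classification names, compartments, subjects and objects are constructed; treating "no downgrade" as the policy-preserving change under weak tranquility is this example's interpretation.

```python
"""Sensitivity labels (one classification + a compartment set) and the
Bell-LaPadula access rules built on them.

Added example, not from the page. Classification names, compartments and the
subjects/objects are constructed; the access matrix models the model's
discretionary security property.
"""
from dataclasses import dataclass

CLASSIFICATIONS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """Exactly one classification plus a (possibly empty) set of compartments."""
    classification: str
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.classification!r}")

    def dominates(self, other):
        """Lattice order: classification >= AND compartments are a superset.
        Labels with disjoint compartments are incomparable (neither dominates)."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.compartments >= other.compartments)

def can_read(subject, obj):
    """Simple security property: no read-up; the subject must dominate the object."""
    return subject.dominates(obj)

def can_write(subject, obj, trusted=False, strong=False):
    """*-property: no write-down; the object must dominate the subject.
    strong=True applies the strong *-property (write only at the same level);
    trusted=True marks a trusted subject, which the *-property does not bind."""
    if trusted:
        return True
    if strong:
        return subject == obj
    return obj.dominates(subject)

class ReferenceMonitor:
    """MAC rules combined with a DAC access matrix: both must allow the access."""
    def __init__(self):
        self.subjects, self.objects, self.matrix, self.in_use = {}, {}, {}, {}

    def add_subject(self, name, label, trusted=False):
        self.subjects[name] = (label, trusted)

    def add_object(self, name, label):
        self.objects[name] = label
        self.in_use[name] = 0            # count of operations currently referencing it

    def grant(self, subject, obj, mode):
        self.matrix.setdefault((subject, obj), set()).add(mode)

    def access(self, subject, obj, mode, strong=False):
        s_label, trusted = self.subjects[subject]
        o_label = self.objects[obj]
        if mode not in self.matrix.get((subject, obj), set()):
            return False                 # discretionary security property
        if mode == "read":
            return can_read(s_label, o_label)
        if mode == "write":
            return can_write(s_label, o_label, trusted=trusted, strong=strong)
        raise ValueError(mode)

    def relabel(self, obj, new_label):
        """Tranquility: an object's label must not change while it is referenced;
        outside an operation only a change that keeps the policy intact (this
        example's reading: no downgrade) is accepted, i.e. weak tranquility."""
        if self.in_use[obj] > 0 or not new_label.dominates(self.objects[obj]):
            return False
        self.objects[obj] = new_label
        return True

if __name__ == "__main__":
    researcher = Label("SECRET", frozenset({"CRYPTO"}))
    rm = ReferenceMonitor()
    rm.add_subject("researcher", researcher)
    rm.add_object("public.txt", Label("CONFIDENTIAL"))
    rm.grant("researcher", "public.txt", "write")
    print("write-down allowed:", rm.access("researcher", "public.txt", "write"))  # False
```

Note that a SECRET label with compartment NUCLEAR neither dominates nor is dominated by a SECRET label with compartment CRYPTO: the subject can neither read nor write the other's object, which is what makes compartments a lattice rather than a simple ladder of levels.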
What are called user interfaces that limit the functions that can be selected by a user?
A.
Constrained user interfaces
B.
Limited user interfaces
C.
Mini user interfaces
D.
Unlimited user interfaces
Constrained user interfaces
Constrained user interfaces limit the functions that can be selected by a user.
Another method for controlling access is by restricting users to specific functions based on
their role in the system. This is typically implemented by limiting available menus, data
views, encryption, or by physically constraining the user interfaces.
This is common on devices such as an automated teller machine (ATM).
The advantage of a constrained user interface is that it limits potential avenues of attack
and system failure by restricting the processing options that are available to the user.
On an ATM, if a user does not have a checking account with the bank he or she
will not be shown the “Withdraw money from checking” option. Likewise, an information
system might have an “Add/Remove Users” menu option for administrators, but if a normal,
non-administrative user logs in he or she will not even see that menu option. By not even
identifying potential options for non-qualifying users, the system limits the potentially
harmful execution of unauthorized system or application commands.
Many database management systems have the concept of “views.” A database view is an
extract of the data stored in the database that is filtered based on predefined user or
system criteria. This permits multiple users to access the same database while only having
the ability to access data they need (or are allowed to have) and not data for another user.
The use of database views is another example of a constrained user interface.
The following were incorrect answers:
All of the other choices presented were bogus answers.
The following reference(s) were used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 1989-2002). Auerbach Publications. Kindle
Edition.
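As an added example (not code from the question or the (ISC)2 guide), the script below implements the two constrained interfaces the explanation describes: a menu that only lists the commands a user's role and accounts permit (the ATM "Withdraw money from checking" and "Add/Remove Users" cases), and a database view that returns only the caller's own rows. It also shows the check a practitioner wants alongside a constrained interface: the same authorization decision is repeated where the command executes, because a hidden menu item does not stop a crafted client from sending the command name. The commands, roles and the accounts table are constructed.

```python
"""Constrained user interface: menu filtered by role and account, the same
check repeated at dispatch, and a database view that shows a user only their
own rows.

Added example, not from the page. Commands, roles and the accounts table are
constructed.
"""
import sqlite3

COMMANDS = {
    "balance":           {"roles": {"customer", "admin"}, "label": "Show balance"},
    "withdraw_checking": {"roles": {"customer"}, "needs": "checking",
                          "label": "Withdraw money from checking"},
    "add_user":          {"roles": {"admin"}, "label": "Add/Remove Users"},
}

def allowed(user, spec):
    """A command is available if the user's role may run it and the user holds
    whatever account kind the command needs."""
    return user["role"] in spec["roles"] and spec.get("needs") in (None, *user["accounts"])

def visible_menu(user):
    """Build the menu the user sees: options they cannot use are not listed at all."""
    return [spec["label"] for spec in COMMANDS.values() if allowed(user, spec)]

def dispatch(user, cmd):
    """Hiding a menu item is not authorization. A crafted client can still send the
    command name, so the same check runs again where the command executes."""
    spec = COMMANDS.get(cmd)
    if spec is None or not allowed(user, spec):
        return "DENIED"
    return f"ran {cmd}"

def open_bank_db():
    """In-memory database whose view filters rows by the caller recorded in
    `session`; the application only ever queries the view, never the base table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts(owner TEXT, kind TEXT, balance INTEGER);
        INSERT INTO accounts VALUES ('alice', 'checking', 120),
                                    ('alice', 'savings', 900),
                                    ('bob', 'savings', 50);
        CREATE TABLE session(who TEXT);
        CREATE VIEW my_accounts AS
            SELECT kind, balance FROM accounts
            WHERE owner = (SELECT who FROM session);
    """)
    return db

def my_accounts(db, user):
    """Set the session user, then read through the constrained view only."""
    db.execute("DELETE FROM session")
    db.execute("INSERT INTO session VALUES (?)", (user,))
    return db.execute("SELECT kind, balance FROM my_accounts ORDER BY kind").fetchall()

if __name__ == "__main__":
    bob = {"name": "bob", "role": "customer", "accounts": ["savings"]}
    print(visible_menu(bob))                    # no checking withdrawal offered
    print(dispatch(bob, "withdraw_checking"))   # and refused if requested anyway
    print(my_accounts(open_bank_db(), "bob"))
```

The view depends on the application setting `session` correctly before each request, so like the menu it constrains what the interface exposes; it is not a substitute for database-level privileges that stop the application account from reading `accounts` directly.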
There are parallels between the trust models in Kerberos and Public Key Infrastructure
(PKI). When we compare them side by side, Kerberos tickets correspond most closely to
which of the following?
A.
public keys
B.
private keys
C.
public-key certificates
D.
private-key certificates
public-key certificates
A Kerberos ticket is issued by a trusted third party. It is an encrypted data structure that
binds a client principal name to a session key for a particular service, much as a certificate
binds an identity to a public key. In that sense it is similar to a public-key certificate.
However, the ticket is not the key itself.
The following answers are incorrect:
public keys. Kerberos tickets are not shared out publicly, so they are not like a PKI public
key.
private keys. Although a Kerberos ticket is not shared publicly, it is not a private key.
Private keys belong to asymmetric cryptosystems, which Kerberos (without the PKINIT
extension) does not use. Kerberos uses only symmetric cryptography.
private key certificates. This is a distractor. There is no such thing as a private key
certificate.
In regards to information classification what is the main responsibility of information (data)
owner?
A.
determining the data sensitivity or classification level
B.
running regular data backups
C.
audit the data users
D.
periodically check the validity and accuracy of the data
determining the data sensitivity or classification level
Making the determination of what level of classification the
information requires is the main responsibility of the data owner.
The data owner within classification is a person from management who has been entrusted
with a data set that belongs to the company. It could be, for example, the Chief Financial
Officer (CFO) who has been entrusted with all financial data, or it could be the Human
Resources Director who has been entrusted with all Human Resources data. The information
owner will decide what classification will be applied to the data based on Confidentiality,
Integrity, Availability, Criticality, and Sensitivity of the data.
The Custodian is the technical person who will implement the proper classification on
objects in accordance with the Data Owner. The custodian DOES NOT decide what
classification to apply; it is the Data Owner who will dictate to the Custodian what
classification to apply.
NOTE:
The term Data Owner is also used within Discretionary Access Control (DAC). Within DAC
it means the person who has created an object. For example, if I create a file on my system
then I am the owner of the file and I can decide who else could get access to the file. It is
left to my discretion. Within DAC access is granted based solely on the Identity of the
subject, this is why sometimes DAC is referred to as Identity Based Access Control.
The other choices were not the best answers:
Running regular backups is the responsibility of the custodian.
Auditing the data users is the responsibility of the auditors.
Periodically checking the validity and accuracy of the data is not one of the data owner's
responsibilities.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Page 14, Chapter 1: Security
Management Practices.
Controls like guards and general steps to maintain building security, securing of server
rooms or laptops, the protection of cables, and usage of magnetic switches on doors and
windows are some of the examples of:
A.
Administrative controls
B.
Logical controls
C.
Technical controls
D.
Physical controls
Physical controls
Controls like guards and general steps to maintain building security, securing
of server rooms or laptops, the protection of cables, and usage of magnetic switches on
doors and windows are all examples of Physical Security.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 33.