The scenario describes Discretionary Access Control (DAC). In a DAC model, the owner of an object (such as a file or directory) has the discretion to decide which subjects (users or groups) can access it and what privileges they have (e.g., read, write, execute). This control is typically managed through an Access Control List (ACL) associated with the object, which is precisely what the question outlines. The key characteristic is that the control over access is decentralized and lies with the object's owner.

A. RBAC: In Role-Based Access Control (RBAC), access is determined by the user's assigned role within the organization, not by the discretion of an object's owner.

B. MAC: In Mandatory Access Control (MAC), access decisions are made by a central authority and enforced by the system based on security labels, overriding any owner's wishes.

C. CIA: This is the security triad (Confidentiality, Integrity, Availability), which represents the fundamental goals of information security, not a type of access control mechanism.

1. National Institute of Standards and Technology (NIST) Special Publication 800-192

Verification and Test Methods for Access Control Policies/Models.

Section 2.1

Page 3: "In a system with DAC

an individual user

the owner of an object

can grant or deny access to that object to other users. Access control is at the discretion of the owner." This directly supports the correct answer.

2. Ferraiolo

D. F.

& Kuhn

D. R. (1992). Role-Based Access Control. 15th National Computer Security Conference.

Section 2.1

"Discretionary Access Control": The paper contrasts RBAC with traditional models

stating

"With DAC

the owner of an object has the discretion of granting access to that object to other users." This academic source clearly defines the principle described in the question.

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE

63(9)

1278–1308.

Section I.A.3

"Checking Authorization": This foundational paper discusses access control matrices and lists (ACLs) as a mechanism where "the owner of the segment may be permitted to grant and revoke access to others

" which is the essence of DAC. (DOI: https://doi.org/10.1109/PROC.1975.9939)

4. MIT OpenCourseWare

6.858 Computer Systems Security

Fall 2014. Lecture 3: Privilege Separation.

Section on "Access control models": The course materials differentiate between DAC

where users control access to their own files

and MAC

where a system-wide policy dictates access based on security labels. This aligns with the provided explanation.

The question asks to identify a protocol used by a Virtual Private Network (VPN) specifically for tunneling. Layer 2 Tunneling Protocol (L2TP) is designed for this exact purpose. Its primary function is to create a tunnel across an untrusted network to encapsulate Layer 2 Point-to-Point Protocol (PPP) frames. While L2TP does not provide confidentiality or integrity on its own and is almost always paired with IPSec for security, its fundamental role is that of a tunneling protocol. Therefore, it is the most direct and accurate answer to the question posed.

B. HTTPS: This is an application-layer protocol for secure web communication (HTTP over TLS/SSL). It is not a general-purpose network tunneling protocol for site-to-site VPNs.

C. SSL: Secure Sockets Layer (and its successor, TLS) is a cryptographic protocol that provides security for communications. While used in SSL VPNs, its primary role is encryption, not tunneling itself.

D. IPSec: IPSec is a security protocol suite that operates at the network layer. While its "tunnel mode" creates a secure tunnel, its primary purpose is security (confidentiality, integrity, authentication), not solely tunneling.

1. Kaufman

C.

Hoffman

P.

& Eronen

P. (2013). Network Security: Private Communication in a Public World (2nd ed.). Pearson Education. In Chapter 17

which discusses VPNs

L2TP is explicitly defined as a tunneling protocol that encapsulates PPP packets for transport over an IP network. It is distinguished from IPSec

which is presented as the security mechanism.

2. Townsley

W.

Valencia

A.

Rubens

A.

Pall

G.

Zorn

G.

& Palter

B. (1999). RFC 2661: Layer Two Tunneling Protocol "L2TP". IETF. The abstract states

"This document describes a protocol that allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network." This foundational document defines L2TP's primary purpose as tunneling.

3. Frankel

S.

& Krishnan

S. (2011). NIST Special Publication 800-113: Guide to SSL VPNs. National Institute of Standards and Technology. Section 2.1 explains that SSL VPNs use the SSL protocol and its successor

TLS

to provide remote access

distinguishing its typical use case from the site-to-site scenario described in the question.

4. Kurose

J. F.

& Ross

K. W. (2021). Computer Networking: A Top-Down Approach (8th ed.). Pearson. In Section 8.7

"Securing TCP Connections: SSL

" and Section 8.8

"Network Layer Security: IPsec and Virtual Private Networks

" the text differentiates the roles. It notes that L2TP is a tunneling protocol that "does not provide any encryption or confidentiality on its own" and is often paired with IPSec

which provides the security. This supports the distinction that L2TP's specific role is tunneling.

A structured walk-through test, often referred to as a tabletop exercise, is a discussion-based session where recovery team members convene to review the disaster recovery plan. A facilitator presents a specific disaster scenario, and participants verbally walk through their roles and the plan's procedures. This method is highly cost-effective and efficient because it requires no operational downtime or significant resource allocation. Its primary purpose is to familiarize team members with the plan and to identify procedural gaps, inconsistencies, and areas of overlap between different functional teams before committing to more resource-intensive and disruptive testing methods.

A. Evacuation drill: This tests personnel safety and the physical evacuation of a facility, not the procedural or technical overlaps within the disaster recovery plan itself.

B. Walk-through drill: This is a less formal version of a structured walk-through. The term "structured" implies a more rigorous, scenario-based review specifically designed to identify plan weaknesses like overlaps.

D. Full-scale exercise: This is the most comprehensive and expensive test, involving a real-life simulation with actual system failovers. It is performed after less demanding tests have validated the plan's core logic.

1. National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems.

Section 5.3

"Plan Testing

Training

and Exercises

" Page 48: This section describes various testing methods. It explicitly lists "Tabletop Exercise/Structured Walk-Through Test" and states

"A tabletop exercise is a discussion-based exercise that involves discussion of the CP... This type of test is used to identify weaknesses in the plan." This confirms its role in identifying plan issues in a cost-effective manner.

2. National Institute of Standards and Technology (NIST) Special Publication 800-84

Guide to Test

Training

and Exercise Programs for IT Plans and Capabilities.

Section 5.2

"Tabletop Exercise (TTX)

" Page 17: This document describes a tabletop exercise as "a discussion-based exercise where personnel... meet in a classroom setting... to discuss their roles and responses to a particular emergency situation." It highlights that TTXs are effective for "examining or developing plans

policies

and procedures." This aligns with the goal of finding overlaps before more demanding exercises.

3. Carnegie Mellon University

Software Engineering Institute

CERT Resilience Management Model (CERT-RMM) v1.2.

Section: "Validating Plans and Procedures

" Page 229 (in PDF): The model describes the progression of validation activities

starting with less complex methods like tabletop exercises to validate plans and identify gaps before moving to more complex simulations. It emphasizes that tabletop exercises "can be used to validate plans

procedures

and the knowledge and skills of participants in a low-stress

cost-effective environment."

The Programming and Training phase, also known as the Development/Implementation phase in many SDLC models, is where the architectural and design specifications are translated into actual code and system components. Developers build the software, databases, and other elements "faithfully" according to the blueprints created during the design phase. Concurrently, training materials are often developed, and initial training sessions are planned to prepare users for the system's eventual deployment. This phase is the primary point of creation where the conceptual design becomes a tangible product.

B. Evaluation and acceptance: This phase occurs after programming and is focused on testing and formally accepting the completed system, not on building it from design specifications.

C. Definition: This is an early phase focused on gathering and documenting user and system requirements, which occurs before the detailed design and programming work begins.

D. Initiation: This is the first phase where the need for a system is identified and the project is conceived. No design or development work is performed here.

1. National Institute of Standards and Technology (NIST) Special Publication 800-64 Rev. 2

Security Considerations in the System Development Life Cycle. Section 2.1

"The System Development Life Cycle

" describes the Development/Acquisition Phase. This phase explicitly includes the activities of designing

purchasing

programming

developing

or otherwise constructing the information system. This directly corresponds to the act of incorporating components into design specifications.

2. Pfleeger

S. L.

& Atlee

J. M. (2009). Software Engineering: Theory and Practice (4th ed.). In Chapter 3

"The Software Life Cycle

" the "Implementation" or "Coding" phase is described as the stage where the design is translated into source code

which is the essence of faithfully incorporating the design specifications into the software.

3. University of Virginia

Department of Computer Science Course CS 4730: Software Engineering. Lecture notes on "Software Processes" describe the Implementation and testing phase. It is defined as the stage where "the software design is realized as a set of programs or program units

" directly aligning with the question's description.

A simulation test presents a specific disaster scenario to the incident-response and recovery team, who then “role-play” their actions step-by-step while seated in a conference-room setting. The goal is to discuss the scenario, validate that each participant knows the proper response, and reveal gaps in procedures—exactly the task described in the question. No production systems are interrupted; the exercise is discussion-based but driven by the simulated event rather than a simple line-by-line review of the plan.

A. Full-interruption test ‒ Actually shuts down live operations and transfers processing, not a discussion exercise.

B. Parallel test ‒ Runs systems at an alternate site in parallel with production to verify processing; involves technical processing, not tabletop discussion.

D. Structured walk-through test ‒ Team reviews the plan line-by-line without a detailed scenario; focuses on documentation accuracy rather than eliciting response actions to a simulated event.

1. (ISC)² CISSP Official CBK

5th ed.

Domain 7 “Security Operations”

Disaster-Recovery Testing

Simulation Test description

pp. 394-395.

2. (ISC)² CISSP Official Study Guide

9th ed.

§21.5.3 “Simulation (Table-Top) Test”

p. 979.

3. NIST Special Publication 800-84

“Guide to Test

Training

and Exercise Programs”

§2.3.2 Tabletop/Simulation Exercises

pp. 2-9 – 2-10.

4. Stanford Univ. CS Department course notes “CS 155 – Cybersecurity: Incident Response & DR”

Lecture 18 slides 17-18 (Simulation/table-top definition).

A fence that is 3 to 4 feet (approximately 1 meter) high serves primarily as a psychological and demarcation barrier. Its main purpose is to define a property boundary and discourage casual or opportunistic entry. This height is easily surmounted by a determined individual but is generally sufficient to deter someone who is not actively seeking to trespass. It effectively communicates that an area is private property without providing a significant physical obstacle, thus deterring only casual trespassers.

A. 8 feet: This height constitutes a high-security barrier designed to deter and delay determined intruders, not just casual ones.

C. 2 to 2.5 feet: This height is largely ornamental and can be stepped over easily, offering negligible deterrent value even to a casual trespasser.

D. 6 to 7 feet: This height presents a physical challenge that is difficult to climb, intended to prevent entry from more than just casual trespassers.

1. Fennelly

L. J. (2017). Effective Physical Security (5th ed.). Butterworth-Heinemann. In Chapter 10

"Physical Barriers

" it is explained that fences under 4 feet are primarily for marking boundaries

while fences 6 feet or higher are considered true barriers intended to prevent climbing. This aligns with the 3-4 foot fence being a deterrent for casual trespassers.

2. Garcia

M. L. (2007). The Design and Evaluation of Physical Protection Systems (2nd ed.). Butterworth-Heinemann. Chapter 4

"The Physical Protection System

" discusses the functions of deterrence

detection

and delay. A low fence (3-4 ft) primarily serves the deterrence function against an unmotivated adversary (i.e.

a casual trespasser)

as it offers minimal delay.

3. U.S. Army Corps of Engineers. (2019). Unified Facilities Criteria (UFC) 4-010-01: DoD Minimum Antiterrorism Standards for Buildings. Section B-2.2

"Fences and Walls

" notes that for standoff distance credit

fences must be at least 7 ft (2.1 m) high

implying that shorter fences do not meet the standard for deterring determined adversaries

and thus serve a lesser

more demarcation-focused role.

A checklist test is a fundamental and non-disruptive method for validating a disaster recovery plan. In this test, copies of the plan and relevant checklists are distributed to the members of the disaster recovery team. Each member is responsible for reviewing their assigned sections and tasks to ensure the information is accurate, current, and complete. The primary goals are to familiarize team members with their roles and to identify any gaps or errors in the documentation without impacting live operations. This method serves as a preliminary step before more complex and resource-intensive tests are conducted.

A. Parallel test: This test involves activating the alternate recovery site and running its systems in parallel with the primary production site; it is an operational test, not a document review.

B. Simulation test: This is a role-playing exercise where team members walk through the response to a specific disaster scenario to test procedures and decision-making, which is more interactive than a simple checklist review.

C. Full-interruption test: This is the most comprehensive and disruptive test, involving the shutdown of the primary site and a complete failover of operations to the alternate site.

1. National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1

Contingency Planning Guide for Federal Information Systems. Appendix G

"Contingency Plan Testing

" page G-1

describes the "Checklist/Read-through Test" as: "Copies of the plan are distributed to each functional area for review. The manager from each area reads through the plan and provides feedback to the contingency planning coordinator." This directly matches the scenario in the question.

2. National Institute of Standards and Technology (NIST) Special Publication 800-84

Guide to Test

Training

and Exercise Programs for IT Plans and Capabilities. Section 4.3

"Types of Exercises

" and Table 4-1 on page 20 describe a hierarchy of exercises. The checklist test falls into the most basic category

often preceding more complex exercises like tabletop simulations (Simulation test)

functional exercises (Parallel test)

and full-scale exercises (Full-interruption test).

Output Feedback (OFB) mode transforms a block cipher into a synchronous stream cipher. The keystream is generated by encrypting an initialization vector (IV) repeatedly, independent of the plaintext and ciphertext. Encryption is performed by XORing the plaintext with this keystream. Consequently, a bit error introduced in a ciphertext block during transmission will only affect the corresponding bit in the decrypted plaintext block. This property of not propagating errors allows error-correcting codes, which are designed to handle a limited number of bit errors, to function effectively after decryption.

B. CFB mode: A single-bit error in a ciphertext block corrupts the corresponding plaintext bit and also garbles the entirety of the next decrypted plaintext block.

C. CBC mode: A single-bit error in a ciphertext block completely randomizes the corresponding plaintext block and inverts the identical bit in the subsequent plaintext block.

D. PCBC mode: This mode is explicitly designed for error propagation; an error in one ciphertext block renders all subsequent plaintext blocks incorrect after decryption.

1. Dworkin

M. (2001). Recommendation for Block Cipher Modes of Operation: Methods and Techniques (NIST Special Publication 800-38A). National Institute of Standards and Technology.

Page 15

Section 6.3 (OFB Mode): "A distinguishing property of the OFB mode is that the corruption of any bit of the ciphertext block only affects the corresponding bit of the decrypted plaintext block." This directly supports the choice of OFB.

Page 13

Section 6.2 (CBC Mode): "The corruption of a ciphertext block Cj affects the decryption of two plaintext blocks

Pj and Pj+1." This explains why CBC is incorrect.

Page 17

Section 6.4 (CFB Mode): "...a 1-bit error in a ciphertext segment Cj affects the decryption of the corresponding plaintext segment Pj and the s succeeding plaintext segments..." This explains why CFB is incorrect.

2. Katz

J.

& Lindell

Y. (2014). Introduction to Modern Cryptography (2nd ed.). Chapman and Hall/CRC.

Page 93

Section 3.6.4: Discusses modes of operation

noting that for OFB mode

"flipping the i-th bit of c results in flipping the i-th bit of the recovered plaintext m

and has no other effect." This confirms the non-propagating nature of errors in OFB.

3. Stallings

W. (2017). Cryptography and Network Security: Principles and Practice (7th ed.). Pearson.

Chapter 6

Section 6.5 (Output Feedback Mode): "An advantage of the OFB method is that bit errors in transmission do not propagate. For example

if a bit error occurs in C1

only the recovered P1 is affected..." This contrasts with CBC and CFB

where errors propagate to subsequent blocks.

A brownout is an intentional or unintentional drop in voltage in an electrical power supply system. Utility companies may use brownouts as a measure to manage high demand, thereby preventing a complete system failure (a blackout). This condition perfectly matches the scenario described: there is enough power on the grid to avoid a total loss, but not enough to satisfy the current level of demand, necessitating a voltage reduction.

A. Power Surge: This is a prolonged increase in voltage above the normal level, which is the opposite of the condition described.

B. Power Spike: This is a very short, dramatic increase in voltage, not a reduction due to insufficient power supply.

C. Blackout: This is a total loss of electrical power, which the question explicitly states is being prevented by the event in question.

1. IEEE Std 1159-2019

"IEEE Recommended Practice for Monitoring Electric Power Quality." Section 4.4

"Short Duration Voltage Variations

" and its subsections describe sags (often used interchangeably with brownouts in common parlance) as a decrease in the normal voltage level

distinguishing them from interruptions (blackouts) and swells (surges).

2. National Institute of Standards and Technology (NIST)

"Introduction to Computer Security: The NIST Handbook

" Special Publication 800-12. Chapter 12

"Physical and Environmental Security

" Section 12.5

"Supporting Utilities

" discusses various power problems. It defines a brownout (or voltage sag) as a prolonged drop in voltage

contrasting it with a blackout (power loss) and surges/spikes (power increases).

3. Patterson

D. A.

& Hennessy

J. L. (2017). "Computer Organization and Design RISC-V Edition: The Hardware Software Interface." In discussions on dependability (often in appendices or specific chapters on storage and I/O)

the text addresses power failures. It distinguishes between a complete failure (blackout) and a temporary voltage reduction (brownout/sag)

which can cause system reboots or data corruption without a total power loss. (See discussions on power supplies and system reliability).

Tunneling is the process of encapsulating network packets of one protocol inside the packets of another. For secure remote access, this is the fundamental mechanism used by Virtual Private Networks (VPNs). A remote user, already connected to the Internet, initiates a VPN connection which creates a secure, encrypted "tunnel" to the organization's internal network. The user's private network traffic is encapsulated within public Internet packets, protecting its confidentiality and integrity as it traverses the untrusted public network. This allows the remote user to securely access internal resources as if they were directly connected to the local network.

A. Spoofing: This is a malicious technique used to impersonate another device or user by falsifying data, not a method for establishing a legitimate, secure connection.

B. Packet sniffing: This is the act of intercepting and logging traffic passing over a network. It is a form of eavesdropping and a threat that secure tunneling is designed to prevent.

D. Packet filtering: This is a firewall security function that controls network traffic based on rules. It is a network-side control, not a process initiated by a remote user to create a secure session.

1. National Institute of Standards and Technology (NIST) Special Publication 800-77

Guide to IPsec VPNs. (November 2005). Section 2.1

"IPsec VPNs

" page 2-1. The document states

"IPsec can be used to create a secure channel between... a host and a security gateway... This secure channel is often referred to as a security association (SA) or a tunnel."

2. National Institute of Standards and Technology (NIST) Special Publication 800-113

Guide to SSL VPNs. (July 2008). Section 2.2

"SSL VPNs

" page 2-2. It explains

"Once a user connects to the SSL VPN

a secure tunnel is established between the user’s web browser and the SSL VPN."

3. Saltzer

J. H.

& Kaashoek

M. F. (2009). Principles of Computer System Design: An Introduction. Morgan Kaufmann. Chapter 10

"Networking

" Section 10.5.3

"Virtual Private Networks and Tunnels

" page 448. The text describes tunneling as a method to "carry a packet from a guest protocol by encapsulating it within a packet of a host protocol

" which is the core principle of a VPN.

4. Kurose

J. F.

& Ross

K. W. (2017). Computer Networking: A Top-Down Approach (7th ed.). Pearson. Chapter 8

"Security in Computer Networks

" Section 8.7.2

"IPsec and Virtual Private Networks (VPNs)

" page 747. The text describes IPsec's tunnel mode

which is used for VPNs to create a secure connection between a remote host and a security gateway.