The main purposes of a Regulatory policy are as follows:

It ensures that an organization is following the standard procedures or base practices of operation in

its specific industry.

It gives an organization the confidence that it is following the standard and accepted industry policy.

Answer B and A are incorrect. These are the policy elements of Senior Management Statement of

Policy.

The Chinese Wall Model is the basic security model developed by Brewer and Nash. This model

prevents information flow that may cause a

conflict of interest in an organization representing competing clients. The Chinese Wall Model

provides both privacy and integrity for data.

Answer D is incorrect. The Biba model is a formal state transition system of computer security policy

that describes a set of access

control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of

integrity. The model is designed so that

subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from

a lower level than the subject.

Answer C is incorrect. The Clark-Wilson model provides a foundation for specifying and analyzing an

integrity policy for a computing

system. The model is primarily concerned with formalizing the notion of information integrity.

Information integrity is maintained by preventing

corruption of data items in a system due to either error or malicious intent.

The model's enforcement and certification rules define data items and processes that provide the

basis for an integrity policy. The core of the

model is based on the notion of a transaction.

Answer A is incorrect. The Bell-La Padula Model is a state machine model used for enforcing access

control in government and military

applications. The model is a formal state transition model of computer security policy that describes

a set of access control rules which use

security labels on objects and clearances for subjects. Security labels range from the most sensitive

(e.g.,"Top Secret"), down to the least

sensitive (e.g., "Unclassified" or "Public").

The Bell-La Padula model focuses on data confidentiality and controlled access to classified

information, in contrast to the Biba Integrity Model

which describes rules for the protection of data integrity.

The following procedural patterns are defined by the DARPA paper in order to perform secure

software development practices:

Build the server from the ground up: It includes the following features:

Build the server from the ground up.

Identify the default installation of the operating system and applications.

Support hardening procedures to remove unnecessary services.

Identify a vulnerable service for ongoing risk management.

Choose the right stuff: It defines guidelines to select right commercial off-the-shelf (COTS)

components and decide whether to use and

build custom components.

Document the server configuration: It supports the creation of an initial configuration baseline and

tracks all modifications made to

servers and application configurations.

Patch proactively: It supports in applying patches as soon as they are available rather than waiting

until the systems cooperate.

Red team the design: It supports an independent security assessment from the perspective of an

attacker in the quality assurance or

testing stage. An independent security assessment is helpful in addressing a security issue before it

occurs.

Answer A is incorrect. Hidden implementation pattern is not defined in the DARPA paper. This

pattern is applicable to software

assurance in general. Hidden implementation limits the ability of an attacker to distinguish the

internal workings of an application.

Answer E is incorrect. Password propagation is not defined in the DARPA paper. This pattern is

applicable to aspects of authentication

in a Web application. Password propagation provides an alternative by requiring that a user's

authentication credentials be verified by the

database before providing access to that user's data.

It is the evaluation and acceptance phase of the SDLC, which meets the following audit objectives:

System and data are validated.

System meets all user requirements.

System meets all control requirements

Answer D is incorrect. During the initiation phase, the need for a system is expressed and the

purpose of the system is documented.

Answer C is incorrect. During the definition phase, users' needs are defined and the needs are

translated into requirements

statements that incorporate appropriate controls.

Answer B is incorrect. During the programming and training phase, the software and other

components of the system are faithfully

incorporated into the design specifications. Proper documentation and training are provided in this

phase.

BCP is a strategy to minimize the consequence of the instability and to allow for the continuation of

business processes. The goal of BCP is to

minimize the effects of a disruptive event on a company, and is formed to avoid interruptions to

normal business activity.

Business Continuity Planning (BCP) is the creation and validation of a practiced logistical plan for how

an organization will recover and restore

partially or completely interrupted critical (urgent) functions within a predetermined time after a

disaster or extended disruption. The logistical

plan is called a business continuity plan.

Answer B is incorrect. A contingency plan is a plan devised for a specific situation when things could

go wrong. Contingency plans are

often devised by governments or businesses who want to be prepared for anything that could

happen. Contingency plans include specific

strategies and actions to deal with specific variances to assumptions resulting in a particular

problem, emergency, or state of affairs. They also

include a monitoring process and "triggers" for initiating planned actions. They are required to help

governments, businesses, or individuals to

recover from serious incidents in the minimum time with minimum cost and disruption.

Answer C is incorrect. Disaster recovery planning is a subset of a larger process known as business

continuity planning and should

include planning for resumption of applications, data, hardware, communications (such as

networking), and other IT infrastructure. A business

continuity plan (BCP) includes planning for non-IT related aspects such as key personnel, facilities,

crisis communication, and reputation

protection, and should refer to the disaster recovery plan (DRP) for IT-related infrastructure

recovery/continuity.

Answer A is incorrect. The Continuity Of Operation Plan (COOP) refers to the preparations and

institutions maintained by the United

States government, providing survival of federal government operations in the case of catastrophic

events. It provides procedures and

capabilities to sustain an organization's essential. COOP is the procedure documented to ensure

persistent critical operations throughout any

period where normal operations are unattainable.

Non repudiation refers to mechanisms that prevent a party from falsely denying involvement in

some data transaction.

The various categories of root cause analysis (RCA) are as follows:

Safety-based RC

A. It consists of plans from the health and safety areas.

Production-based RCA. It integrates quality control paradigms.

Process-based RCA. It integrates business processes.

Failure-based RCA. It integrates failure analysis processes as employed in engineering and

maintenance.

Systems-based RCA. It integrates the methods from risk and systems analysis.

The Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)

is a process defined by the United States

Department of Defense (DoD) for managing risk.

The Certification Determination and Accreditation phase is the third phase in the DIACAP process. Its

subordinate tasks are as follows:

Analyze residual risk.

Issue certification determination.

Make accreditation decision.

Answer A is incorrect. Phase 1 is known as Initiate and Plan IA C&A.

Answer C is incorrect. Phase 2 is used to implement and validate assigned IA controls.

Answer E is incorrect. Phase 3 is used to make certification determination and accreditation

decisions.

Answer B is incorrect. Phase 5 is known as decommission system and is used to conduct activities

related to the disposition of the

system data and objects.

A life cycle model helps to provide an insight into the development process and emphasizes on the relationships among the different activities in this process. This model describes a structured approach to the development and adjustment process involved in producing and maintaining systems. The life cycle model addresses specifications, design, requirements, verification and validation, and maintenance activities.

Programmatic security applies the internal security policies of the software applications when they are deployed. In this type of security, the code of the software application controls the security behavior, and authentication decisions are made based on the business logic, such as the user role or the task performed by the user in a specific security context.