Topic 1: Access Control
Which of the following is the FIRST step in protecting data's confidentiality?
A.
Install a firewall
B.
Implement encryption
C.
Identify which information is sensitive
D.
Review all user access rights
Identify which information is sensitive
Before confidentiality controls can be chosen, the organization must first identify which information is sensitive. Firewalls, encryption and access reviews are all protection mechanisms applied to the data once its sensitivity is known.
The following answers are incorrect because:
Install a firewall is incorrect, as this would come after the information has been classified by sensitivity level. Implement encryption is also incorrect, as it is one of the mechanisms used to protect the data once it has been identified.
Review all user access rights is also incorrect, as this too is a protection mechanism applied to the identified information.
Reference: Shon Harris, CISSP All-in-One Exam Guide (AIO), 3rd Edition, Chapter 4: Access Control, page 126.
In biometric identification systems, the parts of the body conveniently available for
identification are:
A.
neck and mouth
B.
hands, face, and eyes
C.
feet and hair
D.
voice and neck
hands, face, and eyes
Implementation of fast, accurate, reliable, and user-acceptable biometric identification
systems is already under way. Because most identity authentication takes place when
people are fully clothed (neck to feet and wrists), the parts of the body conveniently
available for this purpose are the hands, face, and eyes.
From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management
Handbook, 4th Edition, Volume 1, Page 7.
What is the PRIMARY use of a password?
A.
Allow access to files
B.
Identify the user.
C.
Authenticate the user.
D.
Segregate various users' accesses.
Authenticate the user.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation
Which authentication technique best protects against hijacking?
A.
Static authentication
B.
Continuous authentication
C.
Robust authentication
D.
Strong authentication
Continuous authentication
Continuous authentication provides protection against impostors who can see, alter, and
insert information passed between the claimant and verifier even after the
claimant/verifier authentication is complete, because every message, not just the initial
exchange, is authenticated. This is the best protection against hijacking.
Static authentication is the type of authentication provided by traditional password
schemes; its strength depends entirely on the difficulty of guessing passwords. Robust
authentication relies on dynamic authentication data that changes with each authenticated
session between a claimant and a verifier (one-time passwords, challenge/response); it
defeats replay of the login but does not protect against hijacking of the session once it is
established. Strong authentication refers to two-factor authentication (for example,
something a user knows combined with something a user is).
Source: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management
Handbook, 4th edition (volume 1), 2000, CRC Press, Chapter 3: Secured Connections to
External Networks (page 51).
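Why continuous authentication defeats hijacking while static authentication does not, as an added example that is not from the cited handbook. The protocol is a constructed toy: after a password login, the continuous scheme binds every subsequent message to the session with an HMAC-SHA256 tag over a sequence number and the payload under a session key (assumed here to be delivered by the login exchange; a real protocol would derive it with a key agreement), so an impostor who can observe and inject traffic can neither forge nor replay. The static scheme checks the password once and trusts everything afterwards. Account names, passwords and messages are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional


def pw_hash(password: bytes) -> bytes:
    # Demo only: a real verifier stores a salted, slow password hash.
    return hashlib.sha256(password).digest()


def hmac_tag(key: bytes, seq: int, payload: bytes) -> bytes:
    """Per-message tag binding sequence number and payload to the session key."""
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class StaticVerifier:
    """Static authentication: the password is checked once at login; every later
    message on the channel is trusted without any check."""

    def __init__(self, password: bytes):
        self._stored = pw_hash(password)
        self.authenticated = False

    def login(self, password: bytes) -> bool:
        self.authenticated = hmac.compare_digest(pw_hash(password), self._stored)
        return self.authenticated

    def receive(self, payload: bytes) -> bool:
        return self.authenticated           # nothing ties this message to the claimant


class ContinuousVerifier:
    """Continuous authentication: every message must carry a valid tag under the
    session key and the next expected sequence number."""

    def __init__(self, password: bytes):
        self._stored = pw_hash(password)
        self.session_key: Optional[bytes] = None
        self.expected_seq = 0

    def login(self, password: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(pw_hash(password), self._stored):
            return None
        # Assumption for the demo: the login exchange hands this key to the claimant.
        self.session_key = os.urandom(32)
        self.expected_seq = 0
        return self.session_key

    def receive(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if self.session_key is None or seq != self.expected_seq:
            return False                    # replayed or out-of-order message
        if not hmac.compare_digest(hmac_tag(self.session_key, seq, payload), tag):
            return False                    # forged or altered message
        self.expected_seq += 1
        return True


def hijack_static(password: bytes) -> bool:
    """True if an impostor's injected command is accepted after a legitimate login."""
    v = StaticVerifier(password)
    if not v.login(password):
        raise RuntimeError("legitimate login failed")
    return v.receive(b"transfer 1000 to attacker")   # impostor injects after login


def hijack_continuous(password: bytes) -> dict:
    """Outcome of the same attack against the continuous scheme."""
    v = ContinuousVerifier(password)
    key = v.login(password)
    seq, msg = 0, b"balance?"
    tag = hmac_tag(key, seq, msg)
    legit = v.receive(seq, msg, tag)                                     # claimant's own message
    forged = v.receive(1, b"transfer 1000 to attacker", os.urandom(32))  # impostor has no key
    replay = v.receive(seq, msg, tag)                                    # impostor replays what it saw
    return {"legit": legit, "forged": forged, "replay": replay}


if __name__ == "__main__":
    print("static scheme accepts injected command:", hijack_static(b"hunter2"))
    print("continuous scheme:", hijack_continuous(b"hunter2"))
```

The sequence number is what turns per-message authentication into continuous authentication: without it the forged message is still rejected, but an observed message could be replayed indefinitely.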
Which of the following questions is less likely to help in assessing identification and
authentication controls?
A.
Is a current list maintained and approved of authorized users and their access?
B.
Are passwords changed at least every ninety days or earlier if needed?
C.
Are inactive user identifications disabled after a specified period of time?
D.
Is there a process for reporting incidents?
Is there a process for reporting incidents?
Identification and authentication is a technical measure that prevents
unauthorized people (or unauthorized processes) from entering an IT system. Access
control usually requires that the system be able to identify and differentiate among users.
Reporting incidents is more related to incident response capability (operational control)
than to identification and authentication (technical control).
Source: SWANSON, Marianne, NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001 (pages A-30 to A-32).
Which of the following is NOT a form of detective administrative control?
A.
Rotation of duties
B.
Required vacations
C.
Separation of duties
D.
Security reviews and audits
Separation of duties
Detective administrative controls warn of administrative control violations.
Rotation of duties, required vacations and security reviews and audits are forms of
detective administrative controls. Separation of duties is the practice of dividing the steps in
a system function among different individuals, so as to keep a single individual from
subverting the process, thus a preventive control rather than a detective control.
Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0 (March 2002).
Like the Kerberos protocol, SESAME is also subject to which of the following?
A.
timeslot replay
B.
password guessing
C.
symmetric key guessing
D.
asymmetric key guessing
password guessing
SESAME is an authentication and access control protocol that also supports
communication confidentiality and integrity. It provides public key based authentication
alongside Kerberos-style authentication, which uses symmetric key cryptography.
SESAME supports the Kerberos protocol and adds security extensions such as public key
based authentication and an ECMA-style Privilege Attribute Service.
Users under SESAME can authenticate using either symmetric encryption, as in Kerberos,
or public key authentication. When symmetric key authentication is used, as in Kerberos,
SESAME is vulnerable to password guessing just as Kerberos is: the symmetric key is
derived from the password the user entered at logon, so a simple password can be guessed
and the key compromised. Even where Kerberos or SESAME is deployed, strong password
discipline is still required.
The basic mechanism in SESAME for strong authentication is as follows. The user sends a
request for authentication to the Authentication Server as in Kerberos, except that SESAME
uses public key cryptography for authentication: the client presents its digital certificate
and the request is signed with a digital signature. The signature is communicated to the
authentication server through the preauthentication fields. Upon receipt of this request,
the authentication server verifies the certificate, then validates the signature, and if both
check out the AS issues a ticket granting ticket (TGT) as in Kerberos. This TGT is used to
communicate with the Privilege Attribute Server (PAS) when access to a resource is needed.
Users may authenticate using either a public key pair or a conventional (symmetric) key. If
public key cryptography is used, public key data is transported in preauthentication data
fields to help establish identity.
Kerberos uses tickets for authenticating subjects to objects; SESAME uses Privilege
Attribute Certificates (PACs), which contain the subject's identity, access capabilities for
the object, access time period, and lifetime of the PAC. The PAC is digitally signed so that
the object can validate that it came from the trusted authentication server, which is
referred to as the Privilege Attribute Server (PAS). The PAS holds a role similar to that of
the KDC within Kerberos. After a user successfully authenticates to the authentication
service (AS), he is presented with a token to give to the PAS. The PAS then creates a PAC
for the user to present to the resource he is trying to access.
Reference(s) used for this question:
http://srg.cs.uiuc.edu/Security/nephilim/Internal/SESAME.txt
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 43.
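Why a password-derived symmetric key, as used by Kerberos and by SESAME's symmetric mode, is exposed to offline password guessing, as an added example that is not from the cited sources. The protocol is a constructed simplification: the long-term key is PBKDF2(password, salt = principal name), and the pre-authentication the client sends is a timestamp plus a MAC over it under that key, standing in for Kerberos' encrypted timestamp. An attacker who captures the pre-authentication data can test candidate passwords locally, never contacting the KDC, so account lockout does not help; only password strength does. Principal names, passwords, the wordlist and the iteration count are assumptions made for the demo.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 1000     # assumption: kept low so the demo runs fast


def derive_key(password: str, principal: str) -> bytes:
    """Long-term key derived from the password; the principal name acts as salt,
    so one precomputed table cannot cover every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), PBKDF2_ITERATIONS)


def preauth(password: str, principal: str, timestamp: str) -> Tuple[str, str, bytes]:
    """Client side: what the AS receives as pre-authentication
    (a MAC over the timestamp stands in for the encrypted timestamp)."""
    tag = hmac.new(derive_key(password, principal), timestamp.encode(), hashlib.sha256).digest()
    return principal, timestamp, tag


def as_verify(stored_keys: dict, principal: str, timestamp: str, tag: bytes) -> bool:
    """Authentication server side: recompute under the stored long-term key."""
    expected = hmac.new(stored_keys[principal], timestamp.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def offline_guess(captured: Tuple[str, str, bytes], wordlist: List[str]) -> Optional[str]:
    """Attacker side: each candidate is tested locally against the captured data;
    the AS never sees these attempts, so lockout and rate limiting do not apply."""
    principal, timestamp, tag = captured
    for candidate in wordlist:
        guess = hmac.new(derive_key(candidate, principal), timestamp.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, tag):
            return candidate
    return None


WORDLIST = ["123456", "password", "winter2023", "letmein", "qwerty"]   # constructed sample


def demo() -> dict:
    ts = "20240101120000Z"
    weak = preauth("winter2023", "alice@EXAMPLE.REALM", ts)
    strong = preauth("p3C%k9!vQ2zr$Lm8", "bob@EXAMPLE.REALM", ts)
    kdc_keys = {"alice@EXAMPLE.REALM": derive_key("winter2023", "alice@EXAMPLE.REALM")}
    return {
        "kdc_accepts": as_verify(kdc_keys, *weak),     # the legitimate login works
        "weak": offline_guess(weak, WORDLIST),         # recovered from the wordlist
        "strong": offline_guess(strong, WORDLIST),     # not in the wordlist
    }


if __name__ == "__main__":
    print(demo())
```

The same structure explains why SESAME's public key mode removes this exposure: when the client authenticates with a certificate and signature, nothing the AS receives is derived from a password, so there is nothing for the captured traffic to be guessed against.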
Which type of control is concerned with restoring controls?
A.
Compensating controls
B.
Corrective controls
C.
Detective controls
D.
Preventive controls
Corrective controls
Corrective controls are concerned with remedying circumstances and restoring controls
after an incident.
Detective controls are concerned with investigating what happened after the fact, such as
reviewing logs and video surveillance tapes.
Compensating controls are alternative controls, used to compensate weaknesses in other
controls.
Preventive controls are concerned with avoiding occurrences of risks.
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation
Which division of the Orange Book deals with discretionary protection (need-to-know)?
A.
D
B.
C
C.
B
D.
A
C
Division C deals with discretionary protection. The TCSEC division matrix (image not reproduced here) summarizes the four divisions:
The following are incorrect answers:
D is incorrect. D deals with minimal security.
B is incorrect. B deals with mandatory protection.
A is incorrect. A deals with verified protection.
Reference(s) used for this question:
CBK, pp. 329-330, and Shon Harris, CISSP All-in-One Exam Guide (AIO), 6th Edition, pages 392-393.
Another type of access control is lattice-based access control. In this type of control a
lattice model is applied. How is this type of access control concept applied?
A.
The pair of elements is the subject and object, and the subject has an upper bound
equal or higher than the upper bound of the object being accessed.
B.
The pair of elements is the subject and object, and the subject has an upper bound
lower than the upper bound of the object being accessed.
C.
The pair of elements is the subject and object, and the subject has no special upper or
lower bound needed within the lattice.
D.
The pair of elements is the subject and object, and the subject has no access rights in
relation to an object.
The pair of elements is the subject and object, and the subject has an upper bound
equal or higher than the upper bound of the object being accessed.
To apply this concept to access control, the pair of elements is the subject and object, and
the subject must have an upper bound equal to or higher than that of the object being
accessed; in lattice terms, the subject's label dominates the object's label.
Wikipedia has a good explanation as well:
In computer security, lattice-based access control (LBAC) is a complex access control
model based on the interaction between any combination of objects (such as resources,
computers, and applications) and subjects (such as individuals, groups or organizations).
In this type of label-based mandatory access control model, a lattice is used to define the
levels of security that an object may have and that a subject may have access to. The
subject is only allowed to access an object if the security level of the subject is greater than
or equal to that of the object.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 34.
and
http://en.wikipedia.org/wiki/Lattice-based_access_control
Which access control model was proposed for enforcing access control in government and
military applications?
A.
Bell-LaPadula model
B.
Biba model
C.
Sutherland model
D.
Brewer-Nash model
Bell-LaPadula model
The Bell-LaPadula model, concerned mostly with confidentiality, was proposed for
enforcing access control in government and military applications. It supports mandatory
access control by determining access rights from the security levels associated with
subjects and objects, and it also supports discretionary access control by checking access
rights against an access matrix. The Biba model, introduced in 1977, and the Sutherland
model, published in 1986, are concerned with integrity; the Brewer-Nash model, published
in 1989, addresses conflicts of interest (the Chinese Wall policy) in commercial settings.
None of the three was designed for government and military confidentiality.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control
Systems and Methodology (page 11).
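The dominance check that both the lattice-based access control question and the Bell-LaPadula question above rest on, as an added example that is not from the cited sources. A label is a (level, set of categories) pair; a subject's label dominates an object's label when its level is at least as high and its category set is a superset, which is the partial order of the lattice. Bell-LaPadula's mandatory rules (no read up, no write down), its discretionary access matrix, and the Biba rules for contrast are all built on that one check. The levels, category names, labels and matrix contents are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Partial order of the lattice: self >= other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def join(a: Label, b: Label) -> Label:
    """Least upper bound of two labels: the label an object derived from both must carry."""
    top = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(top, a.categories | b.categories)


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)          # simple security property


def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)          # *-property


# Biba (integrity) is the dual: no read down, no write up.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)


AccessMatrix = Dict[str, Dict[str, Set[str]]]   # subject -> object -> permitted modes


def blp_access(subject: str, s_label: Label, obj: str, o_label: Label,
               mode: str, matrix: AccessMatrix) -> bool:
    """BLP grants access only when the MAC rule and the DAC matrix both allow it."""
    mac_ok = blp_can_read(s_label, o_label) if mode == "read" else blp_can_write(s_label, o_label)
    dac_ok = mode in matrix.get(subject, {}).get(obj, set())
    return mac_ok and dac_ok


# Constructed labels and matrix for the demo (assumptions, not from the page).
ALICE = Label("SECRET", frozenset({"NUCLEAR"}))
OBJECTS = {
    "plan": Label("CONFIDENTIAL", frozenset({"NUCLEAR"})),          # below ALICE
    "keys": Label("SECRET", frozenset({"NUCLEAR", "CRYPTO"})),       # above ALICE (more categories)
    "briefing": Label("TOP SECRET"),                                 # incomparable with ALICE
}
MATRIX: AccessMatrix = {
    "alice": {"plan": {"read", "write"}, "keys": {"read", "write"}, "briefing": {"read"}},
}


def demo() -> Dict[str, Dict[str, bool]]:
    """Per object: the MAC-only answers and the combined MAC+DAC decision for alice."""
    out = {}
    for name, label in OBJECTS.items():
        out[name] = {
            "blp_read": blp_can_read(ALICE, label),
            "blp_write": blp_can_write(ALICE, label),
            "biba_read": biba_can_read(ALICE, label),
            "access_read": blp_access("alice", ALICE, name, label, "read", MATRIX),
            "access_write": blp_access("alice", ALICE, name, label, "write", MATRIX),
        }
    return out


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
    print("join(plan, briefing) =", join(OBJECTS["plan"], OBJECTS["briefing"]))
```

The "briefing" object is the case the lattice question is really about: its level is higher than alice's but it lacks her category, so neither label dominates the other and both BLP rules refuse, even though the DAC matrix would have allowed the read. The join shows why a lattice rather than a simple ordering is needed: the least label that covers both "plan" and "briefing" is one that exists in neither.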
Which security model introduces access to objects only through programs?
A.
The Biba model
B.
The Bell-LaPadula model
C.
The Clark-Wilson model
D.
The information flow model
The Clark-Wilson model
In the Clark-Wilson model, the subject no longer has direct access to objects but instead must access them through programs (well -formed transactions).
The Clark–Wilson integrity model provides a foundation for specifying and analyzing an
integrity policy for a computing system.
The model is primarily concerned with formalizing the notion of information integrity.
Information integrity is maintained by preventing corruption of data items in a system due to
either error or malicious intent. An integrity policy describes how the data items in the
system should be kept valid from one state of the system to the next and specifies the
capabilities of various principals in the system. The model defines enforcement rules and
certification rules.
Clark–Wilson is more clearly applicable to business and industry processes in which the
integrity of the information content is paramount at any level of classification.
Integrity goals of the Clark-Wilson model:
Prevent unauthorized users from making modifications (only this goal is addressed by the
Biba model).
Separation of duties prevents authorized users from making improper modifications.
Well formed transactions: maintain internal and external consistency i.e. it is a series of
operations that are carried out to transfer the data from one consistent state to the other.
The following are incorrect answers:
The Biba model is incorrect. The Biba model is concerned with integrity and controls
access to objects based on a comparison of the integrity level of the subject to that of the
object.
The Bell-LaPadula model is incorrect. The Bell-LaPadula model is concerned with
confidentiality and controls access to objects based on a comparison of the clearance level
of the subject to the classification level of the object.
The information flow model is incorrect. The information flow model uses a lattice where
objects are labelled with security classes and information can flow either upward or at the
same level. It is similar in framework to the Bell-LaPadula model.
References:
ISC2 Official Study Guide, pages 325-327
AIO3, pp. 284-287
AIOv4 Security Architecture and Design (pages 338-342)
AIOv5 Security Architecture and Design (pages 341-344)
Wikipedia at: https://en.wikipedia.org/wiki/Clark-Wilson_model
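A minimal Clark-Wilson enforcement kernel, as an added example that is not from the cited sources. It shows the three mechanisms the explanation above describes: constrained data items (CDIs) are held privately and reachable only through certified transformation procedures (TPs), never directly; a TP runs for a user on a CDI only if an access triple (user, TP, CDI) has been granted; every TP runs on a working copy and commits only if the integrity verification procedure (IVP) accepts the resulting state, which is what makes it a well-formed transaction; and separation of duties is enforced by refusing to give one user both of a pair of conflicting TPs. The ledger, user names, TP names and the conflict pair are assumptions made for the demo.

```python
from typing import Callable, Dict, List, Set, Tuple


class IntegrityViolation(Exception):
    pass


# Assumption for the demo: the person who moves funds may not also be the one who audits them.
CONFLICTING_TPS = {frozenset({"transfer", "audit"})}


class ClarkWilsonKernel:
    def __init__(self):
        self._cdis: Dict[str, int] = {}          # constrained data items; no public getter
        self._tps: Dict[str, Callable] = {}      # certified transformation procedures
        self._triples: Set[Tuple[str, str, str]] = set()   # (user, tp, cdi) permissions
        self._ivps: List[Callable[[Dict[str, int]], bool]] = []
        self.log: List[tuple] = []               # append-only record of every committed TP

    def add_cdi(self, name: str, value: int) -> None:
        self._cdis[name] = value

    def add_ivp(self, ivp: Callable[[Dict[str, int]], bool]) -> None:
        self._ivps.append(ivp)

    def certify_tp(self, name: str, fn: Callable) -> None:
        self._tps[name] = fn                     # only certified TPs may touch CDIs

    def allow(self, user: str, tp: str, cdi: str) -> None:
        """Grant an access triple, refusing combinations that break separation of duties."""
        held = {t for (u, t, _) in self._triples if u == user}
        for other in held:
            if frozenset({tp, other}) in CONFLICTING_TPS:
                raise IntegrityViolation(f"{user} may not hold both {tp} and {other}")
        self._triples.add((user, tp, cdi))

    def valid_state(self) -> bool:
        return all(ivp(self._cdis) for ivp in self._ivps)

    def execute(self, user: str, tp: str, cdis: List[str], *args):
        """Run a TP as a well-formed transaction: authorise, apply to a copy, verify, commit."""
        if tp not in self._tps:
            raise IntegrityViolation(f"{tp} is not a certified TP")
        for cdi in cdis:
            if (user, tp, cdi) not in self._triples:
                raise IntegrityViolation(f"no access triple ({user}, {tp}, {cdi})")
        working = {c: self._cdis[c] for c in cdis}
        result = self._tps[tp](working, *args)
        candidate = dict(self._cdis, **working)
        if not all(ivp(candidate) for ivp in self._ivps):
            raise IntegrityViolation("transaction would leave CDIs in an invalid state")
        self._cdis = candidate                   # commit only a verified state
        self.log.append((user, tp, tuple(cdis), args))
        return result


# Two certified TPs for the demo ledger.
def transfer(items: Dict[str, int], src: str, dst: str, amount: int) -> None:
    items[src] -= amount
    items[dst] += amount


def audit(items: Dict[str, int]) -> Dict[str, int]:
    return dict(items)                           # the only sanctioned way to read balances


def build_demo() -> ClarkWilsonKernel:
    k = ClarkWilsonKernel()
    k.add_cdi("acct_a", 100)
    k.add_cdi("acct_b", 50)
    k.add_ivp(lambda cdis: sum(cdis.values()) == 150)              # funds are conserved
    k.add_ivp(lambda cdis: all(v >= 0 for v in cdis.values()))     # no overdraft
    k.certify_tp("transfer", transfer)
    k.certify_tp("audit", audit)
    for c in ("acct_a", "acct_b"):
        k.allow("teller", "transfer", c)
        k.allow("auditor", "audit", c)
    return k


def demo() -> dict:
    k = build_demo()
    out = {}
    k.execute("teller", "transfer", ["acct_a", "acct_b"], "acct_a", "acct_b", 30)
    out["after_transfer"] = k.execute("auditor", "audit", ["acct_a", "acct_b"])
    for label, user, amount in (("overdraft", "teller", 500), ("unauthorised", "auditor", 1)):
        try:
            k.execute(user, "transfer", ["acct_a", "acct_b"], "acct_a", "acct_b", amount)
            out[label] = "committed"
        except IntegrityViolation:
            out[label] = "rejected"
    try:
        k.allow("teller", "audit", "acct_a")     # would let the teller check his own work
        out["sod"] = "granted"
    except IntegrityViolation:
        out["sod"] = "refused"
    out["valid"] = k.valid_state()
    out["log_entries"] = len(k.log)
    return out


if __name__ == "__main__":
    print(demo())
```

The overdraft case is the one to note: the TP itself contains no balance check, yet the transaction is still refused, because the IVP runs on the candidate state before anything is committed. That is the difference between Clark-Wilson and Biba in the text above: Biba only asks who may write, while Clark-Wilson also asks whether the result is still a valid state.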