PrepAway - Latest Free Exam Questions & Answers

Which of the following is not classified as “Security and Audit Frameworks and Methodologies”?

A. Bell LaPadula

B. Committee of Sponsoring Organizations of the Treadway Commission (COSO)

C. IT Infrastructure Library (ITIL)

D. Control Objectives for Information and related Technology (COBIT)

Explanation:
The Bell-LaPadula model is a security model, not a security and audit framework or methodology. The Bell-LaPadula model is a subject-to-object model. An example would be how you (subject) could read a data element (object) from a specific database and write data into that database. The Bell-LaPadula model focuses on ensuring that subjects are properly authenticated—by having the necessary security clearance, need to know, and formal access approval—before accessing an object.
The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting.
The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. ITIL is a customizable framework that is provided in a set of books or in an online format.
Incorrect Answers:
B: Committee of Sponsoring Organizations of the Treadway Commission (COSO) is classified under Security and Audit Frameworks and Methodologies.
C: IT Infrastructure Library (ITIL) is classified under Security and Audit Frameworks and Methodologies.
D: Control Objectives for Information and related Technology (COBIT) is classified under Security and Audit Frameworks and Methodologies.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 55-60, 369