The User Datagram Protocol (UDP) is implemented at the host-to-host transport layer, not at the internet layer.
Protocol at what layer? Ensure you are familiar with both the OSI model and the DoD TCP/IP model as well. You need to know how to contrast the two side by side and what are the names being used on both side. Below you have a graphic showing the two and how things maps between the two as well as some of the most common protcolos found at each of the layers: Protocols at what layers of the DoD TCP/IP model C:\Users\MCS\Desktop\1.jpg

Graphic from http://technet.microsoft.com/en-us/library/cc958821.aspx
The following are incorrect answers:
All of the other protocols sit at the Internet Layer of the TCP/IP model.
NOTE:
Some reference are calling the Transport layer on the DoD model Host-to-Host.
Reference(s) used for this question:
Shon Harris, CISSP All In One (AIO), 6th edition , Telecommunication and Network
Security, Page 518,534
and
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications
and Network Security (page 85).
and
Microsoft Technet at http://technet.microsoft.com/en-us/library/cc958821.aspx

When an intrusion has been detected and confirmed, if you wish to prosecute the attacker in court, the following actions should be performed in the following order:
Capture and record system information and evidence that may be lost, modified, or not
captured during the execution of a backup procedure. Start with the most volative memory
areas first.
Make at least two full backups of the compromised systems, using hardware-write-
protectable or write-once media. A first backup may be used to re-install the compromised
system for further analysis and the second one should be preserved in a secure location to
preserve the chain of custody of evidence.
Isolate the compromised systems.
Search for signs of intrusions on other systems.
Examine logs in order to gather more information and better identify other systems to which
the intruder might have gained access.
Search through logs of compromised systems for information that would reveal the kind of
attacks used to gain access.
Identify what the intruder did, for example by analyzing various log files, comparing
checksums of known, trusted files to those on the compromised machine and by using
other intrusion analysis tools.
Regardless of the exact steps being followed, if you wish to prosecute in a court of law it
means you MUST capture the evidence as a first step before it could be lost or
contaminated. You always start with the most volatile evidence first.
NOTE:
I have received feedback saying that some other steps may be done such as
Disconnecting the system from the network or shutting down the system. This is true.
However, those are not choices listed within the 4 choices attached to this question, you
MUST avoid changing the question. You must stick to the four choices presented and pick
which one is the best out of the four presented.
In real life, Forensic is not always black or white. There are many shades of grey. In real
life you would have to consult your system policy (if you have one), get your Computer
Incident team involved, and talk to your forensic expert and then decide what is the best
course of action.
Reference(s) Used for this question:
http://www.newyorkcomputerforensics.com/learn/forensics_process.php
and
ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-
Wesley, 2001, Chapter 7: Responding to Intrusions (pages 273-277).

If any server in the cluster crashes, processing continues transparently,
however, the cluster suffers some performance degradation. This implementation is
sometimes called a “server farm.”
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 67.

Section: Network and Telecommunications
Explanation/Reference:
Ethernet uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD) to minimize the effect of broadcast collisions.
The following answers are incorrect:
CSU/DSU Is incorrect because Channel Service Unit/Digital Service Unit(CSU/DSU) is a digital interface normally used to connect a router to a digital circuit.
TCP/IP Is incorrect because Transmission Control Protocol/Internet Protocol(TCP/IP) is a network protocol not an access method.
FIFO Is incorrect as it is a distractor. First In, First Out (FIFO) is typically a processing methodology in which first come, first served.
Ethernet is a frame based network technology.
References:
OIG CBK Telecommunications and Network Security (pages 437 – 438)
Wikipedia http://en.wikipedia.org/wiki/FIFO

Section: Access Control
Explanation/Reference:
The Bell-LaPadula model, mostly concerned with confidentiality, was proposed for enforcing access control in government and military applications. It supports mandatory access control by determining the access rights from the security levels associated with subjects and objects. It also supports discretionary access control by checking access rights from an access matrix. The Biba model, introduced in 1977, the Sutherland model, published in 1986, and the Brewer-Nash model, published in 1989, are concerned with integrity.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 2: Access Control Systems and Methodology (page 11).

They are responsible for security of the organization and the protection of its assets.
The following answers are incorrect because :
Data owner is incorrect as data owners should not decide as to what security measures should be applied.
Auditor is also incorrect as auditor cannot decide as to what security measures should be applied.
The information security specialist is also incorrect as they may have the technical knowledge of how security measures should be implemented and configured , but they
should not be in a position of deciding what measures should be applied.
Reference : Shon Harris AIO v3 , Chapter-3: Security Management Practices , Page : 51.

Explanation/Reference:
Transport. The Layer 4 Transport layer supports the TCP and UDP protocols in the OSI Reference Model. This layer creates an end-to-end transportation between peer hosts. The transmission can be connectionless and unreliable such as UDP, or connection-oriented and ensure error-free delivery such as TCP.
The following answers are incorrect:
Network. The Network layer moves information between hosts that are not physically connected. It deals with routing of information. IP is a protocol that is used in Network Layer. TCP and UDP do not reside at the Layer 3 Network Layer in the OSI Reference Model.
Presentation. The Presentation Layer is concerned with the formatting of data into a standard presentation such as
ASCII. TCP and UDP do not reside at the Layer 6 Presentation Layer in the OSI Reference Model.
Application. The Application Layer is a service for applications and Operating Systems data transmission, for example HTTP, FTP and SMTP. TCP and UDP do not reside at the Layer 7 Application Layer in the OSI Reference Model.
The following reference(s) were/was used to create this question:
ISC2 OIG, 2007 p. 411
Shon Harris AIO v.3 p. 424

SMTP (Simple Mail Transfer Protocol) works as a message transfer agent. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, Page 821.

The Data/Information Owner is ultimately responsible for the protection of the data. It is the Data/Information Owner that decides upon the classifications of that data they are responsible for.
The data owner decides upon the classification of the data he is responsible for and alters
that classification if the business need arises.
The following answers are incorrect:
Security Administrator. Is incorrect because this individual is responsible for ensuring that
the access right granted are correct and support the polices and directives that the
Data/Information Owner defines.
User. Is Incorrect because the user uses/access the data according to how the
Data/Information Owner defined their access.
Auditor. Is incorrect because the Auditor is responsible for ensuring that the access levels
are appropriate. The Auditor would verify that the Owner classified the data properly.
References:
CISSP All In One Third Edition, Shon Harris, Page 121

Explanation/Reference:
My friend JD Murray at Techexams.net has a nice definition of both, see his explanation below:
Oh, I hate these two. It’s like describing the difference between “jealously” and “envy.” Kinda the same thing but not exactly. Here it goes:
Due diligence is performing reasonable examination and research before committing to a course of action.
Basically, “look before you leap.” In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be “haphazard” or “not doing your homework.”
Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is “negligence.” In summary, Due Diligence is Identifying threats and risks while Due Care is Acting upon findings to mitigate risks
EXAM TIP:
The Due Diligence refers to the steps taken to identify risks that exists within the environment. This is base on best practices, standards such as ISO 27001, ISO 17799, and other consensus. The first letter of the word Due and the word Diligence should remind you of this. The two letters are DD = Do Detect.
In the case of due care, it is the actions that you have taken (implementing, designing, enforcing, updating) to reduce the risks identified and keep them at an acceptable level. The same apply here, the first letters of the work Due and the work Care are DC. Which should remind you that DC = Do correct.
The other answers are only detractors and not valid.
Reference(s) used for this question:
CISSP Study Guide, Syngress, By Eric Conrad, Page 419
HARRIS, Shon, All-In-One CISSP Certification Exam Guide Fifth Edition, McGraw-Hill, Page 49 and 110.
and
Corporate; (Isc)² (2010-04-20). Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press) (Kindle Locations 11494-11504). Taylor & Francis. Kindle Edition.
and
My friend JD Murray at Techexams.net

Accreditation: is an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. It is usually based on a technical certification of the system’s security mechanisms.
Certification: Technical evaluation (usually made in support of an accreditation action) of an information system\’s security features and other safeguards to establish the extent to which the system\’s design and implementation meet specified security requirements. Source: SHIREY, Robert W., RFC2828: Internet Security Glossary, may 2000.

Section: Access Control
Explanation/Reference:
The ss (simple security) property of the Bell-LaPadula access control model states that reading of information by a subject at a lower sensitivity level from an object at a higher sensitivity level is not permitted (no read up).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security Architectures and Models (page 202).

Section: Network and Telecommunications
Explanation/Reference:
A series of the same control characters, hexadecimal code, imbedded in the string is usually an indicator of a buffer overflow attack.
The Intel x86 processors use the hexadecimal number 90 to represent NOP (no operation). Many buffer overflow attacks use long strings of control characters and this is representative of that type of attack.
A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This task could be to open a command shell with administrative privilege or execute malicious code.
Common threats to system availability, integrity, and confidentiality include hardware failure, misuse of system privileges, buffer overflows and other memory attacks, denial of service, reverse engineering, and system hacking.
Since many vulnerabilities result from insecure design and most threats are well known, it is the responsibility of the security architect to ensure that their designs are addressing security requirements appropriately while also ensuring that the system can continue to perform its intended function.
The following answers are incorrect:
Over-subscription of the traffic on a backbone. Is incorrect because if there was Over-subscription of the traffic on a backbone, that would typically result in not being able to send or receive any packets, more commonly known as Denial of Service or DoS.
A source quench packet. This is incorrect because a source quench packet is an ICMP message that contains the internet header plus 64 bits of the original datagram.
A FIN scan. This is incorrect because a FIN scan is when a packet with the FIN flag set is sent to a specific port and the results are then analyzed.
Reference(s) used for this question:
Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition, Security Architecture and Design, Page
332, for people using the Kindle edition you will find it at Kindle Locations 7310-7315.
Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition : Security Architecture and Design (Kindle Locations 1403-1407). . Kindle Edition.
Wikipedia http://en.wikipedia.org/wiki/Port_scanner
ICMP http://security.maruhn.com/iptables-tutorial/x1078.html
Wikipedia http://en.wikipedia.org/wiki/Buffer_overflow

Is a means of being able to track user actions. Through the use of audit logs
and other tools the user actions are recorded and can be used at a later date to verify what
actions were performed.
Accountability is the ability to identify users and to be able to track user actions.
The following answers are incorrect:
Documented design as laid out in the Common Criteria. Is incorrect because the Common
Criteria is an international standard to evaluate trust and would not be a factor in System
Accountability.
Authorization. Is incorrect because Authorization is granting access to subjects, just
because you have authorization does not hold the subject accountable for their actions.
Formal verification of system design. Is incorrect because all you have done is to verify the
system design and have not taken any steps toward system accountability.
References:
OIG CBK Glossary (page 778)

Section: Network and Telecommunications
Explanation/Reference:
A spoofing attack is when an attempt is made to gain access to a computer system by posing as an authorized user or system. Spamming refers to sending out or posting junk advertising and unsolicited mail. A smurf attack is a type of denial-of-service attack using PING and a spoofed address. Sniffing refers to observing packets passing on a network.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 3: Telecommunications and Network Security (page
77).