Final 9-11
Why is it a good practice to delay naming specific people as resources early in the planning process?
Naming should be avoided early on - the plan should focus on organizational roles or known skills sets. Or else, face tension and resistance and possible panic.
Who is the best judge of effort estimates for project tasks and action steps? Why?
The people who are most familiar with the tasks, because they are more experienced.
What is the value of a statement of vision and objectives? Why is it needed before a project plan is developed?
The value of a statement of vision and objectives is that it tells you what the project is supposed to achieve. It is important because if the project fails to fulfill its intended purpose, then it is most likely a failure.
What can you do to reduce the risk of theft of portable computing devices, such as smartphones, tablets, and notebooks?
- Configure them to send their location if reported lost or stolen, wipe themselves of all user data, or disable themselves completely.- Install software like CompuTrace (laptops)- Install laptop burglar alarms that contain motion detector, GPS tranceiver, and/or RFID tag- Don't leave devices in an unlocked vehicle- Carry devices in nondescript carrying case- Don't leave a meeting room without electronics- Lock device in a safe place when not in use- Apply distinctive paint markings to ID electronics- Maybe buy theft alarm system- Don't use auto logins- Back up info using cloud-based storage or CD, DVD, flash drive, other backup media
List and describe the three fundamental ways that data can be intercepted. How does a physical security program protect against each of these data interception methods?
1. Direct observation: A person is close enough o the information to breach confidentiality; shoulder surfing, for ex.Physical security limits the possibility of a person accessing authorized areas and directly observing info. Emps can be prohibited from removing sensitive info from the office or required to implement strong home security.2. Interception of data transmissions: accessing media transmitting the data; using sniffer software, tapping into a LAN, eavesdroppingNetwork admin can conduct periodic physical inspections of all data ports to ensure no unauthorized taps have occurred; use fiber-optic cables to prevent direct wiretaps3. Electromagnetic interception: Eavesdropping on electromagnetic signals and determining the data carried on the cables without tapping into them.TEMPEST ensures computers are placed far away from outside perimeters, installs special shielding inside CPU case, implements other restrictions (distance from plumbing and other infra components that carry radio waves).
When a task is not being completed according to the plan, what two circumstances are likely to be involved?
1. Estimate is flawed: Plan should be corrected and downstream tasks updated to reflect the change2. Performance has lagged: Add resources, make longer schedules, reduce quality/quantity of deliverable.
What two critical factors are affected when water is not available in a facility? Why are they important to the operation of the organization's information assets?
1. Fire suppression: This is important to stopping fires...2. Air conditioning systems: This is needed to cool systems (and people!) to prevent fires and static electricity.
List and describe the four categories of locks. In which situation is each type of lock preferred?
1. Manual (padlocks/combination locks)--opened with key/combination-- preset and unchangeable 2. Programmable (push-button)--changeable-- computer rooms and wiring closets 3. Electronic--integrated with alarm systems, fire systems, sensor sysems--used where they can be activated/deactivated by a switch 4. Biometric--most sophisticated--reads finger, palm, iris, etc.
List and describe the four primary types of UPS systems. Which is the most effective and the most expensive, and why?
1. Standby (offline) UPS: Detests the interruption of power to equipment and activates a transfer switch that provides power from the batteries through a DC to AC converter until normal power is restored/computer is shut down.- not truly uninterruptible, but a SPS- most cost-effective- suffers switching time- no power conditioning- best suited for home and light office use2. Line-interactive UPS: a UPS in which a pair of inverters and converters draw power from the outside source to both charge the battery and provide power to the internal protected device.- the primary power source = power utility- faster response time- power conditioning- line filtering3. Double conversion online UPS: a UPS in which the protected device draws power from an output inverter. The inverter is powered by the UPS battery, which is constantly recharged from the outside power.- allows use while eliminating power fluctuation- MOST expensive- generates lots of heat- improved model: Delta conversion online UPS4. Standby ferroresonant UPS: a UPS in which the outside power source directly feeds the internal protected device. The UPS serves as a battery backup, incorporating a ferrorresonant transformer instead of a converter switch, providing line filtering and reducing the effect of some power problems, and reducing noise that maybe present in the power as it is delivered.- primary power source = electrical service- ferroresonant transformer replaces UPS transfer switch- stores energy in its coils- many have abandoned this design
List and define the common attributes of tasks within a WBS.
1. Work to Be Accomplished: Activities and deliverables; provide a label and task description (not too specific but not too vague)2. Assignees: Skills or personnel (resources) needed to accomplish task; avoid naming early; focus on roles or known skill sets3. Start and End Dates: Specify completion dates only for major milestones at first; don't assign too many dates too early; add them later as needed4. Amount of Effort: Estimate effort to complete each task; ask those most familiar with tasks to estimate; allow assignees to review, understand, and accept estimates5. Estimate Capital Expenses: Some orgs differentiate between capital outlays and expenses for other purposes6. Estimated Noncapital Expenses: Expenses that are NOT for revenue-producing projects expected to yield a ROI; Determine cost accounting practices7. Task Dependencies: Note predecessors and successors
What are certification and accreditation when applied to information systems security management? List and describe at least two certification or accreditation processes.
> Certification: the comprehensive evaluation of an IT systems technical and nontechnical security controls that establishes the extent to which a particular design and implementation meets a set of predefined security requirements> Accreditation: the process that authorizes an IT system to process store or transmit information> 2 processes: NSTISS & ISO 27001/2
List and describe the four classes of fire described in the text. Does the class of the fire dictate how to control it?
> Class A: Combustible fuels such as wood, paper, textiles, rubber, cloth, and trash. Extinguished by fuel-depleting agents like water and multipurpose dry chemical fire extinguishers.> Class B: Combustible liquids or gases such as solvents, gasoline, paint, lacquer, and oil. Extinguished by oxygen-depleting agents like carbon dioxide, dry chemical, and Halon fire extinguishers> Class C: Energized electrical equipmnt or appliances. Extinguished by nonconducting agents like carbon dioxid, dry chemical, and Halon extinguishers - NEVER USE WATER.> Class D: Combustible metals such as magnesium, lithium, and sodium. Extinguished by special extinguishing agents and techniques.> Class K: Combustible cooking oil and fats in commercial kitchens. Extinguished by special water mist, dry powder, or CO2 agents
What is a deliverable? Name two uses for deliverables.
> Deliverable: A completed document or program module that can either serve as the beginning point for a later task or become an element in the finished project.> 2 uses: Can either serve as the beginning point for a later task or become an element in the finished project
List and describe the four basic conversion strategies that are used when converting to a new system. Under which circumstances is each strategy the best approach?
> Direct Changeover: The conversion strategy that involves stopping the old system and starting the new one without any overlap- Best use: Small changes> Parallel Operations: the conversion strategy that involves running the new system concurrently with the old system-> Phased Implementation: the conversion strategy that involves a measured roll out of the planned system; only part of the system is brought out and disseminated across an organization before the next piece is implemented> Pilot Implementation: The conversion strategy that involves implementing the entire system into a single office, department or division and dealing with the issues that arise before expanding to the rest of the organization.
What categories of constraints to project plan implementation are noted in the chapter? Explain each of them.
> Financial considerations> Priority considerations> Time and scheduling considerations> Staffing considerations> Procurement considerations> Organizational Feasibility Considerations> Training and Indoctrination Considerations> Scope Considerations
What is technology governance? What is change control? How are they related?
> Technology governance: a process organizations use to manage the effects and cost of technology implementation innovation and obsolescence.> Change control: a method of regulating the modification of systems within the organization by requiring formal review and approval for each change> Related: Technology governance figures out how frequently tech needs to change, and change control figures out how to manage the change (?)
What is a mantrap? When should it be used?
A mantrap is a small room or enclosure with separate entry and exit points.It should be used when restraining a person who fails an access authorization attempt.
Describe a physical firewall that is used in buildings. List reasons that an organization might need a firewall for physical security controls.
A physical firewall is one that limits the spread of damage should a fire break out in an office; it isolates the physical spaces of the offices. Reasons: To keep fire from spreading and to keep intruders from climbing through plenum found above standard interior walls or sledge-hammering through the walls. 10. Describe a physical firewall that is used in buildings. List reasons that an organization might need a firewall for physical security controls.
Why is it good practice to assign start and end dates sparingly in the early stages of project planning?
Attempt to specify completion dates only for major project milestones. Assigning too many dates to too many tasks early in the planning process exacerbates projectitis.
Within project management, what is a dependency? What is a predecessor? What is a successor?
Dependency: When tasks cannot be accomplished until something else is, or something that must be done following the task's completion> Predecessor: Tasks or action steps that come before the specific task at hand> Successor: tasks or action steps that come after the specific task at hand
How does physical access control differ from logical access control, which is described in earlier chapters? How are they similar?
Differ: Physical access controls control physical access to company resources, while logical access controls control access to information systems. Similar: They are both of critical importance
What is considered the most serious threat within the realm of physical security? Why is it valid to consider this threat the most serious?
Fire is considered to be the most serious threat to physical security. This reasoning is valid because fire causes "more property damage, personal injury, and death than any other threat" (Whitman 514).
Why are guards considered the most effective form of control for situations that require decisive action in the face of unfamiliar stimuli? Why are they usually the most expensive controls to deploy? What is another issue with human guards, beyond the high cost? When should dogs be used for physical security?
Guards can evaluate each situation as it arises and make reasoned responses. Most have clear SOPs that help them act decisively in unfamiliar situations. They are usually the most expensive because it requires staffing of human resources. Plus, human life is PRECIOUS. > Boredom> Distraction > For orgs protecting valuable resources> When keen sense of smell and hearing are needed> Placed in harm's wayThey should be used in situations where scent and sound are important to pick up to detect an intrusion. They can also be placed in harm's way when necessary to avoid risking the life of a person.
What is Halon and why is its use restricted?
Halon is a clean agent, gas-based system that relies on a chemical reaction with the flame to extinguish it - much safer than carbon dioxide.It's restricted because the EPS classified Halon as an ozone-depleting substance.
How does a planner know when a task has been subdivided to an adequate degree and can be classified as an action step?
Hard-n-fast rule: A task or subtask becomes an action step when it can be completed by one person or skill set and has a single deliverable.
What is a milestone, and why is it significant to project planning?
Milestone: A specific point in the project plan when a task that has a noticeable impact on the plans progress is complete.> It's significant because it has noticeable impact on the plan's progress
What is the most common form of alarm? What does it detect? What types of sensors are commonly used in this type of alarm system?
Most common form: Burglar alarms. They detect intrusions into unauthorized areas and notify either a local or remote security agency to react. The sensors used are motion detectors, thermal detectors, glass breakage detectors, weight sensors, and contact sensors.
What is a negative feedback loop? How is it used to keep a project in control?
Negative feedback loop = gap analysis: The process of comparing measured results against expected results then using the resulting "Gap" as a measure of project success and as feedback for the project management.> How it's used: It ensures that progress is measured periodically; it prompts corrective action OR plan revision when significant deviation occurs.
Define a secure facility. What is the primary objective of designing such a facility? What are some secondary objectives of designing a secure facility?
Physical access controls that are uniquely suited to governing the movement of people with in an organizations facility i.e controlling their physical access to company resources. In concern with internet logical access control play major role. Some of the overlaps involve the use of bio-metrics, smart cards, wireless enables key cards, which are used for controlling access to locked doors information assets, and information system resources.
What is physical security? What are the primary threats to physical security? How are they manifested in attacks against the organization?
Physical security addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization. This means the physical protection of the people, hardware, and the supporting system elements and resources associated with the management of information in all its states: transmission, storage, and processing.The primary threats to physical security include the following:Inadvertent acts, potential acts of human error or failure, potential deviations in quality of service by service providers, and power irregularities.Deliberate acts - acts of espionage or trespass, acts of information extortion, acts of sabotage or vandalism, acts of theft, software attacks, and compromises to intellectual property; acts of God, forces of nature; technical failures technical hardware failures or errors and technical software failures or errors; and management failuresIn the physical environment, a potential act of human error or failure can be represented by an employee accidentally spilling coffee on his or her laptop computer. A compromise to intellectual property can include an employee without an appropriate security clearance copying a classified marketing plan.A deliberate act of espionage or trespass could be exemplified by a competitor sneaking into a facility with a camera. Deliberate acts of sabotage or vandalism can be physical attacks on individuals or property with the intent to sabotage or deface; deliberate acts of theft are perhaps the most common of these threats. Examples include employees stealing computer equipment, credentials, passwords, and laptops.Acts of God include lightning hitting a building and causing a fire. Quality of service deviations from service providers, especially power and water, also represent physical security threats.Technical hardware failures or errors and technological obsolescence both have common examples in physical security.
What is a project plan? List what a project plan can accomplish.
Project plan: The documented instructions for participants and stakeholders of a project that provide details on goals, objectives, tasks, scheduling, and resource management.It describes how to acquire and implement the needed security controls and create a setting in which those controls achieve the desired outcomes.
What is projectitis? How is it cured or its impact minimized?
Projectitis: a situation in project planning in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts in the project management software than accomplishing meaningful project work.> Cure: Use simpler planning tools; "delegating responsibilities, encouraging communication, using lighter project management software, establishing clear start and end dates to components, flexible planning, and proper estimation of effort";- Use simple planning tools (WBS)- Don't name specific names; simple place roles first- Don't assign too many dates too early; assign only key/milestone start/end dates early in the process- Collaborate with teams to estimate amount of effort
What is a resource? What are the two types?
Resource: Components required for the completion of a project, which could include skills, personnel, time, money and material> Two types: Skills and personnel
What is the relationship between HVAC and physical security? What four physical characteristics of the indoor environment are controlled by a properly designed HVAC system? What are the optimal temperature and humidity ranges for computing systems?
The operation of HVAC systems have a dramatic impact on information, info systems, and their protection. Temperature, filtration, humidity, and static electricity Optimal temperature: 70- 74 degreesOptimal humidity: 40-60%
What three elements must be present for a fire to ignite and continue to burn? How do fire suppression systems manipulate the three elements to quell fires?
The three elements are: Temperature, fuel, and oxygenWater and water mist systems work to reduce the temperature and saturate fuels. Carbon dioxide (kill people too) and Halon (don't kill people) systems reduce the oxygen.
What are the two possible modes of locks when they fail? What implications do these modes have for human safety? In which situation is each preferred?
The two possible modes are fail-safe and fail-secure. Fail-safe means it RELEASES in case of a power outage, and is used for fire safety location to secure an exit. Fail-secure means the lock LOCKS in case of a power outage, and is used for safes or nuclear weapons, things like that. Fail-safe = "You'll be safe even if the power goes out" Fail-secure = "These high-value items will be secure even if the power goes out."
List and describe the three fire detection technologies covered in the chapter. Which is the most commonly used?
Thermal detection: Detects the heat from a fire; includes fixed-temperature and rate-of-rise sensors; inexpensive and easy to maintain; don't catch the problem until it's already in progress; not used for important itemsSmoke detection: Detects the smoke from a fire; includes photoelectric sensors, ionization sensors, and air-aspirating detectors; more expensive but better at early detection; used where extremely valuable materials are storedFlame detection: Detects infrared/ultraviolet light produced by an open flame; sensitive and expensive; not used in areas where human lives are at stake.Most commonly used: SMOKE DETECTION SYSTEMS
What are the roles of IT, security, and general management with regard to physical security?
Three entities can play a part in physical security.The security department would have the most direct responsibility for the physical security program and would establish security policies, implement physical security systems, enforce security procedures, and investigate security breaches.The IT department is primarily responsible for computer and network security. However, many of today's physical security systems (cameras, card readers, etc.) are now network based and IT plays an increased role in the deployment and maintenance of these systems.The senior management of the company is ultimately responsible for the protection of the company's assets. Both the security department and IT department work to help senior management achieve this goal, but in the end, it is senior management's job to assure that the company's assets are secure.
What is a work breakdown structure (WBS)? Is it the only way to organize a project plan?
WBS: A list of the tasks to be accomplished in the project, the skill sets or individual employees needed to perform the tasks, the start and end dates for tasks, the estimated resources required, and the dependencies among tasks.> No, it's not the only way. You can use more complex software, but it may lead to projectitis.