Information Security Quiz 1
Who should lead a security team? Should the approach to security be more managerial or technical?
Chief information security officer - Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO. Managerial: the users need to know the correct procedures and processes.
How has computer security evolved into modern information security?
Computer security is about protecting the physical location and assets, while information security is about protection of data, operations, transmitting, processing, confidentiality, and availability.
What type of security was dominant in the early years of computing?
Computer security - physically securing the location of the technology
Describe the critical characteristics of information. How are they used in the study of computer security?
Confidentiality → How data is protected from exposure to unauthorized individuals
Integrity → How data is whole/complete and uncorrupted
Availability → How data is accessible and correctly formatted without interference
Accuracy → Data free from mistakes, with no modifications, that is what the end user expects
Authenticity → Data that is genuine and original, not a fabrication
What was important about RAND Report R-609?
Considered the basis that started the study of computer security
Why is a methodology important in the implementation of information security? How does a methodology improve the process?
Creates guidelines with a clearly defined goal and increases the probability of success; an example of a methodology is the SDLC. Also sets policies on how goals will be accomplished.
Who is ultimately responsible for the security of information in the organization?
Data Users
How can the practice of information security be described as both an art and a science? How does the view of security as a social science influence its practice?
For both art and science, the goal is to have just enough security without overly restricting the user, while being able to eliminate and eradicate most threats.
Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?
Hardware, software, data, people, procedures, and networks. Hardware is most affected by computer security; software is most associated with its study.
What are the three components of the C.I.A. triad? What are they used for?
Confidentiality, Integrity, Availability. Describing the utilities of information.
What is the relationship between the MULTICS project and the early development of computer security?
It implemented multiple levels of security and passwords.
What system is the predecessor of almost all modern multiuser systems?
MULTICS
Which paper is the foundation of all subsequent studies of computer security?
RAND Report R-609
How is infrastructure protection (assuring the security of utility services) related to information security?
Securing the physical location of the technology is what allows the information to not be tampered with or physically destroyed. Assuring the safety of data and assets.
Which members of an organization are involved in the security systems development life cycle? Who leads the process?
Senior management; the CIO leads the process, and the CISO reports to the CIO.
If the C.I.A. triad is incomplete, why is it so commonly used in security?
Standard for computer security; the depth of potential security issues is too vast to adopt another system.
Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these decisions are carried out?
The information security group's leadership monitors and manages all of the organizational structures and processes that safeguard information. The board and executive management are responsible for seeing that these objectives are achieved.
Why is the top-down approach to information security superior to the bottom-up approach?
Top-down comes from upper-level management to establish security policies and practices. It usually has dedicated funding and a clear implementation process.
What is the difference between vulnerability and exposure?
Vulnerability - a potential weakness in an asset or its ability to defend itself, e.g. an open door or a flaw in the software
Exposure - when a vulnerability is known to an attacker
What is the difference between a threat agent and a threat?
Threat - anything that has the potential to affect operations or assets; also known as a threat source
Threat agent - the specific instance of a threat, e.g. a tornado is the threat agent, while nature is the threat source
