Info Security Exam 1
Threats are always present T/F
True
Which members of an organization are involved in the security systems development life cycle? Who leads the process?
Upper management. The process is usually led by a senior executive, sometimes called the champion, who promotes the project and secures its financial, administrative, and company-wide backing. A project manager is assigned the task of managing the project.
Describe the critical characteristics of information (7). How are they used in the study of computer security?
1. Availability enables authorized users to access information without interference, and to receive it in the required format. 2. Accuracy occurs when information is free from mistakes or errors and has the value that the end user expects. 3. Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is in the same state in which it was created, placed, stored, or transferred. 4. Confidentiality: achieved when disclosure of info is restricted only to authorized individuals or systems. 5. Integrity: maintained when it is whole and not corrupted. 6. Utility: quality or state of the info having value for some purpose or end. 7. Possession: Information is said to be in one's possession if one obtains it, independent of format or other characteristics. The critical characteristics of information define its value.
What are the three components of the C.I.A. triangle? What are they used for?
1. Confidentiality: assurance that information is shared only among authorized people or organizations. 2. Integrity: assurance that the info is complete and uncorrupted. 3. Availability: assurance that info systems and the necessary data are available for use when needed. Used to conveniently articulate the objectives of a security program that must be used in harmony to make sure an information system is secure and usable.
Who should lead a security team? Should the approach to security be more managerial or technical?
A project manager, who may be a departmental line manager or staff unit manager, would lead a security team. The approach to security should be more managerial than technical, although the technical ability of the resources who perform day-to-day activities is critical.
How has computer security evolved into modern information security?
Computer security consisted of securing a system's physical location with badges, keys, and facial recognition. To ensure total security, the information itself, as well as the hardware used to transmit and store it, needed to be protected. Information security developed from this need.
Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these decisions are carried out?
Data owners, who are responsible for the security and use of a particular set of information. Data custodians, who work directly with data owners and are responsible for the storage, maintenance, and protection of information. Data users are end users who work with the information to perform their daily jobs and support the mission of the organization.
How can the practice of information security be described as both an art and a science?
First, information security is a science because it requires various kinds of tools and technologies used for technical purposes. Second, information security is also an art because there are no clear-cut rules for how to install various security mechanisms.
If the C.I.A. triangle is incomplete, why is it so commonly used in security?
It addresses the fundamental concerns of information security: confidentiality, integrity, and availability.
What system is the predecessor of almost all modern multiuser systems?
MULTICS
What is the relationship between the MULTICS project and the early development of computer security?
MULTICS, or Multiplexed Information and Computing Service, was the first operating system created with security as its primary goal. It was a mainframe, time-sharing operating system developed through a partnership among GE, Bell Labs, and MIT. Much of the early focus for research on computer security was centered on this system.
Why is a methodology important in the implementation of information security? How does a methodology improve the process?
Methodology is important in the implementation of information security because it ensures that development is structured in an orderly, comprehensive fashion. The methodology unifies the process of identifying specific threats and the creation of specific controls to counter those threats into a coherent program. First, it entails all the rigorous steps for an organization's employees to follow. Second, a methodology increases the probability of success.
What type of security was dominant in the early years of computing?
Physical security ONLY. (Data and connections were NOT focused on.)
Why is the top-down approach to information security superior to the bottom-up approach?
The project is initiated by upper-level managers who issue policy, procedures, and processes, dictate goals, and determine accountability. This approach has strong upper management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture. The most successful kind of top-down approach also involves a formal development strategy referred to as a systems development life cycle.
Which paper is the foundation of all subsequent studies of computer security?
Rand Report R-609, a paper sponsored by the Department of Defense, is the foundation of all subsequent studies of computer security.
How does the view of security as a social science influence its practice?
Social science deals with people, and information security is primarily about people, not technology. Through the eye of a social scientist, an organization can greatly benefit from the Security Education, Training, and Awareness program (SETA), which can help employees understand how to perform their jobs more securely, be fully aware of the security issues within the organization, and be accountable for their actions.
How is infrastructure protection (assuring the security of utility services) related to information security?
The availability of information assets is dependent on having information systems that are reliable and that remain highly available.
Who is ultimately responsible for the security of information in the organization?
The chief information security officer
What was important about Rand Report R-609?
The movement toward security that went beyond protecting physical locations began with Rand Report R-609. The Rand Report was the first to identify the role of management and policy issues in the expanding arena of computer security.
Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?
The six components are software, hardware, data, people, procedures, and networks. People would be affected most by the study of computer security. People can be the weakest link in an organization's information security program. Hardware and software are the components that are historically associated with the study of computer security. However, networking is the component that created much of the need for increased computer and information security.
In information security, exposure exists when a vulnerability is known to an attacker. T/F?
True
What is the difference between a threat agent and a threat?
Threat agent: facilitator of an attack. Threat: a category of objects, people, or entities that represents a potential danger to an asset.
What is the difference between vulnerability and exposure?
Vulnerability is a weakness or fault in a system or protection mechanism that opens it to attack or damage. Exposure is a condition or state of being exposed.