Chapter 1 Review

Methodology

A formal approach to solving a problem based on a structured sequence of procedures.

McCumber Cube

A graphical representation of the architectural approach widely used in computer and information security; commonly shown as a cube composed of 3x3x3 cells, similar to a Rubik's Cube.

Community of Interest

A group of people who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.

Bottom-up Approach

A method of establishing security policies that begins as a grassroots effort in which systems administrators attempt to improve the security of their systems.

Software Assurance (SA)

A methodological approach to the development of software that seeks to build security into the development life cycle rather than address it at later stages. SA attempts to intentionally create software free of vulnerabilities and provide effective, efficient software that users can deploy with confidence.

Systems Development Life Cycle (SDLC)

A methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system.

Security Systems Development Life Cycle (SecSDLC)

A methodology for the design and implementation of security systems based on the systems development life cycle. The two life cycles contain the same general phases.

Top-down Approach

A methodology of establishing security policies that is initiated by upper management.

Project Team

A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.

Security

A state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure.

Network Security

A subset of communications security; the protection of voice and data networking components, connections, and content.

Waterfall Method

A type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.

Possession

An attribute of information that describes how the data's ownership or control is legitimate or authorized.

Utility

An attribute of information that describes how data has value or usefulness for an end purpose.

Availability

An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.

Accuracy

An attribute of information that describes how data is free of errors and has the value that the user expects.

Authenticity

An attribute of information that describes how data is genuine or original rather than reproduced or fabricated.

Confidentiality

An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.

Integrity

An attribute of information that describes how data is whole, complete, and uncorrupted.

Chief Information Officer (CIO)

An executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information.

What are the critical characteristics of information, also known as the expanded C.I.A. triangle?

Availability, Accuracy, Authenticity, Confidentiality, Integrity, Utility, Possession

The ________________ is primarily responsible for advising the chief executive officer, president, or company owner on strategic planning that affects the management of information in the organization. They translate the strategic plans of the organization as a whole into strategic information plans for the information systems or data processing division of the organization.

CIO (Chief Information Officer)

The _______________ has primary responsibility for the assessment, management, and implementation of information security in the organization. They report directly to the CIO.

CISO (Chief Information Security Officer)

What member positions are typically found in a project team?

Champion, Team Leader, Security Policy Developers, Risk Assessment Specialists, Security Professionals, Systems Administrators, End Users

The _______________ of 1986 and the ________________ of 1987 defined computer security and specified responsibilities and associated penalties.

Computer Fraud and Abuse Act, Computer Security Act

What are the three pillars of the C.I.A. triangle?

Confidentiality, Integrity, Availability

What are the three types of data ownership?

Data Owners, Data Custodians, Data Users

In 1968, ________________ developed the ARPANET project. ARPANET evolved into what we know as the Internet, and he became known as its founder.

Dr. Larry Roberts

Computer Security

In the early days of computers, this term specified the need to secure the physical location of computer technology from outside threats. This term later came to represent all actions taken to preserve computer systems from losses. It has evolved into the current concept of information security as the scope of protecting information in an organization has expanded.

What are the security considerations for each phase of the SDLC?

Initiation, Development/Acquisition, Implementation/Assessment, Operations and Maintenance, Disposal

What six phases does the traditional SDLC consist of?

Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance and Change

________________ is noteworthy because it was the first operating system to integrate security into its core functions.

MULTICS

The NSTISSI 4011 is now known as the ________________.

McCumber Cube

The definition of information security in this text is based in part on the CNSS document called the ________________. It presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.

National Training Standard for Information Systems Security Professionals, NSTISSI No. 4011

Data Custodians

People who are responsible for the storage, maintenance, and protection of information.

Data Owners

People who own the information and thus determine the level of classification for their data and approve its access authorization.

Data Users

People who work with the information to perform their daily jobs and support the mission of the organization.

During the early years, information security was a straightforward process composed predominantly of _______________ security and simple document classification schemes.

Physical

Information Security

Protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology.

_________________ was the first widely recognized published document to identify the role of management and policy issues in computer security.

Rand Report R-609

What are the components of an information system?

Software, Hardware, Data, People, Procedures, Networks

Information System (IS)

The entire set of software, hardware, data, people, procedures, and networks that enable the use of information resources in the organization.

C.I.A. Triangle

The industry standard for computer security since the development of the mainframe. The standard is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

Communications Security

The protection of all communications media, technology, and content.

Physical Security

The protection of physical items, objects, or areas from unauthorized access and misuse.

Chief Information Security Officer (CISO)

Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.

In 1969, several developers of MULTICS created a new operating system called _______________, whose primary function was text processing.

UNIX
