CP3302 - Chap1
Which 7 members does the information security project team consist of?
1) Champion 2) Team Leader 3) Security policy developers 4) Risk assessment specialists 5) Security professionals 6) Systems administrators 7) End Users
Who does senior management usually consist of?
1) Chief Information Officer 2) Chief Information Security Officer
Which SecSDLC phase identifies information assets?
Analysis
______ security addresses the protection of individuals or groups authorized to access an organization. (a) Public (b) Personnel (c) Physical (d) Personal
b
________ examines the behavior of individuals as they interact with systems, whether societal systems or information systems. (a) Community science (b) Social science (c) Societal science (d) Interaction management
b
When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow a(n) ______ approach. (a) executive led (b) trickle down (c) top-down (d) bottom-up
c
In regard to critical characteristics of information, a breach of confidentiality always results in a breach of: (a) availability. (b) accuracy. (c) authenticity (d) integrity (e) possession
e
What is the relationship between the MULTICS project and early development of computer security?
It was the first operating system with security as a main feature.
When a computer is used as an active tool to conduct an attack on another information asset, that computer is then considered ______.
The subject of an attack
When a computer is the information asset that is being attacked, it is considered ______.
The object of an attack
Name two fundamental problems with ARPANET security.
1) No safety for dial-up connections. 2) Nonexistent user identification and authorization.
What are the 6 multiple layers of security an organisation should have in place?
1) Physical security 2) Personnel security 3) Operations security 4) Communications security 5) Network security 6) Information security
What tools are used to protect information and its related systems from danger?
1) Policy 2) Awareness 3) Training 4) Education 5) Technology
How should security/information security be considered?
A balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats.
What is the difference between a threat agent and a threat?
A threat is an ongoing danger to an asset, whereas a threat agent is the actual object carrying out the attack on the asset. A threat could be someone hacking, whereas a threat agent would be a particular hacker or a group of hackers.
What is the difference between vulnerability and exposure?
A vulnerability is a flaw or weakness in an existing controlled system. Exposure is when a threat agent becomes aware of a vulnerability, which can lead to it being exploited. A vulnerability could be a software bug or a door lock which is eas. Exposure could be an unauthorised person knowing a password or having a lock-breaking tool.
How can the practice of information security be described as both an art and a science? How does security as a social science influence its practice?
Art - because there are no hard and fast rules, especially with users and policy. Science - because software is developed by computer scientists and engineers; faults are a precise interaction of hardware and software that can be fixed given enough time.
If information has a state of being genuine or original and is not a fabrication, it has the characteristic of _______.
Authenticity
Describe the critical characteristics of information. How are they used in the study of computer security?
1) Availability - authorised users can easily access the information 2) Accuracy - free from mistakes or errors 3) Authenticity - the data is genuine and original and not a fabrication 4) Confidentiality - preventing disclosure (making a secret known) to unauthorised people 5) Integrity - the data is whole, complete and uncorrupted 6) Utility - the information provides value to a user 7) Possession - the individual has ownership or control of the information
How has computer security evolved into modern information security?
Before ARPANET, computer security was physical. Nowadays, with IP networks, people can access data through a network. Physical security is just one part of computer security.
A senior executive who promotes an information security project and ensures its support, both financially and administratively, at the highest levels of the organization is called a(n) ______.
Champion
What is the security that encompasses the protection of an organization's communications media, technology, and content?
Communications security
What type of security was dominant in the early years of computing?
Computer security - the focus was on the physical protection of hardware. Before computers were networked, protection mechanisms consisted of locking doors and physical security policies.
The characteristic of information that deals with preventing disclosure is ______.
Confidentiality
What are the three components of the CIA triangle? What are they used for?
1) Confidentiality - making sure only authorised people have access to the data or information. 2) Integrity - ensuring that the information is in its original state and cannot be edited or deleted by unauthorised users. 3) Accessibility - ensuring that authorised people can access the information without hassle, and that the data is presented to the user in an easy-to-interpret format which adds value for the user and can be used in a meaningful way.
True or False: Personnel security addresses the issues needed to protect items, objects, or areas.
False
True or False: With the level of complexity in today's information systems, the implementation of information security has often been described as a combination of art and technology.
False
Identify the six components of an information system. Which are most directly impacted by the study of computer security? Which are most commonly associated with this study?
1) Hardware 2) Software - commonly has software errors in it 3) Personnel - need training, awareness and education 4) Networks 5) Data 6) Procedures - the instructions to complete a specific task; they may expose vulnerabilities in the system.
Why is the top-down approach to information security superior to the bottom-up approach?
It has funding, access to resources, better organisation and the staying power to see the job through.
Why is a methodology important in the implementation of information security? How does a methodology improve the process?
It is a tried and tested method which has been proved to deliver results.
If the C.I.A. Triangle is incomplete, why is it so commonly used in security?
It is still used because the three items are still the core of information security. There are additional items that now make up a more advanced information security system.
What is Computer security?
It is the protection of physical assets against physical theft, espionage and sabotage.
What was important about Rand Report R-609?
It was the first widely published report to discuss the importance of management and policy in computer security.
What was the name of the now obsolete operating system designed for security objectives?
MULTICS
What system is the father of almost all modern multiuser systems?
Mainframe computer systems. These were not connected via a data network.
Which SecSDLC phase keeps the security systems in a high state of readiness?
Maintenance and Change
What does MULTICS stand for?
Multiplexed Information and Computing Service
What is the security that addresses the protection of individuals or groups authorized to access an organization?
Personnel security
What are the 6 phases in the SecSDLC?
Phase 1) Investigation Phase 2) Analysis Phase 3) Logical Design Phase 4) Physical Design Phase 5) Implementation Phase 6) Maintenance and Change
What is the security that addresses the issues needed to protect items, objects, or areas?
Physical security
Name three primary threats to security of computers.
Physical threats, espionage and sabotage
Ownership or control of information is called the characteristic of _______.
Possession
What is computer security?
Protection of physical locations, hardware, and software of computers from outside threats.
Which paper is the foundation of all subsequent studies of computer security?
Rand Report R-609
When did Computer security come about?
Right after the first mainframes were developed (WW2 and code-breaking machines).
Who should lead a security team? Should the approach to security be more managerial or technical?
Security professionals/experts should lead the team. The approach to security should be more managerial, because management can make and implement better decisions compared to technology.
Which members of an organization are involved in the security system development life cycle? Who leads the process?
Senior management, the CIO, the security project team and the data team. Security experts lead the process.
A formal approach to solving a problem based on a structured sequence of procedures is called a(n) ________ .
System Development Life Cycle (SDLC) methodology
What is the most successful top-down approach (formal development strategy) called?
Systems Development Life Cycle
Who is ultimately responsible for the security of information in the organization?
The Chief Information Security Officer (CISO)
Who is the person responsible for the storage, maintenance, and protection of the information?
The data custodian
Who is the person responsible for the security and use of a particular set of information?
The data owner
Who decides how and when data in an organization will be used and/or controlled? Who is responsible for seeing that these wishes are carried out?
The data owners are responsible; typically senior management. Data workers typically just use the data, and data custodians are responsible for maintaining/storing the data.
What is the definition of Security?
The quality of being free from danger
True or False: Information security programs that begin at a grassroots level by system administrators to improve security are often called a bottom-up approach.
True
What is the Top-Down approach?
When upper management issues policy, procedures and processes and dictates the goals and expected outcomes of the project. (This works most of the time.)
What is the Bottom-Up approach?
Where security begins as a grass-roots effort when system administrators attempt to improve the security of their systems. (This seldom works.)