CP3302 - Chap1


What are the 7 members that the information security project team consists of?

1) Champion 2) Team Leader 3) Security policy developers 4) Risk assessment specialists 5) Security professionals 6) Systems administrators 7) End Users

Who does senior management usually consist of?

1) Chief Information Officer 2) Chief Information Security Officer

Which SecSDLC phase identifies information assets?

Analysis

______ security addresses the protection of individuals or groups authorized to access an organization. (a) Public (b) Personnel (c) Physical (d) Personal

b

________ examines the behavior of individuals as they interact with systems, whether societal systems or information systems. (a) Community science (b) Social science (c) Societal science (d) Interaction management

b

When projects are initiated at the highest levels of an organization and then pushed to all levels, they are said to follow a(n) approach. (a) executive led (b) trickle down (c) top-down (d) bottom-up

c

In regard to critical characteristics of information, a breach of confidentiality always results in a breach of: (a) availability. (b) accuracy. (c) authenticity (d) integrity (e) possession

e

What is the relationship between the MULTICS project and early development of computer security?

It was the first operating system with security as a main feature.

When a computer is used as an active tool to conduct an attack on another information asset, that computer is then considered ______.

the Subject of an attack

When a computer is the information asset that is being attacked, it is considered ______.

the object

Name two fundamental problems with ARPANET security.

1) No safety for dial-up connections. 2) Nonexistent user identification and authorization.

What are the 6 Multiple layers of security an organisation should have in place?

1) Physical security 2) Personnel security 3) Operations security 4) Communications security 5) Network security 6) Information security

What tools are used to protect information and its related systems from danger?

1) Policy 2) Awareness 3) Training 4) Education 5) Technology

How should security/information security be considered?

A balance between protection and availability. To achieve balance, the level of security must allow reasonable access, yet protect against threats.

What is the difference between a threat agent and a threat?

A threat is an ongoing danger to an asset, whereas a threat agent is the actual object carrying out the attack on the asset. A threat could be hacking, whereas a threat agent would be a particular hacker or a group of hackers.

What is the difference between vulnerability and exposure?

A vulnerability is a flaw or weakness in an existing controlled system. Exposure is when a threat agent becomes aware of a vulnerability, which can lead to it being exploited. A vulnerability could be a software bug or a door lock which is eas. Exposure could be an unauthorised person knowing a password or a lock-breaking tool.

How can the practice of information security be described as both an art and a science? How does security as a social science influence its practice?

Art - because there are no hard and fast rules, especially with users and policy. Science - because software is developed by computer scientists and engineers; faults are a precise interaction of hardware and software that can be fixed given enough time.

If information has a state of being genuine or original and is not a fabrication, it has the characteristic of _______.

Authenticity

Describe the critical characteristics of information. How are they used in the study of computer security?

Availability - authorised users can easily access the information.
Accuracy - free from mistakes or errors.
Authenticity - the data is genuine and original and not a fabrication.
Confidentiality - preventing disclosure (making a secret known) to unauthorised people.
Integrity - the data is whole, complete and uncorrupted.
Utility - the information provides value to a user.
Possession - the individual has ownership or control of the information.

How has computer security evolved into modern information security?

Before ARPANET, computer security was physical. Nowadays, with IP networks, people can gain access to data over a network. Physical security is just one part of computer security.

A senior executive who promotes an information security project and ensures its support, both financially and administratively, at the highest levels of the organization is called a(n) ______.

Champion

What is the security that encompasses the protection of an organization's communications media, technology, and content?

Communications security

What type of security was dominant in the early years of computing?

Computer security - The focus is on the physical protection of hardware. Before computers were networked, there were protection mechanisms such as locking doors and physical security policies.

The characteristic of information that deals with preventing disclosure is ______.

Confidentiality

What are the three components of the CIA triangle? What are they used for?

Confidentiality - making sure only authorised people have access to the data or information.
Integrity - ensuring that the information is in its original state and cannot be edited or deleted by unauthorised users.
Accessibility - ensuring that authorised people can access the information without hassle, and that the data is presented to the user in an easy-to-interpret format which adds value for the user and can be used in a meaningful way.

True or False: Personnel security addresses the issues needed to protect items, objects, or areas.

False

True or False: With the level of complexity in today's information systems, the implementation of information security has often been described as a combination of art and technology.

False

Identify the six components of an information system. Which are most directly impacted by the study of computer security? Which are most commonly associated with this study?

Hardware
Software - commonly has software errors in it
Personnel - need training, awareness and education
Networks
Data
Procedures - the instructions to complete a specific task; they may expose vulnerabilities in the system.

Why is the top-down approach to information security superior to the bottom-up approach?

Has funding, access to resources, better organisation and the staying power to see the job through.

Why is a methodology important in the implementation of information security? How does a methodology improve the process?

It is a tried and tested method which has been proven to deliver results.

If the C.I.A. Triangle is incomplete, why is it so commonly used in security?

It is still used because the three items are still the core of information security. There are additional items that now make up a more advanced information security system.

What is Computer security?

It is the protection of physical assets against physical theft, espionage and sabotage.

What was important about Rand Report R-609?

It was the first widely published report to discuss the importance of management and policy in computer security.

What was the name of the now obsolete operating system designed for security objectives?

MULTICS

What system is the father of almost all modern multiuser systems?

Mainframe computer systems. These were not connected via a data network.

Which SecSDLC phase keeps the security systems in a high state of readiness?

Maintenance and Change

What does MULTICS stand for?

Multiplexed Information and Computing Service

What is the security that addresses the protection of individuals or groups authorized to access an organization?

Personnel security

What are the 6 phases in the SecSDLC?

Phase 1) Investigation Phase 2) Analysis Phase 3) Logical Design Phase 4) Physical Design Phase 5) Implementation Phase 6) Maintenance and Change

What is the security that addresses the issues needed to protect items, objects, or areas?

Physical security

Name three primary threats to security of computers.

Physical threats, espionage and sabotage

Ownership or control of information is called the characteristic of _______.

Possession

What is computer security?

Protection of physical locations, hardware, and software of computers from outside threats.

Which paper is the foundation of all subsequent studies of computer security?

Rand Report R-609

When did Computer security come about?

Right after the first mainframes were developed (WW2 and code-breaking machines).

Who should lead a security team? Should the approach to security be more managerial or technical?

Security professionals/experts should lead the team. The approach to security should be more managerial, because managers can make and implement better decisions compared to technology.

Which members of an organization are involved in the security system development life cycle? Who leads the process?

Senior management, the CIO, the security project team and the data team. Security experts lead the process.

A formal approach to solving a problem based on a structured sequence of procedures is called a(n) ________ .

System Development Life Cycle (SDLC) methodology

What is the most successful top-down approach called/formal development strategy?

Systems Development Life Cycle

Who is ultimately responsible for the security of information in the organization?

The Chief Information Security Officer (CISO)

Who is the person responsible for the storage, maintenance, and protection of the information?

The data custodian

Who is the person responsible for the security and use of a particular set of information?

The data owner

Who decides how and when data in an organization will be used and or controlled? Who is responsible for seeing these wishes are carried out?

The data owners are responsible; typically senior management. Data workers typically just use the data, and data custodians are responsible for maintaining/storing the data.

What is the definition of Security?

The quality of being free from danger

True or False: Information security programs that begin at a grassroots level by system administrators to improve security are often called a bottom-up approach.

True

What is the Top-Down approach?

When upper management issues policy, procedures and processes, and dictates the goals and expected outcomes of the project. (Works most of the time.)

What is the Bottom-Up approach?

Where security begins as a grassroots effort when system administrators attempt to improve the security of their systems. (This seldom works.)
