Tech 171 quiz 1

Phases of SDLC

1. Investigation 2. Analysis 3. Logical Design 4. Physical Design 5. Implementation 6. Maintenance and Change

Phases of SecSDLC

1. Investigation 2. Analysis 3. Logical Design 4. Physical Design 5. Implementation 6. Maintenance and Change

A famous study entitled "Protection Analysis: Final Report" was published in ____.

1978

____ is the predecessor to the Internet

ARPANET

The ____________________ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems

Analysis

The ____________________ phase consists primarily of assessments of the organization, its current systems, and its capability to support the proposed systems.

Analysis

An organizational resource that is being protected is sometimes logical, such as a Web site, software information, or data. Sometimes the resource is physical, such as a person, computer system, hardware, or other tangible object. Either way, the resource is known as a(n) ___________.

Asset

____ of information is the quality or state of being genuine or original

Authenticity

____________________ enables authorized users — persons or computer systems — to access information without interference or obstruction and to receive it in the required format.

Availability

The CNSS model of information security evolved from a concept developed by the computer security industry known as the ____________________ triangle.

CIA

The ____ is the individual primarily responsible for the assessment, management, and implementation of information security in the organization

CISO

During the ____________________ War, many mainframes were brought online to accomplish more complex and sophisticated tasks so it became necessary to enable the mainframes to communicate via a less cumbersome process than mailing magnetic tapes between computer centers

Cold

A(n) _________________________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives.

Community of Interest

The history of information security begins with the history of ____________________ security.

Computer

In an organization, the value of ____________________ of information is especially high when it involves personal information about employees, customers, or patients.

Confidentiality

Which of the following is a valid type of data ownership?

Data Users, Data Owners and Data Custodians

Which of the following is a valid type of role when it comes to data ownership

Data owners, custodians, and users

An emerging methodology to integrate the effort of the development team and the operations team to improve the functionality and security of applications is known as __________.

DevOps

A server would experience a(n) __________ attack when a hacker compromises it to acquire information via a remote location using a network connection.

Direct

A(n) ____ attack is a hacker using a personal computer to break into a system

Direct

A(n) ____________________ information security policy outlines the implementation of a security program within the organization.

Enterprise

A breach of possession always results in a breach of confidentiality.

False

A champion is a project manager, who may be a departmental line manager or staff unit manager, and has expertise in project management and information security technical requirements.

False

A(n) hardware system is the entire set of people, procedures, and technology that enable business to use information.

False

An e-mail virus involves sending an e-mail message with a modified field.

False

Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction.

False

Direct attacks originate from a compromised system or resource that is malfunctioning or working under the control of a threat.

False

E-mail spoofing involves sending an e-mail message with a harmful attachment

False

Hardware is often the most valuable asset possessed by an organization, and it is the main target of intentional attacks.

False

In general, protection is "the quality or state of being secure—to be free from danger."

False

Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects

False

Information security can be an absolute.

False

Key end users should be assigned to a developmental team, known as the united application development team.

False

Network security focuses on the protection of physical items, objects, or areas from unauthorized access and misuse.

False

Network security focuses on the protection of the details of a particular operation or series of activities.

False

Policies are written instructions for accomplishing a specific task.

False

Risk evaluation is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization's security and to the information stored and processed by the organization.

False

SecOps focuses on integrating the need for the development team to provide iterative and rapid improvements to system functionality and the need for the operations team to improve security and minimize the disruption from software release cycles

False

T/F Applications systems developed within the framework of the traditional SDLC are designed to anticipate a software attack that requires some degree of application reconstruction.

False

T/F Information security can be an absolute.

False

The Analysis phase of the SDLC examines the event or plan that initiates the process and specifies the objectives, constraints, and scope of the project.

False

The Analysis phase of the SecSDLC begins with a directive from upper management

False

The Security Development Life Cycle (SDLC) is a general methodology for the design and implementation of an information system. T/F

False

The Security Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system.

False

The bottom-up approach to information security has a higher probability of success than the top-down approach

False

The bottom-up approach to information security has a higher probability of success than the top-down approach. T/F

False

The implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC).

False

The physical design is the blueprint for the desired solution

False

The physical design is the blueprint for the desired solution.

False

The possession of information is the quality or state of having value for some purpose or end

False

The possession of information is the quality or state of having value for some purpose or end.

False

The water-ski model is a type of SDLC in which each phase of the process flows from the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.

False

When a computer is the subject of an attack, it is the entity being attacked

False (Object)

MULTICS stands for Multiple Information and Computing Service.

False (multiplexed)

In file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a ____ value.

Hash

Part of the logical design phase of the SecSDLC is planning for partial or catastrophic loss. ____ dictates what steps are taken when an attack occurs.

Incident Response

The senior technology officer is typically the chief ____________________ officer.

Information

Information has ____________________ when it is whole, complete, and uncorrupted

Integrity

6 phases of SDLC Investigation

Investigation, Analysis, Logical Design, Physical Design, Implementation, Maintenance & Change

__________ was the first operating system to integrate security as one of its core functions.

MULTICS

Which of the following phases is the longest and most expensive phase of the systems development life cycle?

Maintenance and Change

Which of the following phases is often considered the longest and most expensive phase of the systems development life cycle?

Maintenance and change

A(n) ____________________ is a formal approach to solving a problem by means of a structured sequence of procedures.

Methodology

____ presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems.

NSTISSI No. 4011

The Internet brought connectivity to virtually all computers that could reach a phone line or an Internet-connected local area ____________________.

Network

A computer is the ____________________ of an attack when it is the target entity.

Object

During the early years, information security was a straightforward process composed predominantly of ____________________ security and simple document classification schemes.

Physical

____ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.

Physical

__________ security addresses the issues necessary to protect the tangible items, objects, or areas of an organization from unauthorized access and misuse.

Physical

During the ____ phase, specific technologies are selected to support the alternatives identified and evaluated in the logical design.

Physical Design

The ____________________ of information is the quality or state of ownership or control of some object or item.

Possession

A frequently overlooked component of an IS, ____________________ are written instructions for accomplishing a specific task.

Procedures

A frequently overlooked component of an information system, ____________________ are the written instructions for accomplishing a specific task

Procedures

The ____ is a methodology for the design and implementation of an information system in an organization.

SDLC

A variation of an SDLC that can be used to implement information security solutions in an organization with little or no formal security in place is the __________.

SecSDLC

Organizations are moving toward more ____-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product.

Security

People with the primary responsibility for administering the systems that house the information used by the organization perform the role of ____.

Security Administrators

The ____________________ component of the IS comprises applications, operating systems, and assorted command utilities

Software

____________________ carries the lifeblood of information through an organization.

Software

An information system is the entire set of __________, people, procedures, and networks that enable the use of information resources in the organization.

Software, Hardware, and Data

A computer is the ____ of an attack when it is used to conduct the attack.

Subject

A methodology and formal development strategy for the design and implementation of an information system is referred to as a __________.

System Development Life Cycle (SDLC)

The most successful kind of top-down approach involves a formal development strategy referred to as a ____.

Systems Development life cycle

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.

True

In the ____________________ approach, the project is initiated by upper-level managers who issue policy, procedures and processes, dictate the goals and expected outcomes, and determine accountability for each required action.

Top-Down

A breach of possession may not always result in a breach of confidentiality.

True

A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information.

True

A(n) project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas.

True

Confidentiality ensures that only those with the rights and privileges to access information are able to do so.

True

During the early years of computing, the primary threats to security were physical theft of equipment, espionage against the products of the systems, and sabotage.

True

Hardware is the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.

True

In information security, salami theft occurs when an employee steals a few pieces of information at a time, knowing that taking more would be noticed — but eventually the employee gets something complete or useable.

True

Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems, which is often referred to as a bottom-up approach

True

Of the two approaches to information security implementation, the top-down approach has a higher probability of success.

True

Recently, many states have implemented legislation making certain computer-related activities illegal.

True

T/F Using a methodology increases the probability of success

True

The investigation phase of the SDLC involves specification of the objectives, constraints, and scope of the project.

True

The investigation phase of the SecSDLC begins with a directive from upper management.

True

The primary threats to security during the early years of computers were physical theft of equipment, espionage against the products of the systems, and sabotage.

True

The roles of information security professionals are aligned with the goals and mission of the information security community of interest.

True

The value of information comes from the characteristics it possesses

True

To achieve balance — that is, to operate an information system that satisfies the user and the security professional — the security level must allow reasonable access, yet protect against threats

True

To achieve balance — that is, to operate an information system that satisfies the user and the security professional — the security level must allow reasonable access, yet protect against threats. T/F

True

To achieve balance—that is, to operate an information system that satisfies the user and the security professional—the security level must allow reasonable access, yet protect against threats.

True

Using a methodology increases the probability of success

True

When unauthorized individuals or systems can view information, confidentiality is breached. T/F

True

When unauthorized individuals or systems can view information, confidentiality is breached. _________________________

True

A type of SDLC in which each phase has results that flow into the next phase is called the __________ model

Waterfall

The ____ model consists of six general phases

Waterfall

hash value

a fingerprint of the author's message that is compared with the recipient's locally calculated hash of the same message

methodology

a formal approach to solving a problem based on a structural sequence of procedures

methodology

a formal approach to solving a problem based on a structured sequence of procedures

McCumber Cube

a graphical representation of the architectural approach widely used in computer and information security

community of interest

a group of people who are united by similar interests or values within an organization and who share a common goal of helping the organization to meet its objectives

bottom-up approach

a method of establishing security policies that begin as a grassroots effort in which systems administrators attempt to improve the security of their systems

systems development life cycle (SDLC)

a methodology for the design and implementation of an information system

security systems development life cycle (SecSDLC)

a methodology for the design and implementation of an information system. The SDLC contains different phases depending on the methodology deployed, but generally the phases address the investigation, analysis, design, implementation, and maintenance of an information system

top-down approach

a methodology of establishing security policies that is initiated by upper management

object

a passive entity in an information system that receives or contains information

operations security

a process used by an organization to deny an adversary information (generally not confidential information) about its intentions and capabilities by identifying, controlling, and protecting the organization's planning processes or operations

availability

a quality or state of information characterized by being accessible and correctly formatted for use without interference or obstruction

authenticity

a quality or state of information characterized by being genuine or original rather than reproduced or fabricated

champion

a senior executive who promotes a security project and ensures its support

exposure

a single instance of a system being open to damage

loss

a single instance of an information asset suffering damage or unintended or unauthorized modification or disclosure

project team

a small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned

security professional

a specialist in the technical and nontechnical aspect of security information

threat agent

a specific instance or component that represents a danger to an organisation's asset. Threats can be accidental or purposeful, for example lightning strikes or hackers.

security

a state of being secure and free from danger or harm. Also, the actions taken to make someone or something secure

RAND Report R-609

a study sponsored by the Department of Defense which attempted to define multiple controls and mechanisms necessary for the protection of a multilevel computer system

network security

a subset of communication security; the protection of voice and data networking components, connections, and content

exploit

a technique used to compromise a system

waterfall model

a type of SDLC in which each phase of the process "flows from" the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments

ARPANET

Advanced Research Projects Agency (ARPA) began to examine the feasibility of redundant networked communications. (The predecessor to the Internet)

salami theft

aggregation of information used with criminal intent

computer security

all action taken to preserve computer systems from losses

enterprise information security policy (EISP)

also known as the general security policy, IT security policy, or information security policy, this policy is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

attack

an act that takes advantage of a vulnerability to compromise a controlled system

subject

an active entity that interacts with an information system and causes information to move through the system for a specific purpose. Examples include individuals, technical components, and computer processes

subject of an attack

an agent entity that is used as an active tool to conduct an attack

phishing

an attempt to obtain personal or financial information using fraudulent means, usually by posing as a legitimate entity

accuracy

an attribute of information in which the data is free of error and has the value that the user expects

utility

an attribute of information that describes how data has value or usefulness for an end purpose

availability

an attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction

accuracy

an attribute of information that describes how data is free of errors and has the value that the user expects

confidentiality

an attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems

integrity

an attribute of information that describes how data is whole, complete, uncorrupted

possession

an attribute of information that describes how the data's ownership or control is legitimate or authorized

chief information officer (CIO)

an executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access of the organization's information

systems administrator

an individual responsible for administering information systems

risk assessment specialist

an individual who understands financial risk assessment techniques, the value of organization assets, and security methods

security policy developer

an individual who understands the organizational culture, existing policies, and requirements for developing and implementing security policies

threat

an object, person, or other entity that represents a constant danger to an asset

Implementation Phase (SDLC)

any needed software, hardware, or components are purchased, received, and tested

software (IS component)

applications, OS, and command utilities. Most difficult to secure

investigation phase (SecSDLC)

begins with a directive from upper management, dictating the processing, outcomes, and goals of the project, as well as the constraints placed on the activity.

In an organization, the value of ____________________ of information is especially high when it involves personal information about employees, customers, or patients.

confidentiality

Analysis phase (SDLC)

consists primarily of assessments of the organization, its current systems, and its capability to support the

Logical design (SecSDLC)

develops the blueprint for security. Examines and implements key policies. Develops incident response plan

Analysis (SecSDLC)

documents from the investigation phase are studied, existing security is examined, threats are documented, and existing controls are assessed

MULTICS

first operating system created with security as its primary goal

team leader

for information security, a project manager who understands project management, personnel management, and technical requirements

CIA triangle

industry standard for computer security since the development of the mainframe with three characteristics: confidentiality, integrity, and availability

The protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology is known as ___________.

Information security

maintenance and change phase (SDLC)

longest and most expensive phase. Consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle

maintenance and change phase (SecSDLC)

longest and most important phase. Adapt the security plan to new and evolving threats to maintain security

the protection of all communications media, technology, and content is known as ___________. communications

media

file hashing

method for ensuring information validity. Involves a file being read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value

data custodians

people who are responsible for storage, maintenance, and protection of information

data owners

people who own the information and thus determine the level of classification for their data and approve its access authorization

data user

people who work with the information to perform their daily jobs and support the mission of the organization

During the __________ phase, specific technologies are selected to support the alternatives identified and evaluated in the prior phases.

physical design

communication security

protection of all communication media, technology, and content

information security

protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission, via the application of policy, education, training and awareness, and technology

community security

securing information in transit using tools such as cryptographic systems, as well as its associated media and technology

Organizations are moving toward more __________-focused development approaches, seeking to improve not only the functionality of the systems they have in place, but consumer confidence in their product

security

implementation phase (SecSDLC)

security solutions are acquired, tested, implemented, and tested again

physical design (SDLC)

specific technologies are selected to support the alternatives identified and evaluated in the logical design phase

end user

synonymous with data user. An individual who uses computer applications for his daily work.

security posture

synonymous with protection profile. The implementation of an organisation's security policies, procedure, and programs

control

synonymous with safeguard and countermeasure. A security mechanism, policy, or procedure that can counter system attack, reduce risks, and resolve vulnerabilities

A methodology for the design and implementation of an information system that is a formal development strategy is referred to as a __________.

systems development life cycle

physical design phase (SecSDLC)

technologies are chosen to support the blueprint from the logical design phase. Plan is presented to all involved parties

access

the ability to use, manipulate, modify, or affect an object

components of information systems (IS)

the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organization

c.i.a. triangle

the industry standard for computer security since the development of the mainframe. It is based on three characteristics that describe the utility of information: confidentiality, integrity, and availability.

logical design phase (SDLC)

the information gained from the analysis phase is used to begin creating a solution system for a business problem

object of an attack

the object or entity being attacked

asset

the organizational resource that is being protected. An asset can be logical, such as a web site or information or other tangible object

Investigation phase (SDLC)

the phase is used to outline the scope and goals of implementing a security system. It will also cover the budget, time frames, and feasibility of the system

risk

the probability that something can happen

e-mail spoofing

the process of sending an email with a modified field. The modified field is often the address of the originator

information security

the protection of information and the systems and hardware that use, store, and transmit that information

physical security

the protection of physical items, objects, or areas from unauthorized access and misuse

possession

the quality or state of having ownership or control of some object or item

Risk Appetite & Risk Tolerance

the quantity and nature of risk that organizations are willing to accept

organizational culture

the specific social and political atmosphere within a given organization that determines the organization's procedures and policies and willingness to adapt to changes

security

to be protected from adversaries, from those who would do harm, intentionally or otherwise

personnel security

to protect the individuals or groups of individuals who are authorized to access the organization and its operations.

chief information security officer (CISO)

typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO

vulnerability

weakness in a controlled system, where controls are not present or no longer effective

procedures

written instructions for accomplishing a specific task

