Assurance, Security and Prvy - Chapter 1

Information security is a concept that predates modern computers

Information security is a concept that came along with modern computers

People encrypted messages well before any computer was created

Encrypted messages is a new invention that can be only be done on computers.

Caesar Cipher is an example of ______

Enigma was a critical component in WWII

Enigma was a PC component that was invented in WWI

ARPA stands for...

Redundant networked communications

Security issues were identified in ARPAnet

No issue was identified in ARPAnet

First operating system created with security as its primary goal was a system called ______

More computers lead to the need for more networks of computers

More computers lead to the need for less networks of computers

Internet became first global network of networks

Intranet became second global network of networks

In early Internet days, security was treated as low priority

In early Internet days, security was treated as high priority

More connectivity means bigger need for security

More connectivity means smaller need for security

The quality or state of being secure—to be free from danger

______ involves the protection of information and its critical elements, including systems and hardware that use, store, and transmit that information.

What are the necessary tools for the implementation of security?

A successful organization should have multiple layers of security in place.

A successful organization should have only one layer of security in place

A successful organization should have multiple layers of security in place:

______ was standard based on confidentiality, integrity, and availability

______ now expanded into list of critical characteristics of information

What does C.I.A stand for?

Enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.

Free from mistake or error and having the value that the end user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

The quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

The quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

The quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

The quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end user, it is not useful.

The quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.

What are the components of information system?

What are the components of information system?

Which one is the subject of attack?

Which one is the object of attack?

More security means less functionality and usability.

More security means more functionality and usability.

What are the two kinds of approaches to Information Security Implementation?

Grassroots effort: systems administrators attempt to improve security of their systems

Key advantage: technical expertise of individual administrators

Seldom works, as it lacks a number of critical features, such as participant support and organizational staying power.

What are the two critical features that Bottom-up approach lacks?

Which approach has higher chance of success?

Initiated by upper management

Issue policy, procedures, and processes

Dictate goals and expected outcomes of project

Determine accountability for each required action

The most successful top-down approach also involves a formal development strategy referred to as a ______

______ is methodology for design and implementation of information system within an organization

What are the stages of SDLC? (In-order)

The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS security project

The same phases used in traditional SDLC may not be adapted to support specialized implementation of an IS security project, as IS security projects tend to be more complicated and more advanced than civilian projects.

Identification of specific threats and creating controls to counter them

______ is a coherent program rather than a series of random, seemingly unconnected actions

Planning: What problem is the system being developed to solve?

Planning: What security issues do we face?

Planning: Objectives, constraints, and scope of project are specified

Planning: Identifies process, outcomes, goals, and constraints of the project

Planning: Involves a feasibility study

Planning: Begins with high-level Enterprise Information Security Policy (EISP

Analysis: Consists of analysing business needs and requirements

Analysis: Involves describing what the system does

Analysis: Ends with a requirements document

Analysis: Analysis of existing security policies or programs, along with documented current threats and associated controls

Analysis: Includes analysis of relevant legal issues that could impact design of the security solution

Analysis: Risk management begins

Design: The start of the “solution” for the identified problem (A logical solution/design)

Design: Moves into a technical description of “how” the solution will be implemented

Design: Produces a design specifications document

Design: Creates and develops blueprints for information security (logical)

Design: Includes contingency planning (IRP, DRP, BCP)

Design: Needed security technology is evaluated, alternatives are generated, and final design is selected (physical)

Implementation: Software is created; components are ordered, received, assembled, and tested

Implementation: Users trained and documentation created

Implementation: Security solutions are acquired, tested, implemented, and tested again

Implementation: Personnel issues evaluated; specific training and education programs conducted

Implementation: Entire tested package is presented to management for final approval

Maintenance: Consists of tasks necessary to support and modify system for remainder of its useful life

Maintenance: Perhaps the most important phase, given the ever-changing threat environment

Maintenance: As threats evolve, we must adapt and evolve as well

It takes a wide range of professionals to support a diverse information security program.

It does not take a wide range of professionals to support a diverse information security program.

To develop and execute specific security policies and procedures ______ is required.

Senior technology officer

Primarily responsible for advising senior executives on strategic planning

Primarily responsible for assessment, management, and implementation of IS in the organization

A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.

A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.

Individuals who understand the organizational culture, policies, and requirements for developing and implementing successful policies.

Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.

Dedicated, trained, and well-educated specialists in all aspects of information security from both technical and nontechnical standpoints.

Individuals with the primary responsibility for administering the systems that house the information used by the organization.

Those the new system will most directly impact. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.

Responsible for the security and use of a particular set of information.

Responsible for storage, maintenance, and protection of information

End users who work with information to perform their daily jobs supporting the mission of the organization