INSY4900 Ch01


  • 8/10/2019 INSY4900 Ch01

    1/4

    Review Questions

1. List and describe an organization's three communities of interest that engage in efforts to solve InfoSec problems. Give two or three examples of who might be in each community.

Information security professionals could include the Security Analyst, the Security Architect, and the CISO.

Information technology (IT) professionals could include the Database Administrator, the Systems Administrator, and the CIO.

The rest of the organization: professionals could include non-technical staff, such as the Director of Human Resources, the CFO, and the CEO.

2. What is the definition of Information Security (InfoSec)? It is the protection of information and its critical characteristics (confidentiality, integrity, and availability), including the systems and hardware that use, store, and transmit that information, through the application of policy, training and awareness programs, and technology. What essential protections must be in place to protect information systems from danger?

The essential protections that must be in place include physical security, personnel security, operations security, communications security, and network security.

3. What is the C.I.A. triangle? Define each of its components.

Confidentiality: only those who have been granted access (authorized people or systems) can read the information.

Integrity: the data is whole, complete, and uncorrupted; it has not been altered in an unauthorized way.

Availability: users who have been granted access can reach the data when they need it, without obstruction or interference.

Expanded to: Privacy, Identification, Authentication, Authorization, and Accountability.

4. What is the definition of "privacy" as it relates to InfoSec (information security)? Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. How is this definition of privacy different from the everyday definition? The dictionary describes privacy as the state of being free from intrusion or disturbance in one's private life or affairs. Why is this difference significant? The everyday expectation of privacy does not extend into the information security model: it does not guarantee freedom from observation, only that any data gathered will be used in an expected and declared manner.

5. What is management and what is a manager? Management is the process of achieving objectives using a given set of resources, and a manager is someone who works with and through other people by coordinating their work activities in order to accomplish organizational goals. What roles do managers play as they execute their responsibilities? Managers use different roles to accomplish objectives. In an informational role, managers collect, process, and use information. In an interpersonal role, managers work with people to achieve goals. In a decisional role, managers make choices as to the best path to take and address issues that arise, using problem-solving skills.


10. What are the three types of general planning? Define each.

Strategic planning: long-term goals, five or more years.

Tactical planning: production planning, one to five years, smaller scope than enterprise planning.

Operational planning: day-to-day operations, short-term goals.

11. List and describe the five steps of the general problem-solving process. They are: recognizing and defining the problem; gathering facts and making assumptions; developing possible solutions; analyzing and comparing possible solutions; and selecting, implementing, and evaluating a solution.

13. Why are project management skills important to the InfoSec professional?

Information security is a process, not a project. However, each element of an information security program must be managed as a project, even if the overall program is perpetually ongoing. It is essential that InfoSec professionals possess project management skills so they can identify and control the resources applied to a project, as well as measure progress and make adjustments to the process (objectives) in order to complete the goal.

14. What is a work breakdown structure (WBS) and why is it important? It is a planning tool (as simple as a spreadsheet in some cases) which breaks a project down into tasks; a WBS can further divide tasks into action steps. It is important because, for each task, it records who is assigned, the estimated effort and cost, the start and end dates, and the dependencies on other tasks, which is the information the project schedule is built from.

20. How do PERT/CPM methods help to manage a project? These two diagramming techniques are designed to identify and manage the sequence of dependent tasks (the critical path) that determines the shortest time in which the project can be completed, so the manager knows which tasks cannot slip without delaying the whole project and which tasks have slack.
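The WBS and PERT/CPM answers above describe the method in words; the following is an added example (not code from the original page) that carries it out. It takes a constructed WBS for an InfoSec policy rollout, with task names, durations and dependencies that are assumptions, and runs the CPM forward and backward passes to find the project duration, the critical path and each task's slack.

```python
"""Critical-path computation (CPM) over a small work breakdown structure.

Added example for the WBS and PERT/CPM answers above; it is not code from the
original page. The task list is a constructed WBS for an InfoSec policy
rollout; task names, durations and dependencies are assumptions.
"""
from collections import deque

# Constructed WBS: task -> (duration in working days, list of predecessor tasks)
POLICY_ROLLOUT = {
    "charter":      (2, []),
    "risk_assess":  (5, ["charter"]),
    "draft_policy": (4, ["charter"]),
    "legal_review": (3, ["draft_policy"]),
    "controls":     (6, ["risk_assess", "draft_policy"]),
    "awareness":    (3, ["legal_review"]),
    "audit":        (2, ["controls", "awareness"]),
}


def topological_order(wbs):
    """Kahn's algorithm; also rejects cyclic dependencies, which a WBS must not have."""
    indegree = {task: len(preds) for task, (_d, preds) in wbs.items()}
    successors = {task: [] for task in wbs}
    for task, (_d, preds) in wbs.items():
        for pred in preds:
            if pred not in wbs:
                raise ValueError(f"{task} depends on unknown task {pred}")
            successors[pred].append(task)
    ready = deque(t for t, n in indegree.items() if n == 0)
    order = []
    while ready:
        task = ready.popleft()
        order.append(task)
        for nxt in successors[task]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(wbs):
        raise ValueError("WBS contains a dependency cycle")
    return order, successors


def critical_path(wbs):
    """Return (project duration, critical tasks in order, slack per task).

    Forward pass computes earliest start/finish; backward pass computes latest
    start/finish. Tasks with zero slack form the critical path: any slip there
    delays the whole project, while other tasks can slip by their slack.
    """
    order, successors = topological_order(wbs)
    es, ef = {}, {}
    for task in order:
        duration, preds = wbs[task]
        es[task] = max((ef[p] for p in preds), default=0)
        ef[task] = es[task] + duration
    project_end = max(ef.values())
    ls, lf = {}, {}
    for task in reversed(order):
        duration, _ = wbs[task]
        lf[task] = min((ls[s] for s in successors[task]), default=project_end)
        ls[task] = lf[task] - duration
    slack = {task: ls[task] - es[task] for task in order}
    critical = [task for task in order if slack[task] == 0]
    return project_end, critical, slack


if __name__ == "__main__":
    end, critical, slack = critical_path(POLICY_ROLLOUT)
    print(f"shortest completion: {end} working days")
    print("critical path:", " -> ".join(critical))
    for task, s in slack.items():
        print(f"  {task:13s} slack {s} day(s)")
```

For the constructed WBS the shortest completion is 15 working days along charter, risk assessment, controls and audit; the policy drafting, legal review and awareness tasks each have one day of slack, so that is where the manager can absorb a delay without moving the finish date.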

Exercises

1. Assume that a security model is needed for the protection of information in the class you are taking--say, the information found in your course's learning management system (if your class uses one). Use the CNSS model to identify each of the 27 cells needed for complete information protection. Write a brief statement on how you would address the components represented in each of the 27 cells.

(The answer table for this exercise did not survive extraction; only these fragments remain.)

a) Personal Information

Confidentiality / Storage

Confidentiality

Scan with Microsoft Security Essentials on the PC (End User)

Delete/remove all quarantined and infected findings from the PC (End User)
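The exercise asks for all 27 cells of the CNSS (McCumber cube) model and a statement for each. The following is an added example, not part of the original page or its answer table: it enumerates the 27 cells as the product of the three axes, expands a constructed list of LMS controls (assumptions, not controls from any real course system) into the cells each one addresses, and reports the cells no control covers, which is the check a practitioner would run before writing the 27 statements.

```python
"""CNSS (McCumber cube) coverage check for a proposed set of controls.

Added example for the exercise above; it is not part of the original page.
The LMS controls listed below are constructed for illustration and are
assumptions, not controls from any real course system.
"""
from itertools import product

CHARACTERISTICS = ("confidentiality", "integrity", "availability")
STATES = ("storage", "processing", "transmission")
COUNTERMEASURES = ("policy", "education", "technology")

# The 27 cells of the model: every (characteristic, state, countermeasure) triple.
ALL_CELLS = frozenset(product(CHARACTERISTICS, STATES, COUNTERMEASURES))

# Constructed controls for a course LMS. Each entry names the control and the
# characteristics, information states and countermeasure type it addresses.
LMS_CONTROLS = [
    ("acceptable-use and data-handling policy for the LMS",
     CHARACTERISTICS, STATES, "policy"),
    ("awareness module on phishing, grade tampering and account sharing",
     ("confidentiality", "integrity"), STATES, "education"),
    ("grade database encrypted at rest with role-based access",
     ("confidentiality", "integrity"), ("storage",), "technology"),
    ("TLS for every LMS session",
     ("confidentiality", "integrity"), ("transmission",), "technology"),
    ("nightly backups and redundant hosting",
     ("availability",), ("storage", "processing"), "technology"),
    ("server-side input validation and authorization checks",
     ("confidentiality", "integrity"), ("processing",), "technology"),
]


def cells_covered(controls):
    """Expand each control into the set of cells it addresses."""
    covered = set()
    for _name, chars, states, countermeasure in controls:
        if countermeasure not in COUNTERMEASURES:
            raise ValueError(f"unknown countermeasure type: {countermeasure}")
        for char, state in product(chars, states):
            if char not in CHARACTERISTICS or state not in STATES:
                raise ValueError(f"unknown cell axis value: {char}, {state}")
            covered.add((char, state, countermeasure))
    return covered


def coverage_gaps(controls):
    """Return, sorted, the cells that no control addresses."""
    return sorted(ALL_CELLS - cells_covered(controls))


def controls_for_cell(controls, cell):
    """Names of the controls addressing one cell (the input for that cell's statement)."""
    char, state, countermeasure = cell
    return [name for name, chars, states, cm in controls
            if cm == countermeasure and char in chars and state in states]


if __name__ == "__main__":
    gaps = coverage_gaps(LMS_CONTROLS)
    print(f"{len(ALL_CELLS)} cells, {len(ALL_CELLS) - len(gaps)} covered")
    for cell in gaps:
        print("GAP:", " / ".join(cell))
```

With the constructed control list every gap falls in the availability row: nothing educates users about availability (for example, what to do during an outage), and no technology protects availability in transmission. Those are the cells that still need a statement and a control before the model is complete.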

Case Exercises

1. Based on your reading of the chapter and what you now know about the issues, list at least three other things Charley could recommend to Iris.

Try to clearly define the new CISO position with RWW.

Try to tactfully overcome resistance from IT and non-technical managers. This may be accomplished by initiating education, training, and awareness programs. If this fails, she may need to get upper management involved in the process (group meetings).

Try to develop and implement an information security policy ASAP.

2. What do you think is the most important piece of advice Charley gave to Iris? It is to gain consensus from higher management to fund the new Security Analyst position. Why? Currently, Iris is overwhelmed with the new and undefined CISO position. Also, a qualified Security Analyst would free her to work on planning strategies to develop a more secure, stable information security environment for the company.