Discuss the different types of management approaches, and what type of management would work best for your organization or university.
Module 1 discussion
Discuss the different types of management approaches, and what type of management would work best for your organization or university. Justify your answer.

Module 2 discussion
Research different disaster response plans of major organizations that have had to respond to fairly recent disasters. Discuss the results of the organization's recovery efforts.

Module 3 discussion
Discuss possible ways to influence and motivate employees within an organization in regard to information security.

Module 4 discussion
Discuss various security architectures. Which provides the best balance between simplicity and security? Justify your answer.

Module 5 discussion
Discuss how threat identification should be performed within your organization or university. Should every threat be planned for? Why or why not?

Module 6 discussion
Discuss some of the cryptosystems that have been used to secure email. In your opinion, what are some of the biggest challenges in securing Web activity? Why?

Module 7 discussion
Discuss the application of ethics in the workplace. How do you enforce ethics in the workplace? Give examples.

Module 8 discussion
Do you feel that information systems to fight terrorism should be developed and used even if they infringe on privacy rights or violate the Privacy Act of 1974 and other such statutes? Post your question in the Module 8 Discussion Board no later than Thursday 11:59 PM EST/EDT. Respond to at least two questions posted by your fellow students no later than Sunday 11:59 PM EST/EDT.

Module 1
Ch-1 Ex 1. Assume that a security model is needed to protect information used in the class you are taking, say, the information in your course's learning management system. Use the CNSS model to identify each of the 27 cells needed for complete information protection. Write a brief statement that explains how you would address the components represented in each of the 27 cells.
Ex 2. Consider the information stored in your personal computer. Do you currently have information stored in your computer that is critical to your personal life? If that information became compromised or lost, what effect would it have on you?
Ex 4. Search the Web for "The Official Phreaker's Manual." What information in this manual might help a security administrator to protect a communications system?

Module 2
Chapter 3, Exercises 1, 2, and 3 in the Management of Information Security textbook
Chapter 10, Exercises 3 and 4 in the Management of Information Security textbook

Module 3
Ch-4 Ex 2. Search your institution's intranet or Web site for its security policies. Do you find an enterprise security policy? What issue-specific security policies can you locate? Are all of these policies issued or coordinated by the same individual or office, or are they scattered throughout the institution?
Ex 3. Using the framework presented in this chapter, evaluate the comprehensiveness of each policy you located in Exercise 2. Which areas are missing?
Ex 4. Using the framework presented in this chapter, draft a sample issue-specific security policy for an organization. At the beginning of your document, describe the organization for which you are creating the policy and then complete the policy using the framework.
Ch-5 Ex 1. Search the term "security awareness" on the Internet. Choose two or three sites that offer materials and services and describe what they offer.
Ex 2. Choose one of the Web sites you found in Exercise 1 that you think might work for a security awareness program at your institution. Write a short essay about how you would go about getting that awareness material or service into place on your campus.
Ex 6. Draft a work breakdown structure for the task of implementing and using a PC-based virus detection program (one that is not centrally managed). Don't forget to include tasks to remove or quarantine any malware it finds.

Module 4
Ch-8 Ex 2. Compare the ISO/IEC 27001 outline with the NIST documents discussed in this chapter. Which areas, if any, are missing from the NIST documents? Identify the strengths and weaknesses of the NIST programs compared to the ISO standard.
Ex 3. Search the Internet for the term "security best practices." Compare your findings to the recommended practices outlined in the NIST documents.
Ex 4. Search the Internet for the term "data classification model." Identify two such models and then compare and contrast the categories those models use for the various levels of classification.
Ch-9 Ex 2. Visit the NIST Federal Agency Security Practices Web site at csrc.nist.gov/groups/SMA/fasp/index.html. Review some of the listed FASPs and identify five drawbacks to adopting the recommended practices for a typical business.
Ex 4. Download and review "NIST SP 800-55, Rev. 1: Performance Measurement Guide for Information Security." Using this document, identify five measures you would be interested in finding the results from based on your home computing systems and/or network.
Ex 5. Using the template provided in Table 9-2, develop documentation for one of the performance measurements you selected in Exercise 4.

Module 5
Chapter 6, Exercises 1, 2, and 5 in the Management of Information Security textbook
Chapter 7, Exercises 1, 3, and 4 in the Management of Information Security textbook

Module 6
Ch-11 Ex 3. Using the Internet, search for three different employee hiring and termination policies. Review each and look carefully for inconsistencies. Does each have a section addressing the requirements for the security of information? What clauses should a termination policy contain to prevent disclosure of the organization's information? Create your own variant of either a hiring or termination policy.
Ex 5. Using the description given in this chapter, write a job description for Iris's new position, which is described in the following case scenario. What qualifications and responsibilities should be associated with this position? (Closing case on pages 515-516.)
Ch-12 Ex 1. Create a spreadsheet that takes eight values that a user inputs into eight different cells. Then create a row that transposes the cells to simulate a transposition cipher, using the example transposition cipher from the text. Remember to work from right to left, with the pattern 1 > 3, 2 > 6, 3 > 8, 4 > 1, 5 > 4, 6 > 7, 7 > 5, 8 > 2, where 1 is the rightmost of the eight cells. Input the text ABCDEFGH as single characters into the first row of cells. What is displayed?
Ex 3. Go to the Web site of VeriSign, one of the market leaders in digital certificates. Determine whether VeriSign serves as a registration authority, certificate authority, or both. Download its free guide to PKI and summarize VeriSign's services.
Ex 4. Go to csrc.nist.gov and locate "Federal Information Processing Standard (FIPS) 197." What encryption standard does this publication address? Examine the contents of this publication and describe the algorithm discussed. How strong is it? How does it encrypt plaintext?
Ex 5. Search the Internet for vendors of biometric products. Find one vendor with a product designed to examine each characteristic mentioned in Figure 12-4. What is the crossover error rate (CER) associated with each product? Which would be more acceptable to users? Which would be preferred by security administrators?

Module 7
Ch-2 Ex 3. Using resources available in your library, find out what laws your state has passed to prosecute computer crime.
Ex 5. Consider each ethical scenario presented in this chapter and note your response. Bring your answers to class to compare them with those of your peers.
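The transposition in Ch-12 Exercise 1 can be checked without a spreadsheet. The Python below is an added example written for this page, not code from the textbook: it assumes the eight cells are numbered 1..8 from the right (1 = rightmost) and that a pattern entry "i > j" means the value in cell i moves to cell j. It generalizes the exercise to any block size, validates that the key really is a permutation (otherwise two inputs collide in one cell and the ciphertext cannot be decrypted), and derives the decryption key by inverting the pattern.

```python
# Added example for Ch-12 Exercise 1 (not code from the textbook or the page).
# Assumptions: cells are numbered 1..n from the RIGHT (1 = rightmost), and the
# pattern entry "i > j" means the value in cell i moves to cell j.

# The exercise's pattern: 1 > 3, 2 > 6, 3 > 8, 4 > 1, 5 > 4, 6 > 7, 7 > 5, 8 > 2
PATTERN = {1: 3, 2: 6, 3: 8, 4: 1, 5: 4, 6: 7, 7: 5, 8: 2}


def check_pattern(pattern):
    """A transposition key must be a permutation: every cell 1..n appears
    exactly once as a source and exactly once as a destination. Otherwise two
    inputs would land in the same cell and decryption would be impossible.
    Returns the block size n."""
    n = len(pattern)
    cells = set(range(1, n + 1))
    if set(pattern) != cells or set(pattern.values()) != cells:
        raise ValueError("pattern is not a permutation of 1..%d" % n)
    return n


def transpose(block, pattern=PATTERN):
    """Apply the pattern to one block. Cell i (counted from the right) is
    block[n - i], so a move i -> j copies block[n - i] into out[n - j]."""
    n = check_pattern(pattern)
    if len(block) != n:
        raise ValueError("block must be exactly %d characters" % n)
    out = [None] * n
    for src, dst in pattern.items():
        out[n - dst] = block[n - src]
    return "".join(out)


def invert(pattern):
    """Decryption key: swap every source with its destination."""
    return {dst: src for src, dst in pattern.items()}


def encrypt(text, pattern=PATTERN, pad="X"):
    """Encrypt a message block by block, padding the last block so every
    block is a full n characters (the receiver strips the padding)."""
    n = check_pattern(pattern)
    if len(text) % n:
        text += pad * (n - len(text) % n)
    return "".join(transpose(text[i:i + n], pattern)
                   for i in range(0, len(text), n))


def decrypt(ciphertext, pattern=PATTERN):
    """Undo encrypt() by applying the inverted pattern to each block."""
    return encrypt(ciphertext, invert(pattern))


if __name__ == "__main__":
    print(transpose("ABCDEFGH"))             # FCGBDHAE
    print(decrypt(encrypt("ATTACKATDAWN")))  # ATTACKATDAWNXXXX
```

Two properties worth noticing when you run it: with eight cells there are only 8! = 40,320 possible keys, so the key space can be searched exhaustively, and a transposition never changes which letters appear, only where they sit, so the letter frequencies of the plaintext survive intact in the ciphertext.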
Plus Closing Case (all discussion questions)

Module 1 Summary paper
Using sources such as the Internet, newspaper, magazine, journal, or Saint Leo online library resources, find a recent article (less than six months old) on a cyber attack or on an information security breach. Submit at least a 1,000-word summary of the article. Describe the issue and cause, and give recommendations for how such an incident can be prevented in the future. The source of the article must be cited following APA format. Submit your paper to the Summary Paper Assignment box no later than Sunday 11:59 PM EST/EDT. (This Assignment box may be linked to Turnitin.)

Module 7 Security Assessment Project
COM 510 – Management of Information Security
Carry out a security self-assessment of an organization: your current or previous employer, or your own organization. You must seek permission from the individual responsible for the information security of that organization. You may use any NIST Special Publications (e.g. SP 800-171, SP 1800), or any other national framework, to assist in your report.
Report: Write a report based on the self-assessment of the organization. It should be 5-7 pages long, 12-point character size, double line spacing, with 1" margins on all sides. It is recommended that you do not use the actual name of the organization in the report; use a title such as "ABC, Inc." Your report should include a brief description of the organization, the nature of the business, analysis of the results, and recommendations for improvement in the form of an action plan.
Deliverables: A single Word document. Submit your project to the Security Assessment Dropbox no later than 11:59 PM Sunday.

Midterm exam

Question 1
The macro virus infects the key operating system files located in a computer's start-up sector.
Options:
  True
  False

Question 2
Which function of InfoSec Management encompasses security personnel as well as aspects of the SETA program?
Options:
  Projects
  Policy
  Protection
  People

Question 3
Which of the following is NOT a primary function of Information Security Management?
Options:
  Projects
  Performance
  Planning
  Protection

Question 4
According to the C.I.A. triad, which of the following is a desirable characteristic for computer security?
Options:
  Authentication
  Authorization
  Availability
  Accountability

Question 5
Which of the following is NOT a step in the problem-solving process?
Options:
  Gather facts and make assumptions
  Select, implement and evaluate a solution
  Analyze and compare possible solutions
  Build support among management for the candidate solution

Question 6
A worm may be able to deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected.
Options:
  True
  False

Question 7
"Shoulder spying" is used in public or semi-public settings when individuals gather information they are not authorized to have by looking over another individual's shoulder or viewing the information from a distance.
Options:
  True
  False

Question 8
As frustrating as viruses and worms are, perhaps more time and money is spent on resolving virus __________.
Options:
  hoaxes
  polymorphisms
  false alarms
  urban legends

Question 9
The first step in solving problems is to gather facts and make assumptions.
Options:
  True
  False

Question 10
Blackmail threat of informational disclosure is an example of which threat category?
Options:
  Compromises of intellectual property
  Espionage or trespass
  Information extortion
  Sabotage or vandalism

Question 11
Which of the following is the best example of a rapid-onset disaster?
Options:
  Famine
  Environmental degradation
  Flood
  Pest infestation

Question 12
Which type of document grants formal permission for an investigation to occur?
Options:
  Forensic concurrence
  Affidavit
  Evidentiary report
  Search warrant

Question 13
In which contingency plan testing strategy do individuals participate in a role-playing exercise in which the CP team is presented with a scenario of an actual incident or disaster and expected to react as if it had occurred?
Options:
  Structured walk-through
  Desk check
  Parallel testing
  Simulation

Question 14
ISO 27014:2013 is the ISO 27000 series standard for __________.
Options:
  information security management
  policy management
  governance of information security
  risk management

Question 15
Which document must be changed when evidence changes hands or is stored?
Options:
  Affidavit
  Search warrant
  Evidentiary material
  Chain of custody

Question 16
Which of the following allows investigators to determine what happened by examining the results of an event (criminal, natural, intentional, or accidental)?
Options:
  Forensics
  E-discovery
  Digital malfeasance
  Evidentiary procedures

Question 17
Individuals who control, and are therefore responsible for, the security and use of a particular set of information are known as __________.
Options:
  data users
  data generators
  data owners
  data custodians

Question 18
What is the final stage of the business impact analysis when using the NIST SP 800-34 approach?
Options:
  Identify resource requirements
  Identify recovery priorities for system resources
  Determine mission/business processes and recovery criticality
  Identify business processes

Question 19
Which level of planning breaks down each applicable strategic goal into a series of incremental objectives?
Options:
  Operational
  Strategic
  Organizational
  Tactical

Question 20
Which of the following has the main goal of restoring normal modes of operation with minimal cost and disruption to normal business activities after an adverse event?
Options:
  Risk management
  Contingency planning
  Disaster readiness
  Business response

Question 21
Which of the following are instructional codes that guide the execution of the system when information
Options:
  configuration rules
  user profiles
  access control lists
  capability tables

Question 22
A detailed outline of the scope of the policy development project is created during which phase of the SecSDLC?
Options:
  Analysis
  Implementation
  Design
  Investigation

Question 23
In addition to specifying the penalties for unacceptable behavior, what else must a policy specify?
Options:
  The proper operation of equipment
  What must be done to comply
  Legal recourse
  Appeals process

Question 24
Which of the following is NOT a step in the process of implementing training?
Options:
  Motivate management and employees
  Administer the program
  Identify target audiences
  Hire expert consultants

Question 25
Which of the following is an element of the enterprise information security policy?
Options:
  Information on the structure of the InfoSec organization
  Access control lists
  Articulation of the organization's SDLC methodology
  Indemnification of the organization against liability

Question 26
Which of the following is the most cost-effective method for disseminating security information and news to employees?
Options:
  Security-themed Web site
  Distance learning seminars
  Conference calls
  Security newsletter

Question 27
Which of the following is NOT among the three types of InfoSec policies based on NIST's Special Publication 800-14?
Options:
  Enterprise information security policy
  User-specific security policies
  System-specific security policies
  Issue-specific security policies

Question 28
Which of the following would be responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems?
Options:
  A security analyst
  The security manager
  A security technician
  A security consultant

Question 29
Which policy is the highest level of policy and is usually created first?
Options:
  USSP
  ISSP
  EISP
  SysSP

Question 30
Which of the following is NOT among the functions typically performed within the InfoSec department as a compliance enforcement obligation?
Options:
  Centralized authentication
  Policy
  Risk management
  Compliance/audit

Question 31
Which of the following is the primary purpose of ISO/IEC 27001:2005?
Options:
  Use within an organization to ensure compliance with laws and regulations
  Use within an organization to formulate security requirements and objectives
  Implementation of business-enabling information security
  To enable organizations that adopt it to obtain certification

Question 32
Which security architecture model is part of a larger series of standards collectively referred to as the "Rainbow Series"?
Options:
  Bell-LaPadula
  ITSEC
  TCSEC
  Common Criteria

Question 33
Under the Common Criteria, which term describes the user-generated specifications for security requirements?
Options:
  Security Functional Requirements (SFRs)
  Security Target (ST)
  Protection Profile (PP)
  Target of Evaluation (ToE)

Question 34
Which type of access controls can be role-based or task-based?
Options:
  Nondiscretionary
  Constrained
  Discretionary
  Content-dependent

Question 35
Which access control principle specifies that no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary?
Options:
  Need-to-know
  Separation of duties
  Eyes only
  Least privilege

Question 36
The InfoSec measurement development process recommended by NIST is divided into two major activities. Which of the following is one of them?
Options:
  Identification and definition of the current InfoSec program
  Regularly monitor and test networks
  Compare organizational practices against organizations of similar characteristics
  Maintain a vulnerability management program

Question 37
Which piece of the Trusted Computing Base's security system manages access controls?
Options:
  Trusted computing base
  Verification module
  Covert channel
  Reference monitor

Question 38
Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
Options:
  Legal liability
  Baselining
  Certification revocation
  Competitive disadvantage

Question 39
Which access control principle limits a user's access to the specific information required to perform the currently assigned task?
Options:
  Need-to-know
  Eyes only
  Least privilege
  Separation of duties

Question 40
Which of the following specifies the authorization classification of information asset an individual user is permitted to access, subject to the need-to-know principle?
Options:
  Task-based access controls
  Discretionary access controls
  Sensitivity levels
  Security clearances

Final exam

Question 1
What should you be armed with to adequately assess potential weaknesses in each information asset?
Options:
  Intellectual property assessment
  Properly classified inventory
  List of known threats
  Audited accounting spreadsheet

Question 2
Which of the following is a network device attribute that may be used in conjunction with DHCP, making asset identification using this attribute difficult?
Options:
  IP address
  Part number
  MAC address
  Serial number

Question 3
Which of the following is NOT a valid rule of thumb on risk control strategy selection?
Options:
  When the attacker's potential gain is less than the costs of attack: Apply protections to decrease the attacker's cost or reduce the attacker's gain, by using technical or operational controls.
  When a vulnerability can be exploited: Apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent the occurrence of an attack.
  When the potential loss is substantial: Apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss.
  When a vulnerability exists: Implement security controls to reduce the likelihood of a vulnerability being exploited.

Question 4
By multiplying the asset value by the exposure factor, you can calculate which of the following?
Options:
  Value to adversaries
  Annualized cost of the safeguard
  Annualized loss expectancy
  Single loss expectancy

Question 5
The Microsoft Risk Management Approach includes four phases. Which of the following is NOT one of them?
Options:
  Implementing controls
  Evaluating alternative strategies
  Conducting decision support
  Measuring program effectiveness

Question 6
What does FAIR rely on to build the risk management framework that is unlike many other risk management frameworks?
Options:
  Qualitative assessment of many risk components
  Quantitative valuation of safeguards
  Subjective prioritization of controls
  Risk analysis estimates

Question 7
Which of the following affects the cost of a control?
Options:
  Maintenance
  Liability insurance
  CBA report
  Asset resale

Question 8
Strategies to limit losses before and during a realized adverse event are covered by which of the following plans in the mitigation control approach?
Options:
  Disaster recovery plan
  Business continuity plan
  Damage control plan
  Incident response plan

Question 9
The identification and assessment of levels of risk in an organization describes which of the following?
Options:
  Risk reduction
  Risk management
  Risk identification
  Risk analysis

Question 10
Determining the cost of recovery from an attack is one calculation that must be made to identify risk. What is another?
Options:
  Cost of prevention
  Cost of identification
  Cost of litigation
  Cost of detection

Question 11
Which of the following provides an identification card of sorts to clients who request services in a Kerberos system?
Options:
  Ticket Granting Service
  Authentication Server
  Authentication Client
  Key Distribution Center

Question 12
Which of the following is a commonly used criterion for comparing and evaluating biometric technologies?
Options:
  False accept rate
  False reject rate
  Crossover error rate
  Valid accept rate

Question 13
To move the InfoSec discipline forward, organizations should take all but which of the following steps?
Options:
  Learn more about the requirements and qualifications for InfoSec and IT positions
  Learn more about InfoSec budgetary and personnel needs
  Insist all mid-level and upper-level management take introductory InfoSec courses
  Grant the InfoSec function an appropriate level of influence and prestige

Question 14
Which of the following InfoSec positions is responsible for the day-to-day operation of the InfoSec program?
Options:
  Security technician
  Security officer
  Security manager
  CISO

Question 15
The intermediate area between trusted and untrusted networks is referred to as which of the following?
Options:
  Demilitarized zone
  Unfiltered area
  Proxy zone
  Semi-trusted area

Question 16
Which technology has two modes of operation: transport and tunnel?
Options:
  Secure Sockets Layer
  Secure Hypertext Transfer Protocol
  Secure Shell
  IP Security

Question 17
Which of the following is NOT a typical task performed by the security technician?
Options:
  Develop security policy
  Coordinate with systems and network administrators
  Configure firewalls and IDPSs
  Implement advanced security appliances

Question 18
Temporary hires called contract employees (or simply contractors) should not be allowed to do what?
Options:
  Work on the premises
  Wander freely in and out of buildings
  Be compensated by the organization based on hourly rates
  Visit the facility without specific, prior coordination

Question 19
Which tool can best identify active computers on a network?
Options:
  Packet sniffer
  Port scanner
  Honey pot
  Trap and trace

Question 20
Which of the following is typically true about the CISO position?
Options:
  Accountable for the day-to-day operation of all or part of the InfoSec program
  Frequently reports directly to the Chief Executive Officer
  Technically qualified individual who may configure firewalls and IDPSs
  Business managers first and technologists second

Question 21
The penalties for offenses related to the National Information Infrastructure Protection Act of 1996 depend on whether the offense is judged to have been committed for one of the following reasons, except which of the following?
Options:
  For political advantage
  For private financial gain
  In furtherance of a criminal act
  For purposes of commercial advantage

Question 22
There are three general categories of unethical behavior that organizations and society should seek to eliminate. Which of the following is NOT one of them?
Options:
  Intent
  Accident
  Ignorance
  Malice

Question 23
Which of the following is the best method for preventing an illegal or unethical activity? Examples include laws, policies and technical controls.
Options:
  Persecution
  Remediation
  Rehabilitation
  Deterrence

Question 24
Which of the following is an international effort to reduce the impact of copyright, trademark and privacy infringement, especially via the removal of technological copyright protection measures?
Options:
  DMCA
  European Council Cybercrime Convention
  U.S. Copyright Law
  PCI DSS

Question 25
Which of the following ethical frameworks is the study of the choices that have been made by individuals in the past, attempting to answer the question: what do others think is right?
Options:
  Descriptive ethics
  Normative ethics
  Deontological ethics
  Applied ethics

Question 26
Deterrence is the best method for preventing an illegal or unethical activity.
Options:
  True
  False

Question 27
Which law requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system?
Options:
  The Telecommunications Deregulation and Competition Act
  National Information Infrastructure Protection Act
  The Computer Security Act
  Computer Fraud and Abuse Act

Question 28
Which of the following is compensation for a wrong committed by an employee acting with or without authorization?
Options:
  Jurisdiction
  Due diligence
  Liability
  Restitution

Question 29
The Secret Service is charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.
Options:
  True
  False

Question 30
Which entity is not exempt from the Federal Privacy Act of 1974?
Options:
  U.S. Congress
  Hospitals
  Credit agencies
  Bureau of the Census