Chapter 1: Information Security Is Important


TRUE/FALSE
1. A SYN flood is characterized by the brute-force transmission of connection requests (TCP SYN segments) to the target, with the aim of overwhelming its capacity to receive and track them.

ANS: T PTS: 1 REF: 1
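A worked example of what that flooding looks like from the target's side (added here; it is not part of the textbook or its test bank). The Python below parses a constructed snapshot in the format of Linux `ss -tan` output, counts half-open (SYN-RECV) connections per listening port together with the number of distinct peer addresses behind them, and flags ports where both exceed a threshold. The snapshot, addresses, thresholds and function names are assumptions for illustration.

```python
"""Spotting a SYN flood in a snapshot of the TCP connection table.

Added example for this test-bank item; not from the textbook. The input format
mirrors Linux `ss -tan`, but the snapshot itself is constructed. A SYN flood
fills the listener's backlog with half-open connections (state SYN-RECV),
typically from many distinct, often spoofed, peer addresses.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample snapshot (addresses are from documentation ranges, not real hosts).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
LISTEN     0      128    0.0.0.0:443          0.0.0.0:*
ESTAB      0      0      10.0.0.5:22          198.51.100.7:40112
SYN-RECV   0      0      10.0.0.5:443         203.0.113.17:51002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.99:51003
SYN-RECV   0      0      10.0.0.5:443         192.0.2.44:51004
SYN-RECV   0      0      10.0.0.5:443         192.0.2.45:51005
SYN-RECV   0      0      10.0.0.5:443         203.0.113.200:51006
ESTAB      0      0      10.0.0.5:443         198.51.100.9:33000
SYN-RECV   0      0      10.0.0.5:22          198.51.100.7:40113
"""


def half_open_by_port(ss_output: str) -> Dict[int, dict]:
    """Per local port: SYN-RECV count, the distinct peers behind it, and ESTAB count."""
    stats: Dict[int, dict] = defaultdict(
        lambda: {"half_open": 0, "sources": set(), "established": 0}
    )
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] == "LISTEN":
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with [::1]:443
        peer_addr = peer.rsplit(":", 1)[0]
        if state == "SYN-RECV":
            stats[port]["half_open"] += 1
            stats[port]["sources"].add(peer_addr)
        elif state == "ESTAB":
            stats[port]["established"] += 1
    return dict(stats)


def syn_flood_suspects(ss_output: str, min_half_open: int = 5, min_sources: int = 3) -> List[int]:
    """Ports whose half-open backlog and source diversity both reach the thresholds.

    Thresholds are illustrative; tune them to the listener's normal SYN-RECV
    level. A single busy client legitimately shows a few SYN-RECV entries,
    which is why source diversity is required as a second signal.
    """
    flagged = []
    for port, s in half_open_by_port(ss_output).items():
        if s["half_open"] >= min_half_open and len(s["sources"]) >= min_sources:
            flagged.append(port)
    return sorted(flagged)


if __name__ == "__main__":
    for port, s in sorted(half_open_by_port(SAMPLE_SS_OUTPUT).items()):
        print(f"port {port}: half-open={s['half_open']} "
              f"sources={len(s['sources'])} established={s['established']}")
    print("suspected SYN flood on ports:", syn_flood_suspects(SAMPLE_SS_OUTPUT))
```

On the constructed snapshot, port 443 carries five half-open connections from five different peers against a single established one, which is the signature the true/false item describes; port 22 shows one SYN-RECV from a host that also holds an established session, which is normal and is not flagged.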
2. Computerized information is so tightly bound within the fabric of our society that its trustworthiness and availability has to be assured in order for our basic social functions to operate properly.

ANS: T PTS: 1 REF: 2
3. There is general agreement about what legitimately constitutes the right set of actions to deter hostile activity in cyberspace.

ANS: F PTS: 1 REF: 2
4. There has been a standard definition of what constitutes due care in the information protection realm since the beginning of the discipline.

ANS: F PTS: 1 REF: 9
5. FISMA is a piece of legislation; therefore, as is the usual case with legislation, the actual means of implementing the federal law is left up to the National Institute of Standards and Technology (NIST).

ANS: T PTS: 1 REF: 14
MULTIPLE CHOICE
1. ____ bundles mutually supporting government initiatives into a single coordinated effort to ensure the security of cyberspace and includes the establishment of a coordinated national capability to identify and remediate computer vulnerabilities.

a. CHCI, 2008
b. CCNI, 2008
c. CNCI, 2008
d. CICN, 2008

ANS: C PTS: 1 REF: 2
2. Under the ____ rule, protection isn’t adequate if any part of it can be exploited.

a. complete protection
b. complete inspection
c. complete coverage
d. complete system

ANS: A PTS: 1 REF: 3
3. The normal way to make certain that a compromise does not happen is to put technical or ____ controls in place to ensure the security of all items that have to be protected.

a. psychological
b. behavioral
c. personal
d. barrier

ANS: B PTS: 1 REF: 3
4. In order to operate properly, technical and behavioral controls have to be coordinated from within a single consistent ____.

a. foundation
b. landscape
c. resource
d. framework

ANS: D PTS: 1 REF: 3
5. The problem with protecting information is that it is nothing more than a(n) ____ for something of value in the real world.

a. parasite
b. proxy
c. substitute
d. analog

ANS: B PTS: 1 REF: 5
6. The first step in any cybersecurity process is to ____.

a. get it properly organized
b. get as much information as possible
c. make the controls as strong as possible
d. move as fast as possible

ANS: A PTS: 1 REF: 5
7. It is essential that the people responsible for assuring information follow a disciplined and well-defined ____.

a. evacuation
b. pattern
c. hierarchy
d. process

ANS: D PTS: 1 REF: 5
8. In order for a defense to be effective, all of the requisite ____ have to be in place and properly coordinated.

a. assets
b. intrusions
c. countermeasures
d. backup controls

ANS: C PTS: 1 REF: 5
9. The ____ of a piece of information might be derived from the importance of the idea, or the criticality of the decision, or it can represent simple things like your bank account number.

a. value
b. cost
c. effectiveness
d. assessment

ANS: A PTS: 1 REF: 5
10. A(n) ____ that only reflects the focus and interests of a single field will almost certainly have exploitable holes in it.

a. offense
b. defense
c. control
d. mitigation

ANS: B PTS: 1 REF: 5
11. IT departments install technical countermeasures, but ____ have the responsibility to deploy accompanying physical security controls.

a. often
b. routinely
c. rarely
d. frequently

ANS: C PTS: 1 REF: 5
12. In most organizations, physical and electronic security involve ____ entirely separate and independent areas.

a. two
b. three
c. four
d. five

ANS: A PTS: 1 REF: 5
13. A reasonably accurate ____ of the important information that the organization considers valuable and where it is kept is important.

a. inventory
b. survey
c. hierarchy
d. map

ANS: A PTS: 1 REF: 6
14. Any workable solution has to be ____.

a. elegant
b. practical
c. detailed
d. complex

ANS: B PTS: 1 REF: 6
15. A security infrastructure should reflect the ____ needs of the business as well as its business requirements.

a. technical
b. monetary
c. maturation
d. assurance

ANS: D PTS: 1 REF: 6
16. The role of ____ is to ensure that information resources that are needed to underwrite a particular business strategy are kept confidential, correct, and available.

a. governance
b. assurance
c. risk analysis
d. cybersecurity

ANS: D PTS: 1 REF: 8
17. The aim of ____ is to maintain an optimum and secure relationship between each of the company’s business processes and their respective information security functions.

a. formal governance
b. informal governance
c. formal auditing
d. formal planning

ANS: A PTS: 1 REF: 8
18. Instead of being motivated by a desire to prove their art, hackers today are motivated by ____ and political ends.

a. financial loss
b. reputation
c. financial gain
d. notoriety

ANS: C PTS: 1 REF: 9
19. ____ is nothing more than the ability to demonstrate that all reasonable precautions were taken to prevent harm resulting from something that you are legally responsible for.

a. Due care
b. Due security
c. Due cause
d. Due justice

ANS: A PTS: 1 REF: 9
20. The EBK is a product of the Department of Homeland Security’s ____.

a. National Security Division
b. National Cyber Analysis Division
c. National Cyber Protection Division
d. National Cyber Security Division

ANS: D PTS: 1 REF: 11
21. The specific purpose of the ____ is to implement the education and training requirements of the National Strategy to Secure Cyberspace.

a. TBK
b. EBK
c. ABK
d. NBK

ANS: B PTS: 1 REF: 13
COMPLETION
1. The field of ____________________ is concerned with creating and sustaining processes that will identify emerging threats as well as provide the most practical and cost-effective countermeasures to address them.

ANS: cybersecurity

PTS: 1 REF: 2
2. In its simplest form, ____________________ ensures that the company is able to manage all of its information-related functions through a single coordinated approach.

ANS: governance

PTS: 1 REF: 3
3. Effective control of access requires the ability to ensure that access is only granted to ____________________ people.

ANS: trusted

PTS: 1 REF: 6
4. The concept of “due care” is sometimes called “due ____________________.”

ANS: diligence

PTS: 1 REF: 9
5. Ideally, a model for good cybersecurity practice would be ____________________ in its application.

ANS: universal

PTS: 1 REF: 11
MATCHING
Match each term with the correct statement below.

a. Software engineering
b. Governance
c. Business management
d. Behavioral studies
e. Law and law enforcement
f. Networking
g. Ethics
h. Traditional technical studies
i. FISMA

1. Contributes concepts like security policy and procedure, continuity planning, personnel management, and contract and regulatory compliance to cybersecurity
2. Contributes knowledge about ways to safeguard the processing of information in its electronic form to cybersecurity
3. Adds essential recommendations about how to safeguard the electronic transmission and storage of information to cybersecurity
4. Adds process considerations like configuration management and lifecycle process security to cybersecurity
5. Contributes important ideas about intellectual property rights and copyright protection, privacy legislation, cyber law and cyber litigation, and the investigation and prosecution of computer crimes to cybersecurity.
6. Addresses essential human factors like discipline, motivation, training, and certification of knowledge in cybersecurity
7. Considers the personal and societal implications of information use and information protection with respect to cybersecurity
8. The process of establishing and maintaining the security framework.
9. An omnibus regulation for the federal government and its agencies.
1. ANS: C PTS: 1 REF: 2
2. ANS: H PTS: 1 REF: 2
3. ANS: F PTS: 1 REF: 2
4. ANS: A PTS: 1 REF: 3
5. ANS: E PTS: 1 REF: 3
6. ANS: D PTS: 1 REF: 3
7. ANS: G PTS: 1 REF: 3
8. ANS: B PTS: 1 REF: 3
9. ANS: I PTS: 1 REF: 14
SHORT ANSWER
1. Why is it important that all locations where a piece of information might exist be secured?

ANS:

The same piece of information can exist on a number of local paper records and also be present in several central databases. The problem for security is that every one of those places has to be identified and secured in order to ensure that the particular generic item of information is kept safe. Otherwise, a compromise of an instance of the item in one location will compromise all other instances of the same item in all other places.

PTS: 1 REF: 3
2. Discuss why having a defense that only reflects the focus and interests of a single field is a bad idea for an organization.

ANS:

A defense that only reflects the focus and interests of a single field will almost certainly have exploitable holes in it. This can be a fatal flaw for any organization, because any competent attacker will simply scout around for the holes that they know must exist. That is why it is important to involve all of the fields necessary for electronic, personnel, and physical security in the design process. If a number of disparate fields are involved, it is important to ensure a comprehensive approach to security within the organization as a whole.

PTS: 1 REF: 5
3. Discuss how to make sustainment of cybersecurity practicable.

ANS:

In order to make sustainment practicable, the coordination and management of the overall cybersecurity function should be located at the policy development and enforcement level of the organization. Executive-level decision makers are the only people who have the authority to create, administer, and enforce policies and procedures across the entire organization.

PTS: 1 REF: 8
4. Explain why it is a mistake to shift the responsibility for cybersecurity from senior management to the managerial level.

ANS:

That is a mistake, because nobody at the managerial level has the authority to enforce security outside of their own areas. As a result, the assurance measures that are implemented by managers for their areas are likely to represent a piecemeal, and therefore exploitable, defense.

PTS: 1 REF: 9
5. What was a typical cyberattack like in the 1990s?

ANS:

In the 1990s, a typical attack was something like a criminal trespass, or website defacement. The victims tended to be entities such as government institutions, and attackers themselves were inclined to be counterculture types who worked alone and on the fringes of society.

PTS: 1 REF: 9
6. List 5 of the 14 areas of common practice standardized in the EBK.

ANS:

Data security

Digital forensics

Enterprise continuity

Incident management

IT security training and awareness

IT systems operation and maintenance

Network security and telecommunications

Personnel security

Physical and environmental security

Procurement

Regulatory and standards compliance

Risk management

Strategic security management

System and application security

PTS: 1 REF: 12
7. What was the main objection to the EBK?

ANS:

The main objection to the EBK was that it was too new and untested for the company to stake its continuing survival on. That was considered a valid point, so the committee decided to investigate further. It formed a small task group from its members. The aim of the group was to identify any evidence that the EBK might potentially fit into emerging regulatory or statutory trends or might have a broader application.

PTS: 1 REF: 13
8. Discuss the National Security Professional Development Program (NSPD).

ANS:

The other important national initiative to which the EBK contributes is the National Security Professional Development Program (NSPD). The Program was created by executive order on May 17, 2007. Its specific aim is to “promote the education, training, and experience of current and future professionals in national security positions in executive departments and agencies.”
The Program embodies a national strategy, which is meant to ensure that all people who work in security are exposed to “integrated education, training, and professional experience opportunities” (NSPD, 2007). Thus, the practical aim of this initiative is to ensure that security professionals are capable of performing their duties by enhancing the level of their general knowledge, skills, and experience. As such, the National Security Professional Development program is meant to apply to a range of security disciplines, not just electronic security professionals.

PTS: 1 REF: 13-14
9. Describe FISMA.

ANS:

FISMA is an omnibus regulation for the federal government and its agencies. Its intent is to define all of the necessary controls and procedural protections required to ensure information security in all of the federal space. FISMA requires every federal agency to develop, document, and implement an enterprise-wide program to secure information and information systems that support the operations and assets of every federal agency. The scope of that mandate includes those systems provided or managed by agency contractors, or other sources. FISMA is a piece of legislation; therefore, as is the usual case with legislation, the actual means of implementing the federal law is left up to the National Institute of Standards and Technology (NIST).

PTS: 1 REF: 14
10. Discuss the role of NIST in the FISMA legislation.

ANS:

NIST is charged with developing and issuing standards, guidelines, and other publications to direct how federal agencies will implement applicable federal laws.

NIST’s role is to establish the specific form of the response. Under that mandate, it has developed several Federal Information Processing Standards (FIPS) to specify and elaborate on the implementation requirements for FISMA. The primary applicable Standard is entitled FIPS 200. This Standard, along with the accompanying FIPS that is used to categorize the information and information systems that fall under FISMA, entitled FIPS 199, defines all of the general requirements for satisfying FISMA. The controls that underlie those general requirements are specified in NIST Special Publication 800-53.

PTS: 1 REF: 14
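A worked example of how those three documents fit together (added here; it is not part of the textbook, its test bank, or any NIST publication). FIPS 199 assigns each information type an impact value (LOW, MODERATE or HIGH) for confidentiality, integrity and availability, permitting "not applicable" only for the confidentiality of public information; a system's value for each objective is the high-water mark across the information types it holds, with a floor of LOW; FIPS 200 then takes the highest of the three objectives as the system's overall impact level, which selects the low, moderate or high control baseline in SP 800-53. The Python below implements that rule. The information types, the "customer portal" system and the function names are constructed for illustration.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water-mark rule.

Added example for this test-bank item; not from the textbook or from NIST.
Each information type carries an impact value (LOW, MODERATE, HIGH) for
confidentiality, integrity and availability; "not applicable" (None here) is
permitted only for the confidentiality of public information. The system's
value for each objective is the highest across its information types, with a
floor of LOW, and the overall impact level, the highest of the three, selects
the SP 800-53 low/moderate/high baseline. The information types are constructed.
"""
from typing import Dict, Mapping, Optional

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoTypeSC = Mapping[str, Optional[str]]


def validate_category(name: str, sc: InfoTypeSC) -> None:
    """Reject malformed categorizations before they silently lower the baseline."""
    for obj in OBJECTIVES:
        if obj not in sc:
            raise ValueError(f"{name}: missing impact value for {obj}")
        val = sc[obj]
        if val is None:
            if obj != "confidentiality":
                raise ValueError(f"{name}: 'not applicable' is only allowed for confidentiality")
        elif val not in LEVELS:
            raise ValueError(f"{name}: unknown impact value {val!r} for {obj}")


def system_category(info_types: Mapping[str, InfoTypeSC]) -> Dict[str, str]:
    """High-water mark per objective across all information types on the system."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    result: Dict[str, str] = {}
    for obj in OBJECTIVES:
        high = "LOW"  # a system may not be rated 'not applicable' for any objective
        for name, sc in info_types.items():
            validate_category(name, sc)
            val = sc[obj]
            if val is not None and LEVELS[val] > LEVELS[high]:
                high = val
        result[obj] = high
    return result


def baseline(system_sc: Mapping[str, str]) -> str:
    """Overall impact level (FIPS 200): the highest of the three objectives."""
    return max(system_sc.values(), key=LEVELS.__getitem__)


def format_sc(label: str, sc: Mapping[str, Optional[str]]) -> str:
    """Render in the FIPS 199 notation, e.g. SC x = {(confidentiality, LOW), ...}."""
    parts = ", ".join(
        f"({obj}, {sc[obj] if sc[obj] is not None else 'N/A'})" for obj in OBJECTIVES
    )
    return f"SC {label} = {{{parts}}}"


# Constructed information types for a hypothetical customer portal.
CONSTRUCTED_INFO_TYPES = {
    "public web content": {"confidentiality": None, "integrity": "MODERATE", "availability": "LOW"},
    "customer billing data": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "authentication secrets": {"confidentiality": "HIGH", "integrity": "HIGH", "availability": "MODERATE"},
}

if __name__ == "__main__":
    for name, sc in CONSTRUCTED_INFO_TYPES.items():
        print(format_sc(name, sc))
    sys_sc = system_category(CONSTRUCTED_INFO_TYPES)
    print(format_sc("customer portal", sys_sc))
    print("SP 800-53 baseline:", baseline(sys_sc))
```

The point a practitioner should take from the example is that a single high-impact information type (here the authentication secrets) pulls the whole system up to the HIGH baseline, regardless of how much public or low-impact data shares the system; that is why the inventory of where each item of information lives matters so much to the categorization.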
