
Review Questions

1. List and describe an organization's three communities of interest that engage in
efforts to solve InfoSec problems. Give two or three examples of who might be in
each community.

Information security: professionals could include the Security Analyst, the Security
Architect, and the CISO.

Information technology (IT): professionals could include the Database
Administrator, the Systems Administrator, and the CIO.

The rest of the organization: members could include non-technical staff and managers,
such as the Director of Human Resources, the CFO, and the CEO.

2. What is the definition of Information Security (InfoSec)? It is the protection of
information and its critical characteristics (confidentiality, integrity, and availability),
including the systems and hardware that use, store, and transmit that information, through
the application of policy, training and awareness programs, and technology. What
essential protections must be in place to protect information systems from danger?
The essential protections that must be in place include physical security, operations
security, communications security, and network security.
3. What is the C.I.A. triangle? Define each of its components.

Confidentiality: only those with the rights and privileges to access information are able to do so.

Integrity: information is whole, complete, and uncorrupted.

Availability: authorized users can access information without interference or obstruction, in the required format.

The triangle has been expanded to include privacy, identification, authentication, authorization, and accountability.


5. What is the definition of "privacy" as it relates to InfoSec (information
security)? Information that is collected, used, and stored by an organization is to be
used only for the purposes stated by the data owner at the time it was collected. How
is this definition of privacy different from the everyday definition? The dictionary
describes privacy as the state of being free from intrusion or disturbance in one's private
life or affairs. Why is this difference significant? The everyday expectation of privacy does not
carry over into the information security model: InfoSec privacy does not guarantee freedom from
observation, only that any data gathered will be used in an expected and declared manner.
7. What is management and what is a manager? Management is the process of
achieving objectives using a given set of resources, and a manager is someone who
works with and through other people by coordinating their work activities in order to
accomplish organizational goals. What roles do managers play as they execute their
responsibilities? Managers take on different roles to accomplish objectives. In an
informational role, managers collect, process, and use information. In an interpersonal
role, managers work with people to achieve goals. In a decisional role, managers choose
the best path to take and address issues that arise, applying problem-solving skills.

10. What are the three types of general planning? Define each.

Strategic planning: long-term goals, five or more years out.

Tactical planning: production planning over one to five years, with a smaller scope than
enterprise-wide strategic planning.

Operational planning: day-to-day operations and short-term goals.

11. List and describe the five steps of the general problem-solving process. They are
recognizing and defining the problem, gathering facts and making assumptions,
developing possible solutions, analyzing and comparing possible solutions, and selecting,
implementing, and evaluating a solution.
13. Why are project management skills important to the InfoSec professional?
Information security is a process, not a project. However, each element of an information
security program must be managed as a project, even if the overall program is perpetually
ongoing. It is essential that InfoSec professionals possess project management skills so
they can identify and control the resources applied to a project, as well as measure
progress and adjust the process (or its objectives) in order to complete the goal.
18. What is a work breakdown structure (WBS) and why is it important? It is a
planning tool (as simple as a spreadsheet in some cases) that breaks a project into its major
tasks, each with an estimate of the effort, skills, and dependencies involved, and can further
divide those tasks into action steps. Without it, there is no baseline against which to
estimate, schedule, or track the work.
20. How do PERT/CPM methods help to manage a project? These two diagramming
techniques identify the critical path: the longest chain of dependent tasks, which determines
the shortest possible time to complete the project. Tasks on that path have no slack, so
managing their sequence and duration is what keeps the project on schedule.

Exercises
1. Assume that a security model is needed for the protection of information in a class
you are taking, say, the information found in your course's learning management system
(if your class uses one). Use the CNSS model to identify each of the 27 cells needed for
complete information protection (the 3 x 3 x 3 intersections of confidentiality/integrity/
availability, storage/processing/transmission, and policy/education/technology). Write a
brief statement on how you would address the components represented in each of the 27 cells.
a) Personal Information
1] Confidentiality: the public should not have access to this information.
2] Integrity: my personal information should be accurate at all times.
3] Availability: I am able to access my personal information and change it.
4] Storage: my personal information is stored on a secured server.
5] Processing: if I change my information, the changes I made are reflected.
6] Transmission: my personal information is encrypted in transit.
7] Policy: access to my information is available only to me and to administrators.
8] Education: staff are trained in the security of personal information.
9] Technology: encryption software is used to transmit my information.
b) Exams and Tests
1] Confidentiality: students should not have access to tests before they are given.
2] Integrity: tests should be accurate and not tampered with.
3] Availability: students are able to access tests at the allotted time.
4] Storage: tests are stored on a secured server.
5] Processing: students are able to submit answers to the tests.
6] Transmission: completed tests are transmitted intact.
7] Policy: students are able to access the tests only during test time.
8] Education: staff and students are trained on test policies.
9] Technology: tests are delivered through secure web browser software.
c) CSU on-class
1] Confidentiality: only CSU students and staff can access this.
2] Integrity: online class information should always be accurate.
3] Availability: when students log in, they are able to access eLearn.
4] Storage: the online class software is hosted on a secured server.
5] Processing: students are able to access assignments and tests.
6] Transmission: all tests and assignments can be transmitted.
7] Policy: instructors can change information here, but students cannot.
8] Education: students are trained in how to access and use on-class.
9] Technology: on-class is a sophisticated software platform provided by CSU.
2. Consider the information stored in your personal computer. Do you, at this
moment, have information stored in your computer that is critical to your personal
life? Yes. If that information became compromised or lost, what effect would it have
on you?

Identity theft

Confidential documents exposed or lost (SSN, tax returns, etc.)

Recovery from identity theft involves complicated laws and costs

Cost implications of recovery

Time consumed in recovery

Personal items (documents) no longer available

Class assignments lost

3. Draft a work breakdown structure for the task of implementing and using a PC-based
virus detection program (one that is not centrally managed). Don't forget to
include tasks to remove or quarantine any malware it finds.

Task                                                   Effort (hours)   Skill
Download Microsoft Security Essentials to desktop      0.25             End User
Install to PC                                          0.50             End User
Configure settings                                     0.25             End User
Run a Microsoft Security Essentials scan on the PC     1-3 (varies)     End User
Delete/remove all quarantined and infected findings    0.25             End User
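As an added example that is not part of the original assignment: the Python script below applies the PERT/CPM method from Question 20 to the WBS table above. It uses the PERT three-point estimate (optimistic, most likely, pessimistic) to turn the "1-3 hours" scan into an expected duration, then runs the CPM forward and backward passes to find each task's slack and the critical path. The assignment lists no dependencies, so the ordering between tasks is my assumption, and the "update_defs" task (downloading definition updates after installation) is a hypothetical addition so that the schedule has one branch that is not on the critical path.

```python
"""Critical path (CPM) over a work breakdown structure, with PERT estimates.

Added example, not part of the original assignment. The task list mirrors the
WBS table above; dependencies and the extra "update_defs" task are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    optimistic: float      # best-case hours
    likely: float          # most likely hours
    pessimistic: float     # worst-case hours
    depends_on: Tuple[str, ...] = ()

    @property
    def expected(self) -> float:
        """PERT weighted mean of the three estimates: (o + 4m + p) / 6."""
        return (self.optimistic + 4 * self.likely + self.pessimistic) / 6


def fixed(name: str, hours: float, *deps: str) -> Task:
    """Task whose effort is a single estimate (o = m = p)."""
    return Task(name, hours, hours, hours, tuple(deps))


# Tasks from the WBS above. Dependencies are assumed; "update_defs" is a
# hypothetical task added so the graph has a branch that is not critical.
WBS_TASKS: List[Task] = [
    fixed("download", 0.25),
    fixed("install", 0.50, "download"),
    fixed("configure", 0.25, "install"),
    fixed("update_defs", 0.10, "install"),                      # assumed, hypothetical
    Task("scan", 1.0, 2.0, 3.0, ("configure", "update_defs")),  # "1-3 hours" as o/m/p
    fixed("remove", 0.25, "scan"),
]


def critical_path(tasks: List[Task]) -> Tuple[float, List[str], Dict[str, float]]:
    """Return (project duration, critical task names in order, slack per task)."""
    by_name = {t.name: t for t in tasks}
    successors: Dict[str, List[str]] = {t.name: [] for t in tasks}
    indegree = {t.name: len(t.depends_on) for t in tasks}
    for t in tasks:
        for dep in t.depends_on:
            if dep not in by_name:
                raise ValueError(f"{t.name} depends on unknown task {dep}")
            successors[dep].append(t.name)

    # Kahn's algorithm: a topological order, or a cycle error.
    order = [n for n, k in indegree.items() if k == 0]
    for n in order:                     # the list grows while we iterate
        for s in successors[n]:
            indegree[s] -= 1
            if indegree[s] == 0:
                order.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle in WBS")

    # Forward pass: earliest start (es) and earliest finish (ef).
    es: Dict[str, float] = {}
    ef: Dict[str, float] = {}
    for n in order:
        es[n] = max((ef[d] for d in by_name[n].depends_on), default=0.0)
        ef[n] = es[n] + by_name[n].expected
    duration = max(ef.values())

    # Backward pass: latest finish (lf) and latest start (ls) that do not
    # delay the project.
    ls: Dict[str, float] = {}
    lf: Dict[str, float] = {}
    for n in reversed(order):
        lf[n] = min((ls[s] for s in successors[n]), default=duration)
        ls[n] = lf[n] - by_name[n].expected

    slack = {n: ls[n] - es[n] for n in order}
    path = [n for n in order if abs(slack[n]) < 1e-9]   # zero slack = critical
    return duration, path, slack


if __name__ == "__main__":
    total, path, slack = critical_path(WBS_TASKS)
    print(f"expected duration: {total:.2f} h")
    print("critical path:", " -> ".join(path))
    for name, s in slack.items():
        print(f"  {name:12s} slack {s:.2f} h")
```

With the assumed dependencies the critical path is download, install, configure, scan, remove, for an expected 3.25 hours; only the hypothetical update_defs task has slack, so a delay there does not move the finish date, while any slip in the scan does.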

Case Exercises
1. Based on your reading of the chapter and what you now know about the issues,
list at least three other things Charley could recommend to Iris.

Try to clearly define the new CISO position within RWW.

Try to tactfully overcome resistance from IT and non-technical managers. This may
be accomplished by initiating education, training, and awareness programs. If this fails,
she may need to get upper management involved in the process (group meetings).

Try to develop and implement an information security policy as soon as possible.

2. What do you think is the most important piece of advice Charley gave to Iris? To
gain consensus from higher management to fund the new Security Analyst
position. Why? Currently, Iris is overwhelmed with the new and undefined CISO
position. A qualified Security Analyst would free her to work on planning strategies
to develop a more secure, stable information security environment for the company.
