Questions and Answers of Principles Of Information Security
Explain that this threat represents a well-known and broad category of electronic and human activities that breach the confidentiality of information. Establish that when an unauthorized individual
Present the fact that trespassing often leads to unauthorized, real, or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. Discuss
Discuss the term privilege escalation. Explain that a common example of privilege escalation is called jailbreaking or rooting. Justify that according to the U.S. Copyright Office, the practice of
Describe that there are other terms for system rule breakers as mentioned in the text: Crackers are now commonly associated with an individual who “cracks” or removes software protection that is
Discuss how forces of nature, force majeure, or acts of God pose some of the most dangerous threats, because they are unexpected and can occur with little warning. Emphasize that pandemics, such as
Recognize that solar flares or extremes in radiation can affect power grids and power lines, blow out transformers, and shut down power stations. Emphasize that businesses that rely on satellites
Describe this category and comment to students that it includes the possibility of acts performed without intent or malicious purpose by an individual who is an employee of an organization. Discuss
Define within the context of information security that social engineering is the process of using social skills to convince people to reveal access credentials or other valuable information to the
Compare and contrast one of the most common social engineering attacks, known as the advance-fee fraud (AFF), and phishing. Stress that AFF is also known as 4-1-9 fraud due to it being named after a
Distinguish phishing as an attempt to gain personal or financial information from an individual, usually by posing as a legitimate entity. Emphasize that a variant is spear phishing, a label that
Point out that another form of social engineering is called pretexting, which is sometimes referred to as phone phishing. Emphasize that VOIP phone services have made it easy to spoof caller IDs and hence
Explain that the latest type of attack in this category is known as ransomware, which is a malware attack on the host system that denies access to the user and then offers to provide a key to allow
Summarize that this type of threat involves the deliberate sabotage of a computer system or business or acts of vandalism to either destroy an asset or damage the image of an organization. Emphasize
Explain that security experts are noticing a rise in another form of online vandalism, hacktivist or cyber activist operations. A more extreme version is referred to as cyberterrorism (which is
Describe malware as malicious code or malicious software. Point out that other attacks that use software, such as redirect attacks and denial-of-service attacks, also fall under this threat. Note
State that a computer virus consists of code segments that perform malicious actions. Point out to students that one of the most common methods of virus transmission is via e-mail attachments. Mention
Explain that worms are viruses that replicate themselves like bunnies until all available resources have been exhausted. Relate the speed at which worms can spread by applying the examples of the Nimda
Discuss how by using a known or previously unknown and newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Point out that these doors
Recall that spam is unsolicited commercial e-mail. While many consider spam a nuisance rather than an attack, it is emerging as a vector for some attacks. Explain that mail bombing is another
Explain that common software-based communications attacks include several subcategories designed to intercept and collect information in transit. Point out to students that the emergence of the
Emphasize that technical hardware failures or errors occur when a manufacturer distributes a user’s equipment containing a known or unknown flaw. These defects can cause the system to perform
Compare and contrast the differences between mean time between failure (MTBF) and mean time to failure (MTTF). Explain that in hardware terms, failures are measured in mean time between failure (MTBF)
Explain that in hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF). Point out that MTBF and MTTF are sometimes used interchangeably. Also note
List the top 10 Web application security risks, as outlined by the Open Web Application Security Project (OWASP): Injection; Broken authentication; Sensitive data exposure; XML external entities (XXE); Broken
Explain that some software development problems result in software that is difficult or impossible to deploy in a secure fashion. There are at least two dozen problem areas or categories in software
Discuss how antiquated or outdated infrastructure leads to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of loss of data
Define theft as the illegal taking of another’s property. Within an organization, that property can be physical, electronic, or intellectual. Summarize how physical theft can be controlled quite
Stress that an information security program begins with policies, standards, and practices that are the foundation for the program and its blueprint. This will require coordinated planning, and it
What type of planning occurs where the actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals are followed by
Outline that within the planning stage of the InfoSec model are activities that are necessary to support the design, creation, and implementation of strategies within the planning environments of an
According to the text and the information security governance roles and responsibilities graphic, who is responsible for policy implementation, reporting security vulnerabilities, and breaches? a.
Review the three categories of policy that are presented here. Enterprise information security policy (EISP): Developed within the context of the strategic IT plan, this sets the tone for the InfoSec
The ________ process entails the review and assessment of organizational information security performance toward goals and objectives by the governing body. a. Evaluate b. Direct c. Monitor d.
Relate that InfoSec operations that are specifically managed are often known as programs (or entities). Apply the example of security education, training, and awareness (SETA) programs or a risk
True or False: ISO 27014:2021 is the ISO 27000 series standard for Governance of Information Security.
True or False: Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. It should also guide organizational efforts and focus resources toward
Emphasize that people are the most critical link of the InfoSec program. State that people may include security personnel (professional information security employees), the security of personnel in
Which of the following terms best describes a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls? a.
Which document is an excellent reference for security managers involved in the routine management of information security? a. SP 800-12, “An Introduction to Computer Security” b. SP 800-14,
Recognize that whatever will be implemented in the InfoSec space, it must be managed as a project. Identify that project management involves the application of a project management discipline to all
True or False: SP 800-18, “Guide for Developing Security Plans for Federal Information Systems,” is considered the foundation for a comprehensive security blueprint and framework.
Explain that long-term strategic planning is critical to the information security program and that the planning effort should have specific, clearly defined goals for the organization. Discuss the
As indicated earlier, one of the foundations of security architectures is the requirement to implement security in layers. This layered approach is referred to as which of the following? a.
Which of the following defines the edge between the outer limit of an organization’s security and the beginning of the outside world? a. Framework b. Security perimeter c. Security domain d. Defense in
Explain to students that strategic plans and objectives are used to create tactical plans, which are used to develop operational plans. Compare and contrast tactical planning (one- to two-year
Remind students that the primary objective of the CISO and the Information Security (IS) management team is to create the security strategic plan. Explain that this plan is an evolving statement of
Establish how management from all communities of interest must consider policies as the basis for all information security planning, design, and deployment. Explain how policies direct how issues
Detail how an enterprise information security policy (EISP) is also known as a general security policy, organizational security policy, IT security policy, or information security policy. This policy
Detail the purpose of a statement of policy. Emphasize that it should begin with a clear statement and purpose. Comment that within the introductory section, the following questions should be
Explain that each policy should have a procedure and a timetable for a periodic review.
Recall that this section is often the final section of a policy and has a general statement of liability or disclaimers. Summarize that the policy should state that if employees violate a company
Emphasize that while issue-specific policies are formalized as written documents to be distributed to users and agreed to in writing, SysSPs are frequently codified as standards and procedures to be
Discuss the managerial guidance SysSPs. Note that a managerial guidance SysSP document is created by leadership to guide the implementation and configuration of technology, as well as to address the
Discuss that while a manager can work with a systems administrator to create managerial policy as described in the preceding section, the system administrator may need to create a policy to implement
Explain that many organizations create a single document that combines the management guidance SysSP and the technical specifications SysSP. This often is confusing to casual users but is practical
Develop the six tasks that must be done properly in order for a policy to be legally defensible: Development: Policies must be written using industry-accepted practices and formally approved by
Outline that in most cases, policy development comprises three parts: Designed and written; Senior management or an executive along with legal counsel reviews and approves the document; Management
Compare and contrast the options of providing hard copy policy documents and electronic ones. Stress that distribution of materials, regardless of method, may still not get to individuals. Unlike in
Identify that one of the common barriers to employees reading policies arises from literacy or language issues. Provide the fact that, according to Macrotrends, 1 in 15 adults cannot read and write
Record that an employee must agree to policies by act or affirmation with respect to policies developed within an organization. Emphasize that through direct collection of a signature or the
Comment that a simple action of not including a date on a policy can cause mass confusion for an organization. Stress that without the dates, it will be nearly impossible to determine which version of
Recognize that the final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand
Describe the purpose of policy management and stress that policies are living documents that must be managed and nurtured, as they constantly change and grow. These documents must be properly
Detail that a policy administrator is the person who is responsible for the creation, revision, distribution, and storage of a policy in an organization. Stress that this person does not have to have
Establish the understanding that policies can be effective only if they are kept current. Hence, an organization must actively seek to meet the requirements of the market in which it operates. Justify
Explain that to facilitate policy reviews, the policy manager should implement a mechanism by which people can comfortably make recommendations for revisions, whether via e-mail, office mail, or an
Present that this provides the best practices and security principles that can direct the security team in the development of a security blueprint. Assess and discuss the philosophical principles that
Introduce how to establish the context, which includes understanding the organization’s internal and external operating environments and other factors that could impact the RM process. Identify the
State that this document can be used for a comprehensive security blueprint and framework. It can also be a useful guide to the activities described in this module and as an aid in the planning
Analyze the following with respect to NIST’s approach to managing risk in the organization. Building information security capabilities into federal information systems through the application of
Review the text, as it offers several professional societies and organizations that have Websites and resources that can assist with building strong security frameworks.
Examine the overview of different types of security architectures that can help with blueprint construction, implementation, and maintenance. These include spheres of security, levels of controls,
Summarize that information security safeguards offer three levels of controls: managerial, operational, and technical. Managerial controls are security processes that are designed by strategic
Distinguish that a basic tenet of security architectures is layered implementation of security. Thus, an organization must establish multiple layers of security controls and safeguards, which can be
Describe the purpose of a security perimeter. This is the boundary between the outer limit of an organization’s security and the beginning of the outside world. It is the level of security that
Risk identification is performed within a larger process of identifying and justifying risk controls that is called which of the following? a. Risk assessment b. Risk management c. Risk control d. Risk
Emphasize how, as aspiring information security professionals, your students will have a key role to play in risk management. Remind your students that the IT community must serve the information
The application of controls that reduce the risks to an organization’s information assets to an acceptable level is known as which of the following? a. Risk assessment b. Risk management c. Risk
Explain how risk management is the process of identifying vulnerabilities in an organization’s information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and
For information security purposes, which of the following terms is used to describe the systems that use, store, and transmit information? a. Inventory b. Threats c. Controls d. Assets
Emphasize how we must first know ourselves by identifying, examining, and understanding the information and systems currently in place. Explain how, in order to protect our assets, defined here as the
True or False: The information technology community of interest must assist in risk management by configuring and operating information systems in a secure fashion.
Emphasize how for information security knowing the enemy means identifying, examining, and understanding the threats that most directly affect our organization and the security of our
True or False: The information technology community of interest must ensure sufficient resources are allocated to the risk management process.
Explain how to identify the risk. Explain how to determine the current level of risk (risk analysis). Discuss how to determine if the current level of risk is acceptable (risk evaluation). Determine how
True or False: The process an organization uses to assign a risk rating or score to each information asset is a risk evaluation.
Explain how each community of interest must manage the risks the organization encounters. Explain how information security understands the threats and attacks that introduce risk into the
The probability that a specific vulnerability within an organization will be the target of an attack is known as which of the following? a. Probability b. Manageability c. Likelihood d. Practicality
Explain that the RM policy is a strategic document that formalizes much of the intent of the governance group. Explain that the RM policy must include purpose and scope, RM intent and objectives,
Which risk control strategy attempts to reduce the impact of a successful attack through planning and preparation? a. Transference b. Defense c. Acceptance d. Mitigation
Explain that designing the RM program means defining and specifying the details tasked to be performed by the framework team and the process team. Understand that the framework team must also formally
Which risk control strategy attempts to shift residual risk to other assets, other processes, or other organizations? a. Transference b. Defense c. Acceptance d. Mitigation
Explain that the RM Framework team needs to understand and determine residual risk. Document risk appetite.
The calculation of the value associated with the most likely loss from an attack is called which of the following? a. ARO b. ALE c. CBA d. SLE
Explain how the organization may distribute the plan to managers for a desk check prior to deployment. Understand that the organization could pilot-test the plan and use a phased approach to implement
Which of the following terms best describes comparing an organization’s efforts against practices of a similar organization or an industry-developed standard to produce results it would like to
Introduce that the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the success of the framework planning. Understand that the framework team is
Introduce the RM process as preparing for the risk process by performing the following tasks: Identify the purpose of the assessment. Identify the scope of the assessment. Identify the assumptions and
Understand that the external context means understanding the impact the following external factors could have on the RM process, its goals, and its objectives: The business environment and its
Understand the internal factors that could impact or influence the RM process: The organization’s governance structure (or lack thereof). The organization’s internal stakeholders. The