$17.$ We often hear people talk about the need for information systems to be safe and reliable. Is this the same as saying that they need to be secure$?$

A$.$ No$,$ because reliability has to do with failures of equipment, errors in software design or use, or bad data used as input, whereas security is focused on keeping the systems and their data safe from intrusion or unwanted change.

B$.$ Yes, because the objective of information security is to increase our confidence that we can make sound and prudent decisions based on what those information systems are telling us$,$ and in doing so cause no harm.

C$.$ Yes, because all information and information systems are built by humans, and humans make mistakes, so we need strong safety rules and procedures to keep from causing harm.

D$.$ No$,$ but they have ideas in common. For example, data integrity can lead to unsafe operation, but information security by itself cannot identify possible safety consequences.

$18.$ As an SSCP$,$ you work at the headquarters of a retail sales company that has many stores around the country. Its training department has prepared different training materials and operations manuals for in$-$store sales, warehouse staff, and other team members to use in their jobs. Most of these describe procedures that people do as they work with one another or with customers. From an information security standpoint, which of the following statements are correct?

A$.$ Since these all describe people$-$to$-$people interactions and processes, they are not implemented by the IT department, and so they're not something that information security is concerned with.

B$.$ Most of their content is probably common practice in business and retail sales and so would not be trade secrets$,$ company proprietary, or private to the company.

C$.$ Although these processes are not implemented in IT systems, the documents and videos themselves are hosted in company$-$provided IT systems, and so information security requirements apply.

D$.$ If the company has decided that the content of these training materials is proprietary or company confidential, then their confidentiality must be protected. They must also be protected from tampering or unauthorized changes and be available to staff in the stores to use when they need them, if the company is to do business successfully. Therefore, information security applies.

$19.$ What do we use protocols for? $($Choose all that apply.$)$

A$.$ To conduct ceremonies, parades, or how we salute superiors, sovereigns, or rulers

B$.$ To have a conversation with someone and keep disagreement from turning into a hostile, angry argument

C$.$ To connect elements of computer systems together so that they can share tasks and control each other

D$.$ As abstract design tools when we are building systems, although we don't actually build hardware or software that implements a protocol

E$.$ None of the above

$20.$ Do the terms cybersecurity, information assurance, and information security mean the same thing? $($Choose all that apply.$)$

A$.$ No$,$ because cyber refers to control theory, and therefore cybersecurity is the best term to use when talking about securing computers, computer networks, and communications systems.

B$.$ Yes, but each finds preference in different markets and communities of practice.

C$.$ No$,$ because cybersecurity is about computer and network security, information security is about protecting the confidentiality and integrity of the information, and information assurance is about having reliable data to make decisions with.

D$.$ No$,$ because different groups of people in the field choose to interpret these terms differently, and there is no single authoritative view.