ch01

True/False Indicate whether the statement is true or false. ____ ____ ____ ____ ____ ____ ____ ____ ____ 1. The primary threats to security during the early years of computers were physical theft of equipment, espionage against the products of the systems, and sabotage. 2. Network security focuses on the protection of the details of a particular operation or series of activities. 3. The value of information comes from the characteristics it possesses. 4. An E-mail virus involves sending an e-mail message with a modified field. 5. The possession of information is the quality or state of having value for some purpose or end. 6. A breach of possession always results in a breach of confidentiality. 7. When a computer is the subject of an attack, it is the entity being attacked. 8. Information security can be an absolute. 9. The bottom-up approach to information security has a higher probability of success than the top-down approach.

____ 10. A methodology increases the probability of success. ____ 11. The investigation phase of the SecSDLC begins with a directive from upper management. ____ 12. A champion is a project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements. ____ 13. A data custodian works directly with data owners and is responsible for the storage, maintenance, and protection of the information. ____ 14. The concept of the security artesan is based on the way individuals have perceived systems technologists since computers became commonplace. ____ 15. Applications systems developed within the framework of the traditional SDLC are designed to anticipate a vicious attack that would require some degree of application reconstruction. ____ 16. The physical design is the blueprint for the desired solution. ____ 17. The SDLC process may be initiated in response to specific conditions or combinations of conditions. ____ 18. To achieve balance — that is, to operate an information system to the satisfaction of the user and the security professional — the level of security must allow reasonable access, yet protect against threats. ____ 19. Hardware is often the most valuable asset possessed by an organization and it is the main target of intentional attacks. ____ 20. The Implementation phase is the longest and most expensive phase of the systems development life cycle (SDLC). Modified True/False Indicate whether the statement is true or false. If false, change the identified word or phrase to make the statement true.

1998 . the top-down approach has a higher probability of success. A famous study entitled “Protection Analysis: Final Report” was published in ____. FIPS b. 1868 c. Of the two approaches to information security implementation. and provides interfaces for the entry and removal of information from the system. Direct attacks originate from a system or resource that itself has been attacked. known as the united application development team. The Security Development Life Cycle (SDLC) is a methodology for the design and implementation of an information system in an organization. MULTICS b. ARPANET ____ 38. Key end users should be assigned to a developmental team. _________________________ ____ 29. a. ____ 36. Policies are written instructions for accomplishing a specific task. Hardware is the physical technology that houses and executes the software. _________________________ ____ 28. _________________________ ____ 33. DES ____ 37. a. Multiple Choice Identify the choice that best completes the statement or answers the question. MULTICS stands for Multiple Information and Computing Service. ____ is the origin of today’s Internet. 1988 b. _________________________ ____ 32. _________________________ ____ 30. ____ 35. Information security can begin as a grassroots effort in which systems administrators attempt to improve the security of their systems. A(n) project team should consist of a number of individuals who are experienced in one or multiple facets of the technical and nontechnical areas. knowing that taking more would be noticed — but eventually the employee gets the whole thing. and evaluating the levels of risk facing the organization. salami theft occurs when an employee steals a few pieces of information at a time. _________________________ ____ 34. Risk evaluation is the process of identifying. and is malfunctioning or working under the control of a threat. ARPANET d. a. _________________________ ____ 31. specifically the threats to the organization’s security and to the information stored and processed by the organization. The Analysis phase of the SecSDLC begins with a directive from upper management. In general. _________________________ ____ 26. 1978 d.____ 21. protection is “the quality or state of being secure—to be free from danger.” _________________________ ____ 23. NIST c. UNIX c. assessing. ____ was the first and only operating system created with security as its primary goal. Confidentiality ensures that only those with the rights and privileges to access information are able to do so. _________________________ ____ 27. _________________________ ____ 24. DOS d. stores and carries the data. Information has redundancy when it is free from mistakes or errors and it has the value that the end user expects. _________________________ ____ 25. _________________________ ____ 22. In information security. This is often referred to as a bottom-up approach.

4011 d. implementation b. indirect c.____ 39. systems schema ____ 46. IEEE 802. hashing d. Personal d. ____ presents a comprehensive model for information security and is becoming the evaluation standard for the security of information systems. All of the above . and networks necessary to use information as a resource in the organization. Data owners c. A(n) ____ attack is when a hacker uses his or her personal computer to break into a system. software c. objects. The ____ is the individual primarily responsible for the assessment. a. The ____ is a methodology for the design and implementation of an information system in an organization. 5SA&D d. selected. a. DSLC c. In file hashing. Which of the following phases is the longest and most expensive phase of the systems development life cycle? a. All of the above ____ 44. NIST SP 800-12 c. Object b. code ____ 42. systems development life cycle b. investigation c. Which of the following is a valid type of data ownership? a. a. hash b. Authenticity c. CTO ____ 51. a. investigation c. CIO d. Authorization ____ 41. The ____ model consists of 6 general phases. An Information System is the entire set of ____. and acquired through a make-or-buy process.11 (g) b. ____ security addresses the issues necessary to protect the tangible items. Spoofing d. physical design ____ 49. management. Data custodians d. a. ____ of information is the quality or state of being genuine or original. solutions are evaluated. a. hardware d. NSTISSI No. implementation d. CLSD ____ 47. hardware ____ 45. maintenance and change ____ 50. Data users b. a. software b. logical design d. systems design c. ISO 17788 ____ 43. people. key c. a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a(n) ____ value. development life project d. waterfall b. Standard ____ 40. Confidentiality b. The most successful kind of top-down approach involves a formal development strategy referred to as a(n) ____. pitfall c. a. analysis b. and implementation of information security in the organization. Physical c. ISO c. data b. SDLC d. a. LCSD b. CISO b. SysSP ____ 48. direct d. procedures. In the ____ phase of the systems development life cycle. a. a. or areas of an organization from unauthorized access and misuse.

A(n) ____________________ is a formal approach to solving a problem based on a structured sequence of procedures. Incident response d. availability ____ 54. system administrators b. but the confidence of the consumer in their product. Part of the Logical Design phase of the SecSDLC is planning for partial or catastrophic loss. procedures and processes. subject b. The ____________________ of information is defined as having ownership or control of some object or item. 67. 59. reliability d. target d. Individuals with the primary responsibility for administering the systems that house the information used by the organization perform the ____ role. 64. accessability b. A computer is the ____________________ of an attack when it is used as an active tool to conduct the attack. object Completion Complete each statement. a. facilitator . the project is initiated by upper-level managers who issue policy. In the ____________________ approach. seeking to improve not only the functionality of the systems they have in place. 63. Organizations are moving toward more ____-focused development approaches. A computer is the ____ of an attack when it is used to conduct the attack. A(n) ____________________ information security policy outlines the implementation of a security program within the organization. Continuity planning c. The history of information security begins with the history of ____________________ security. and in the required format. The senior technology officer is typically the chief ____________________ officer. The NSTISSC model of information security evolved from a concept developed by the computer security industry known as the _____________________________________________ triangle. a. 56. c. 58. The Internet brought connectivity to virtually all computers that could reach a phone line or an Internetconnected Local Area ____________________. security c. Information has ____________________ when it is whole. Security response ____ 55. and assorted command utilities. complete. a. 65. 61. and determine who is accountable for each of the required actions. Disaster recovery b. end users ____ 53. and uncorrupted. ____________________ ensures authorized users — persons or computer systems — can access information without interference or obstruction.____ 52. 57. The ____________________ component of the information system comprises applications. 62. a. security policy developers c. ____ dictates what steps are taken when an attack occurs. security professionals d. dictate the goals and expected outcomes of the project. 66. operating systems. 60.

the status of current systems. The ____________________ project is the origin of today’s Internet. 70. The final axis consists of storage. rather than a reproduction or fabrication. 77. The second contains policy. and the capability to support the proposed systems. ____________________ of information is the quality or state of being genuine or original. Essay 76. A frequently overlooked component of information systems. The first axis consists of confidentiality. During the early years. The ____________________ phase consists primarily of assessments of the organization. List and describe the six phases of the security systems development life cycle. 69. information security was a straightforward process composed predominantly of ____________________ security and simple document classification schemes. 72.68. Describe the multiple types of security systems present in many organizations. 74. 75. In an organization. The McCumber Cube consists of 27 cells representing areas that must be addressed to secure today’s information systems. A(n) ____________________ is a group of individuals who are united by similar interests or values within an organization and who share a common goal of making the organization function to meet its objectives. integrity and availability. ____________________ are written instructions for accomplishing a specific task. ____________________ and transmission. 73. the value of ____________________ of information is especially high when it involves personal information about employees. 71. . education and technology. customers. or patients.

16. Multiplexed PTS: 1 22. Indirect PTS: 1 . 11. ANS: F. 18. 20. 8. 3. 27. 12. 15. 26. 19. 7. 17. 10. 2. 25. Procedures REF: 16 REF: 17 PTS: 1 PTS: 1 PTS: 1 REF: 10 REF: 12 REF: 15 PTS: 1 28. security PTS: 1 23. Outline types of data ownership and their respective responsibilities. ANS: F. 6. PTS: ANS: ANS: ANS: ANS: REF: 7 REF: 8 1 REF: 10 T T T F. 14.78. 9. ANS: F. 4. ch01 Answer Section TRUE/FALSE 1. accuracy 24. 13. ANS: F. 5. ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: T F T F F F F F F T T F T T F F T T F F PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: 4 8 9 10 12 13 17 17 19 20 25 29 30 31 27 21 20 17 15 22 MODIFIED TRUE/FALSE 21.

51. 50. ANS: computer PTS: 1 57. 52. joint PTS: 1 REF: 19 31. 38. 40. 42.29. ANS: F. ANS: F. 45. 43. ANS: T 33. ANS: T 34. 53. 48. 49. 55. Systems REF: 26 PTS: 1 REF: 18 PTS: 1 PTS: 1 REF: 29 REF: 19 PTS: 1 REF: 20 35. 37. ANS: Network PTS: 1 REF: 3 REF: 7 . Investigation PTS: 1 REF: 25 MULTIPLE CHOICE 36. ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: ANS: B C B A A C B D B C B C D D C D C A B A PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: PTS: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: REF: 5 7 5 8 10 12 13 14 17 19 20 20 22 22 29 29-30 29 25 26 17 COMPLETION 56. ANS: F. management PTS: 1 32. 39. 54. ANS: F. 44. 41. 47. 46. ANS: T 30.

ANS: ARPANET PTS: 1 71. ANS: processing REF: 11 . ANS: Availability PTS: 1 60. ANS: possession PTS: 1 62. ANS: Authenticity REF: 30 REF: 4 REF: 5 PTS: 1 REF: 10 72.58.A. ANS: software PTS: 1 63. ANS: top-down REF: 8 REF: 9 REF: 12 REF: 13 REF: 15 REF: 17 PTS: 1 REF: 19 65. ANS: community of interest PTS: 1 69. Integrity and Availability PTS: 1 59. ANS: subject PTS: 1 64. Confidentiality. ANS: confidentiality PTS: 1 73.I. ANS: information REF: 20 REF: 25 PTS: 1 REF: 28 68. ANS: enterprise PTS: 1 67. ANS: CIA C. ANS: methodology PTS: 1 66. ANS: integrity PTS: 1 61. ANS: physical PTS: 1 70.

Information security is the protection of information and its critical elements. and the scope of the project. are defined. Frequently. ANS: Physical security addresses the issues necessary to protect the physical items. and evaluating the levels of risk facing the organization. connections. and any additional constraints not covered in the program policy. dictating the process. assessing. and contents. ANS: Investigation The investigation phase of the SecSDLC begins with a directive from upper management. which outlines the implementation of a security program within the organization. and content. as well as specific goals and objectives. Logical Design The logical design phase creates and develops the blueprints for information security. the documents from the investigation phase are studied. Network security is the protection of networking components. store. This phase also includes an analysis of relevant legal issues that could affect the design of the security solution. Operations security focuses on the protection of the details of a particular operation or series of activities. Risk management is the process of identifying. The planning answers the following questions: . Finally. and goals of the project. Communications security encompasses the protection of an organization’s communications media. Analysis In the analysis phase. technology. employees. Teams of responsible managers. this phase begins with an enterprise information security policy. privacy laws have become a major consideration when making decisions about information systems that manage personal information. and transmit that information. Increasingly. many states have implemented legislation making certain computer-related activities illegal. along with that of documented current threats and associated controls. The risk management task also begins in this stage. PTS: 1 REF: 8 77. specifically the threats to the organization’s security and to the information stored and processed by the organization. A detailed understanding of these issues is vital. outcomes. problems are analyzed. an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design. The development team conducts a preliminary analysis of existing security policies or programs. ANS: analysis PTS: 1 ESSAY REF: 14 REF: 16 REF: 21 76. objects. including the systems and hardware that use. and contractors are organized. and examines and implements key policies that influence later decisions. Personal security involves the protection of the individual or group of individuals who are authorized to access the organization and its operations. Recently. the team plans the incident response actions to be taken in the event of partial or catastrophic loss. as well as its budget and other constraints. or areas of an organization from unauthorized access and misuse. Also at this stage.PTS: 1 74. ANS: procedures PTS: 1 75.

Maintenance and Change The maintenance and change phase. implemented. Implementation The implementation phase in of SecSDLC is also similar to that of the traditional SDLC. Often.Continuity planning: How will business continue in the event of a loss? . This constant vigilance and security can be compared to that of a fortress where threats from outside as well as from within must be constantly monitored and checked with continuously new and more innovative technologies. though last. the information security technology needed to support the blueprint outlined in the logical design is evaluated. and a final design agreed upon. As new threats emerge and old threats evolve. the battle for stable. The information security blueprint may be revisited to keep it in line with the changes needed when the physical design is completed. Finally. repairing damage and restoring information is a constant effort against an unseen adversary. all parties involved have a chance to approve the project before implementation begins. The duties of a data custodian often include overseeing data storage and backups. Today’s information security systems need constant monitoring. reliable systems is a defensive one. a feasibility analysis determines whether or not the project should be continued or be outsourced. testing. the entire tested package is presented to upper management for final approval. Physical Design In the physical design phase.Incident response:What steps are taken when an attack occurs? . The security solutions are acquired (made or bought). the information security profile of an organization requires constant adaptation to prevent threats from successfully penetrating sensitive data. In information security. Included at this time are the designs for physical security measures to support the proposed technological solutions. and protection of the information. a feasibility study should determine the readiness of the organization for the proposed project. is perhaps most important. Data custodians: Working directly with data owners. PTS: 1 REF: 29-30 . and repairing. Personnel issues are evaluated. At this time.Disaster recovery:What must be done to recover information and vital systems immediately after a disastrous event? Next. tested. maintenance. and reporting to the data owner. updating. They are usually members of senior management and could be CIOs. and specific training and education programs conducted. ANS: Data owners: Those responsible for the security and use of a particular set of information. alternative solutions generated.. and tested again. Data users are included as individuals with an information security role. data custodians are responsible for the storage. as well as the changes to that classification required by organizational change. Data users: End users who work with the information to perform their daily jobs supporting the mission of the organization. given the current ever-changing threat environment. Traditional applications systems developed within the framework of the traditional SDLC are not designed to anticipate a vicious attack that would require some degree of application reconstruction. Criteria for determining the definition of successful solutions are also prepared during this phase. At the end of this phase. The data owners usually determine the level of data classification associated with the data. PTS: 1 REF: 25-28 78.modification. and then the champion and sponsors are presented with the design. implementing the specific procedures and policies laid out in the security policies and plans.

Sign up to vote on this title
UsefulNot useful