Principles of Information Security, 2nd Edition

Chapter 1
Review Questions 1. What is the difference between a threat agent and a threat A threat agent is the specific instance or component of a threat, whereas a threat is a category of objects, persons, or other entities that represents a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences and others are purposeful. Fire is a threat however a fire that has begun in a building is an attac!. "f an arsonist set the fire then the arsonist is the threat#agent. "f an accidental electrical short started the fire, the short is the threat#agent. 2. What is the difference between !ulnerability and e"posure $%posure is an actual instance when the information system is compromised and is open to potential danger. &ulnerability is a wea!ness in the system or protection mechanism that allows information to be compromised or an attac! to cause damage. $%amples of vulnerabilities are flaws in software that can allow hac!ers to enter and manipulate system resources such as a flaw in 'S "nternet $%plorer. &ulnerability may lead to e%posure. $%posure is the actual instance that a systems security is open to potential damage. #. $ow has the definition of %hac&' e!ol!ed o!er the last #( years "n the early days of computing, computer enthusiasts could tear apart the computer instruction code, or the computer itself, to manipulate its output. This was often called hac!ing the computer or hac!ing the program, as in hac!ing it to bits. (ac!ers had the ability to ma!e computing technology wor! as desired in the face of adversity. Today, the usage of the word hac! is perceived as part of a culture of illegal activities using computers and telecommunications systems. ). What type of security was dominant in the early years of computing "n the early years of computing when security was addressed at all, it dealt only with the physical security of the computers themselves and not the data or connections between the computers. This led to circumstances where most information being stored on computers to be vulnerable since information security was often left out of the design phase of most systems.

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / *. What are the three components of the CI+ triangle What are they used for

The three components of the ,.".A. are0 confidentiality 1assurance that the information is shared only among authori2ed persons or organi2ations3 integrity 1assurance that the information is complete and uncorrupted3 and availability 1assurance that the information systems and the necessary data are available for use when they are needed3. These three components are fre4uently used to conveniently articulate the objectives of a security program that must be used in harmony to assure an information system is secure and useable. ,. If the C.I.+. triangle is incomplete, why is it so commonly used in security The ,"A triangle is commonly used in security because it addresses the fundamental concerns of information0 confidentiality, integrity, and availability. "t is still used when not complete because it addresses all of the major concerns with the vulnerability of information systems. -. .escribe the critical characteristics of information. $ow are they used in the study of computer security The critical characteristics of information define the value of information. ,hanging any one of its characteristics changes the value of the information itself. There are seven characteristics of information0 Authenticity is the 4uality or state of being genuine or original, rather than a reproduction or fabrication. ,onfidentiality is the 4uality or state of preventing disclosure or e%posure to unauthori2ed individuals or systems. "ntegrity is the 4uality or state of being whole, complete, and uncorrupted. 5tility is the 4uality or state of having value for some purpose or end. "nformation has value when it serves a particular purpose. 6ossession is the 4uality or state of having ownership or control of some object or item. ,onfidentiality is ensuring that only those with rights and privileges to access a particular set of information are able to do so, and those who are not are prevented from doing so. "ntegrity is the 4uality or state of being whole, complete, and uncorrupted Availability is enables users who need to access information to do so without interference or obstruction, and to receive it in the re4uired format. /. Identify the fi!e components of an information system. Which are most directly impacted by the study of computer security Which are most commonly associated with this study The five components are software, hardware, data, people, and procedures. 6eople would be impacted most by the study of computer security. 7hen hardening security, people dealing with the system could be a wea!est lin! because they can often
///////////////////////////////////////////////////////////////////////////////////////////// 6age0 8

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / become a threat. 6olicy, education and training, awareness and technology should be understood properly in order to !eep those people from obtaining unauthori2ed access. 6rocedures, written instructions for accomplishing a specific tas!, could be another component, which will be impacted. The information system will be effectively secured by educating employees about safeguarding the procedures. Also, provision of proper education on the protection of those procedures can avoid unauthori2ed access gained using social engineering. The hardware and software components are the components that are historically associated with the study of computer security. 0. In the history of the study of computer security, what system is the father of almost all multi1user systems '59T",S 1(. 11. What paper is the foundation of all subse2uent studies of computer security Rand Report R#:+;, sponsored by the <epartment of <efense. $ow is the top down approach to information security superior to the bottom up approach The top down approach is superior because it typically has the bac!ing of the entire organi2ation behind it. 'anagement is the !ey to this approach. 'ost successful projects must have a champion. =See page 8+ of the te%t> This champion is usually a top e%ecutive that can guarantee financial as well as, administrative bac!ing for the life of the project. Another success factor to the top down approach is that most of the time a methodology such as the secS<9, is put in place in order to ensure that the proper steps are ta!en to !eep the project efficient, organi2ed and on schedule. The bottom up approach is sometimes used. 5sually in the bottom up approach a systems administrator is involved in trying to secure his?her own systems. This can be good because the systems administrator has a very comprehensive understanding of their system, but without a champion or top management behind the project they usually do not succeed. 12. Why is a methodology important in the implementations of information security $ow does a methodology impro!e the process A methodology is a formal techni4ue that has a structured se4uence of procedures that is used to solve a problem. 'ethodology is important in the implementation of information security because it ensures that development is structured in an orderly, comprehensive fashion. The methodology unifies the process of identifying specific threats and the creation of specific controls to counter those threats into a coherent program. Thus, a methodology is important in the implementation of information security for two main reasons. First, it entails all the rigorous steps for the organi2ations@ employees to follow, therefore avoiding any unnecessary mista!es that may compromise the end goal 1i.e., to have a comprehensive security posture3. An e%ample of this is that a methodology guides an organi2ation to solve the root cause of information security problem, not just its symptoms.
///////////////////////////////////////////////////////////////////////////////////////////// 6age0 )

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / Second, methodology increases the probability of success. Ance a methodology is adopted, the personnel selected will be responsible for establishing !ey milestones and ma!e accountable to achieve the project goals.

The methodology can greatly improve the process. For e%ample, following the si% steps of the S<9, 1Systems <evelopment 9ife ,ycle3 1investigation, analysis, logical design, physical design, implementation, and maintenance and change3 allows developments to proceed in an orderly, comprehensive fashion. "ndividuals or groups assigned to do the analysis step do not have to initiate their wor! until the investigation step is completely finished. 'oreover, each step of the methodology may determine whether the project should be continued, outsourced, or postponed. For e%ample, the physical design step may need to be postponed or outsourced if the organi2ation does not possess the technology needed. 1#. Who is in!ol!ed in the security de!elopment life cycle Who leads the process "nitiation and control of the SecS<9, is the responsibility of upper management. Responsible managers, contractors and employees are then utili2ed to e%ecute the SecS<9,. The process is usually led by a senior e%ecutive, sometimes called the champion, that promotes the project and secures financial, administrative, and company wide bac!ing of the project, then a project manager is assigned the tas! of managing the project. 1). $ow does the practice of information security 2ualify as both an art and a science $ow does security as a social science influence its practice The practice of information security is a never#ending process. A good effective information security practice must be considered as a tripod that relates to three important aspects 1science, art, and social science30 First, information security is science because it re4uires various !inds of tools and technologies used for technical configurations. "t can also include sound information security plans and policies that may dictate the needs of particular technologies. Second, information security is also an art because there are no clear#cut rules on how to install various security mechanisms. <ifferent factors such as budgets, time, threats, ris!s, vulnerabilities, and asset values can significantly affect the numbers and types of passive and active controls an organi2ation needs. The overall goal is for the organi2ation to have a good sound information security posture that can reduce the ris!s of being attac!ed as much as possible. Third, and most importantly, information security must be loo!ed at as a social science mainly because social science deals with people, and information security is a people issue, not a technology issue. Through the eye of a social scientist, an organi2ation can greatly benefit from the Security $ducation, Training, and Awareness program 1S$TA3, which can ma!e employees 1*3 !now how to perform their job more securely, 183 be fully aware of the security issues within the organi2ation, and 1)3 be accountable for their actions.

///////////////////////////////////////////////////////////////////////////////////////////// 6age0 B

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / Therefore, information security must be viewed as having all three natures, with the most emphasis on the social science perspective. After all, people are the ones who ma!e other four components of information assets 1data, procedures, software, and hardware3 possible. 1*. Who is ultimately responsible for the security of information in the organi3ation The ,hief "nformation Security Affice is primarily responsible for the security of information. (is recommendations are important to the ,hief "nformation Afficer who advises the ,hief $%ecutive Afficer therefore, the ,$A is ultimately responsible for the security of information in the organi2ation. 1,. What is the relationship between the 4567ICS pro8ect and early de!elopment of computer security '59T",S, 'ultiple%ed "nformation and ,omputing Service, was the first and only operating system created with security as its primary goal. "t was a mainframe, time# sharing operating system developed through a partnership with -$, Cell 9abs and '"T. This mainframe operating system was a major focus for most research on computer security in the early stages. 1-. $ow has computer security e!ol!ed into modern information security Cefore the creation and use of networ!ing technologies computer security consisted of securing the physical location of the system by the use of badges, !eys and facial recognition. As networ!ing came into use and with the creation of AR6AD$T it was no longer safe to just physically secure a system. At this point it was not ade4uate to just physically secure a system. "n order to insure total security the information itself and the hardware used to transmit and store the information needed to be addressed. "nformation security arouse from this need and adopted computer security as just one of its components. 1/. What was important about 9and 9eport 91,(0 The move toward security relating to protect data integrity was the basis of this report from the <epartment of <efense. This report attempted to address the multiple controls and mechanisms necessary for the protection of a multilevel computer system. "n addition, the Rand Report was the first to identify the role of management and policy issues in the e%panding arena of computer security. 10. What does it mean to disco!er an e"ploit $ow does an e"ploit differ from !ulnerability <iscovering an e%ploit means to find a way to perform an illegal use or misuse of a system. &ulnerability is a wea!ness or fault in a system that has the potential of being attac!ed by a hac!er. 2(: Who should lead a security team Should the approach to security be more managerial or technical The project manager or team leader would lead a security team. Typically, that person would understand project management, personnel management, and information security
///////////////////////////////////////////////////////////////////////////////////////////// 6age0 E

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / technical re4uirements and report up the chain of command to the ,"A. The approach to security should be more managerial than technical although the technical ability of the resources actually doing the day#to#day maintenance is critical. The top#down approach to security implementation is by far the best. "t has strong upper management support, a dedicated champion, dedicated funding, clear planning and the opportunity to influence organi2ational culture.

///////////////////////////////////////////////////////////////////////////////////////////// 6age0 :

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / $%ercises 1. 6oo& up %the paper that started the study of computer security.' Prepare a summary of the &ey points. What in this paper specifically addresses security in areas pre!iously une"amined Rand Report R#:+; noted that security for computers had moved beyond the physical security of loc!ing the computers behind closed doors. 7ith the rise in computer networ!ing, multiple users using resource#sharing systems could gain access to confidential information. Dew forms of security had to be implemented that could protect the safety of data, limit access, and handle different levels of personnel accessing the system. "n order to accomplish this, R#:+; pointed out that a tas! force was being implemented by AR6A in order to focus on the potential security ris!s of multi#access computer systems. The paper points out that security is no longer as simple as moving the system to a secure location, and new measures must be implemented to provide acceptable security. The !ey points are security control in resource#sharing systems increase in the number of resource#sharing systems protection of information in multi#access, resource#sharing computer systems and necessity for the application of security rules and regulations. The growing need to have resources available to a larger number of users, led in the *;:+Fs to the implementation of resource#sharing computer systems. Sharing data among a bigger number of users highlighted the need for an appropriate security system because data, in a multi#access computer environment, started not being any longer considered secure. Above all, the lac! of control on random and unauthori2ed access to shared data started being seen as one of the biggest threats to the data itself. Another important issue that specifically addressed security was the lac! of security rules and regulations. Rand Report R#:+; was the first report to identify the important role of management and police issues in computer security. The <epartment of <efense, the Rand Report G R#:+; attempted to cover the broader aspect of protecting a computer system. The Rand Report, R#:+; was the first to identify the role of management and policy issues in computer security. R#:+; focused on the protection of information in a multi#access, resource sharing computer system, more specifically safety of data, limiting random and unauthori2ed access as well as the involvement of personnel from multiple levels of the organi2ation. 2. +ssume that a security model is needed for protection of information in your class. 5sing the ;S7ISSC model, e"amine each of the cells and write a brief statement on how you would address the three components represented in that cell. "n general, ,"A represents ,onfidentiality, "ntegrity, and Availability. ,onfidentiality0 Allow only those students access that have registered and paid for the "SA )*++ course at HS5 for the Fall Semester 8++8 to attend class. The controls in place to prevent unauthori2ed access to class would be to ta!e roll call and learn each students name to match student@s faces, and verify against the computeri2ed print out of each student registered.
///////////////////////////////////////////////////////////////////////////////////////////// 6age0 I

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / "ntegrity0 Re4uire the students to carry and present on demand their picture "< card. 6rovide each student with a syllabus on the policy and procedures that contain the course description, course objectives, and instructors contact information to include office hours and phone number. The syllabus must also include information on withdrawal policy, grading, and an integrity statement that must be read and signed to receive a final grade for the semester. Availability0 $nsure that the classroom is accessible and provide a secured environment from harm and danger to promote a well#organi2ed learning environment. The controls to put in place would be for the professor to be present at the beginning of class and have e4uipment operational so that students can ma!e use of their laptops for note ta!ing "n detail0 ,onfidentiality G 6olicy G Storage0 An e%ample of protecting the confidentiality of class information in storage by means of policy could be simply issuing rules to !eep unauthori2ed viewers access restricted, such as a rule to loc! file cabinets that contain the information. ,onfidentiality G 6olicy G 6rocessing0 An e%ample of protecting the confidentiality of class information in processing by means of policy could be simply issuing rules to !eep unauthori2ed viewers access restricted while information is being processed, such as only allowing registered students in the class to attend and listen to lecture. ,onfidentiality G 6olicy G Transmission0 An e%ample of protecting the confidentiality of class information in transmission by means of policy could be simply issuing rules to !eep unauthori2ed viewers access restricted while information is being processed, such as only allowing registered students in the class to attend and listen to lecture. ,onfidentiality G $ducation G Storage0 An e%ample of protecting the confidentiality of class information in storage by means of education could be accomplished by training students and faculty, such as teaching them what people are authori2ed access to the information in storage. ,onfidentiality G $ducation G 6rocessing0 An e%ample of protecting the confidentiality of class information that is being processed by means of education could be accomplished by training students and faculty, such as training how to verify if the people are authori2ed to get the information before class starts by something such as a student "< or schedule. ,onfidentiality G $ducation G Transmission0 An e%ample of protecting the confidentiality of class information that is being transmitted by means of education could be accomplished by training students and faculty, such as training the students and faculty to close doors to the classroom while in lecture so that others outside would not hear the lecture. ,onfidentiality G Technology G Storage0 An e%ample of protecting the confidentiality of class information that is being stored by means of technology could be accomplished by something as simple as loc!s on file cabinets that contain the information while not in use.
///////////////////////////////////////////////////////////////////////////////////////////// 6age0 .

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / ,onfidentiality G Technology G 6rocessing0 An e%ample of protecting the confidentiality of class information that is being processed by means of technology could be accomplished by forcing the use of electronic "<@s during classes. ,onfidentiality G Technology G Transmission0 An e%ample of protecting the confidentiality of class information that is being transmitted by means of technology could be accomplished by having a password on a class website. "ntegrity G 6olicy G Storage0 An e%ample of protecting the integrity of class information that is being stored by means of policy could be accomplished by simply ma!ing rules that state that only certified people may alter the information "ntegrity G 6olicy G 6rocessing0 An e%ample of protecting the integrity of class information that is being processed by means of policy could be accomplished by ma!ing a rule that forces students to study in only 4uiet areas without the help of other people not in the class. "ntegrity G 6olicy G Transmission0 An e%ample of protecting the integrity of class information that is being processed by means of policy could be accomplished by ma!ing a rule that the teacher is not allowed to drin! alcohol before class. "ntegrity G $ducation G Storage0 An e%ample of protecting the integrity of class information that is being stored by means of education could be accomplished by teaching those who store the information who is authori2ed to change it. "ntegrity G $ducation G 6rocessing0 An e%ample of protecting the integrity of class information that is being processed by means of education could be accomplished by informing the students that studying with other non students will give incorrect information. "ntegrity G $ducation G Transmission0 An e%ample of protecting the integrity of class information that is being transmitted by means of education could be accomplished by teaching the teachers effective ways to teach. "ntegrity G Technology G Storage0 An e%ample of protecting the integrity of class information that is being stored by means of technology could be accomplished by electronically storing all the data that forces authori2ation to modify it. "ntegrity G Technology G 6rocessing0 An e%ample of protecting the integrity of class information that is being processed by means of technology could be accomplished by ma!ing 6ower6oint presentations to verify what the teacher says. "ntegrity G Technology G Transmission0 An e%ample of protecting the integrity of class information that is being transmitted by means of technology could be accomplished by printing the 6ower6oint presentations and giving a copy to each student. Availability G 6olicy G Storage0 An e%ample of protecting the availability of class information that is being stored by means of policy could be accomplished by ma!ing certain that those who need access to the information get it.

///////////////////////////////////////////////////////////////////////////////////////////// 6age0 ;

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / Availability G 6olicy G 6rocessing0 An e%ample of protecting the availability of class information that is being processed by means of policy could be accomplished by ma!ing a rule that only those authori2ed are allowed to enter the classroom. Availability G 6olicy G Transmission0 An e%ample of protecting the availability of class information that is being transmitted by means of policy could be accomplished by ma!ing a rule that allows only students into the classroom and none other. Availability G $ducation G Storage0 An e%ample of protecting the availability of class information that is being stored by means of education could be accomplished by teaching those who store the information the correct process of storage so that things don@t get lost. Availability G $ducation G 6rocessing0 An e%ample of protecting the availability of class information that is being processed by means of education could be accomplished by teaching those who teach the information the to spea! up so that everyone in the classroom can hear what is being taught. Availability G $ducation G Transmission0 An e%ample of protecting the availability of class information that is being processed by means of education could be accomplished by teaching the students to remain 4uiet in the classroom so that all can hear the information. Availability G Technology G Storage0 An e%ample of protecting the availability of class information that is being stored by means of technology could be accomplished by ma!ing the information available on the internet via a database. Availability G Technology G 6rocessing0 An e%ample of protecting the availability of class information that is being processed by means of technology could be accomplished by the teacher providing the 6ower6oint files available to the student on the internet to study. Availability G Technology G Transmission0 An e%ample of protecting the availability of class information that is being transmitted by means of technology could be accomplished by the teacher using a microphone to spea! into enabling it to be loud enough for all students to hear. #: Consider the information stored on your personal computer. <or each of the terms listed, find an e"ample and document it: threat, threat agent, !ulnerability, e"posure, ris&, attac&, and e"ploit. Threat G The hundreds of people?machines that attempt to breach my security and gain access to my system via my <S9 connection. Threat agent0 A specific attac!er could compromise my system. &ulnerability0 " run 7indows ;. on my 6, with file sharing enabled. "f " leave the 6, connected to an always#on connection without a firewall control, it can be accessed by anyone who connects to it. $%posure G A security e%posure for personal system occurred last night when " reduced my firewall settings in order to run a specific software application.
///////////////////////////////////////////////////////////////////////////////////////////// 6age0 *+

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / Ris! # Cased on the fact that my firewall logs appro%imately E+ attempts for unauthori2ed access a day, the ris! for each minute that " am connected to my <S9 and the firewall is down is .).)J. Attac!0 'y house was once stuc! my lightening and my 6,@s motherboard and modem were destroyed. $%ploit G 'y machine was a victim of an e%ploit when it was utili2ed for K"6 hopping K allowing hac!ers to use my system to connect to other systems. ). 5sing the Web, identify the CI=, CIS= and S+. Who represents the data owner, data custodian $ach organi2ation will have its own specific answer set. *. 5sing the web, find out who >e!in 4itnic& was. What did he do Who caught him Write a short summary of his acti!ities and why he is famous. Hevin 'itnic! was one of the most notorious computer hac!ers in computer history. (e began his Lhac!ingL career by using a personal computer and a modem to gain access to a digital central office switch of a local telephone company. (e as well as several other members of a phone phrea! gang would ma!e pran! calls, answer operator assisted calls and eavesdrop on conversations. This however, didnFt satisfy them for long. "n *;.* over 'emorial <ay wee!end, Hevin and his gang tal!ed their way past a security guard at 6acific CellFs ,AS'AS center. Ance inside they stole passwords, operating manuals and combinations to doors at other 6acific Cell offices. They also did a little Lsocial engineeringL while inside and left fa!e names and phone numbers for later use. The gang was eventually caught when a girlfriend of one of the gang members went to the police. The gang was charged with stealing and destroying data. Hevin 'itnic! was only *I at the time and was sentenced to three months in juvenile detention and one year probation. "n *;;), Hevin was arrested again, but this time by the campus police at the 5niversity of Southern ,alifornia. This time he used one of the schoolFs computers to brea! into the 6entagon using AR6Anet. (is sentence was si% months in a juvenile prison. "n *;.I, he received three years probation for stealing software from the Santa ,ru2 Aperation he was caught by the use of illegal telephone credit card numbers. "n *;.;, he was again arrested and charged with one count of possession of illegal long distance access codes and one count of computer fraud. (e and a friend tried to gain access to <igital $4uipmentFs 6alo Alto research laboratory with the hope of ac4uiring a copy of the &'S minicomputer operating system. (e was later caught when his accomplice became frustrated with him and turned him in to the FC" and <$,. Hevin received jail time and was re4uired to undergo counseling at a halfway house. "n *;;8, an arrest warrant was issued on him for violating the terms of his probation. (e violated probation by associating with members of his original phone phrea! gang, and illegally accessing a computer. Hevin was arrested in *;;E. +lternate +nswer Hevin 'itnic!, a.!.a. ,ondor, is one of the most famous computer hac!ers in the history of computers. This famous hac!er was so prolific that it earned him a place on the FC"@s
///////////////////////////////////////////////////////////////////////////////////////////// 6age0 **

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / 'ost 7anted 9ist. 'itnic! started out as a phone phrea!er someone who brea!s into phone switches, but later turned his attention to computer systems. 'itnic! was brought up on charges numerous times, but it was not until he went on a computer hac!ing spree in *;;E that he made national attention. 'itnic! was finally trac!ed down after two years on the run as a fugitive. Tsutomu Shimomura played a major role in the capture of 'itnic!, after 'itnic! hac!ed into Shimomura@s computer system. 'itnic! was jailed for E years without a trial or bond, and is said to be the longest held prisoner without a trial. 'itnic! was later released in Sept. of 8+++, but was not allowed to use any type of electronic device as part of his terms of probation. M Question * E out of E points 7hen a computer is the subject of an attac!, it is the entity being attac!ed. Answer Selected Answer0 False ,orrect Answer0 False M Question 8 E out of E points The roles of information security professionals are aligned with the goals and mission of the information security community of interest. Answer Selected Answer0 True ,orrect Answer0 True M Question ) E out of E points To achieve balance N that is, to operate an information system that satisfies the user and the security professional N the security level must allow reasonable access, yet protect against threats. Answer Selected Answer0 True ,orrect Answer0 True M Question B E out of E points The bottom#up approach to information security has a higher probability of success than the top#down approach.
///////////////////////////////////////////////////////////////////////////////////////////// 6age0 *8

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / Answer Selected Answer0 ,orrect Answer0 M Question E E out of E points An e#mail virus involves sending an e#mail message with a modified field. Answer Selected Answer0 False ,orrect Answer0 False M Question : + out of E points The //// is the individual primarily responsible for the assessment, management, and implementation of information security in the organi2ation. Answer Selected Answer0 ,orrect Answer0 M Question I E out of E points The value of information comes from the characteristics it possesses. Answer Selected Answer0 True ,orrect Answer0 True M Question . E out of E points Applications systems developed within the framewor! of the traditional S<9, are designed to anticipate a software attac! that re4uires some degree of application reconstruction. Answer Selected Answer0 False ,orrect Answer0 False b. ,"A d. ,"SA

False False

///////////////////////////////////////////////////////////////////////////////////////////// 6age0 *)

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / M Question ; E out of E points //// security addresses the issues necessary to protect the tangible items, objects, or areas of an organi2ation from unauthori2ed access and misuse. Answer Selected Answer0 ,orrect Answer0 M Question *+ + out of E points The investigation phase of the SecS<9, begins with a directive from upper management. Answer Selected Answer0 False ,orrect Answer0 True M Question ** E out of E points The most successful !ind of top#down approach involves a formal development strategy referred to as a ////. Answer Selected Answer0 ,orrect Answer0 M Question *8 E out of E points The //// is a methodology for the design and implementation of an information system in an organi2ation. Answer Selected Answer0 ,orrect Answer0 d. S<9, d. S<9, d. systems development life cycle d. systems development life cycle d. 6hysical d. 6hysical

///////////////////////////////////////////////////////////////////////////////////////////// 6age0 *B

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / M Question *) E out of E points //// presents a comprehensive information security model and has become a widely accepted evaluation standard for the security of information systems. Answer Selected Answer0 ,orrect Answer0 M Question *B E out of E points The physical design is the blueprint for the desired solution. Answer Selected Answer0 False ,orrect Answer0 False M Question *E E out of E points Argani2ations are moving toward more ////#focused development approaches, see!ing to improve not only the functionality of the systems they have in place, but consumer confidence in their product. Answer Selected Answer0 ,orrect Answer0 M Question *: E out of E points //// of information is the 4uality or state of being genuine or original. Answer Selected Answer0 ,orrect Answer0 d. Authenticity d. Authenticity c. security c. security a. DST"SS" Do. B+** a. DST"SS" Do. B+**

///////////////////////////////////////////////////////////////////////////////////////////// 6age0 *E

"SA )*++ # ,hapter * Questions for -roup +. ///////////////////////////////////////////////////////////////////////////// / M Question *I E out of E points (ardware is often the most valuable asset possessed by an organi2ation and it is the main target of intentional attac!s. Answer Selected Answer0 False ,orrect Answer0 False M Question *. E out of E points A famous study entitled K6rotection Analysis0 Final ReportO was published in ////. Answer Selected Answer0 ,orrect Answer0 M Question *; E out of E points 6art of the logical design phase of the SecS<9, is planning for partial or catastrophic loss. //// dictates what steps are ta!en when an attac! occurs. Answer Selected Answer0 ,orrect Answer0 M Question 8+ E out of E points 7hich of the following is a valid type of data ownershipP Answer Selected Answer0 ,orrect Answer0 d. All of the above d. All of the above c. "ncident response c. "ncident response b. *;I. b. *;I.

///////////////////////////////////////////////////////////////////////////////////////////// 6age0 *: