Management of Information Security, 4th Edition
Chapter 1 – Introduction to the Management of Information Security
Review Questions
1. List and describe an organization’s three communities of interest that engage in efforts to solve InfoSec problems. Give two or three examples of who might be in each community.
2. What is the definition of information security? What essential protections must be in place to protect information systems from danger?
3. What is the CIA triangle? Define each of its component parts.
4. Describe the CNSS security model. What are its three dimensions?
5. What is the definition of privacy as it relates to information security? How is this definition of privacy different from the everyday definition? Why is this difference significant?
6. Define the InfoSec processes of identification, authentication, authorization, and accountability.
7. What is management and what is a manager? What roles do managers play as they execute their responsibilities?
8. How are leadership and management similar? How are they different?
9. What are the characteristics of management based on the popular approach to management? Define each characteristic.
10. What are the three types of general planning? Define each.
11. List and describe the five steps of the general problem-solving process.
12. Define project management. Why is project management of particular interest in the field of information security?
13. Why are project management skills important to the information security professional?
14. How can security be both a project and a process?
15. What are the nine areas that make up the component process of project management?
16. What are the three planning parameters that can be adjusted when a project is not being executed according to plan?
17. Name and briefly describe some of the manual and automated tools that can be used to help manage projects.
Management of Information Security, 4th Edition
Chapter 2 – Planning for Security
Review Questions
1. Describe the essential parts of planning. How does the existence of resource constraints affect the need for planning?
2. What are the three common layers of planning? How do they differ?
3. Who are the stakeholders? Why is it important to consider their views when planning?
4. What is a mission statement? What is a vision statement? What is a values statement? Why are they important? What do they contain?
5. What is strategy?
6. What is information security governance?
7. What should a Board of Directors recommend as an organization’s information security objectives?
8. What are the five basic outcomes that should be achieved through information security governance?
9. Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organization?
10. How does the SecSDLC differ from the more general SDLC?
11. What is the primary objective of the SecSDLC? What are its major steps, and what are the major objectives of each step?
12. What is a threat in the context of information security? How many categories of threats exist as presented in this chapter?
13. What is the difference between a threat and an attack?
14. How can a vulnerability be converted into an attack? What label would we give to the entity that performs this transformation?
15. What name is given to an attack that makes use of viruses and worms? What name is given to an attack that does not actually cause damage other than wasted time and resources?
16. What questions might be asked to help identify and classify information assets? Which is the most useful question in the list?
17. What name is given to the process of assigning a comparative risk rating to each specific information asset? What are the uses of such a rating?
18. What term is used to describe the provision of rules intended to protect the information assets of an organization?
19. What term is used to describe the control measure that reduces security incidents among members of the organization by familiarizing them with relevant policies and practices in an ongoing manner?
Management of Information Security, 3rd Edition
Chapter 3 – Planning for Contingencies
Review Questions
1. What is the name for the broad process of planning for the unexpected? What are its three primary components?
2. Which two communities of interest are usually associated with contingency planning? Which community must give authority to ensure broad support for the plans?
3. What percentage of businesses that do not have a disaster plan go out of business after a major loss, according to The Hartford Insurance Company?
4. List the seven-step CP process as defined by NIST. Is it the recommended standard approach to the process?
5. List and describe the four teams that perform the planning and execution of the CP plans and processes. What is the primary role of each?
6. Define the term incident as used in the context of IRP. How is it related to the concept of incident response?
7. List and describe the three criteria used to determine whether an actual incident is occurring.
8. List and describe the three sets of procedures used to detect, contain, and resolve an incident.
9. List and describe the four IR planning steps.
10. List and describe the actions that should be taken during an incident response.
11. What is an alert roster? What is an alert message? Describe the two ways they can be used when activated.
12. List and describe several containment strategies given in the text. On which two tasks do they focus?
13. What is an incident damage assessment? What is it used for?
14. What criteria should be used when considering whether or not to involve law enforcement agencies during an incident?
15. What is a disaster recovery plan, and why is it important to the organization?
16. List and describe two rapid-onset disasters. List and describe one slow-onset disaster. How would you respond differently to the two types of disasters?
17. What is a business continuity plan, and why is it important?
18. What is a business impact analysis and what is it used for?
19. Why should continuity plans be tested and rehearsed?
Management of Information Security, 3rd Edition
Chapter 4 – Information Security Policy
Review Questions
1. What is information security policy? Why is it critical to the success of the information security program?
2. Of the controls or countermeasures used to control information security risk, which is viewed as the least expensive? What are the primary costs of this type of control?
3. List and describe the three challenges in shaping policy.
4. List and describe the three guidelines for sound policy, as stated by Bergeron and Bérubé.
5. Describe the bull’s-eye model. What does it say about policy in the information security program?
6. Are policies different from standards? In what way?
7. Are policies different from procedures? In what way?
8. For a policy to have any effect, what must happen after it is approved by management? What are some ways to accomplish this?
9. Is policy considered static or dynamic? Which factors might determine this status?
10. List and describe the three types of information security policy as described by NIST SP 800-14.
11. For what purpose is an enterprise information security program policy (EISP) designed?
12. For what purpose is an issue-specific security policy (ISSP) designed?
13. For what purpose is a system-specific security program policy (SysSP) designed?
14. To what degree should the organization’s values, mission, and objectives be integrated into the policy documents?
15. List and describe four elements that should be present in the EISP.
16. List and describe three purposes that the ISSP serves in the organization.
17. What should be the first component of an ISSP when it is presented? Why? What should be the second major heading, in your opinion? Why?
18. List and describe three common ways in which ISSP documents are created and/or managed.
19. List and describe the two general groups of material included in most SysSP documents.
Management of Information Security, 4th Edition
Chapter 6 – Security Management Models
Review Questions
1. What is an information security framework?
2. How does an information security framework relate to the information security blueprint?
3. What is a security model?
4. How might an information security professional use a security model?
5. What is access control?
6. What are the essential processes of access control?
7. What are the key principles on which access control is founded?
Management of Information Security, 4th Edition
Chapter 7 – Security Management Practices
Review Questions
1. What is the standard of due care? How does it relate to due diligence?
2. What is a recommended security practice? What is a good source for finding such best practices?
3. What is a gold standard in information security practices? Where can you find published criteria for it?
4. When selecting recommended practices, what criteria should you use?
5. When choosing recommended practices, what limitations should you keep in mind?
6. What is baselining? How does it differ from benchmarking?
Management of Information Security, 4th Edition
Chapter 8 – Risk Management: Identifying and Assessing Risk
Review Questions
1. What is risk management?
2. List and describe the key areas of concern for risk management.
3. Why is identification of risks, through a listing of assets and their vulnerabilities, so important to the risk management process?
4. Who is responsible for risk management in an organization?
5. Which community of interest usually takes the lead in information asset risk management?
6. Which community of interest usually provides the resources used when undertaking information asset risk management?
7. In risk management strategies, why must periodic review be a part of the process?
Management of Information Security, 4th Edition
Chapter 9 – Risk Management: Assessing and Controlling Risk
Review Questions
1. What is competitive advantage? How has it changed over the years since the IT industry began?
2. What is competitive disadvantage? Why has it emerged as a factor?
3. What are the four risk control strategies presented in this chapter?
4. Describe the strategy of risk avoidance.
5. Describe the strategy of risk transference.
6. Describe the strategy of risk mitigation.
7. Describe the strategy of risk acceptance.
8. Describe residual risk.
9. What is the difference between organizational feasibility and operational feasibility?
10. What is the difference between qualitative measurement and quantitative measurement?
11. What is the difference between operational feasibility and technical feasibility?