Module 1 discussion
Discuss the different types of management approaches, and
what type of management would work best for your organization or university.
Justify your answer.
Module 2 discussion
Research different disaster response plans of major organizations
that have had to respond to fairly recent disasters. Discuss the results of the
organization’s recovery efforts.
Module 3 discussion
Discuss possible ways to influence and motivate employees
within an organization in regard to information security.
Module 4 discussion
Discuss various security architectures. Which provides the
best balance between simplicity and security? Justify your answer.
Module 5 discussion
Discuss how threat identification should be performed within
your organization or university. Should every threat be planned for? Why or why
not?
Module 6 discussion
Discuss some of the cryptosystems that have been used to
secure email. In your opinion, what are some of the biggest challenges in
securing Web activity? Why?
Module 7 discussion
Discuss the application of ethics in the workplace. How do
you enforce ethics in the workplace? Give examples.
Module 8 discussion
Do you feel that information systems to fight terrorism
should be developed and used even if they infringe on privacy rights or violate
the Privacy Act of 1974 and other such statutes?
Post your question in the Module 8 Discussion Board no later
than Thursday 11:59 PM EST/EDT.
Respond to at least two questions posted by your fellow
students by no later than Sunday 11:59 PM EST/EDT.
Module 1
Ch-1
Ex 1. Assume that a security model is needed to protect
information used in the class you are taking—say, the information in your
course’s learning management system. Use the CNSS model to identify each of the
27 cells needed for complete information protection. Write a brief statement
that explains how you would address the components represented in each of the
27 cells.
Ex 2. Consider the information stored in your personal
computer. Do you currently have information stored in your computer that is
critical to your personal life? If that information became compromised or lost,
what effect would it have on you?
Ex 4. Search the Web for “The Official Phreaker’s Manual.”
What information in this manual might help a security administrator to protect
a communications system?
Module 2
Chapter 3, Exercises 1, 2, and 3 in the Management of
Information Security textbook
Chapter 10, Exercises 3 and 4 in the Management of
Information Security textbook
Module 3
Ch-4
Ex 2. Search your institution’s intranet or Web site for its security policies.
Do you find an enterprise security policy? What issue-specific security policies
can you locate? Are all of these policies issued or coordinated by the same
individual or office, or are they scattered throughout the institution?
Ex 3. Using the framework presented in this chapter, evaluate the
comprehensiveness of each policy you located in Exercise 2. Which areas are missing?
Ex 4. Using the framework presented in this chapter, draft a sample
issue-specific security policy for an organization. At the beginning of your
document, describe the organization for which you are creating the policy and
then complete the policy using the framework.
Ch-5
Ex 1. Search the term “security awareness” on the Internet. Choose two or three
sites that offer materials and services and describe what they offer.
Ex 2. Choose one of the Web sites you found in Exercise 1
that you think might work for a security awareness program at your institution.
Write a short essay about how you would go about getting that awareness
material or service into place on your campus.
Ex 6. Draft a work breakdown structure for the task of implementing and using a
PC-based virus detection program (one that is not centrally managed). Don’t
forget to include tasks to remove or quarantine any malware it finds.
Module 4
Ch-8
Ex 2. Compare the ISO/IEC 27001 outline with the NIST documents discussed in
this chapter. Which areas, if any, are missing from the NIST documents? Identify
the strengths and weaknesses of the NIST programs compared to the ISO standard.
Ex 3. Search the Internet for the term “security best practices.” Compare your
findings to the recommended practices outlined in the NIST documents.
Ex 4. Search the Internet for the term “data classification model.” Identify two
such models and then compare and contrast the categories those models use for
the various levels of classification.
Ch-9
Ex 2. Visit the NIST Federal Agency Security Practices Web
site at csrc.nist.gov/groups/SMA/fasp/index.html. Review some of the listed
FASPs and identify five drawbacks to adopting the recommended practices for a
typical business.
Ex 4. Download and review “NIST SP 800-55, Rev. 1: Performance Measurement Guide
for Information Security.” Using this document, identify five measures you would
be interested in finding the results from based on your home computing systems
and/or network.
Ex 5. Using the template provided in Table 9-2, develop documentation for one of
the performance measurements you selected in Exercise 4.
Module 5
Chapter 6, Exercises 1, 2, and 5 in the Management of
Information Security textbook
Chapter 7, Exercises 1, 3, and 4 in the Management of Information Security textbook
Module 6
Ch-11
Ex 3. Using the Internet, search for three different employee hiring and
termination policies. Review each and look carefully for inconsistencies. Does
each have a section addressing the requirements for the security of information?
What clauses should a termination policy contain to prevent disclosure of the
organization’s information? Create your own variant of either a hiring or
termination policy.
Ex 5. Using the description given in this chapter, write a job description for
Iris’s new position, which is described in the following case scenario. What
qualifications and responsibilities should be associated with this position?
(Closing case on pages 515-516.)
Ch-12
Ex 1. Create a spreadsheet that takes eight values that a user inputs into eight
different cells. Then create a row that transposes the cells to simulate a
transposition cipher, using the example transposition cipher from the text.
Remember to work from right to left, with the pattern 1 > 3, 2 > 6, 3 > 8,
4 > 1, 5 > 4, 6 > 7, 7 > 5, 8 > 2, where 1 is the rightmost of the eight cells.
Input the text ABCDEFGH as single characters into the first row of cells. What
is displayed?
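The same eight-cell transposition, written as an added example in Python rather than a spreadsheet (this is not code from the textbook). It assumes the reading that “1 > 3” means the character in cell 1 moves to cell 3, with cells numbered 1 to 8 from the right; the `PATTERN` table, the padding character `X` and the sample message `ATTACKATDAWN` are constructed for the example. Inverting the pattern gives the decryption routine for free, and `letter_counts` shows why a transposition alone is weak: it rearranges symbols but leaves their frequencies untouched, so frequency analysis still works on the ciphertext.

```python
# Added example (not from the textbook): the Ch-12 Ex 1 transposition
# cipher in Python. Assumed reading of the exercise: "1 > 3" means the
# character in cell 1 moves to cell 3, with cells numbered 1..8 from the RIGHT.

PATTERN = {1: 3, 2: 6, 3: 8, 4: 1, 5: 4, 6: 7, 7: 5, 8: 2}  # from the exercise


def invert(pattern):
    """Swap sources and destinations so the same routine decrypts."""
    inv = {dst: src for src, dst in pattern.items()}
    if len(inv) != len(pattern) or set(inv) != set(pattern):
        raise ValueError("pattern is not a permutation of its own cells")
    return inv


def transpose_block(block, pattern=PATTERN):
    """Permute one block of exactly len(pattern) characters."""
    n = len(pattern)
    if len(block) != n:
        raise ValueError(f"block must be exactly {n} characters")
    out = [None] * n
    for src, dst in pattern.items():
        # cell k counted from the right is index n - k counted from the left
        out[n - dst] = block[n - src]
    return "".join(out)


def transpose_text(text, pattern=PATTERN, pad="X"):
    """Apply the block permutation to a whole string, padding the last block.

    Padding is an assumption of this example; the exercise only covers one block.
    """
    n = len(pattern)
    if len(text) % n:
        text += pad * (n - len(text) % n)
    return "".join(transpose_block(text[i:i + n], pattern)
                   for i in range(0, len(text), n))


def letter_counts(text):
    """Symbol frequencies: identical before and after a pure transposition."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return counts


if __name__ == "__main__":
    ct = transpose_block("ABCDEFGH")
    print(ct)                                    # FCGBDHAE
    print(transpose_block(ct, invert(PATTERN)))  # ABCDEFGH
    msg = "ATTACKATDAWN"                         # constructed sample message
    ct = transpose_text(msg)
    print(ct, transpose_text(ct, invert(PATTERN)))
    # Same multiset of letters on both sides: frequencies leak through.
    print(letter_counts(ct) == letter_counts(msg + "XXXX"))
```

Running the block prints `FCGBDHAE` for the input `ABCDEFGH`, which is what the spreadsheet row should display under the same reading of the pattern.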
Ex 3. Go to the Web site of VeriSign, one of the market
leaders in digital certificates. Determine whether VeriSign serves as a
registration authority, certificate authority, or both. Download its free guide
to PKI and summarize VeriSign’s services.
Ex 4. Go to csrc.nist.gov and locate “Federal Information Processing Standard
(FIPS) 197.” What encryption standard does this publication address? Examine its
contents and describe the algorithm discussed. How strong is it? How does it
encrypt plaintext?
Ex 5. Search the Internet for vendors of biometric products. Find one vendor
with a product designed to examine each characteristic mentioned in Figure 12-4.
What is the crossover error rate (CER) associated with each product? Which would
be more acceptable to users? Which would be preferred by security administrators?
Module 7
Ch-2
Ex 3. Using resources available in your library, find out
what laws your state has passed to prosecute computer crime.
Ex 5. Consider each ethical scenario presented in this chapter and note your
response. Bring your answers to class to compare them with those of your peers.
Plus Closing Case (all discussion questions)
Module 1 Summary paper
Using sources such as the Internet, newspaper, magazine, journal, or Saint Leo
online library resources, find a recent article (less than six months old) on a
cyber attack or on an information security breach. Submit at least a 1,000-word
summary of the article. Describe the issue and cause, and give recommendations
for how such an incident can be prevented in the future. The source of the
article must be cited following APA format.
Submit your paper to the Summary Paper Assignment box no later than Sunday
11:59 PM EST/EDT. (This Assignment box may be linked to Turnitin.)
Module 7 Security Assessment Project
COM 510 – Management of Information Security
Carry out a security self-assessment of the organization of your current or
previous employer, or of your own organization. You must seek permission from
the individual responsible for the information security of that organization.
You may use any NIST Special Publication (e.g. SP 800-171 or the SP 1800
series), or any other national framework, to assist in your report.
Report
Write a report based on the self-assessment of an
organization. It should be 5-7 pages long, 12 point character size, double line
spacing, and have 1” margins on all sides. It is recommended that you do not
use the actual name of the organization in the report; use a title, such as
“ABC, Inc.” Your report should include a brief description of the organization,
nature of the business, analysis of the results, and recommendations for
improvement in the form of an action plan.
Deliverables: A single Word document. Submit your project to the Security
Assessment Dropbox no later than 11:59 PM Sunday.
Midterm exam
Question 1
The macro virus infects the key operating system files
located in a computer’s start up sector.
Question 1 options:
True
False
Question 2
Which function of InfoSec Management encompasses security
personnel as well as aspects of the SETA program?
Question 2 options:
Projects
Policy
Protection
People
Question 3
Which of the following is NOT a primary function of
Information Security Management?
Question 3 options:
Projects
Performance
Planning
Protection
Question 4
According to the C.I.A. triad, which of the following is a
desirable characteristic for computer security?
Question 4 options:
Authentication
Authorization
Availability
Accountability
Question 5
Which of the following is NOT a step in the problem-solving
process?
Question 5 options:
Gather facts and make assumptions
Select, implement and evaluate a solution
Analyze and compare possible solutions
Build support among management for the candidate solution
Question 6
A worm may be able to deposit copies of itself onto all Web
servers that the infected system can reach, so that users who subsequently
visit those sites become infected.
Question 6 options:
True
False
Question 7
“Shoulder spying” is used in public or semi-public
settings when individuals gather information they are not authorized to have by
looking over another individual’s shoulder or viewing the information from a
distance.
Question 7 options:
True
False
Question 8
As frustrating as viruses and worms are, perhaps more time
and money is spent on resolving virus __________.
Question 8 options:
hoaxes
polymorphisms
false alarms
urban legends
Question 9
The first step in solving problems is to gather facts and
make assumptions.
Question 9 options:
True
False
Question 10
Blackmail threat of informational disclosure is an example
of which threat category?
Question 10 options:
Compromises of intellectual property
Espionage or trespass
Information extortion
Sabotage or vandalism
Question 11
Which of the following is the best example of a rapid-onset
disaster?
Question 11 options:
Famine
Environmental degradation
Flood
Pest infestation
Question 12
Which type of document grants formal permission for an
investigation to occur?
Question 12 options:
Forensic concurrence
Affidavit
Evidentiary report
Search warrant
Question 13
In which contingency plan testing strategy do individuals
participate in a role-playing exercise in which the CP team is presented with a
scenario of an actual incident or disaster and expected to react as if it had
occurred?
Question 13 options:
Structured walk-through
Desk check
Parallel testing
Simulation
Question 14
ISO 27014:2013 is the ISO 27000 series standard for
__________.
Question 14 options:
information security management
policy management
governance of information security
risk management
Question 15
Which document must be changed when evidence changes hands
or is stored?
Question 15 options:
Affidavit
Search warrant
Evidentiary material
Chain of custody
Question 16
Which of the following allows investigators to determine
what happened by examining the results of an event—criminal, natural,
intentional, or accidental?
Question 16 options:
Forensics
E-discovery
Digital malfeasance
Evidentiary procedures
Question 17
Individuals who control, and are therefore responsible for,
the security and use of a particular set of information are known as
__________.
Question 17 options:
data users
data generators
data owners
data custodians
Question 18
What is the final stage of the business impact analysis when
using the NIST SP 800-34 approach?
Question 18 options:
Identify resource requirements
Identify recovery priorities for system resources
Determine mission/business processes and recovery
criticality
Identify business processes
Question 19
Which level of planning breaks down each applicable
strategic goal into a series of incremental objectives?
Question 19 options:
Operational
Strategic
Organizational
Tactical
Question 20
Which of the following has the main goal of restoring normal
modes of operation with minimal cost and disruption to normal business
activities after an adverse event?
Question 20 options:
Risk management
Contingency planning
Disaster readiness
Business response
Question 21
Which of the following are instructional codes that guide
the execution of the system when information
Question 21 options:
configuration rules
user profiles
access control lists
capability tables
Question 22
A detailed outline of the scope of the policy development
project is created during which phase of the SecSDLC?
Question 22 options:
Analysis
Implementation
Design
Investigation
Question 23
In addition to specifying the penalties for unacceptable
behavior, what else must a policy specify?
Question 23 options:
The proper operation of equipment
What must be done to comply
Legal recourse
Appeals process
Question 24
Which of the following is NOT a step in the process of
implementing training?
Question 24 options:
Motivate management and employees
Administer the program
Identify target audiences
Hire expert consultants
Question 25
Which of the following is an element of the enterprise
information security policy?
Question 25 options:
Information on the structure of the InfoSec organization
Access control lists
Articulation of the organization’s SDLC methodology
Indemnification of the organization against liability
Question 26
Which of the following is the most cost-effective method for
disseminating security information and news to employees?
Question 26 options:
Security-themed Web site
Distance learning seminars
Conference calls
Security newsletter
Question 27
Which of the following is NOT among the three types of
InfoSec policies based on NIST’s Special Publication 800-14?
Question 27 options:
Enterprise information security policy
User-specific security policies
System-specific security policies
Issue-specific security policies
Question 28
Which of the following would be responsible for configuring
firewalls and IDPSs, implementing security software, and diagnosing and
troubleshooting problems?
Question 28 options:
A security analyst
The security manager
A security technician
A security consultant
Question 29
Which policy is the highest level of policy and is usually
created first?
Question 29 options:
USSP
ISSP
EISP
SysSP
Question 30
Which of the following is NOT among the functions typically
performed within the InfoSec department as a compliance enforcement obligation?
Question 30 options:
Centralized authentication
Policy
Risk management
Compliance/audit
Question 31
Which of the following is the primary purpose of ISO/IEC
27001:2005?
Question 31 options:
Use within an organization to ensure compliance with laws
and regulations
Use within an organization to formulate security
requirements and objectives
Implementation of business-enabling information security
To enable organizations that adopt it to obtain
certification
Question 32
Which security architecture model is part of a larger series
of standards collectively referred to as the “Rainbow Series”?
Question 32 options:
Bell-LaPadula
ITSEC
TCSEC
Common Criteria
Question 33
Under the Common Criteria, which term describes the
user-generated specifications for security requirements?
Question 33 options:
Security Functional Requirements (SFRs)
Security Target (ST)
Protection Profile (PP)
Target of Evaluation (ToE)
Question 34
Which type of access controls can be role-based or
task-based?
Question 34 options:
Nondiscretionary
Constrained
Discretionary
Content-dependent
Question 35
Which access control principle specifies that no unnecessary
access to data exists by regulating members so they can perform only the
minimum data manipulation necessary?
Question 35 options:
Need-to-know
Separation of duties
Eyes only
Least privilege
Question 36
The InfoSec measurement development process recommended by
NIST is divided into two major activities. Which of the following is one of
them?
Question 36 options:
Identification and definition of the current InfoSec program
Regularly monitor and test networks
Compare organizational practices against organizations of
similar characteristics
Maintain a vulnerability management program
Question 37
Which piece of the Trusted Computing Base’s security system
manages access controls?
Question 37 options:
Trusted computing base
Verification module
Covert channel
Reference monitor
Question 38
Which of the following is a possible result of failure to
establish and maintain standards of due care and due diligence?
Question 38 options:
Legal liability
Baselining
Certification revocation
Competitive disadvantage
Question 39
Which access control principle limits a user’s access to the
specific information required to perform the currently assigned task?
Question 39 options:
Need-to-know
Eyes only
Least privilege
Separation of duties
Question 40
Which of the following specifies the authorization
classification of information asset an individual user is permitted to access,
subject to the need-to-know principle?
Question 40 options:
Task-based access controls
Discretionary access controls
Sensitivity levels
Security clearances
Final exam
Question 1
What should you be armed with to adequately assess potential
weaknesses in each information asset?
Question 1 options:
Intellectual property assessment
Properly classified inventory
List of known threats
Audited accounting spreadsheet
Question 2
Which of the following is a network device attribute that
may be used in conjunction with DHCP, making asset-identification using this
attribute difficult?
Question 2 options:
IP address
Part number
MAC address
Serial number
Question 3
Which of the following is NOT a valid rule of thumb on risk
control strategy selection?
Question 3 options:
When the attacker’s potential gain is less than the costs of
attack: Apply protections to decrease the attacker’s cost or reduce the
attacker’s gain, by using technical or operational controls.
When a vulnerability can be exploited: Apply layered
protections, architectural designs, and administrative controls to minimize the
risk or prevent the occurrence of an attack.
When the potential loss is substantial: Apply design
principles, architectural designs, and technical and non-technical protections
to limit the extent of the attack, thereby reducing the potential for loss.
When a vulnerability exists: Implement security controls to
reduce the likelihood of a vulnerability being exploited.
Question 4
By multiplying the asset value by the exposure factor, you
can calculate which of the following?
Question 4 options:
Value to adversaries
Annualized cost of the safeguard
Annualized loss expectancy
Single loss expectancy
Question 5
The Microsoft Risk Management Approach includes four phases.
Which of the following is NOT one of them?
Question 5 options:
Implementing controls
Evaluating alternative strategies
Conducting decision support
Measuring program effectiveness
Question 6
What does FAIR rely on to build the risk management
framework that is unlike many other risk management frameworks?
Question 6 options:
Qualitative assessment of many risk components
Quantitative valuation of safeguards
Subjective prioritization of controls
Risk analysis estimates
Question 7
Which of the following affects the cost of a control?
Question 7 options:
Maintenance
Liability insurance
CBA report
Asset resale
Question 8
Strategies to limit losses before and during a realized
adverse event are covered by which of the following plans in the mitigation
control approach?
Question 8 options:
Disaster recovery plan
Business continuity plan
Damage control plan
Incident response plan
Question 9
The identification and assessment of levels of risk in an
organization describes which of the following?
Question 9 options:
Risk reduction
Risk management
Risk identification
Risk analysis
Question 10
Determining the cost of recovery from an attack is one
calculation that must be made to identify risk. What is another?
Question 10 options:
Cost of prevention
Cost of identification
Cost of litigation
Cost of detection
Question 11
Which of the following provides an identification card of
sorts to clients who request services in a Kerberos system?
Question 11 options:
Ticket Granting Service
Authentication Server
Authentication Client
Key Distribution Center
Question 12
Which of the following is a commonly used criterion for
comparing and evaluating biometric technologies?
Question 12 options:
False accept rate
False reject rate
Crossover error rate
Valid accept rate
Question 13
To move the InfoSec discipline forward, organizations should
take all but which of the following steps?
Question 13 options:
Learn more about the requirements and qualifications for
InfoSec and IT positions
Learn more about InfoSec budgetary and personnel needs
Insist all mid-level and upper-level management take
introductory InfoSec courses
Grant the InfoSec function an appropriate level of influence
and prestige
Question 14
Which of the following InfoSec positions is responsible for
the day-to-day operation of the InfoSec program?
Question 14 options:
Security technician
Security officer
Security manager
CISO
Question 15
The intermediate area between trusted and untrusted networks
is referred to as which of the following?
Question 15 options:
Demilitarized zone
Unfiltered area
Proxy zone
Semi-trusted area
Question 16
Which technology has two modes of operation: transport and
tunnel?
Question 16 options:
Secure Sockets Layer
Secure Hypertext Transfer Protocol
Secure Shell
IP Security
Question 17
Which of the following is NOT a typical task performed by
the security technician?
Question 17 options:
Develop security policy
Coordinate with systems and network administrators
Configure firewalls and IDPSs
Implement advanced security appliances
Question 18
Temporary hires called contract employees – or simply
contractors – should not be allowed to do what?
Question 18 options:
Work on the premises
Wander freely in and out of buildings