CSE 3100: Introduction to Information Assurance
43 Questions
Questions and Answers

Which principle emphasizes the importance of understanding and securing a connection before it is made?

  • Principle 9: Prepare for the worst
  • Principle 8: Before connecting, understand and secure (correct)
  • Principle 2: Trust No One
  • Principle 6: Make security part of the initial design

What is a primary focus of Information Assurance as it relates to non-repudiation?

  • Guaranteeing data integrity
  • Preventing denial of actions by involved parties (correct)
  • Facilitating efficient access control
  • Ensuring confidentiality of data

Which of the following risk treatment options involves accepting the possibility of loss without any preemptive action?

  • Risk Avoidance
  • Risk Reduction
  • Risk Transfer
  • Risk Retention (correct)

Which of the following frameworks is not typically associated with Information Security Management Systems (ISMS)?

    Answer: GRC

    What aspect does the CIA triad specifically address within information security?

    Answer: Confidentiality, Integrity, and Availability

    Which of the following best describes a key principle of confidentiality in information assurance?

    Answer: Access to sensitive data should be restricted based on user roles.

    What is a primary purpose of implementing integrity measures within information systems?

    Answer: To ensure that data remains accurate and unaltered during storage and transmission.

    Which of the following strategies is crucial for maintaining availability in information assurance?

    Answer: Conducting regular backups and disaster recovery planning.

    Non-repudiation in information assurance primarily ensures which of the following?

    Answer: That a party cannot deny the authenticity of their signature or the sending of a message.

    Which type of threat is especially concerning for information assurance in an organization?

    Answer: Vulnerabilities in legacy systems.

    What is a significant impact of failing to address human factors in information security?

    Answer: Higher risk of accidental breaches and data leaks.

    Which of the following is essential for effective incident response planning?

    Answer: Recognizing potential threats and establishing clear policies.

    What role do legal, ethical, and social implications play in information assurance?

    Answer: They guide the development of policies and procedures that protect data and users.

    Which principle of Information Assurance ensures that data remains unchanged from its original intended form?

    Answer: Integrity

    What is the primary focus of non-repudiation in Information Assurance?

    Answer: To ensure that the originator of a message cannot later deny having sent it (proof of origin that a third party can verify)

    Which measure primarily relates to ensuring that data is accessible when needed within defined operational parameters?

    Answer: Availability

    Which of the following is NOT a core principle of Information Assurance as defined in the provided content?

    Answer: Discretion

    In the context of risk management in Information Assurance, which step assesses the likelihood and consequences of identified vulnerabilities?

    Answer: Risk Analysis

    Which aspect of Information Assurance focuses specifically on unauthorized access to, and compliance with laws regarding, personal data?

    Answer: Privacy

    Which component of the Information Assurance Architecture Framework is considered the root driver?

    Answer: Risk

    What role does 'Utility' play in the context of Information Assurance principles?

    Answer: It ensures information is in a usable state (fit for its purpose)

    Which of the following best describes the purpose of the Information Assurance Model's focus on 'Process'?

    Answer: To establish procedures, rules and standards for data handling and security

    In Information Assurance, which property prevents a party from denying actions taken in electronic communications?

    Answer: Non-repudiation

    What is the primary focus of information assurance?

    Answer: Managing information-related risks

    Which of the following best describes non-repudiation in information assurance?

    Answer: The assurance that transactions cannot be denied by the originator

    Which of the following is NOT a characteristic of information security?

    Answer: Protocol complexity

    In the context of information systems, integrity primarily refers to:

    Answer: Maintaining the original state of information

    What is a key component of recovery capabilities in information assurance?

    Answer: Regular data backups

    What aspect of information assurance addresses ensuring that only authorized users have access to specific information?

    Answer: Confidentiality

    Which of the following phrases captures the essence of availability in information systems?

    Answer: Information should be accessible to authorized users when needed

    Why is risk management an essential part of information assurance?

    Answer: It helps in identifying and mitigating vulnerabilities

    What does authentication in information assurance primarily ensure?

    Answer: That users are who they claim to be

    Which measure would best aid in the detection of information security threats?

    Answer: Utilizing monitoring tools and intrusion detection systems

    Which principle is most closely associated with ensuring that information is not altered or tampered with during processing?

    Answer: Integrity

    What is the purpose of non-repudiation in information security?

    Answer: To provide proof of the origin and integrity of data

    In the context of information assurance, which aspect focuses on ensuring that data is available to authorized users when needed?

    Answer: Availability

    Which security principle is primarily concerned with the protection of sensitive information from unauthorized access?

    Answer: Confidentiality

    Which of the following is NOT a goal of information assurance as outlined in the framework?

    Answer: Efficiency

    What are the four security goals mentioned that need to be met for a successful implementation in information assurance?

    Answer: Integrity, availability, confidentiality, accountability

    Which of the following is a common misconception about information assurance?

    Answer: That it only focuses on preventing unauthorized access.

    What does the assurance measure in an information system reflect?

    Answer: The degree of confidence that its security features and policies are correctly implemented and enforced

    Which term best describes the condition created by protective measures that enables an enterprise to withstand threats?

    Answer: Security

    What characteristic of information ensures it can be trusted and verified against errors?

    Answer: Verifiability

    Study Notes

    Course Information

    • Course: CSE 3100: Information Assurance and Security
    • Session: 01 - September 04, 2024
    • Lecturer: Jerome Allicock

    Session Outline

    • Introduction to Information Assurance (IA)
    • IA Learning Objectives & Core Principles
    • IA Process & Model
    • Scope of Information Assurance
    • Risk Assessment
    • IA Architecture Framework & Views
    • IA vs InfoSec
    • The Security Paradigm
    • Security Big Picture

    CSE 3100 Description

    • Third-year, first-semester course in the full-time degree programme
    • Equips students with analytical knowledge for applying information security
    • Introduces students to current, real-world cases reviewed in the practitioner community

    CSE 3100 Description (Continued)

    • Focuses on Information Assurance (IA) & Security
    • Equips students with the knowledge and skills to:
      • Assess risks
      • Recognize threats and vulnerabilities in various computing technologies
      • Reduce risks associated with data access, storage, transmission, and processing
      • Implement plans for service restoration and business continuity

    Security Concepts

    • Security encompasses:
      • Computer security
      • Communications security
      • Operations security
      • Physical security
    • Core elements:
      • Risk assessment
      • Data and systems protection
      • Threat & vulnerability detection
      • Reaction/response plans

    Learning Objectives

    • Describe security risk in business and IT contexts
    • Compare and apply security risk assessment models
    • Facilitate risk assessment processes and gain consensus on risk-based decisions
    • Incorporate risk assessments into IT security plans.

    Required Readings

    • "Information Assurance: Security in the Information Environment" by Andrew Blyth and Gerald L. Kovacich
    • "Information Assurance: Managing Organizational IT Security Risks" by Joseph Boyce and Daniel Jennings
    • "Information Assurance and Security Technologies for Risk Assessment and Threat Management: Advances" by Te-Shun Chou

    Lecture Sessions

    • Wednesdays 06:15PM – 09:15PM
    • 3 hours of lecture time weekly
    • 2 hours of tutorial sessions weekly

    Weekly Topics

    • Introduction to Information Assurance / Risk Assessment
    • Networking and Cryptography
    • Information Assurance Planning and Deployment
    • Vulnerabilities and Protection
    • Identity and Trust Technologies
    • Verification and Evaluation
    • Incident Response
    • Human Factors / Cultural Anthropology
    • Legal, Ethical, and Social Implications

    Course Assessment

    • Coursework: 40% (Two tests (20%), Assignment (10%), Labs (10%))
    • Finals: 60%

    Course Requirements

    • Attend all class sessions and labs
    • Review slides and required readings before class
    • Participate in class discussions
    • Submit all assignments within the submission period

    Passwords

    • "Passwords are like underwear; don't let people see it, change it very often, and you shouldn't share it with strangers." (Chris Pirillo)

    Learning Objectives (Continued)

    • Understand the concept of IA
    • Understand the need and importance of IA
    • Understand the core principles of IA
    • IA architecture; framework, process, and model
    • Understand the difference between IA and information security
    • Overview of risk management

    Information Assurance and Security Models

    • CIA Triad (Confidentiality, Integrity, Availability)
    • Committee on National Security Systems (CNSS) McCumber Cube
    • Business Model for Information Security (BMIS)
    • A Reference Model for Information Assurance & Security (RMIAS)

    IA vs InfoSec

    • IA is a process/model that includes InfoSec as one of its elements
    • Both involve people, processes, techniques and technology (administrative, technical and physical controls)
    • InfoSec focuses on the CIA triad (confidentiality, integrity, availability)
    • IA adds reliability, access control, non-repudiation and strategic risk management
    • An ISMS is closely aligned with IA

    Security Paradigm

    • Principle 1: The attacker is likely someone you know (insiders are as much a concern as outsiders)
    • Principle 2: Trust no one
    • Principle 3: Make the hacker believe they'll be caught
    • Principle 4: Protect in layers
    • Principle 5: Plan for complete failure in a single layer
    • Principle 6: Make security part of the initial design
    • Principle 7: Disable unneeded services
    • Principle 8: Understand & secure before connecting
    • Principle 9: Prepare for the worst

    Risk Treatment

    • Risk assessment produces the results from which a treatment option is chosen
    • The four risk treatment options:
      • Risk Avoidance
      • Risk Transfer
      • Risk Reduction
      • Risk Retention

    IA Core Principles

    • Confidentiality – disclosure only to authorized users
    • Integrity – information keeps its original intended form
    • Availability – ready for use within stated parameters
    • Possession – remains in the custody of authorized personnel
    • Authenticity – conforms to reality (is what it claims to be)
    • Utility – fit for a purpose
    • Privacy – protection of personal information
    • Authorized Use – available only to authorized personnel
    • Nonrepudiation – the originator of a message cannot later deny having sent it
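    The following is an added example, not part of the lecture slides, showing why non-repudiation (as defined above and in the quiz items on proof of origin and integrity) needs an asymmetric digital signature rather than a shared-key MAC. It uses a toy RSA key built from two Mersenne primes purely for illustration; this is an assumption of the example, and real systems use a vetted library with 2048-bit or larger keys and proper signature padding. The message, the shared key and the key material are all constructed.

```python
"""Added example: non-repudiation via a digital signature, contrasted with an
HMAC that both parties can compute and which therefore proves nothing to a
third party. Toy RSA parameters (assumption: illustration only, not secure)."""
import hashlib
import hmac

# Constructed toy key pair: p and q are the Mersenne primes M61 and M31.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; only the signer holds it

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def _digest(message: bytes) -> int:
    # Hash the message, then reduce into the modulus range (toy; no padding).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Only the holder of D can produce a value that verifies under (N, E)."""
    n, d = private_key
    return pow(_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Anyone holding the public key can check origin and integrity together."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message)


# Shared-key MAC: sender and receiver hold the same secret.
SHARED_KEY = b"constructed-shared-secret"


def mac(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(mac(message, key), tag)


def demo() -> dict:
    order = b"transfer 1000 to account 42"      # constructed message
    altered = b"transfer 9000 to account 42"    # constructed tampered message
    sig = sign(order)
    # A receiver with only the public key tries to "sign" the altered order.
    forged = pow(_digest(altered), E, N)
    return {
        # Receiver verifies the sender's signature (proof of origin)...
        "signature_valid": verify(order, sig),
        # ...and any alteration breaks it (integrity).
        "tampered_rejected": not verify(altered, sig),
        # The receiver cannot mint a valid signature without D, so the
        # sender cannot plausibly deny a verifying signature (non-repudiation).
        "receiver_cannot_forge_signature": not verify(altered, forged),
        # An HMAC also detects tampering...
        "mac_valid": mac_verify(order, mac(order)),
        # ...but the receiver holds the key too and can produce a valid tag for
        # any message, so a tag proves nothing about the sender to a third party.
        "receiver_can_forge_mac": mac_verify(altered, mac(altered)),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:32} {outcome}")
```

    The signature only supports non-repudiation if the private key is held solely by the signer; key custody, key protection and a trusted binding of the public key to that party are what make the property hold in practice.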

    IA Architecture Framework

    • IA root driver is Risk
    • IA drivers include business drivers, technical drivers
    • Perspectives include People, Policy, Business process, Systems & Application, Information/data, Infrastructure
    • Together, the drivers and perspectives describe an IA architecture

    Information Assurance Process

    • Enumeration & Classification of data/information assets
    • Value, state, location, sensitivity, form for evaluating assets
    • Assessing vulnerabilities and threats
    • Analyzing probability and impact of risks
    • Managing risks through treatment and systems

    Information Assurance Model

    • IA tools are dedicated to defending key elements
      • People – training, ethics, culture, education, motivation
      • Process – procedures, rules, standards, security guidelines
      • Technology – tools to mitigate attacks (firewalls, anti-viruses, encryption)

    Risk Treatment Decision Making Process

    • Flow of the process: Risk Assessment → Risk Assessment Results → Risk Treatment Options (Risk Avoidance, Risk Transfer, Risk Reduction, Risk Retention) → Are the residual risks acceptable? → Risk Acceptance
    • The risk model is based on ISO/IEC 27005:2008

    Risk Treatment Options

    • Risk Avoidance - avoiding actions that may lead to risk.
    • Risk Transfer - shifting risk from one party to another (contractually).
    • Risk Reduction - measures to decrease the risk
    • Risk Retention – accepting risks
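    As an added example, not from the lecture slides, the following walks a small risk register through the IA process and the risk treatment decision described above: assets with threats and vulnerabilities, a likelihood-by-impact analysis, and a choice among the four treatment options. The 5x5 scale, the acceptance threshold and the cost-versus-saving rule for choosing a control are assumptions made for illustration (ISO/IEC 27005 does not prescribe them); all assets, figures and controls are constructed.

```python
"""Added example: a constructed risk register worked through to a treatment
decision (retain, reduce, transfer or avoid). Scale and thresholds are
assumptions for illustration only."""
from dataclasses import dataclass, field

ACCEPTABLE_LEVEL = 6   # assumption: level <= 6 on the 5x5 grid is within appetite


@dataclass
class Control:
    name: str
    annual_cost: int          # yearly cost of running the control
    residual_likelihood: int  # likelihood (1..5) once the control is in place
    residual_impact: int      # impact (1..5) once the control is in place


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    annual_loss: int          # expected yearly loss if left untreated
    controls: list = field(default_factory=list)
    transferable: bool = False  # can the loss be shifted contractually?

    @property
    def level(self) -> int:
        return self.likelihood * self.impact

    def residual_level(self, control: Control) -> int:
        return control.residual_likelihood * control.residual_impact

    def saving(self, control: Control) -> float:
        """Loss avoided per year, assuming loss scales with the risk level."""
        return self.annual_loss * (1 - self.residual_level(control) / self.level)


def treat(risk: Risk) -> tuple:
    """Choose one of the four treatment options for a single risk."""
    # Retention: already within appetite, accept as-is.
    if risk.level <= ACCEPTABLE_LEVEL:
        return ("retain", None)
    # Reduction: cheapest control that brings the risk within appetite AND
    # costs less than the loss it avoids (risk management balances cost and risk).
    worthwhile = [c for c in risk.controls
                  if risk.residual_level(c) <= ACCEPTABLE_LEVEL
                  and c.annual_cost < risk.saving(c)]
    if worthwhile:
        best = min(worthwhile, key=lambda c: c.annual_cost)
        return ("reduce", best.name)
    # Transfer: no economical control, but the loss can be shifted to another party.
    if risk.transferable:
        return ("transfer", None)
    # Avoidance: stop the activity that creates the risk.
    return ("avoid", None)


def plan(register: list) -> dict:
    return {r.asset: treat(r) for r in register}


# Constructed register: assets enumerated with threat, vulnerability and values.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched remote desktop exposed",
         likelihood=4, impact=5, annual_loss=200_000,
         controls=[Control("MFA on remote access + patch cadence", 30_000, 1, 5)]),
    Risk("marketing website", "defacement", "outdated CMS plugin",
         likelihood=3, impact=2, annual_loss=4_000),
    Risk("field laptops", "theft", "no disk encryption",
         likelihood=3, impact=4, annual_loss=40_000,
         controls=[Control("full-disk encryption", 5_000, 3, 1)]),
    Risk("card payments", "card fraud", "in-house card handling",
         likelihood=2, impact=5, annual_loss=50_000,
         controls=[Control("build in-house fraud engine", 80_000, 1, 5)],
         transferable=True),
    Risk("legacy control system", "remote exploit", "internet-reachable, unsupported OS",
         likelihood=5, impact=5, annual_loss=500_000),
]

if __name__ == "__main__":
    for asset, (decision, control) in plan(REGISTER).items():
        print(f"{asset:24} -> {decision}" + (f" ({control})" if control else ""))
```

    Note the card-payments row: a control exists that would bring the risk within appetite, but it costs more than the loss it avoids, so transfer wins; the legacy system has no economical control and cannot be transferred, so the only remaining option is to avoid the exposure.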

    Points to Note

    • IA requires integration from inception
    • Weak link in security is often the human element
    • Holistic security includes people, organization, governance, processes, and technology
    • Security programs should prevent trouble.
    • Implementing firewalls isn't enough; operational issues need attention.
    • Risk management balances cost and risk.

    Additional Information

    • Information is data endowed with meaning and purpose
    • IA is the degree of confidence that security features, practices, procedures, and architecture meet policy
    • Security is about asset protection, including elements of deterrence, avoidance and prevention, detection, recovery, correction

    Description

    This quiz covers the foundational concepts of Information Assurance (IA) as taught in CSE 3100. Students will explore IA principles, risk assessment, and the differences between IA and InfoSec. Get ready to test your understanding of the security landscape and its key components.
