Information Security Top-Down Approach Quiz
27 Questions

Questions and Answers

What approach is initiated by upper management who issue policy, procedures, and processes?

  • Lateral Approach
  • Bottom-Up Approach
  • Random Approach
  • Top-Down Approach (correct)

Which phase of the Security Systems Development Life Cycle (SecSDLC) identifies specific threats and creates controls to counter them?

  • Logical Design
  • Investigation
  • Physical Design
  • Analysis (correct)

What does the Investigation phase do in the Security Systems Development Life Cycle (SecSDLC)?

  • Performs feasibility analysis
  • Identifies process, outcomes, goals, and constraints (correct)
  • Analyzes existing security policies
  • Identifies specific threats and controls

Which action is planned during the Logical Design phase of the Security Systems Development Life Cycle (SecSDLC)?

Answer: Incident response planning

What is performed during the Physical Design phase of the Security Systems Development Life Cycle (SecSDLC)?

Answer: Generating alternatives for design

What task begins during the Analysis phase of the Security Systems Development Life Cycle (SecSDLC)?

Answer: Risk management analysis

What is the key difference between law and ethics in information security?

Answer: Law is enforced by the state, while ethics are not.

What is the legal standard that requires a prudent organization to act legally and ethically and know the consequences of its actions?

Answer: Due Care

What is the legal standard that requires a prudent organization to maintain the standard of due care and ensure its actions are effective?

Answer: Due Diligence

What is the court's right to hear a case if the wrong was committed in its territory or involved its citizenry?

Answer: Jurisdiction

What is the legal obligation of an entity extending beyond criminal or contract law, including the legal obligation to make restitution?

Answer: Organizational Liability

What functions as organizational laws that must be crafted and implemented with care to ensure they are complete, appropriate, and fairly applied to everyone?

Answer: Policy

What is the responsibility of the Data Custodian?

Answer: Responsible for storage, maintenance, and protection of information

Which of the following is NOT a type of security professional mentioned in the text?

Answer: Data security analysts

What is the main responsibility of the Data Owner?

Answer: Responsible for the security and use of a particular set of information

What is the purpose of CAPEC (Common Attack Pattern Enumeration and Classification)?

Answer: To provide a tool for security professionals to understand attacks

Which of the following is a technical mechanism used for copyright protection?

Answer: All of the above

What is the term used for the unauthorized duplication, installation, or distribution of copyrighted computer software?

Answer: Software piracy

Which of the following can lead to deviations in the quality of service for an organization?

Answer: All of the above

What is the term used for an unauthorized person who gains access to information an organization is trying to protect?

Answer: Both A and B

Which of the following best describes an expert hacker?

Answer: All of the above

What is the purpose of determining the 'Loss Event Frequency' in a risk assessment?

Answer: To calculate the probability that an organization will be the target of an attack

Which of the following is NOT one of the 5 basic risk control strategies mentioned in the text?

Answer: Eliminate

What is the purpose of the 'Likelihood' factor in a risk assessment?

Answer: To determine the probability that a specific vulnerability within an organization will be successfully attacked

What is the purpose of the 'Loss Magnitude' factor in a risk assessment?

Answer: To determine the monetary value of information assets that could be lost in a successful attack

What is the purpose of the 'Risk-rating factor' calculation in a risk assessment?

Answer: To rank the identified vulnerabilities based on their potential impact and likelihood of exploitation

What is the purpose of the 'Attack Success Probability' factor in a risk assessment?

Answer: To assess the likelihood of a specific vulnerability being successfully exploited

Study Notes

Need for Security

• Common Attack Pattern Enumeration and Classification (CAPEC) is a website hosted by MITRE that serves as a tool for security professionals to understand attacks.
• 12 categories of threats include:
  • Compromises to Intellectual Property
  • Software Piracy
  • Deviations in Quality of Service
  • Communications and other Provider Issues
  • Power Irregularities
  • Espionage or Trespass
  • Hackers
• Expert Hackers are masters of several programming languages, networking protocols, and operating systems, exhibiting a mastery of the technical environment of the targeted system.

Risk Assessment

• Likelihood is the probability that a specific vulnerability within an organization will be successfully attacked, assigned a number between 0.1 and 1.
• Attack Success Probability is the probability that an organization's information assets will be successfully compromised if attacked.
• Loss Event Frequency is the probability that an organization will be the target of an attack, multiplied by the probability that the organization's information assets will be successfully compromised if attacked.
• Loss Magnitude determines how much of an information asset could be lost in a successful attack.
• Documenting Results of Risk Assessment involves summarizing the risk assessment results in a report, including asset impact, vulnerability, and likelihood.

Risk Control Strategies

• 5 basic strategies for controlling risk include:
  • Defend: Attempt to prevent the exploitation of the vulnerability.
  • Transfer: Shift the risk to other areas or outside entities.
  • Mitigate: Reduce the impact should the vulnerability be exploited.
  • Accept: Choose to do nothing.
  • Terminate: Avoid those business activities that introduce uncontrollable risk.
• Laws are rules that mandate or prohibit certain behavior and are enforced by the state.
• Ethics regulate and define socially acceptable behavior.
• Organizational Liability and the Need for Counsel involve liability beyond criminal or contract law, including the legal obligation to make restitution.
• Due Care is the legal standard requiring a prudent organization to act legally and ethically and know the consequences of its actions.
• Due Diligence is the legal standard requiring a prudent organization to maintain the standard of due care and ensure its actions are effective.

Security Systems Development Life Cycle (SecSDLC)

• It is adapted to support the implementation of an IS project.
• It identifies specific threats and creates controls to counter them.
• It involves a coherent program, not a series of random, seemingly unconnected actions.
• It begins with the Enterprise Information Security Policy (EISP) and involves an organizational feasibility analysis.

Information Security Project Team

• A team of individuals experienced in one or more facets of the required technical and nontechnical areas.
• 3 types of data ownership include:
  • Data Owner: responsible for the security and use of a particular set of information.
  • Data Custodian: responsible for storage, maintenance, and protection of information.
  • Data Users: end users who work with information to perform their daily jobs.

Security as Art, Science, and Social Science

• Security as Art: there are no hard and fast rules, and few universally accepted complete solutions.
• Security as Science: it deals with technology designed to operate at high levels of performance, where virtually every action that occurs in a computer system is the result of specific, identifiable conditions.
• Security as a Social Science: security begins and ends with the people who interact with the system. Security administrators can greatly reduce the level of risk caused by end users and create more acceptable and supportable security profiles.


Description

Test your knowledge on the Top-Down Approach in Information Security, where upper management initiates policies and dictates project goals. Explore concepts like the Security Systems Development Life Cycle (SecSDLC) and threat identification.
