Introduction to Computer Security Quiz
42 Questions

Questions and Answers

What is a key focus of organizational requirements?

  • Environmental impact
  • Employee satisfaction
  • Organizational mission (correct)
  • Market share

What is a major component of IT security governance?

  • Cost reduction programs
  • Risk-based threat analysis (correct)
  • Market analysis
  • Employee training metrics

Which of the following is NOT considered a security governance process?

  • Mandatory vacations
  • Job rotation
  • Hiring practices (correct)
  • Leadership involvement

Which of the following illustrates the importance of security blueprints?

Answer: They provide a structure for organizing security requirements.

What is a primary function of security policy?

Answer: Provide management goals and objectives in writing

Which practice is referred to as a part of the security governance processes?

Answer: Separation of duties

How should management address the operational environment regarding security?

Answer: Develop comprehensive security strategies

What is critical for a security-oriented organizational culture?

Answer: Clearly defined accountability

What is defined as the risk that remains after countermeasures and safeguards have been applied?

Answer: Residual Risk

What is the primary purpose of risk analysis in an organization?

Answer: To identify and justify risk mitigation

Which of the following is NOT listed as a benefit of risk analysis?

Answer: Decreasing employee workload

Which of the following best describes the term 'risk'?

Answer: The probability that some event can occur

What must a risk assessment consider regarding new threats?

Answer: Changes in organizational culture

What is the role of mitigating controls in risk management?

Answer: To reduce identified risks to an acceptable level

Which of the following could be a source of identity threats according to the content?

Answer: Community and government records

Why is periodic risk assessment important?

Answer: To address new threats that may emerge

What is a primary objective of the Introduction to Computer Security course?

Answer: To understand roles and responsibilities in a security program

Which book is primarily used in the first part of the course syllabus?

Answer: Computer Security Art and Science by Matt Bishop

What are the two requirements that security should be designed for?

Answer: Functional and Assurance

What is NOT one of the differences outlined in the course objectives?

Answer: Protocols and frameworks

Which of the following is an example of a functional security control?

Answer: A network Firewall

What role does assurance play in security requirements?

Answer: Assurance provides confidence that security functions perform as expected

The purpose of information security is to protect which resource types?

Answer: Data, hardware, and software

Why should security properties not depend on another control?

Answer: To maintain security during a system failure

What is the main duty of executive management in organizational security?

Answer: Establish goals and objectives

Which of the following is NOT a role associated with information security?

Answer: IS Developer

What is one of the responsibilities of an information custodian?

Answer: Protect the information

Which process is essential during the hiring of staff for security-sensitive positions?

Answer: Conducting background checks

What is a primary responsibility of the IS security professionals?

Answer: Review organization security policies

Why is it important to include vendors and contractors in security considerations?

Answer: They have access to sensitive information

Which of the following is a critical step in the termination or dismissal procedure?

Answer: Consult with HR Department

What is the significance of signing employment agreements in personnel security?

Answer: Establishes non-disclosure terms

What is a key principle for selecting countermeasures in terms of potential loss?

Answer: Cost must be justified by the potential loss

Which principle emphasizes the need for involvement from auditors in countermeasure implementation?

Answer: Audit capability

What is a significant consequence of failing to adhere to the 'universal application' principle?

Answer: Inequity and potential security gaps

Which strategy aims to improve security by using layers of protective measures?

Answer: Compartmentalization and defense in depth

What principle suggests that controls should avoid placing unreasonable constraints on personnel?

Answer: Acceptance and tolerance by personnel

Which ethical theory focuses on duty as the basis for ethical behavior?

Answer: Deontology

What is a common ethical fallacy related to the misconception of the security of systems?

Answer: Shatterproof

Which of the following actions is considered unethical by the Internet Activities Board?

Answer: Seeking unauthorized access to internet resources

Which principle states that safeguards should be applied without exceptions?

Answer: Universal application

What is a key feature of countermeasures that must be activated in response to an incident?

Answer: They should capture information about the attack

    Study Notes

    Course Information

    • Introduction to Computer Security course offered at North South University, Bangladesh, by Dr. Hafiz Abdur Rahman, on January 27, 2022.
    • The course is at the graduate level and covers topics related to the CISSP exam but is not a CISSP course itself.
    • The required textbooks are "Computer Security Art and Science" by Matt Bishop and the "Official ISC2 Guide to the CISSP CBK".

    Course Objectives

    • The course aims to equip students with knowledge about roles and responsibilities in security programs, planning for security within organizations, and fostering security awareness.
    • Students will learn about the differences between policies, standards, guidelines, and procedures, as well as risk management practices and tools.

    Course Content

    • The first portion of the course relies on Bishop's book, while the latter part utilizes the ISC2 book.
    • Some classes may incorporate relevant academic papers.

    Information Security Purpose

    • The primary purpose of information security is to safeguard an organization's information resources, encompassing data, hardware, and software.
    • Effective information security practices contribute to an organization's success by protecting critical assets essential for its mission.

    Information Security Triad

    • The Information Security Triad represents the three key components: Confidentiality, Integrity, and Availability.

    Information Security Requirements

    • Security design must address two fundamental requirements: Functional and Assurance.
    • Functional requirements define the behavior of security controls based on risk assessments. They prioritize independence and fail-safe mechanisms to maintain security during system failures.
    • Assurance requirements ensure that security functions operate as expected. This includes internal and external audits, third-party reviews, and compliance with best practices.

    Organizational & Business Requirements

    • Security solutions should be aligned with an organization's mission, business objectives, and goals.
    • Security needs vary depending on the organization's type, whether military, government, or commercial.
    • Solutions must be sensible, cost-effective, and tailored to the organization's mission and environment.

    IT Security Governance

    • IT Security Governance forms an integral part of corporate governance. It involves fully integrating security into an overall risk-based threat analysis.
    • Ensuring that IT infrastructure meets all requirements and supports the company's strategic objectives is crucial.
    • Service level agreements are essential when IT services are outsourced.

    Security Governance: Major Parts

    • Leadership: Security leaders must be part of company leadership to ensure their voices are heard and security is prioritized.
    • Structure: Security governance should occur at various levels using a layered approach.
    • Processes: Organizations should follow internationally recognized best practices, including job rotation, separation of duties, least privilege, mandatory vacations, and adopting standards like ISO 17799 and ISO 27001:2005.

    Security Blueprints

    • Security blueprints provide a framework for organizing requirements and solutions.
    • They ensure a holistic approach to security and facilitate the identification and design of security requirements.

    Policy Overview

    • The operational environment is a complex network of laws, regulations, requirements, and agreements with partners and competitors. These elements are constantly changing and inter-connected.
    • Management must develop and publish security statements addressing policies and supporting elements including standards, baselines, and guidelines.

    Functions of Security Policy

    • Goals and Objectives: Policies should clearly express management goals and objectives in writing.
    • Compliance: Policies ensure adherence to established guidelines and procedures.
    • Security Culture: Policies help to shape a strong security culture within the organization.
    • Anticipation and Protection: Policies anticipate and protect against potential security threats and surprises.
    • Security Function: Policies establish the security activity/function.
    • Responsibility and Accountability: Policies hold individuals accountable for their actions and adherence to security protocols.

    Organizational Roles and Responsibilities

    • Every member of an organization has a role in security, with responsibilities clearly communicated and understood.
    • Responsibilities are assigned to individuals, ranging from securing email to reviewing violation reports and attending awareness training.

    Specific Roles and Responsibilities

    • Executive Management: Publishes and endorses security policy, establishes goals and objectives, and bears overall responsibility for asset protection.
    • IS Security Professionals: Responsible for security design, implementation, management, and reviews of organization security policies.
    • Owner: Responsible for information classification, setting user access conditions, and deciding on business continuity priorities.
    • Custodian: Holds responsibility for the security of information.
    • IS Auditor: Audits and ensures security assurance guarantees.
    • User: Complies with procedures and policies.

    Personnel Security: Hiring Staff

    • A rigorous hiring process includes background checks, security clearance verification, reference checks, educational record reviews, and employment agreements.
    • Employers often require non-disclosure agreements and non-compete agreements.
    • Standard checks, consultations with HR departments, and termination/dismissal procedures are established for employee security.

    Third Party Considerations

    • Organizations must have established security procedures for third parties including vendors/suppliers, contractors, temporary employees, and customers.

    Risk Management

    • Risk management seeks to identify potential problems before they occur, enabling the planning and implementation of risk-handling activities throughout the lifecycle of a product or project.

    The Risk Equation

    • The risk equation involves multiplying the probability of a threat occurring with the impact of the threat if it materializes.

    Risk Management Objectives

    • Risk management aims to identify and reduce risks through mitigating controls, safeguards, and countermeasures.
    • Residual risk refers to the remaining risk after countermeasures are applied.

    Purpose of Risk Analysis

    • Risk analysis provides a framework for identifying and justifying risk mitigation efforts.
    • It assesses threats to business processes and information systems.
    • It helps to justify the use of countermeasures.
    • It describes security based on the organization's overall risk tolerance levels.

    Benefits of Risk Analysis

    • Resource Allocation: Risk analysis helps to focus policy and resources on areas with high risk.
    • Specific Risk Identification: Risk analysis identifies specific areas with elevated risk, helping to improve IT governance.
    • Supporting Business Continuity: Risk analysis helps to ensure business continuity by identifying vulnerabilities.
    • Insurance and Liability Decisions: Risk analysis provides valuable information for insurance and liability decisions.
    • Legitimizing Security Awareness: Risk analysis helps to legitimize security awareness programs by demonstrating the importance of security.

    Emerging Threats

    • Risk assessment must address emerging threats arising from new technologies, changes in organizational culture, or unauthorized use of technology.
    • Periodic risk assessments are essential for identifying emerging threats and implementing appropriate measures.

    Sources of Identity Threats

    • Users, systems administrators, security officers, and auditors can pose identity threats.
    • Facility records, community and government records, and vendor/security provider alerts can be sources of identity threats.
    • Natural disasters, such as floods and tornadoes, can also create vulnerabilities.
    • Vulnerabilities and the resulting risk, including risk tolerance, must be addressed through effective security measures.

    Countermeasures Selection Principles

    • Cost/Benefit Analysis: Countermeasures must be cost-justified by the potential loss they prevent.
    • Accountability: Each safeguard should have at least one designated individual responsible for its implementation and performance.
    • Absence of Design Secrecy: Openly designing countermeasures allows for better security assessment and refinement.
    • Audit Capability: Countermeasures should be auditable and tested regularly.
    • Vendor Trustworthiness: Thoroughly review the past performance of vendors supplying security solutions.
    • Independence of Control and Subject: Ensure that safeguards are managed independently from the subjects they are intended to protect.
    • Universal Application: Implement countermeasures uniformly to minimize exceptions and optimize effectiveness.

    Countermeasures Selection Principles (Cont.)

    • Compartmentalization and Defense in Depth: Employ multiple layers of safeguards to enhance security.
    • Isolation, Economy, and Least Common Mechanism: Isolate safeguards from each other and prioritize simplicity for cost-effectiveness and reliability.
    • Acceptance and Tolerance by Personnel: Design countermeasures that are acceptable to employees and minimize intrusive measures.
    • Minimize Human Intervention: Reduce dependence on administrative staff to maintain controls to minimize potential errors.

    Countermeasures Selection Principles (Cont.)

    • Sustainability: Countermeasures must be sustainable over time and adaptable to evolving threats.
    • Reaction and Recovery: Activated countermeasures should prevent further damage, avoid asset destruction, prevent disclosure of sensitive information, maintain confidence in system security, and capture information about the attack and attacker.
    • Override and Fail-Safe Defaults: Implement fail-safe mechanisms that activate safeguards automatically in case of failures.
    • Residual and Reset: Consider the residual risk after applying countermeasures and implement reset mechanisms for restoring security following incidents.

    Basis and Origin of Ethics

    • Ethics can be rooted in various sources: religion, law, tradition, culture, national interest, individual rights, enlightened self-interest, common good, professional ethics, and standards of good practice.

    Ethics

    • Formal Ethical Theories:
      • Teleology: Ethical behavior is based on goals, purposes, or ends.
      • Deontology: Ethical behavior is driven by duty.
    • Common Ethical Fallacies:
      • Computers are a game: This fallacy downplays the seriousness of computer security breaches.
      • Law-abiding citizen, Gentlemanly conduct, Free information: These fallacies misinterpret the application of ethical principles in a digital context.
      • Shatterproof: This belief that systems are impenetrable and secure is often unfounded.
      • Candy-from-a-baby: This fallacy suggests that ethical hackers are taking something trivial from systems with minimal consequences.
      • Hackers: This generalization often unfairly labels all individuals who engage in hacking activities.
      • Difficult to define: Defining and enforcing ethical behavior in online environments can be challenging.
      • Start with senior management: Ethical behavior starts with the commitment and leadership of senior management to model ethical conduct.

    Professional Codes of Ethics

    • Internet Activities Board (IAB): The IAB condemns activities that seek unauthorized access, disrupt internet usage, waste resources, damage information integrity, compromise privacy, or demonstrate negligence in conducting internet experiments.
    • ACM and IEEE: These professional organizations have established codes of ethics for their members addressing responsible technology use.
    • (ISC)2: This organization's code of ethics emphasizes protecting society, the commonwealth, and infrastructure, and providing competent services to principals.
    • Auditors: Professional auditing bodies have ethical codes that guide their work and may have legal implications.


    Related Documents

    1. Introduction.ppt.pdf

    Description

    Test your knowledge on key concepts from the Introduction to Computer Security course. This quiz covers information security roles, responsibilities, and risk management practices as outlined in the course textbooks. Assess your understanding of security policies and standards in an organizational context.
