Principles of Information Security 4th Ed Chapter 1 Review Questions

Submitted By kevy1988
Kevin Kovack

Chapter 1 Review Questions

1. What is the difference between a threat agent and a threat? A threat is a category of objects, persons, or other entities that represents a constant, potential danger to an asset; a threat agent is the specific instance that actually carries out (facilitates) an attack. Fire is a threat; the arsonist who set a particular fire, or the electrical short that started it, is the threat agent.

2. What is the difference between vulnerability and exposure?
A vulnerability is a weakness or fault in a system or its protection mechanisms, such as a flaw in a software package, an unlocked door, or an unprotected network port; it leaves the asset open to attack or damage. Exposure is the condition of being exposed: in information security it exists when a vulnerability that is known to an attacker is present. Vulnerabilities therefore give rise to exposure, but a vulnerability nobody has discovered is not yet an exposure.

3. How is infrastructure protection (assuring the security of utility services) related to information security? Information assets are only available if the systems that store and process them are reliable and keep running, and those systems depend on utility services such as electrical power and network connectivity. Protecting that infrastructure is therefore a prerequisite for effective information security, and for availability in particular.

4. What type of security was dominant in the early years of computing?
Security was almost entirely physical in the early years: locks, guards, and controlled rooms restricted who could reach the computer, because physical access was the primary threat. It addressed the machines themselves rather than the data on them.

5. What are the three components of the C.I.A. triangle? What are they used for?
Confidentiality: information is disclosed only to the people and systems authorized to see it.
Integrity: information stays whole, complete, and uncorrupted, so it arrives the same as it was sent.
Availability: information is accessible to authorized users, without obstruction, when they need it.
Together the three serve as the baseline standard for judging whether an information system is secure.

6. If the C.I.A. triangle is incomplete, why is it so commonly used in security?

The C.I.A. triangle is still used because it captures the major concerns about the vulnerability of information systems in a form simple enough to serve as a shared baseline; the additional characteristics of information (question 7) refine it rather than replace it.

7. Describe the critical characteristics of information. How are they used in the study of computer security?
- Availability: authorized users can access the information without interference and in the format they need.
- Accuracy: the information is free from errors and has the value the user expects.
- Authenticity: the information is genuine, meaning it is the original and comes from the source it claims to come from.
- Confidentiality: disclosure to unauthorized individuals or systems is prevented.
- Integrity: the information is whole, complete, and uncorrupted.
- Utility: the information has value for some purpose or end.
- Possession: the information is in the ownership or control of an authorized party; a stolen encrypted backup is a breach of possession even though confidentiality still holds.
In the study of computer security these characteristics are the criteria against which controls are chosen and incidents are assessed: a control is valued for which of them it preserves, and an attack is classified by which of them it damages.
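Integrity and authenticity are listed separately for a reason, and the difference is easiest to see in code. The following Python example is added for this page; it is not from the textbook or from the student's answers, and its key and messages are constructed for the demonstration. It compares an unkeyed hash, which detects accidental corruption, with an HMAC under a secret shared by sender and receiver, which also detects deliberate substitution by someone who does not hold the key.

```python
"""Added example for this page, not taken from the textbook or the student's
answers: shows why integrity and authenticity are separate characteristics.
A plain hash catches accidental corruption but not a deliberate change by
someone who can recompute the hash; an HMAC keyed with a secret shared by
sender and receiver catches both, because producing a valid tag requires the
key. The key and messages below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def hash_tag(message: bytes) -> bytes:
    """Unkeyed SHA-256 digest; anyone, including an attacker, can compute it."""
    return hashlib.sha256(message).digest()


def hash_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hash_tag(message), tag)


def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message; only a holder of `key` can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time so the comparison itself does not
    # leak how many leading bytes of the tag were correct.
    return hmac.compare_digest(mac_tag(key, message), tag)


def flip_one_bit(data: bytes) -> bytes:
    """Simulate accidental corruption in transit (a single flipped bit)."""
    buf = bytearray(data)
    buf[0] ^= 0x01
    return bytes(buf)


def demo() -> dict:
    key = secrets.token_bytes(32)                 # shared secret (constructed)
    original = b"transfer 100 to account 42"      # constructed message
    forged = b"transfer 100 to account 99"        # what the attacker wants

    # Sender emits the message with both kinds of tag.
    h = hash_tag(original)
    m = mac_tag(key, original)

    # Case 1: nothing happened in transit; both checks accept.
    intact = (hash_verify(original, h), mac_verify(key, original, m))

    # Case 2: accidental corruption; both checks notice the change.
    corrupted = flip_one_bit(original)
    accidental = (hash_verify(corrupted, h), mac_verify(key, corrupted, m))

    # Case 3: deliberate tampering by an attacker who does not hold the key.
    # The attacker recomputes the unkeyed hash for the forged message, so the
    # hash check still passes; for the HMAC the best it can do is reuse the
    # old tag, which no longer matches.
    deliberate = (hash_verify(forged, hash_tag(forged)),
                  mac_verify(key, forged, m))

    return {
        "intact_hash_ok": intact[0], "intact_mac_ok": intact[1],
        "corrupted_hash_ok": accidental[0], "corrupted_mac_ok": accidental[1],
        "forged_hash_ok": deliberate[0], "forged_mac_ok": deliberate[1],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged case is the point: the unkeyed hash reports the data as intact, so integrity in the narrow sense is "verified", yet the message is not authentic. Only the keyed tag ties the content to a party who holds the key; digital signatures extend the same idea to a verification key that can be made public.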

8.…...

Similar Documents

Principles of Information Security, Chapter 5 Review Questions

...1. How can a security framework assist in the design and implementation of a security infrastructure? Designing a working plan for securing the organization s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets.  A framework is the outline from which a more detailed blueprint evolves.  The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies.  The blueprint provides scaleable, upgradeable, and comprehensive security for the coming years.  The blueprint is used to plan the tasks to be accomplished and the order in which to proceed. What is information security governance? Governance is “the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”1 Governance describes the entire process of governing, or controlling, the processes used by a group to accomplish some objective. Just like governments, corporations and other organizations have guiding documents—corporate charters or partnership agreements—as well as appointed or elected leaders or officers, and planning and operating procedures. These elements in combination......

Review Questions: Chapter 1

...Review Questions: Chapter 1 1.1. Define the following terms: data, database, DBMS, database system, database catalog, program-data independence, user view, DBA, end user, canned transaction, deductive database system, persistent object, meta-data, and transaction-processing application. • Data – known facts that can be recorded and that have implicit meaning. • Database – a collection of related data with an implicit meaning. • DBMS – a collection of programs that enables users to create and maintain a database • Database system – not only contains the database itself but also a complete definition or description of the database structure and constraints. • Database catalog – the information about the database structure is stored in the Database Catalog which contains the structure of each file, the type and storage format of each data item, and various constraints of the data. • Program-Data Independence – DBMS access programs do not require changes in all programs due to the change in the structure of a file because the structure of data files is stored in the DBMS catalog separately from the access programs. • User View – a database typically has many users, each of whom may require a different perspective or view of the database. A view may be a subset of the database or it may contain virtual data that is derived from the database files but is not explicitly stored. • DBA – a database administrator (short form DBA) is a......

Principles of Information Security: Chapter 1 End-of-Chapter Questions

...Chapter 1 Assignment Ryan M. Kethcart INFOST-491 SEC-OL Exercises 1. Look up “the paper that started the study of computer security.” Prepare a summary of the key points. What in this paper specifically addresses security in areas previously unexamined? a. A paper titled the “Rand Report R-609” was sponsored by the Department of Defense and initiated the movement toward security that went beyond protecting physical locations. It attempted to define multiple controls and mechanisms necessary for the protection of a multilevel computer system; identifying the role of management and policy issues in computer security. This report/paper significantly expanded the scope of computer security to include the following: securing the data, limiting random and unauthorized access to said data, and involving personnel from multiple levels of the organization in matters pertaining to information security. 3. Consider the information stored on your personal computer. For each of the terms listed, find an example and document it: threat, threat agent, vulnerability, exposure, risk, attack, and exploit. a. Threat: i. Theft of Media b. Threat Agent: ii. Hacker (Ex: Ima Hacker) c. Vulnerability: iii. Unprotected system port d. Exposure: iv. Using a website monitored by malicious hackers, reveals a vulnerability – i.e. Unprotected system port e. Risk: v. Low level risk – The probability......

Principles of Information Security Chapter 3 Review

...Chapter 3 Review 1. What is the difference between law and ethics? The difference between law and ethics is that law is a set of rules and regulations that are universal and should be accepted and followed by society and organizations. Ethics on the other hand was derived from the Latin word mores and Greek word Ethos and means the beliefs and customs that help shape the character of individuals and how people interact with one another. 2. What is civil law, and what does it accomplish? A wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people. 3. What are the primary examples of public law? Criminal, administrative and constitutional law. 4. Which law amended the Computer Fraud and Abuse Act of 1986, and what did it change? The National Information Infrastructure Protection Act of 1996 amended the Computer Fraud and Abuse Act of 1986. It modified several sections of the CFA Act, and increased the penalties for selected crimes. 5. Which law was specifically created to deal with encryption policy in the United States? The Security and Freedom through Encryption Act of 1999. 6. What is privacy in an information security context? Privacy is not absolute freedom from observation, but rather it is a more precise “State of being free from unsanctioned intrusion”. 7. What is another name for the Kennedy-Kassebaum Act (1996), and why is it important to organisations......

Principles of Information Security Chapter 2 Review Questions

...1. Management is responsible for implementing information security to protect the ability of the organization to function. They must set policy and operate the organization in a manner that complies with the laws that govern the use of technology. Technology alone cannot solve information security issues. Management must make policy choices and enforce those policies to protect the value of the organization’s data. 2. Data is important to an organization because without it an organization will lose its record of transactions and/or its ability to furnish valuable deliverables to its customers. Other assets that require protection include the ability of the organization to function, the safe operation of applications, and technology assets. 3. Both general management and IT management are responsible for implementing information security. 4. The implementation of networking technology has created more risk for businesses that use information technology because business networks are now connected to the internet and other networks external to the organization. This has made it easier for people to gain unauthorized access to the organization’s networks. 5. Information extortion is when an attacker steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. One example could be someone that gains access to PII such as SSN’s through a company’s database and ransoms the information for money. If not paid, he......

Chapter 1 Review Questions

...1. Which of the following is true about 1 bit? a. Can represent decimal values 0 through 9 b. Can be used to represent one character in the lowercase English alphabet | c. Represents one binary digit d. Represents four binary digits 2. Which of the following terms means approximately 10^6 bytes? a. Terabyte | b. Megabyte c. Gigabyte d. Kilobyte 3. Which answer lists the correct number of bits associated with each term? a. 8 bits per double word b. 32 bits per word | c. 64 bits per quadruple word d. 4 bits per byte 4. Which of the following answers are true about random-access memory (RAM) as it is normally used inside a personal computer? (Choose two answers.) | a. Used for short-term memory b. Used for long-term memory c. Used to process data d. Connects to the CPU over a bus using a cable |e. Is installed onto the motherboard 5. This chapter describes the concepts behind how a CPU reads the contents from RAM. Which of the following is true about the process of read data, as described in the chapter? a. The CPU tells the RAM which address holds the data that the CPU wants to read. b. The CPU reads all RAM sequentially, beginning with the first byte, until it happens to read the byte that the CPU wanted to read. c. The smallest unit of data that RAM supplies back to the CPU is 1 bit. |d. The CPU must first find the file in the file system before reading the data. 6. A user has......

Chapter 1-Introduction to Information Security: Principles of Information Security

...Chapter 1-Introduction to Information Security: 1. What is the difference between a threat and a threat agent? A threat is a constant danger to an asset, whereas a threat agent is the facilitator of an attack. 2. What is the difference between vulnerability and exposure? Vulnerability: is a fault within the system, such as software package flaws, unlocked doors or an unprotected system port. It leaves things open to an attack or damage. Exposure: is a single instance when a system is open to damage. Vulnerabilities can in turn be the cause of exposure. 3. How is infrastructure protection (assuring the security of utility services) related to information security? The organization needs to have clear parameters and set regulations when it comes to the protection of itself. Clear goals and objectives when it comes to protection will lead to better protection in regard to information security. 4. What type of security was dominant in the early years of computing? Early security was entirely physical security. - EX: Lock and Key 5. What are the 3 components of the CIA triangle and what are they used for? Confidentiality: Information should only be accessible to its intended recipients. Integrity: Information should arrive the same as it was sent. Availability: Information should be available to those authorized to use it. 6. If the CIA triangle is incomplete, why is it so commonly used in security? The CIA triangle is still......

Chapter 1 Information Security

...event that has an effect on an asset. In the context of IT security, an asset can be a computer, a database, or a piece of information. Examples of risk include the following: • Losing data • Losing business because a disaster has destroyed your building • Failing to comply with laws and regulations A threat is any action that could damage an asset. Information systems face both natural and human-induced threats. The threats of flood, earthquake, or severe storms require organizations to have plans to ensure that business operation continues and that the organization can recover. A business continuity plan (BCP) gives priorities to the functions an organization needs to keep going. A disaster recovery plan (DRP) defines how a business gets back on its feet after a major disaster like a fire or hurricane. Human-caused threats to a computer system include viruses, malicious code, and unauthorized access. A virus is a computer program written to cause damage to a system, an application, or data. Malicious code or malware is a computer program written to cause a specific action to occur, such as erasing a hard drive. These threats can harm an individual, business, or organization. Availability is a common term in everyday life. For example, you probably pay attention to the availability of your satellite TV service, your cell phone service, or a business colleague for a meeting. In the context of information security, availability is generally expressed as the......

Principles of Information Security Ch. 1 Questions

...Review Questions 1. What is the difference between a threat agent and a threat? 2. What is the difference between vulnerability and exposure? 3. How is infrastructure protection (assuring the security of utility services) related information security? 4. What type of security was dominant in the early years of computing? 5. What are the three components of the C.I.A. triangle? What are they used for? 6. If the C.I.A. triangle is incomplete, why is it so commonly used in security? 7. Describe the critical characteristics of information. How are they used in the study computer security? 8. Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study? 9. What system is the father of almost all modern multiuser systems? 10. Which paper is the foundation of all subsequent studies of computer security? 11. Why is the top-down approach to information security superior to the bottom-up approach? 12. Why is a methodology important in the implementation of information security? How does a methodology improve the process? 13. Which members of an organization are involved in the security system development life cycle? Who leads the process? 14. How can the practice of information security be described as both an art and a science? How does security as a social science influence its practice? ...

Chapter 2 Review Questions Principles of Information Security

...1. Information security is more of a management issue because it is up to management to decide what end users should have access to and what they should not. Also technology can only do what it is told to do but if management sets up training to teach end users about the threats of say opening an unknown email then the company is safer. 2. Without data an organization loses its record of transactions and/or its ability to deliver value to its customers. Page 42 Principles of Information Security 3. Both general and IT management 4. It has created more and the reason why is it is much easier to spread viruses, worms, etc. now that they can get from system to system without having to attach to a physical disc. 5. Information extortion occurs when an attacker or trusted insider steals information from a computer system and demands compensation for its return or for an agreement not to disclose it. Page 60 Principles of Information Security. An example would be if someone would steal the latest album from a well-known artist before its release date and demanded to be paid or it would be released onto the internet. 6. Employees are one of the biggest threats for several reasons: they can accidentally allow someone access to the system by installing a back door or it is possible for them to become angry with the company and just hand out IP to rival companies. It is also possible that they could accidentally delete valuable data from the system that has no backup. 7. Make sure......

Principles of Information Security Chapter 1

...Principles of Information Security, 4th Edition 1 Chapter 1 1 Review Questions 1. What is the difference between a threat agent and a threat? A threat agent is the facilitator of an attack, whereas a threat is a category of objects, persons, or other entities that represents a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences and others are purposeful. Fire is a threat; however, a fire that has begun in a building is an attack. If an arsonist set the fire then the arsonist is the threat agent. If an accidental electrical short started the fire, the short is the threat agent. 2. What is the difference between vulnerability and exposure? Vulnerability is a weakness or fault in a system or protection mechanism that opens it to attack or damage. Exposure is a condition or state of being exposed. In information security, exposure exists when a vulnerability known to an attacker is present. 3. How is infrastructure protection (assuring the security of utility services) related to information security? The availability of information assets is dependent on having information systems that are reliable and that remain highly available. 4. What type of security was dominant in the early years of computing? In the early years of computing when security was addressed at all, it dealt only with the physical security of the computers themselves and not the data......

Chapter 1 Review Questions

...1. What is the difference between a threat agent and a threat? A. A threat agent is the person who facilitates the attack while the threat is a constant danger to something. 2. What is the difference between vulnerability and exposure? A. Vulnerability is a flaw within the system or a weakness, usually where the attackers attack. While Exposure is a single situation when the system is prone to be harmed. 3. How is infrastructure protection (assuring the security of utility services) related to information security? A. Both infrastructure protection and information security share the same overall goal, which is to ensure that data is available when, where and how it is needed. 4. What type of security was dominant in the early years of computing? A. Early security was entirely physical security. 5. What are the three components of the C.I.A. Triangle? What are they used for? A. Confidentiality: Information should only be accessible to its intended recipients. B. Integrity: Information should arrive the same as it was sent. C. Availability: Information should be available to those authorized to use it. 6. If the C.I.A. triangle is incomplete, why is it so commonly used in security? A. The triangle would still be used because it addresses the major concerns with the vulnerability of information systems. 7. Describe the critical characteristics of information. How are they used in the study of computer security? A. Availability: Authorized users......

Chapter 1 Review Questions

...CHAPTER 1 REVIEW QUESTIONS 1. Define each of the following terms: a) Data: raw data not processed. This usually includes telephone numbers, a date of birth, customer name etc. It has little meaning until it is turned into information. b) Field: A character or group of characters that has a specific meaning. A field is used to define and store data. c) Record: A logically connected set of one or more fields that describes a person, place, or thing. d) File: A collection of related records. 2. What is data redundancy, and which characteristics of the file system can lead to it? a. Data redundancy is when the same data are stored unnecessarily at different places. This can lead to poor data security, and data inconsistency. 3. What is data independence, and why is it lacking in file systems? b. Data independence is when you change the data storage characteristics and it doesn’t affect the program’s ability to access the data. 4. What is a DBMS, and what are its functions? c. A DBMS (database management system) is a collection of programs that stores and manages data and controls access to the data in the collection. It is responsible for creating, editing, deleting and maintaining all the data inserted. 5. What is structural independence, and why is it important? d. Access to a file is dependent on the structure of the database. Without structural independence new changes such as adding a field, or a decimal in a......

Principles of Information Security, Chapter 3 Review Questions

...Week 2, Chapter 3 Name: ------------------------------------------------- Review Questions p. 114 Assignment 3 1. What is the difference between law and ethics? Laws are formally adopted rules for acceptable behavior in modern society. Ethics are socially acceptable behaviors. The key difference between laws and ethics is that laws carry the authority of a governing body, and ethics do not. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group. Some ethical standards are universal. For example, murder, theft, assault, and arson are actions that deviate from ethical and legal codes throughout the world. 2. What is civil law, and what does it accomplish? Civil law comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people. 3. What are the primary examples of public law? criminal, administrative, and constitutional law 4. Which law amended the Computer Fraud and Abuse Act of 1986, and what did it change? the National Information Infrastructure Protection Act of 1996, which modified several sections of the Computer Fraud and Abuse Act of 1986 and increased the penalties for selected crimes. The punishment for offenses prosecuted under this statute varies from fines to imprisonment up to 20 years, or both. The severity of the penalty depends on the value of the information obtained and...

Principles of Security 5th Edition Chapter 1 Review Questions

...Review Questions 1. What is the difference between a threat agent and a threat? A threat agent is a specific component that represents a danger to an organization’s assets. And a threat is an object, person or entity that represents a constant danger. 2. What is the difference between vulnerability and exposure? Vulnerability is a weakness in a system that leaves the system open to attacks. Exposure is the known vulnerabilities that make a system weak and open to attacks without protection. 3. How is infrastructure protection (assuring the security of utility services) related to information security? If the infrastructure of a network is exposed and accessible to anyone this leaves the network vulnerable to damage both to hardware and software. The infrastructure must be protected to allow only authorized users to have access to the network. 4. What type of security was dominant in the early years of computing? Physical security. 5. What are the three components of the C.I.A. triangle? What are they used for? Confidentiality, Integrity and availability are the three components of the C.I.A triangle. They are used as a standard for computer security. 6. If the C.I.A. triangle is incomplete, why is it so commonly used in security? The C.I.A triangle provides a basic standard of what is needed to keep information secured. 7. Describe the critical characteristics of information. How are they used in the study of computer security?......