Mahube Podile

Chapter 1

Review questions

1. What is the difference between a threat agent and a threat? * Threat: An object, person, or other entity that represents a constant danger to an asset.

* Threat Agent: A specific instance or component that represents a danger to an organization's assets.

2. What is the difference between vulnerability and exposure?

3. How is infrastructure protection (assuring the security of utility services) related to information security?

4. What type of security was dominant in the early years of computing?

5. What are the three components of the C.I.A. triangle? What are they used for? * Confidentiality - The quality or state of information that prevents disclosure or exposure to unauthorized individuals or systems.

* Integrity - The quality or state of being whole, complete, and uncorrupted.

* Availability - A quality or state of information characterized by being accessible and correctly formatted for use without interference or obstruction.

6. If the C.I.A. triangle is incomplete, why is it so commonly used in security? * The C.I.A triangle is still used because it addresses major concerns with the vulnerability of information systems.

7. Describe the critical characteristics of information. How are they used in the study of computer security? * Availability

* Accuracy

* Authenticity

* Confidentiality

* Integrity

* Utility

* Possession

8. Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?

9. What system is the father of almost all modern multiuser systems?

10. Which paper is the foundation of all subsequent studies of computer security?

11. Why is the top-down approach to information security superior to the bottom-up approach?

12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?

13. Which members of an organization are involved in the security system development life cycle? Who leads the process?

14. How can the practice of information security be described as both an art and a science?

How does security as a social science influence its practice?

Who is ultimately responsible for the security of information in the organization?

15. What is the relationship between the MULTICS project and the early development of computer security?

16. How has computer security evolved into modern information security?

17. What was important about Rand Report R-609?

18. Who decides how and when data in an organization will be used or controlled?

Who is responsible for seeing that these

...