INFA questions - Assignment Example

Computer Security Computer Security Data confidentiality Short timeliness- one time passwords Long timeliness – user details like email, home address, telephone 2. EAL 4 versus EAL 7FALSE. As much as lower EALs cost less, they however do not provide increased assurance. Rather higher level EALs provide high assurance although they come at increased cost due to the more detailed documentation required, analysis and testing. Therefore EAL4 though cheaper does not provide high assurance.3. It is TRUE that a business continuity plan explains how an organization will maintain operational capabilities during an incident, while an incident response describes how the organization will handle the security incident itself.4. Defense in DepthTRUE.

Defense in dense entails use of several layers of security. It does not dictate how many or which tool to use in improving the security of system. Rather, the choice on what number of layers and technologies to use depends upon the risk analysis done by the organization (Cisco).5. TRUE. Physical security and information security are often managed by different organizations. However, risk analysis for information security still needs to address physical security6. TRUE. In conducting a risk analysis, it is often not possible to directly estimate the probability of an event (attack).7. Not a security architecture framework     (a.) Sherwood Applied Business Security Architecture (SABSA)8.

     g. (a), (b), (c) and (d)9. TRUE. Security controls are the (main) mechanisms/means used to reduce risk consequence and risk likelihood.10. FALSE. Denial of service attacks primarily affect confidentiality whereas inference attacks primarily affect availability. Part 2: Short Answers (15 points each). Please answer briefly and completely, and cite all sources of information. Please restrict your answer for each question to one (1/2) page (double spaced). 1. Explain the difference between a vulnerability, threat, and control.

Define each and please provide an example of each. (1/2 page)Management control Concerned with the way authority is assigned and organized (Northcutt). Entails formulating security policies, guidelines and planning in order to reduce loss (Stallings & Brown). Basically involves setting what employees may do, must always do, or cannot do. Examples include changing of policies, installing motion detectors, security awareness training among others.Operational controlInvolves enforcing the implementation of security policies, standards and also maintaining consistency in operations together with executing corrective measures in case of deficiencies (Stallings & Brown).

The procedures are effected on both hardware and software. Examples include recovery actions like system reboot, data backup and access control to data (Slideshare).Technical ControlIt involves utilizing the security capabilities of the hardware and software. The security once set up is managed entirely by the computer system. Examples include setting up firewalls and access tokens, password encryptions.2. Most security models categorize controls into three types: management, operational, and technical.

Describe each of these categories, and provide two examples of controls that would fall within each category. (1/2 page)VulnerabilityA characteristic of a technology that someone can take advantage of to orchestrate a security incident (Stallings & Brown). Example is when a program unintentionally allows ordinary users to execute commands that can only be executed by privileged users.ThreatA potential for violation of a security policy that comes into play when there is an event or circumstance that could trigger breaching of security and therefore cause harm.

It can be explained as a possible danger that could result in someone taking advantage of a vulnerability to breach security. Example is when an individual gains access to data that they are not supposed to thus there comes in a threat where sensitive data is exposed to unauthorized persons. (Stallings & Brown)ControlA means of managing risk by laying down policies, procedures, guidelines, practices and organizational structures. These can be effected in administrative, management or technical manner.

Examples of control include installation of security cameras, motion sensors and guards in order to effect physical access to the system.BibliographyAnciaux, N., Bauganim, L. & Pucheral, P. Data Confidentiality. Retrieved from http://www- caravel.inria.fr/dataFiles/ABP06b.pdf Cisco. Understanding Operations Security. Retrieved from http://www.cisco.com/web/about/security/intelligence/opsecurity.htmlMicrosoft. Data Confidentiality. Retrieved from https://msdn.microsoft.com/en- us/library/ff650720.

aspxNorthcutt, S. Security Controls. Retrieved from http://www.sans.edu/research/security- laboratory/article/security-controls Slideshare. Operations Security. Retrieved from http://www.slideshare.net/7wounders/8- operations-securityStallings, W. & Brown, L. Computer Security Principles and Practice. Retrieved from http://www.ebookandpdf.com/security-info/40252-computer-security-principles-and- practice-2nd_2.htmlUniversity of Washington. Administrative Policies. Retrieved from http://www.

washington.edu/admin/rules/policies/APS/02.06.htmlU.S.NRC. Defense in Depth. Retrieved from http://www.nrc.gov/reading-rm/basic-ref/glossary/defense-in-depth.htmlWhatIs.com. Security Management. Retrieved from http://whatis.techtarget.com/glossary/Security-Management