Chapter 1 Answers, Engineering a Secure ICT Organization
Review Questions
1. How does a process for ICT lifecycle management underwrite trust? Cite a
specific example.
A coherent and complete process for ICT lifecycle management underwrites trust
by establishing a common basis for understanding and communicating best
practice among participants.
2. Explain the concept of reliability as it pertains to lifecycle management. More
important, explain why a reliable process is essential for creating a secure ICT
product.
Reliability implies that the same result will occur every time an action is taken.
Reliability is important because unpredictable outcomes make effective
management impossible.
3. The term tailoring describes adapting or fitting the recommendations of the
12207 standard to an individual application. Given that definition, outline the
general steps for creating a formal approach to lifecycle management.
Tailoring involves selecting a rational lifecycle model, fitting the execution of each
step to the environment, defining and documenting the processes to implement
the steps of the model, and then implementing and revising as needed to ensure
continued alignment with the environment.
4. Each lifecycle process serves as a template that helps an IT organization define
some aspect of what it does. How is that process accomplished and what factors
should be considered during the work?
The process defines a generic set of activities and tasks. It also explains who will
do the work, describes when and where it will be done, and sometimes provides a
reason for each step, depending on the situation.
5. Explain how process entropy works and then explain why it provides a
reasonable justification for lifecycle management.
, Process entropy is the natural tendency toward disorganization brought on by
competitive pressure and technological change. Lifecycle management provides
an antidote to process entropy by ensuring that an organization’s actions are
rationally planned, monitored, and controlled based on a standard model of best
practice.
6. What is the difference between process assessment and process definition?
Process definition ensures an unambiguous statement of the work to be done.
Process assessment evaluates work performance against the statement of desired
outcomes in the process definition.
7. The essence of lifecycle management is the use of a proper set of policies and
procedures. Specifically, how do policies and procedures aid security?
Policies and procedures provide a statement of direction and accountability for
executing a given process. A clear statement of direction prevents workers from
misinterpreting or failing to execute required actions.
8. Why are policies essential to establishing and implementing ICT and system
assurance? What would happen if a policy were not available to guide
implementation?
Policies and procedures define the specific actions to be taken and a rationale for
executing a process. The proper execution of a process is essential for security, and
policies that define the precise steps are essential for assigning accountability.
Without policies, workers could “do their own thing” without accountability.
Case Project
Answers will vary.
Chapter 2 Answers, Engineering a Secure ICT Organization
Review Questions
1. What is the special problem with ICT purchases? Why are they more difficult
than conventional product acquisitions?
, ICT products are primarily abstract functions that cannot easily be seen or
evaluated. Therefore, special processes are needed to ensure that the required
functions are present and operating properly.
2. Why is it important to involve stakeholders in the process? What can they
contribute?
Stakeholders provide a wide range of attitudes and perspectives in evaluating an
ICT purchase. They can identify issues that might not occur to the technical staff.
3. What are constraints, and how can they be related to each other to achieve a
good solution?
Constraints are factors such as cost and performance that could affect the function
of the product. If constraints conflict—for example, if the product is too expensive
to provide the level of security required—they must be traded off against each
other to provide the best solution.
4. What is the role of the RFP?
The request for proposals (RFP) is the primary mechanism for communicating
product requirements, deadlines, and resource considerations to all prospective
suppliers.
5. What differentiates the RFP from the contract?
The RFP can be considered a pre-contract in that it communicates all
requirements, but its contents are not legally enforceable. The contract specifies
the legally enforceable obligations of the acquiring organization and supplier.
6. What is the role of subcontractors and how can they be controlled?
Subcontractors are important to ICT product development because they can create
components that are integrated into a complete product by the supplier.
Subcontractors can create problems if they contribute components that harm the
overall integrity of an integrated system. Therefore, they must follow the same
Review Questions
1. How does a process for ICT lifecycle management underwrite trust? Cite a
specific example.
A coherent and complete process for ICT lifecycle management underwrites trust
by establishing a common basis for understanding and communicating best
practice among participants.
2. Explain the concept of reliability as it pertains to lifecycle management. More
important, explain why a reliable process is essential for creating a secure ICT
product.
Reliability implies that the same result will occur every time an action is taken.
Reliability is important because unpredictable outcomes make effective
management impossible.
3. The term tailoring describes adapting or fitting the recommendations of the
12207 standard to an individual application. Given that definition, outline the
general steps for creating a formal approach to lifecycle management.
Tailoring involves selecting a rational lifecycle model, fitting the execution of each
step to the environment, defining and documenting the processes to implement
the steps of the model, and then implementing and revising as needed to ensure
continued alignment with the environment.
4. Each lifecycle process serves as a template that helps an IT organization define
some aspect of what it does. How is that process accomplished and what factors
should be considered during the work?
The process defines a generic set of activities and tasks. It also explains who will
do the work, describes when and where it will be done, and sometimes provides a
reason for each step, depending on the situation.
5. Explain how process entropy works and then explain why it provides a
reasonable justification for lifecycle management.
, Process entropy is the natural tendency toward disorganization brought on by
competitive pressure and technological change. Lifecycle management provides
an antidote to process entropy by ensuring that an organization’s actions are
rationally planned, monitored, and controlled based on a standard model of best
practice.
6. What is the difference between process assessment and process definition?
Process definition ensures an unambiguous statement of the work to be done.
Process assessment evaluates work performance against the statement of desired
outcomes in the process definition.
7. The essence of lifecycle management is the use of a proper set of policies and
procedures. Specifically, how do policies and procedures aid security?
Policies and procedures provide a statement of direction and accountability for
executing a given process. A clear statement of direction prevents workers from
misinterpreting or failing to execute required actions.
8. Why are policies essential to establishing and implementing ICT and system
assurance? What would happen if a policy were not available to guide
implementation?
Policies and procedures define the specific actions to be taken and a rationale for
executing a process. The proper execution of a process is essential for security, and
policies that define the precise steps are essential for assigning accountability.
Without policies, workers could “do their own thing” without accountability.
Case Project
Answers will vary.
Chapter 2 Answers, Engineering a Secure ICT Organization
Review Questions
1. What is the special problem with ICT purchases? Why are they more difficult
than conventional product acquisitions?
, ICT products are primarily abstract functions that cannot easily be seen or
evaluated. Therefore, special processes are needed to ensure that the required
functions are present and operating properly.
2. Why is it important to involve stakeholders in the process? What can they
contribute?
Stakeholders provide a wide range of attitudes and perspectives in evaluating an
ICT purchase. They can identify issues that might not occur to the technical staff.
3. What are constraints, and how can they be related to each other to achieve a
good solution?
Constraints are factors such as cost and performance that could affect the function
of the product. If constraints conflict—for example, if the product is too expensive
to provide the level of security required—they must be traded off against each
other to provide the best solution.
4. What is the role of the RFP?
The request for proposals (RFP) is the primary mechanism for communicating
product requirements, deadlines, and resource considerations to all prospective
suppliers.
5. What differentiates the RFP from the contract?
The RFP can be considered a pre-contract in that it communicates all
requirements, but its contents are not legally enforceable. The contract specifies
the legally enforceable obligations of the acquiring organization and supplier.
6. What is the role of subcontractors and how can they be controlled?
Subcontractors are important to ICT product development because they can create
components that are integrated into a complete product by the supplier.
Subcontractors can create problems if they contribute components that harm the
overall integrity of an integrated system. Therefore, they must follow the same
