State University-Main Campus: complete questions and correct detailed answers (verified answers)
Practices, procedures, guidelines: effectively explain how to comply with standards
For a policy to be effective: must be properly disseminated, read, understood, and agreed to by all members of an organization
To remain viable, security policies must have: an individual responsible for reviews; a schedule of reviews; a method for making recommendations for reviews; a specific policy issuance and revision date
Security Education, Training, and Awareness Program (SETA): control measure to reduce accidental breaches
Sphere of use: Information, People, Systems, Networks, Internet
Firewall: device that selectively discriminates against information flowing into or out of the organization
DMZ: no-man's land between inside and outside networks; where some organizations place web servers
Intrusion Detection System (IDS): in an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement an IDS
Risk management: process of identifying and controlling risks facing an organization
Risk identification: process of examining an organization's current information technology security situation
Risk assessment: process of determining the extent to which given risks may impact organizational assets
Risk control: applying controls to reduce risks to an organization's data and information systems
Know yourself: identify, examine, and understand the information and systems currently in place
Know the enemy: identify, examine, and understand the threats facing the organization
Risk identification steps: identify, inventory and categorize assets; classify, value and prioritize assets; identify and prioritize threats; specify asset vulnerabilities
Risk assessment steps: determine loss frequency; evaluate loss magnitude; calculate risk; assess risk acceptability
Risk control steps: select control strategies; justify controls; implement, monitor, and assess controls
Asset Identification and Valuation: iterative process that begins with identification of assets, including all elements of an organization's system; assets are then classified and categorized
Information and Asset Classification: data classification schemes must be specific to allow determination of priority levels; they must be comprehensive and mutually exclusive
Information Asset Valuation (questions asked of each asset): Which is most critical to the organization's success? Which generates the most revenue? Which would be the most expensive to replace or protect? Which would be most embarrassing if revealed?
Data Classification and Management: information owners are responsible for classifying their assets; classifications must be reviewed periodically
Weighted factor analysis: part of risk identification; each asset is scored against criteria (revenue, profitability, public image) to produce a weighted score
Vulnerability identification: examine how each threat could be perpetrated and list the organization's assets and vulnerabilities
Threat/vulnerability/asset matrix: list of assets and their vulnerabilities