Module 2 Topic 5: Security Management Tutorial Questions
1) Identify the three most probable threats to a personal computing system in an office with fewer than ten employees. That is, identify the three vulnerabilities most likely to be exploited. Estimate the number of times each vulnerability is exploited per year; justify your estimate.
Companies with that small a staff will typically not carry policies, stopgaps, and proven implementation strategies to widen the margin between success and failure. Companies of that size will be in the budding stage and in the process of development.
Vulnerability 2 – Natural disaster
Natural disasters don’t affect the largest companies as much, because sophisticated back-up systems and physical structures help them recover quickly, if not avert the effects outright.
Vulnerability 3 – Deviations in Quality Service from Service Providers
Lack of priority from server houses and other service providers can also hurt the smaller venue. While those companies fight to keep their larger clients, a smaller company will suffer from the setbacks caused by delays in service.
Attacks on smaller companies would occur on a more regular basis. Although a smaller company is not as big a target as a larger one, one or two of its clients or service providers will be a large vendor or recipient. Smaller companies may be the access points for harder-to-reach larger companies, thus making them the larger target of the two.
2) List three factors that should be considered when developing a security plan.
Factor 1 – Strategic
Factor 2 – Tactical
Factor 3 – Operational
3) What is the difference between Policy, Standards, and Practices? What is one thing management can do to make sure that policies are effective?
Policy is the foundational structure of standards, and standards are the basis for practices. Policies are the ethical and operational ideas of the company; standards are required behavioural expectations based on company policy; practices are part and parcel of how the standards are carried out and enforced in day-to-day operations.
4) When developing a security plan, what organisational elements should be included?
The mission and vision statements, organizational profile, core values, etc. should all be included.
5) For an airline, what are its most important assets? What are the minimal computing resources it would need to continue business for a limited period (up to two days)? What other systems or processes could it use during the period of the disaster?
One valuable asset of an airline is its frequent flyer programs. These programs are designed to boost customer or partner buy-ins, which in turn create back door revenue for the airline. Minimally, an airline would need a solid tracking system and database to maintain records; but having a real-time updating system would be a close second, if not a primary necessity in and of itself. Back-up files and secondary operational procedures would help in case of a disaster. Larger airlines would suffer great setbacks and abrasive customer backlash if frequent-flyer mile information were lost or not tracked for a day.
6) Describe the major phases of the SecSDLC.
Phase 1 – Investigation
This is basically the developmental stage of the process. Directives are handed down from senior management, teams are scouted and assembled, and the groundwork for the planning of the project begins.
Phase 2 – Analysis
Documentation is developed to help quantify the risks and assets of the project. Company policies will be invoked and the project will be scrutinized against them. This stage is the actual qualification process for the project.
Phase 3 – Logical Design
Simply put, this is the actual structuring process of the project. This is where the architectural structure of the program or project helps the team members to consistently assess its effectiveness and liability.
Phase 4 – Physical Design
Here is the ‘meat,’ if you will, of the plan. Here is where the personnel and necessary materials are put in place.
Phase 5 – Implementation
This is point “go.” Once everything is in place and all of the offensive ‘huddles’ have been broken, the project is primed for movement.
Phase 6 – Maintenance
Here security solutions are tested and hashed out. Personnel issues are worked and reworked, and management of the plan is utilized to keep things moving.