-
Why does the book focus on defence instead of offense? [51-52]
- Mastering the principles and practices of defence requires a detailed knowledge of attacks (offence).
- Main purpose of infocomm is to defend.
-
For what reasons is security management hard? [52]
- It is abstract.
- Cannot just refer to pictures or names of hardware and software; processes are needed.
- Processes must be detailed, in-depth and well defined.
-
What is comprehensive security, and why is it needed? [52]
- Comprehensive security closes off all avenues (chances) of attack on a system.
- Needed because attackers are constantly looking for weaknesses to exploit; gaining initial access can lead to greater control of the system.
- Important for companies to know all vulnerabilities of their system in order to know how to defend.
-
What are weakest link failures? [53]
Occur when a single security element failure defeats the overall security of a system.
-
Why are processes necessary in security management? [54]
- Too complicated to be managed informally.
- Companies must develop and follow formal processes (planned series of events).
-
What is driving firms to use formal governance frameworks to guide their security processes? [55]
- Compliance laws and regulations motivate companies to formalize security processes.
- Many compliance regimes require firms to adopt formal governance frameworks to drive security planning and operational management.
-
List the three stages in the plan-protect-respond cycle. [55-57]
Plan - Protect - Respond
-
Is there a sequential flow between the stages? [55-56]
No, they interact constantly.
-
What stage consumes the most time? [56]
Protection
-
What is the definition of 'protection'? [56]
Protection is defined as the plan-based creation and operation of countermeasures.
-
What is the definition of 'response'?
Response is defined as recovery according to plan.
-
How can good security be an enabler? [57]
- Good security provides confidence in network reliability.
- Also allows safe and effective implementation of progressive business tactics, such as inter-organizational system connectivity.
- With good security in place, firms can innovate their business practices without incurring as much material risk.
-
What is the key to being an enabler? [58]
Being involved early in the project.
-
Why is having a negative view of users bad? [59]
- Users must not be seen as an enemy.
- They are the first to see security problems.
- They can give early warnings to the security staff.
- Also, users need to be trained in security self-defense so that they can protect their own assets from threats.
- If “stupid” means “poorly trained,” this is the security department’s fault.
-
Why is viewing the security function as a police force or military organization a bad idea? [59]
- Police and military organizations are often considered oppressive in enforcing their policies.
- Creating a police-like security atmosphere relies on fear of internal reprisal to enforce policy, rather than fostering a proactive partnership between employees and security personnel to protect the organization from the real bad guys who seek to harm everyone in the firm.
-
In developing an IT security plan, what should a company do first? [59]
Assess its current level/state of security.
-
What are the major categories of driving forces that a company must consider for the future? [59-60]
- Companies must consider:
  - The threat environment
  - Growth of compliance laws and regulations
  - Changes in corporate structure
  - Mergers
  - Etc.
-
What should the company do for each resource? [60]
- Classify them by importance; not all resources are equally important.
- With limited budgets, they must be prioritised.
-
For what should a company develop remediation plans? [60]
- All security gaps.
- Every resource unless it is very well protected.
-
How should the IT security staff view its list of possible remediation plans as a portfolio? [60]
- By viewing it as a portfolio, security staff can assess which remediation plans should get funding and action first.
- Also which will provide greatest gains in security investment.