NS&S - Introduction

  1. Why does the book focus on defence instead of offense? [51-52]
    • Mastering the principles and practices of defence requires a detailed knowledge of attacks (offence).
    • The main purpose of infocomm security is to defend.
  2. For what reasons is security management hard? [52]
    • It is abstract.
    • Can't just refer to pictures or names of hardware and software; processes are needed.
    • Processes must be detailed, in-depth and well defined.
  3. What is comprehensive security, and why is it needed? [52]
    • Comprehensive security closes all routes (chances) of attack on a system.
    • Needed because attackers are constantly looking for weaknesses in order to attack, gain initial access leading to greater system control.
    • Important for companies to know all vulnerabilities of their system in order to know how to defend.
  4. What are weakest link failures? [53]
    Occur when a single security element failure defeats the overall security of a system.
  5. Why are processes necessary in security management? [54]
    • Too complicated to be managed informally.
    • Companies must develop and follow formal processes (planned series of events).
  6. What is driving firms to use formal governance frameworks to guide their security processes? [55]
    • Compliance laws and regulations motivate companies to formalize security processes.
    • Many compliance regimes require firms to adopt formal governance frameworks to drive security planning and operational management.
  7. List the three stages in the plan-protect-respond cycle. [55-57]
    Plan - Protect - Respond
  8. Is there a sequential flow between the stages? [55-56]
    No, they interact constantly.
  9. What stage consumes the most time? [56]
    Protection
  10. What is the definition of 'protection'? [56]
    Protection is defined as the plan-based creation and operation of countermeasures.
  11. What is the definition of 'response'?
    Response is defined as recovery according to plan.
  12. How can good security be an enabler? [57]
    • Good security provides confidence in network reliability.
    • Also allows safe and effective implementation of progressive business tactics, such as inter-organizational system connectivity.
    • By having good security, firms are enabled to innovate their business practices without having to incur significant material risk.
  13. What is the key to being an enabler? [58]
    Being involved early within the project.
  14. Why is having a negative view of users bad? [59]
    • Users must not be seen as an enemy.
    • They are the first to see security problems.
    • They can give early warnings to the security staff.
    • Also, users need to be trained in security self-defense so that they can protect their own assets from threats.
    • If “stupid” means “poorly trained,” this is the security department’s fault.
  15. Why is viewing the security function as a police force or military organization a bad idea? [59]
    • Police and military organizations are often considered oppressive in enforcing their policies.
    • Creating a police-like security atmosphere relies on fear of internal reprisal to enforce policy, instead of fostering a proactive partnership between employees and security personnel to protect the organization from the real bad guys who seek to harm everyone in the firm.
  16. In developing an IT security plan, what should a company do first? [59]
    Assess its current level/state of security.
  17. What are the major categories of driving forces that a company must consider for the future? [59-60]
    • Companies must consider:
      - The threat environment
      - Growth of compliance laws and regulations
      - Changes in corporate structure
      - Mergers
      - Etc.
  18. What should the company do for each resource? [60]
    • Classify them in terms of importance - not all are of equal importance.
    • With limited budgets, they must be prioritised.
  19. For what should a company develop remediation plans? [60]
    • All security gaps.
    • Every resource unless it is very well protected.
  20. How should the IT security staff view its list of possible remediation plans as a portfolio? [60]
    • By viewing it as a portfolio, security staff can assess which remediation plans should get funding and action first.
    • Also which will provide greatest gains in security investment.
Author: kikikaze
ID: 142221
Card Set: NS&S - Introduction
Description: Defence, Management Processes, The Need for a Disciplined Security Management Process, The Plan–Protect–Respond Cycle, Vision in Planning, Strategic IT Security Planning