This preview shows pages 1–2. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: Review Questions 1-Why is information security a management problem? What can management do that technology cannot? Implementing information security has more to do with management than with technology. Managing information security has more to do with policy and its enforcement than with technology of its implementation. Organizations communities of interest must address information security in terms of business impact and the cost of business interruption, rather than focusing on security as a technical problem. 2-Why is data the most important asset an organization possesses? What other assets in the organization require protection? Without data, an organization loses its record of transactions and its ability to deliver value to its customer. Hardware, software, goods and network also require protection. 3-It is important to protect data in motion (transmission) and data at rest (storage). In what other state must data be protected? In which of the three states is data most difficult to protect? Data must also be protected when in use. This is probably the most difficult state in which to protect data. Data in use is susceptible to human errors as well as other natural accidents. Data in use is the most difficult to protect because in this state it must be able to be manipulated. It must be accessible and is therefore more vulnerable as the first levels of protection are already bypassed 4-How does a threat to information security differ from an attack? How can the two overlap? A threat to information security differs from an attack in that a threat is the potential to use or exploit vulnerability within the information system. The threat is the weakness in the system that is used for the attack. An attack is the realization of the threat that causes damage to the information system. The two overlap in that the threat agent actually causes the attack on the system. 5-How can dual controls, such as two-person confirmation, reduce the threats from acts of human error and failure? What other controls can reduce this threat? Employees constitute one of the greatest threats to information security. To prevent such acts of human error or failure, dual controls are effective in a way that a second party can verify commands that they wish to execute. Requiring the user to type a critical command twice is another example of dual control. Dual control reduce the threats from human error because the additional people required confirming the task would check for any error, which will prevent mistakes, and in the event of malfeasance, would require collaboration by two individuals.would require collaboration by two individuals....
View Full Document
- Spring '12
- Information Security