Chapter Exercises

Exercise 1 – Q2. Search the Web for several InfoSec-related job postings. Do the postings comply with the concerns outlined in this chapter? Why or why not?

Information security (InfoSec) refers to the tools and processes developed and deployed to protect sensitive information from inspection, destruction, disruption and modification (Cisco, 2018). Naukri (2019) lists numerous job opportunities in information technology that relate to InfoSec. The opportunities include Information Security Manager, Senior Engineer (Information Security), AVP-Information Security Officer, and Information Security Analysis. Others are Information Security-lead Auditor and Information Security Engineer.

These postings comply with the concerns defined in this chapter. The concerns include protecting and securing data and ensuring that credibility and confidentiality are championed. An information security job description on the website includes vulnerability assessment, application security, penetration testing, and managing and enforcing information and network security policies and procedures (Naukri, 2019). For an Information Security Engineer, some of the responsibilities include risk assessment, information security, process improvement and the application of various techniques such as auditing and risk management. The posting identifies the importance of the different parties working together towards protecting the data.

Cisco. (2018). What is information security. Retrieved from https://www.cisco.com/c/en/us/products/security/what-is-information-security-infosec.html
Naukri. (2019). Information security. Retrieved

Exercise 2 – Q3. Using the list of threats to InfoSec presented in this chapter, identify and describe three instances of each that were not mentioned in the chapter.

to intellectual property
- Selling the private information
- Specificities of the intellectual property sold to a third party
- Using copyrighted information for financial and

in quality of service from service providers
- Unreliable internet services
- Fluctuation in speed of Internet
- Unreliable power to power the equipment

- Persons not authorized to access data use ulterior motives to access the data
- Paying employees to steal the data
- The data can be compromised to meet specific

- Lightning can strike the building (Peltier, 2016)
- Water can spill into the electronics, short-circuiting them
- Earthquakes might lead to damage to networking devices

error or failure
- The employees might compromise the details because they do not follow policy
- Employees might employ the wrong procedures and processes in analyzing the data
- Accidents can occur such as inability to secure the

- Thieves might access some crucial information and use it for blackmail purposes (Kim & Solomon, 2016).
- Criminal activity can be committed and one of the employees forced to compromise the information
- One of the employees can be compromised by other

- Some networking devices can be stolen
- Some illegal connections can be made
- Illegal system adjustments can be made

- External players can implement denial of service
- Introduction of illegal software such as worms and viruses
- Readjustment of the software to meet internal objectives

hardware failures and errors
- Acquiring equipment inappropriate for the task
- Ineffective attachments and fitting of the hardware
- Hardware can be stolen

software failures or errors
- Ineffective design of the software
- Availability of back doors leading to hacking
- Ineffective debugging of the software

- Outdated software leads to various risks
- Due to obsolescence, the productivity is affected
- The obsolete components might not work appropriately with the new systems

- Employees can steal proprietary information
- Employees can partner with other people to steal the information (Chang & Ramachandran, 2016)
- Stealing some hardware components

Chang, V., & Ramachandran, M. (2016). Towards achieving data security with the cloud computing adoption framework. IEEE Trans. Services Computing, 9(1), 138-151.
Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Jones &
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.

Exercise 3 – Q4. Ch 6 ex 4. Using the data classification scheme presented in this chapter, identify and classify the information contained in your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information is confidential, sensitive but unclassified, or suitable for public release?

Objective/purpose of the data classification scheme: to assist in securing my personal information with a focus on confidentiality and integrity
– proprietary or sensitive – it is important data (Rowley & Hartley, 2017)
– allowing authorized persons to view – risk is mid-level
– can easily be released to the public (Haixiang et al. 2017)

Personal review of data classification scheme:
– Myself and one additional person (only permitted for emergency cases) – the one person would be authorized to access the unencrypted password, which might lead to other encrypted passwords (Elhag et al. 2015)
– individuals that I have given express permission to view the data
– the general public can see the information including information that I have

Elhag, S., Fernández, A., Bawakid, A., Alshomrani, S., & Herrera, F. (2015). On the combination of genetic fuzzy systems and pairwise learning for improving detection rates on intrusion detection systems. Expert Systems with Applications, 42(1), 193-202.
Haixiang, G., Yijing, L., Shang, J., Mingyun, G., Yuanyue, H., & Bing, G. (2017). Learning from class-imbalanced data: Review of methods and applications. Expert Systems with Applications,
Rowley, J., & Hartley, R. (2017). Organizing knowledge: an introduction to managing access to

Exercise 4 – Q3. Using a web search engine, visit one of the popular disaster recovery/business continuity sites, such as www.disasterrecoveryworld.com, www.drj.com, www.drie.org, www.drii.org, or csrc.nist.gov. Search for the terms hot site, warm site and cold site. Do

The purpose of a hot site is to mirror the activities of a datacenter infrastructure. The backup site has all the resources that are similar to the workplace, which includes office space, power, cooling and servers, depending on the specific objectives. The hot site operates by providing complementary services to the main datacenter (Aronis & Stratopoulos, 2016). The syncing of the data means that the business is protected and, in any technical problem or disaster, business operations would continue. The problem with such a strategy is that it is expensive, and it is important for any business establishment to weigh the costs and benefits of the hot site.

A cold site is a datacenter or office that lacks server-related equipment. The cold site provides office space, cooling and power in situations of inconvenience (Hansen, 2016). The cold site needs the support of IT personnel and engineering to set up equipment and services to meet the operational and functional requirements. Cold sites are the most appropriate for business continuity.

A warm site lies between a cold site and a hot site. A warm site has datacenter or office space with already installed server hardware (Mattei & Satterly, 2016). A warm site differs from a hot site in that it provides a platform for the installation of production environments. Such an approach is appropriate for businesses that require certain levels of redundancy.

The perceived missing part sites indicates the importance of the activity being performed. Some businesses might not require continued redundancy, meaning the best strategy is the cold site (Cook, 2015). For example, businesses located in safe environments are less susceptible to disruptions, meaning mirroring is not important. However, a business that operates across numerous jurisdictions and provides services to millions of people requires the warm site and sometimes the hot site.

Aronis, S., & Stratopoulos, G. (2016). Implementing business continuity management systems and sharing best practices at a European bank. Journal of business continuity & emergency planning,
Cook, J. (2015). A six-stage business continuity and disaster recovery planning cycle. SAM Advanced Management Journal, 80(3), 23.
Hansen, E. C. (2016). Next generation enterprise network business continuity: maintaining operations in a compromised environment (Doctoral dissertation, Monterey, California: Naval
Mattei, M. D., & Satterly, E. (2016). Integrating Virtualization and Cloud Services into a Multi-Tier, Multi-Location Information System Business Continuity Plan. Journal of Strategic Innovation & Sustainability, 11(2).

Exercise 5 – Q4. Using the format provided in the text, design an incident response plan for your home computer. Include actions to be taken if each of the following

Before an Attack
- I will check the system continuously
- I will be aware of the sites and online platforms I will access
- I will review any application before I install
- I will partner with my ISP to prevent any failure
- Effective engagement with ISP providers
- Implement risk aversion strategies
- Effective maintenance
- modern applications and technologies are in place
- Install right electrical systems
- Using the right tools and equipment

After an Attack
- Frequently scanning my computer
- Verifying and checking right applications
- Obsolete software and hardware has to be replaced
- Creating documentation of the problems that have occurred
- Ensuring all the applications are working
- antivirus and other firewall systems in place
- Reaching the maintenance program and whether the equipment and tools were replaced accordingly
- Creating a scheduled system to continuously maintain the systems including the site

During an Attack
- Reviewing the antivirus/antimalware software especially after any attack
- Determining whether the antivirus is effective
- Reviewing the location of the systems to prevent potential fire and burst water pipes
- Seal off the leaking pipes and call
  Rahman et al. 2017)
- Replace any susceptible applications and hardware
- Create an incident report for future

- What other scenarios do you think are
important to plan for?
Risks are inevitable depending on the conditions and scenarios. Fire incidents and water problems can be addressed easily (Ab Rahman & Choo, 2015). Planning should also target the physical component. For example, thieves can come and steal the equipment and computer systems. This means the location of the system should have the right security, including authorizing the persons who can enter the space (Soomro, Shah & Ahmed, 2016). In addition, authorization extends to persons who are permitted to access the computer system. Categorizing the data and encrypting it ensures that even if unauthorized persons access the information, such individuals cannot benefit.

Ab Rahman, N. H., & Choo, K. K. R. (2015). A survey of information security incident handling in the cloud. Computers & Security, 49, 45-69.
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2),
Ab Rahman, N. H., Cahyani, N. D. W., & Choo, K. K. R. (2017). Cloud incident handling and forensic-by-design: cloud storage as a case study. Concurrency and Computation: Practice and Experience, 29(14),

Exercise 6 – Q5. Using the components of risk assessment documentation presented in the chapter, draft a tentative risk assessment of a lab, department, or office at your university. Outline the critical risks you found and discuss them with

Department of Information Technology: Risk Assessment Documentation

The purpose of the assessment is to identify vulnerabilities and threats related to the Department of Information Technology. The risk assessment is applied to identify risk mitigation plans.

of this Risk Assessment
The system is made up of numerous components. It includes students inputting and receiving information from the application. The design of the system is based on Active Server Pages in addition to Internet Information Server. The IT Department houses the applications and

Some of the players include the Risk Assessment Team, Network Manager, Database Administrator and Security Administrator. In addition, the users of the information systems are involved in contributing towards improving the safety and security measures.

The techniques employed are risk assessment questionnaire, assessment tools, vulnerability sources, and site visit. Others are interviews, review of documentation, and transaction walkthrough (Abbasi, Sarker & Chiang, 2016). Reviewing documents, including the system documentation, security policies, operational manuals and network diagrams, is crucial for advancing security requirements. In addition, visiting the site informs about the physical access measures and other environmental

The risk model takes the form of threat likelihood versus magnitude of impact. The calculation leads to high, medium and low risk likelihood. The threat source is high and control measures are absent when the risk level is high (Modarres, 2016). The medium level identifies the potential of a threat source, and there are measures in place to control the vulnerability. The low risk level implies the threat source is absent while measures are in place to prevent any problem from occurring.

The components are grouped into applications, databases, operating systems, networks, interconnections and protocols. The protocols include web server and SSL used for protecting and transmitting data (Abbasi, Sarker & Chiang, 2016). The networks used are Cisco routers and a Check Point firewall. The operating system is Microsoft Windows NT while the database is Microsoft SQL Server 2000. Various applications are used, including Microsoft Active Server Pages and other applications.

Vulnerabilities include cross-site scripting, SQL injection, password strength, unnecessary services, disaster recovery, lack of documentation, and integrity checks (Abbasi, Sarker & Chiang, 2016). Operating processes, design and system specifications are not documented. An effective disaster recovery strategy is absent, while the application server and web server contain various unnecessary services such as anonymous FTP and telnet. Any successful attack can attack the local machine, user's session token and spoofing

The potential threat sources include hacking, cybersecurity, insiders and environment. Threats associated with hacking include unauthorized system access, break-ins, system intrusion, social engineering and web defacement. Computer crime includes system intrusion, spoofing and identity theft (McIlwraith, 2016). Insider threats come from the employees and can be associated with dishonesty and negligence of the employees. The consequences from the employees include unauthorized system access, system bugs, malicious code and access to personal information.

Abbasi, A., Sarker, S., & Chiang, R. H. (2016). Big data research in information systems: Toward an inclusive research agenda. Journal of the Association for Information Systems,
McIlwraith, A. (2016). Information security and employee behaviour: how to reduce risk through employee education, training and awareness. Routledge.
Modarres, M. (2016). Risk analysis in engineering: techniques, tools, and trends. CRC Press.