Lecture 9

Question 1

Assurance deals with security features of IT products applies to:

Answer 1

• Requirements
• Security policy
• Product design Product Implementation
• System operation

Question 2

CC Assurance Levels and why is it needed?

Answer 2

EAL 1: Functionally Tested

EAL 2: Structurally tested

EAL 3: Methodically tested and checked

EAL 4: Methodically designed, tested and reviewed

EAL 5: Semi-formally designed and tested

EAL 6: Semi-formally verified design and tested

EAL 7: Formally verified design and tested

Question 3

Evaluation Parties and Phases, who is it monitored and operated by?

Answer 3

Parties:

• Sponsor – customer or vendor
• Developer – provides evidence for evaluation
• Evaluator – confirms requirements are satisfied
• Certifier – agency monitoring evaluation process

Monitored and regulated by a government agency in each country

• Operated by NIST and NSA

Question 4

Phases of Evaluation

Answer 4

Preparation: Initial contact between sponsor and developer

Conduct of evaluation: Confirms satisfaction of security target

**Conclusion: ** Final report to the certifiers for **acceptance **

Question 5

The three fundamental questions IT security management tries to address

Answer 5

• IT security requirements
• Assignment of responsibilities
• Risk management approach

Question 6

What is IT Security Management?

Answer 6

A process used to achieve and maintain appropriate levels of confidentiality, integrity, availability, accountability, authenticity and **reliability **

Question 7

Four steps in security iterative security management process

Answer 7

• PLAN – Security policy assessment
• DO – Implementation
• CHECK – Assessment
• ACT – Preventive actions

Question 8

Examines organisation’s IT security

Answer 8

• Objectives – wanted IT security outcomes
• Strategies – How to meet objectives
• Polices – Identify what needs to be **done **

Question 9

The Approaches to identify and mitigate risks to an organisation’s IT infrastructure

Answer 9

• Baseline - Implements agreed controls to provide protection against the most common threats
• **Informal - **Involves conducting an informal, pragmatic risk analysis on organisation’s IT systems
• Detailed risk
• Combined

Question 10

The final stage of risk assessment will be the risk treatment alternatives:

Answer 10

• Risk acceptance
• Risk avoidance
• Risk transfer
• Risk consequence
• Reduce likelihood

Question 11

What is Intellectual Property?

Answer 11

Is the ownership of ideas: names, designs, symbols, and literal, used in commerce.

• Patents: Obtaining rights over invention
• Trademarks: obtaining rights over brand identity
• Copyright: Unauthorised use

Question 12

Copyright and its exclusive rights

Answer 12

Legal right that protects published work from being published or sold

Has copyright rights:

• Reproduction rights
• Modification rights
• Distribution right
• Public-performance right
• Public-display right

Question 13

Patent and types

Answer 13

Granting property right to the inventor

Types:

• Utility
• Design
• Plant

Question 14

What is Trademark?

Answer 14

A word, symbol, or device used in trade with goods

Used to prevent others from using a confusingly similar mark, selling the same goods under a different mark

Question 15

What is Digital rights Management?

Answer 15

Systems and procedures that ensure that holders of digital rights are clearly identified and receive payment for their works