Part 2

Question 1

What are the security planning principles?

Answer 1

1) Risk Analysis
2) Comprehensive security
3) Defense in Depth

Question 2

What is Risk Analysis?

Answer 2

The process of balancing threat and protection costs for individual assets.

Annual cost of protection should not exceed the expected annual damage. Goal is not to eliminate risk but to reduce it to an economically rational level

Question 3

What does comprehensive security mean?

Answer 3

Comprehensive security means closing off all avenues of attack

Attackers only has to find one weaknesses to succeed. Therefore, we need to cover all bases

Question 4

What does defense in depth mean?

Answer 4

Defense in depth means having several layers of defense.

Such that if one protection layer breaks down, the attack will not succeed.

Question 5

What are the 2 aspects of cyber security?

Answer 5

Technical and Managerial

Question 6

What is the focus of the technical aspect of cyber security?

Answer 6

The main focus is on developing technical expertise and technologies for computer security. These include: encryption techniques, firewalls, biometric-based security technologies

Question 7

What is the focus of the managerial aspect of cyber security?

Answer 7

The main focus is on developing security policies and procedures. These include: policies and mechanisms, operational issues and human issues.

Question 8

What does cyber security implementation rely on?

Answer 8

Process, Technology and People

Process: Policies must be developed, communicated, maintained and enforced. Processes must be developed that show how policies will be implemented.

Technology: Systems must be built to technically adhere to policy.

People: People must understand their responsibilities regarding policy

Question 9

What are policies?

Answer 9

Policies are statements of **what **should be done under specific circumstances.

Question 10

Why do policies need to be acceptable to users?

Answer 10

If policies are not acceptable (sensible) then users will ignore and bypass it, which will be dangerous.

Question 11

Why is implementation important?

Answer 11

Implementation helps to make sense of policies in the local context with local and technical expertise.

Question 12

What are the 2 forms of implementation guidance?

Answer 12

Standards and Guidelines

Question 13

Distinguish Standards and Guidelines

Answer 13

Standards are mandatory but guidelines are discretionary - optional but must be considered carefully.

Question 14

Why is oversight important in policy-based security?

Answer 14

Oversight checks that policies are being implemented successfully. It may uncover implementation problems or problems with the specification of the policy.

Oversight staff are separate from implementers. Policies are given to implementers and oversight staff independently.

Question 15

What are the different ways of oversight in policy-based security?

Answer 15

1) Auditing
2) Log files
3) Vulnerability analysis

Question 16

What makes good protection in policy-based security?

Answer 16

Good implementation and good oversight

Question 17

What is the bottom-up approach to cyber security, its advantages and disadvantages?

Answer 17

The bottom-up approach entails the system administrators (such as security, systems and network technicians) improving the system security themselves.

Advantages: They have the technical expertise, and understand the users’ behaviour.

Disadvantages: They are at the bottom of the company hierarchy and have no power. Hence, they may not have the support of their superiors.

Question 18

What is the top-down approach to cyber security and why is it advantageous?

Answer 18

The top-down approach entails policies, procedures and processes initiated by the upper management. They 1) dictate the goals and expected outcomes of the project, and 2) determine who is accountable for each required action.

Advantages:
- Dedicated funding
- Clear planning