
Information Security Term Paper

Security

The following looks at case review questions from Principles of Information Security by Michael E. Whitman and Herbert J. Mattord. Chapters 4, 5, 6, and 7 were read, and case questions were assigned for each chapter. The case review answers are combined with material from the chapter reading that accompanies each one.

Chapter 4's introduction opens with a scenario involving a man named Charlie. He is giving key reminders to everyone on the asset identification project: they are to complete their asset lists while keeping certain priorities in mind. This ties into the subject of chapter 4, risk management, which covers identifying risks and assessing them (Whitman and Mattord, 2011, page 116). It also explains how one can carry out risk control. Risk management itself refers to the process of identifying risks or vulnerabilities to the organization and taking steps to reduce them (Whitman and Mattord, 2011, page 116).

Risk management comprises three undertakings: risk identification, risk assessment, and risk control (Whitman and Mattord, 2011, page 116). As an information security professional one needs a risk management strategy, and asset identification is part of that strategy (Whitman and Mattord, 2011, page 116). When doing asset identification one should inventory assets by category, such as people, data, and procedures, and record the attributes of each.

(a)

Charlie organized the work quite effectively before the meeting, with only a few flaws. Before the meeting begins he puts forward the idea that participation from all departments is needed. This shows that every department is an equal stakeholder in the company, rather than everything going through one department that controls it all (Whitman and Mattord, 2011, case study questions page). The issues the work plan should cover include people and their positions. Everyone needs to know what their role in the work plan will be and the part they need to contribute (Whitman and Mattord, 2011, page 121). When sorting this out, avoid names and identify positions instead. The work plan should also include procedures (Whitman and Mattord, 2011, page 121). Procedures cover the purpose of each task and how it is to be performed (Whitman and Mattord, 2011, page 121). They also cover the relationships between hardware, networking elements, and software.

(b)

The company will get useful information from the team it has assembled. The information packets handed out at the beginning of the meeting aim to provide all of the information needed (Whitman and Mattord, 2011, case study questions page). This includes information on the information technology risks the organization faces, such as fires and floods. Legal requirements faced in the industry and background articles are provided as well (Whitman and Mattord, 2011, page 115).

(c)

Some attendees might resist the goals of a meeting if they feel their department or position has nothing to do with the goals to be accomplished (Whitman and Mattord, 2011, page 115). For example, in the chapter introduction's case of Charlie, the sales manager says something quite telling (Whitman and Mattord, 2011, page 115). He says, "Why is my department here? Isn't security a problem for the IT department?" That sense of resistance is already present, stemming from not knowing what is to come.

Key points from chapter 4 are that the goal of information security is to reduce residual risk, the risk that remains after control applications and other risk management strategies have been applied, to a level the organization finds acceptable (Whitman and Mattord, 2011, page 164). One also needs to fully understand each threat that can be presented and the impact it can have on the organization (Whitman and Mattord, 2011, page 164). One should also know how each individual threat is examined through a threat assessment process. Finally, the goal of a risk assessment is to assign a risk rating, or score, that represents the risk posed by a specific vulnerability.
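The risk rating mentioned above can be worked through on a small asset register. The following is an added example, not code from the essay or from Whitman and Mattord; it applies the chapter 4 risk determination formula (likelihood times asset value, minus the percentage of that product already mitigated by current controls, plus a percentage for uncertainty of current knowledge) to constructed assets, values, likelihoods and control figures that are assumptions for illustration only.

```python
"""Added example (not from the essay or from Whitman and Mattord's own
materials): computing a per-vulnerability risk rating for a constructed
asset list, using the chapter 4 risk determination formula:

    risk = (likelihood x asset value)
           - fraction of that product already mitigated by current controls
           + fraction of that product added for uncertainty of current knowledge

Asset names, values, likelihoods and control fractions below are
constructed for illustration and are not taken from the book or the essay.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class VulnerabilityRisk:
    asset: str
    vulnerability: str
    asset_value: int        # relative value/impact of the asset, 1..100
    likelihood: float       # probability the vulnerability is exploited, 0.0..1.0
    controlled: float       # fraction of the risk already mitigated by controls, 0.0..1.0
    uncertainty: float      # fraction added for uncertainty of current knowledge, 0.0..1.0

    def __post_init__(self):
        # Refuse inputs outside the ranges the formula assumes; a silently
        # accepted likelihood of 5.0 would inflate a rating fivefold.
        if not 1 <= self.asset_value <= 100:
            raise ValueError(f"asset value out of range: {self.asset_value}")
        for name in ("likelihood", "controlled", "uncertainty"):
            v = getattr(self, name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{name} out of range: {v}")

    def risk_rating(self) -> float:
        base = self.likelihood * self.asset_value
        return round(base - base * self.controlled + base * self.uncertainty, 2)


def rank_risks(risks):
    """Return (asset, vulnerability, rating) tuples, highest rating first,
    which is the order in which controls should be considered."""
    return sorted(((r.asset, r.vulnerability, r.risk_rating()) for r in risks),
                  key=lambda t: t[2], reverse=True)


# Constructed asset register for the worked example (assumed values).
ASSET_REGISTER = [
    VulnerabilityRisk("Customer database", "SQL injection in web front end",
                      asset_value=100, likelihood=0.5, controlled=0.5, uncertainty=0.2),
    VulnerabilityRisk("Payroll file server", "Unpatched SMB service",
                      asset_value=50, likelihood=1.0, controlled=0.0, uncertainty=0.1),
    VulnerabilityRisk("Customer database", "Backup tapes stored off site unencrypted",
                      asset_value=100, likelihood=0.1, controlled=0.0, uncertainty=0.2),
]

if __name__ == "__main__":
    for asset, vuln, rating in rank_risks(ASSET_REGISTER):
        print(f"{rating:6.2f}  {asset}: {vuln}")
```

The ranking is the point of the exercise: the payroll server, with a lower asset value but a certain, uncontrolled vulnerability, outranks the higher-value customer database whose injection flaw is already half mitigated, so it is where control spending goes first.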

Case Study Chapter 5

For the chapter 5 case study we see Charlie sitting at his desk answering an important email. He has a notepad ready and is prepared to make notes on what should be done if his "nightmare" occurs (Whitman and Mattord, 2011, case study questions). The case study asks what should be written on the notepad to address the situation and deal with it in a way that is effective and takes care of the problem completely (Whitman and Mattord, 2011, case study questions).

One approach to issue-specific security policy is a single comprehensive ISSP document that is centrally managed and controlled (Whitman and Mattord, 2011, page 176). An issue-specific security policy addresses specific areas of technology, requires frequent updates, and contains a statement of the organization's position on a specific issue (Whitman and Mattord, 2011, page 176). It can cover topics such as email, internet use, use of personal equipment on company networks, and the prohibition of hacking or testing organizational security controls in any form.
The ISSP document is what will give Charlie the guidelines to follow for the contingency plan. Contingency plans prepare for action if an attack succeeds (Whitman and Mattord, 2011, page 176). Many types of contingency plans exist, such as business continuity plans and incident response plans.

(a)

The first thing on Charlie's list should be a rough draft of the business impact analysis. This is the assessment and examination of the impact that various problems could cause (Whitman and Mattord, 2011, page 209). Charlie should write down all the problems that could occur and what their effect on the business would be if they did. He will then have answers to the question of what to do if an attack succeeds, for example what is to happen when an electrical blackout occurs or when a massive malicious code attack hits.

(b)

The other items that should be included are incident response planning, disaster recovery planning, and business continuity planning. Incident response planning covers the identification, classification, and response to an incident (Whitman and Mattord, 2011, page 212). It consists of four phases: planning, detection, reaction, and recovery. Disaster recovery planning covers crisis management procedures and recovery operations and gives very detailed guidance in the event of a disaster (Whitman and Mattord, 2011, page 220). It establishes priorities and delineates roles and responsibilities so that everyone is aware of their expected actions in case of disaster (Whitman and Mattord, 2011, page 226). Business continuity planning will give Charlie guidelines for reestablishing business operations during a disaster. It lays out the steps the organization can take to keep functioning if business cannot be conducted at the main work site (Whitman and Mattord, 2011, page 226). There has to be a plan in place that allows the business to continue if certain functions are unavailable because of a disaster. A number of strategies exist for a continuity plan, and cost tends to be the determining factor.

Once Charlie has everything written down on the notepad, he will have the model that becomes the official contingency plan.

Case Study for Chapter 6

The chapter 6 case study sees a character named Kelvin calling a meeting to order. The meeting is called to settle a design issue over the network. Susan Hamir reviews key points and certain tradeoffs. Kelvin then starts a slide presentation with a list of discussion questions.

Chapter 6 itself covers concepts such as filtering technology, the technology that enables virtual private networks, and firewall technology. The idea of access control is examined as well. Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization (Whitman and Mattord, 2011, page 237). Firewalls are categorized and explained by generation: first generation, second generation, and third generation firewalls.

(a)

The questions the slide presentation should address start with what the firewall architecture will be: for example, a packet-filtering router, a screened-host firewall, or a dual-homed host firewall (Whitman and Mattord, 2011, pages 255-256). Another question is whether the firewall design will adapt to the organization's growing network (Whitman and Mattord, 2011, page 259). Cost must also be taken into account: what is included in the base price, are all of the costs of the design known, and what additional features can be obtained at extra cost? To what extent will the firewall design provide the required protection? Will the firewall design be easy to set up and configure (Whitman and Mattord, 2011, page 259)? Is there an adequate number of staff technicians competent to set up the firewall design and…
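Whichever architecture Kelvin's team picks, the packet-filtering router is the component that actually decides packet by packet, and the rule order is where setups go wrong. The following is an added example, not code from the essay or from Whitman and Mattord: a first-match packet filter with a default-deny policy, a weak ruleset beside a corrected one, and a check for rules that an earlier rule has made unreachable. The addresses, rules and packets are constructed for the example (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges).

```python
"""Added example (not from the essay or from Whitman and Mattord): a
first-match packet filter of the kind a packet-filtering router applies,
with a default-deny policy, plus a check for rules that an earlier rule
makes unreachable. Addresses, rules and packets are constructed for the
example; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source network, CIDR
    dst: str = "0.0.0.0/0"        # destination network, CIDR
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def filter_packet(rules, pkt, default="deny"):
    """First matching rule wins; anything no rule covers gets the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule
    already matches every packet they would match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(i)
                break
    return shadowed


WEB_SERVER = "192.0.2.10/32"   # constructed DMZ web server address

# Weak ruleset: the broad allow comes first, so the telnet deny never fires.
WEAK_RULES = [
    Rule("allow", dst=WEB_SERVER, proto="tcp"),
    Rule("deny", dst=WEB_SERVER, proto="tcp", dport=23),
]

# Corrected ruleset: explicit denies first, then only the services the
# web server is meant to expose; everything else falls to default deny.
CORRECT_RULES = [
    Rule("deny", dst=WEB_SERVER, proto="tcp", dport=23),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=443),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80),
]

# Constructed packets from an outside host.
HTTPS = Packet("203.0.113.5", "192.0.2.10", "tcp", 443)
TELNET = Packet("203.0.113.5", "192.0.2.10", "tcp", 23)
SSH = Packet("203.0.113.5", "192.0.2.10", "tcp", 22)


def compare(pkt):
    """Decision of each ruleset for one packet, for side-by-side review."""
    return {"weak": filter_packet(WEAK_RULES, pkt),
            "correct": filter_packet(CORRECT_RULES, pkt)}


if __name__ == "__main__":
    for name, pkt in (("https", HTTPS), ("telnet", TELNET), ("ssh", SSH)):
        print(name, compare(pkt))
    print("shadowed in weak ruleset:", shadowed_rules(WEAK_RULES))
```

The shadowing check is the review step to run before any ruleset goes live: a deny that sits below a broader allow is dead text, and the weak ruleset above passes telnet and SSH to the web server even though its author wrote a deny for telnet.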

Sources used in this document:

Whitman, M., & Mattord, H. (2011). Principles of Information Security (4th ed.). Cengage Learning.
