
Principles of Information Security, 4th Edition, Chapter 11 Review Questions

1. Who in an organization should decide where in the organizational structure the information security function should be located? Why?

There is not a specific department or individual that decides where the information security function should go. It is the entire organization (the different communities of interest) that has to find a rational compromise by placing the information security function where it can best balance the needs of enforcement of organization policy with the education, training, awareness, and customer service needed to make information security part of the organizational culture.

2. List and describe the options available for the location of the information security functions within the organization. Discuss the advantages and disadvantages of each option.

The security function can be placed within the:
1. IT function, as a peer of other functions such as networks, applications development, and the help desk.
2. Physical security function, as a peer of physical security or protective services.
3. Administrative services function, as a peer of human resources or purchasing.
4. Insurance and risk management function, because a compromise of security can be of great risk to the company.

18. List and describe the typical relationships that organizations have with nonemployees. What are the special security precautions that an organization must consider for workers involved in these associations, and why are they significant?

Temporary employees: access to information should be limited to that necessary to perform their duties.

Contract employees: most contracted employees should not have access to information or information resources (unless they are contracted to service computing resources). Also, contracted employees should be escorted in secured facilities.

Consultants: consultants should be handled the same as contract employees, with special requirements for information or facility access integrated into the contract before these individuals are allowed outside the conference room.

Business partners: there must be a meticulous, deliberate process of determining what information is to be exchanged, in what format, and to whom. All of these considerations must be taken into account to prevent accidental or intentional breaches of confidentiality, integrity, or availability that could negatively affect the organization.

19. What is separation of duties? How can it be used to improve an organization's information security practices?

Separation of duties is a control used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of the information. It is used to improve an organization's information security practices by requiring two people to complete a significant task that involves sensitive information. If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises.

20. What is job rotation, and what benefits does it offer an organization?

Job rotation or task rotation is the requirement that every employee be able to perform the work of another employee. If it is not feasible for one employee to learn the entire job of another, then the organization should at least try to ensure that for each critical task it has multiple individuals on staff who are capable of performing it. Job or task rotations such as these can greatly increase the chance that an employee's misuse of the system or abuse of the information will be detected by another. They also ensure that no one employee is performing actions that cannot be physically audited by another employee. In general, this method makes good business sense.
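As an added example (not from the textbook or its answer key), the two controls in questions 19 and 20 expressed as checks a system could enforce: a sensitive task cannot be approved by the person who requested it, and a staffing review flags critical tasks that only one person on staff can perform. All names, tasks and skills are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SensitiveTask:
    """Separation of duties: a task one person requests and another must approve."""
    name: str
    requested_by: str
    required_approvers: int = 1
    approvals: set = field(default_factory=set)

    def approve(self, approver: str) -> bool:
        """Record an approval; the requester approving their own task is refused."""
        if approver == self.requested_by:
            return False
        self.approvals.add(approver)  # a set, so one person cannot approve twice
        return True

    def may_execute(self) -> bool:
        """True only once enough distinct people other than the requester agree."""
        return len(self.approvals) >= self.required_approvers


def single_points_of_failure(critical_tasks, staff_skills):
    """Job rotation check: critical tasks that fewer than two people can perform.

    staff_skills maps a person to the set of tasks they are able to carry out.
    """
    capable = {task: {person for person, skills in staff_skills.items() if task in skills}
               for task in critical_tasks}
    return sorted(task for task, people in capable.items() if len(people) < 2)


def demo():
    # Constructed scenario: alice wants to export a sensitive data set.
    export = SensitiveTask("export customer database", requested_by="alice")
    self_ok = export.approve("alice")   # refused: self-approval
    other_ok = export.approve("bob")    # accepted: a second person signs off
    staff = {"alice": {"backup restore", "firewall changes"},
             "bob": {"backup restore"},
             "carol": {"payroll run"}}
    gaps = single_points_of_failure({"backup restore", "firewall changes", "payroll run"}, staff)
    return self_ok, other_ok, export.may_execute(), gaps


if __name__ == "__main__":
    print(demo())
```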