Answer to Tutorial 12 Information Security

1. List and describe the three major steps in executing the project plan. Answer: Three major steps are: (i) Planning the project involves the creation of a detailed project plan. Creating a project plan to implement the information security blueprint is often assigned to either a project manager or the project champion. (ii) Supervising tasks and action steps to designate a suitable person from the information security community of interest to lead the implementation. (iii) Project wrap-up is handled as a procedural task assigned to a mid-level IT or information security manager. These managers collect documentation, nalize status reports, and deliver a nal report and a presentation at a wrap-up meeting. 2. What is a work breakdown structure (WBS)? Answer: The WBS is a planning tool that allows you to break the project plan into several major tasks to be accomplished that are placed on the WBS task list. Each one of these major tasks is then further divided into either smaller tasks or specic action steps. 3. How does a planner know when a task has been subdivided to an adequate degree and can be classied as an action step? Answer: When the task can be completed by one individual or skill set and when it includes a single deliverable. 4. What is a deliverable? Answer: A deliverable is a completed document or program module that can serve either as the beginning point for a later task or become an element in the nished project.

5. What is a milestone and why is it signicant to project planning? Answer: A milestone is a specic point in the project plan when a task and its action steps are complete and have a noticeable impact on the progress of the project plan as a whole. For example, the date for sending the nal RFP (request for proposal) to vendors is considered a milestone because it signals all RFP preparation is complete. 6. Within project management, what is a dependency? What is a predecessor? What is a successor? Answer: A dependency is a relationship between a task or action step where one is dependent on the completion of the other for the task to begin. A predecessor is a task or action step that precedes the one at hand. A successor is a task or action step that comes after the one at hand. 7. What is a negative feedback loop? How is it used to keep a project in control? Answer: A negative feedback is a process to manage a project to completion. The measured results are compared to the expected results. When a signicant deviation occurs, corrective action is taken to bring the task that is deviating from plan back into compliance with the projection, or else the estimate is revised in light of the new information. 8. List and describe the four layers of the bulls-eye. Answer: (i) Policies: The foundation of all eective information security programs is sound information security and information technology policy. (ii) Networks: The threats from public networks meet the organizations networking infrastructure.

(iii) Systems: This layer includes computers used as servers, desktop computers, and systems used for process control and manufacturing systems. (iv) Applications: This layer includes packaged applications, such as oce automation and e-mail programs as well as high end enterprise resource planning (ERP) packages than span the organization. 9. Why is it important to use specic and clearly dened job descriptions for hiring information security professionals? Answer: It is important to use standard job descriptions for hiring information security professionals because it can increase the degree of professionalism in the information security eld and also improve upon the consistency of roles and responsibilities between organizations. 10. List and describe the standard personnel practices that are part of the information security function when they are integrated with information security concepts. Answer:

Reviewing and updating all job descriptions to verify that access privileges are not revealed to prospective employees when advertising positions. Educate HR to limit the information provided which is provided to the candidate on the responsibilities and access rights the new hire would have during an interview. Discuss with HR Manager what (if any) background checks should be performed against prospective new hires. Have new employees sign the fair and responsible use policies regarding information and information resources. Explain all major policies and procedures during new hire orientation. On the job security training. Verify that all access to the organizations systems are disabled, hard drives secured, le cabinet locks are changed, oce door locks changed, keycard access revoked, and personal eects removed after the termination of an employee. 11. Why shouldnt you show an employee candidate secure areas during interviews? Answer: Candidates who are shown around can retain enough information about the operations or information security functions to represent a potential threat.

12. What is separation of duties? How can it be used to improve an organizations information security practices? Answer: Separation of duties is a control used to reduce the chance of an individual violating information security and breaching the condentiality, integrity, or availability of the information. It is used to improve an organizations information security practices by requiring two people to complete a signicant task that involves sensitive information. If one person has the authorization to access a particular set of information, there may be nothing to prevent this individual from copying it and removing it from the premises. 13. What is collusion? How does the separation of duties impact collusion? Answer: Collusion is the idea that the completion of a signicant task that involves sensitive information should require two people. This measure of checks and balances is meant to require two or more people to conspire to commit an incident, thus reducing the likelihood of the incident from occurring. Separation of duties is a control used to reduce the chance of an individual violating information security and breaching the condentiality, integrity, or availability of the information.