
Noah Couslar
Chapter 2

2. What are three common layers of planning? How do they differ?

Strategic, tactical, and operational planning. Strategic planning begins with a transformation from general and sweeping statements into more specific objectives; these are also used to create tactical plans. Tactical planning has a shorter-term focus than strategic planning; it breaks down each applicable strategic goal into a series of incremental objectives. Operational plans are used to organize day-to-day performance tasks.

4. What is a mission statement? What is a vision statement? What is a values statement? Why are they important? What do they contain?

A mission statement expresses what the organization is; the vision statement expresses what the organization wants to become. Both are important because they give consumers or any potential investors an idea of what the organization is now and what it would like to be.

6. What is information security governance?

Governance of information security is a strategic planning responsibility whose importance has grown in recent years.

8. What are the five basic outcomes that should be achieved through information security governance?

1. Strategic alignment of information security with business strategy to support organizational objectives.
2. Risk management by executing appropriate measures to manage and mitigate threats to information resources.
3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively.
4. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved.
5. Value delivery by optimizing information security investments in support of organizational objectives.

10. How does SecSDLC differ from the general SDLC?

The general SDLC is a methodology that is a formal approach to solving a problem based on a structured sequence of procedures. SecSDLC involves the identification of specific threats and the risks that they represent, and the subsequent design and implementation of specific controls to counter those threats and manage the risk.

12. What is a threat in the context of information security? How many categories of threats exist as presented in this chapter?

A threat is a category of objects, persons, or other dangers that represents a constant danger to an asset. There are 12 categories of threats in this chapter.

14. How can a vulnerability be converted into an attack? What label would we give to the entity that performs this transformation?

A vulnerability can be exploited to gain information from the database. Threat agent is what this entity is called.

16. What questions might be asked to help identify and classify information assets? Which is the most useful question in the list?

1. Which information asset is the most critical to the success of the organization?
2. Which information asset generates the most revenue?
3. Which information asset generates the most profitability?
4. Which information asset would be the most expensive to replace?
5. Which information asset would be the most expensive to protect?
6. Which information asset would be the most embarrassing or cause the greatest liability if revealed?

18. What term is used to describe the provision of rules intended to protect the information assets of an organization?

Information security policy.

20. What are the three categories of information security controls? How is each used to reduce risk for the organization?

Managerial, operational, and technical controls. Managerial controls are used to cover security processes that are designed by the strategic planners and executed by the security administration of the organization; they set the direction and scope of the security types and provide detailed instructions for its conduct. Operational controls deal with the operational functionality of security in the organization; they cover management functions and lower-level planning. Technical controls address those tactical and technical approaches to implementing security in the organization.
