Question 1
Discuss the different categories that can be used for sensitive information. When designing a system, how do you determine how many categories are necessary? Are there downsides to systems with too many or too few categories?
Question 2
Describe a scenario where the best security architecture would be the Brewer-Nash model. Give reasons why this would be the best and discuss if other models would be suitable.
Question 3
Make a list of information security metrics that could be collected for a small internet commerce company with ten employees. The company uses an outside vendor for packaging and distribution. To whom should the metrics be reported?
Question 4
Identify threats to the information security of a small internet commerce company with ten employees. This company uses an outside vendor for its order fulfillment. Once the list of threats has been generated, assign a likelihood score to each threat.
Question 5
Research the Microsoft risk management approach and write a report describing each of the four phases in the security risk management process. Make a list of questions or concerns you may have with the described approach.
Question 6
Discuss the difficulty in estimating the probability of a threat or attack occurring. Describe methods that can be used to make these estimates?
Question 7
Investigate the Project Management Body of Knowledge (PMBoK). Write a report on one of the knowledge areas.
Question 8
Discuss the task of understanding potential threats which is part of the analysis phase of the SecSDLC. What are some ways to truly understand the enemy? How can you be sure you've covered all the bases?
Question 9
Find an example of a disaster recovery plan. Write a report on the elements included in the plan. Is there anything missing that you think should have been included?
Question 10
Find an example of an enterprise information security policy. What are four important aspects of this policy? Determine how the policy might be used.
Question 11
Research three recent information security breaches. Do the main targets seem to be larger or smaller companies? Is there a particular industry that seems predominately targeted? Do you think breaches at smaller companies are just as likely to occur but not as likely to make the news? Explain your reasoning.