The goal of authorization is to ensure that the designated


Please answer these questions as fully as possible

1. In terms of focus, what is the difference between the selection of the controls for information assurance and the deployment of the actual response? Why should these be considered different aspects?

The selection of controls for information assurance focuses on information identification and risk identification and analysis

The deployment of the actual response focuses on establishing a sustainable security infrastructure

Specific understanding of the assets and associated risks is a pre-condition to establishing a relevant response

2. What is the role of the change control process and why might it be the single most important success factor?

The change control process has to do with establishing accountability for change. This might be the single most important success factor because there has to be an organizational process to rationally manage the natural evolution; otherwise, control of the asset base will quickly move out of the grip of the organization.

3. Why is it necessary to conduct operational risk assessment on an ongoing basis? How are the outcomes of this process used?

It is necessary to conduct risk assessments on an ongoing basis to identify threats and ensure the long-term survival of the information asset base

The outcomes of this process are used to develop and put into place the appropriate countermeasures to prevent the threats from happening or contain them if they do

4. What are the business issues and constraints involved in control selection? Why are these critical determinants of the ongoing effectiveness of the security system and how can they be affected by change?

The Business Issues and Constraints involved in control selection are:
- Information assets are always evolving
- Items are continuously added to baselines and the form and content of the individual element changes as the business model evolves
- Control structure changes in accordance with alterations in policy

These are critical determinants of the ongoing effectiveness of the security system because there has to be an organizational process to rationally manage the natural evolution; otherwise, control of the asset base will quickly move out of the grip of the organization.

5. Why is it necessary to maintain a classic change management process for the information asset baseline? What is the role of the information baseline accounting ledger in this process and why is it important?

Baselines are dynamic because information is a constantly changing resource
Therefore, all baselines are evolved over time, as the form of the asset changes
The ledger is utilized by the change control function to perform the impact analysis prior to the change authorization
The point of the prior two functions is to establish and maintain a correct and continuously evolving picture of the form and content of the information base

6. What is the point of the impact analysis? Discuss ways that the impact analysis can feed into the formulation decisions about the control baseline.

7. Why is it necessary to value controls to implement security? What does the organization lose by not doing this (for example, what would be the situation if this were not done)?

8. What is the role of threat assessment in the overall control formulation process? Why is threat assessment a primary success factor for operational implementation?

9. What is the purpose of a beta test of operational security control? What does this provide in terms of ongoing value to the security scheme?

10. Why is it necessary to follow the steps in the process? What is the likely consequence of jumping ahead a few steps to bring things to a faster conclusion?

Fill In the Blanks - Complete each statement by writing one of the terms from this list in each blank.

1. Testing to refine the control set in its operational environment is called Asset Evaluation

2. Each information item is identified by a unique and appropriate label.

3. Essentially, 6 types of baselines are involved in asset management.

4. The baseline that provides the specific assurance function is called the component.

5. The goal of authorization is to ensure that the designated stakeholder authorizes all changes to information and control sets.

Multiple Choice

1. Information management: B. Implements policy
A. Is irrelevant to security B. Implements policy C. Involves AT&E D. Is unnecessary

2. Baselines: C. Are hierarchical
A. Are abstract B. Are intangible C. Are hierarchical D. Must be programmed

3. The process of formulating the control set should be based on: C. Iteration
A. Best guess B. Confidence C. Iteration D. A sense of humor

4. To do its work properly, the status accounting function relies on the use of: C. Controls
A. Code reviews B. Repositories C. Controls D. Verifications

5. Information asset management is always based on: A. Plan
A. A plan B. An analysis C. Best guess D. Best practice

Limited Response Questions - In your own words, briefly answer the following:

1. Why is it important to control changes to asset baselines?
Change control is a continuous process. It assures that the documentation of the items that exist within the baseline is accurate and that their precise status is known at all times. Its aim is to manage the natural evolution of an entity in such a way that it preserves its overall integrity

2. Why is the labeling process approached hierarchically?
The actual asset base typically contains multiple representations (versions). Once the high-level understanding is achieved, a second pass is required to detail each of the large components. The labeling employed to characterize the relationship of each individual component to all other components is based on and reflects the hierarchical structure. The labeling must always correlate to the element's location in the hierarchy of the identification scheme

3. Differentiate asset baselines from control baselines.
An asset baseline identifies and records the content and interrelationships of the information items (elements) considered valuable.
A control baseline identifies and documents the countermeasures established to mitigate threats to each individual information element.

4. How do the asset management procedures relate to overall security policy?
Asset management assures that the documentation is accurate and that all security policies are correctly implemented

5. Why is organizational buy-in so important to good asset management?
It is important to keep the baseline properly aligned with the evolution of the operating infrastructure of the organization. Therefore, effectiveness implies a commitment to continuous monitoring, adjustment, and updating of the baseline. This process should entail solicitation of continual and regular feedback from the operational environment. The feedback is important because, in addition to providing guidance, a well-executed feedback system generates a high degree of organizational buy-in (universal acceptance) which assures disciplined performance (implementation) of the security work

Case Exercise for Asset Identification

Refer to the Heavy Metal Technology Case in Appendix (A) of your book. You have been assigned the baseline management responsibility for the project to upgrade the target acquisition and display (TADS) for the AH64-D Apache Longbow attack helicopter. To start the process, you know you must first inventory and array a complete and coherent baseline of high-level documentation items. Using the project materials outlined in the case (and others you want to add because you feel they are appropriate), perform the following tasks:

1. Identify all distinct types of documentation.

2. Relate these documentation items to each other. If there are implicit parent-child relationships, what are they?

3. Provide unique labels for each item that reflect their relationship to each other and through which another reader could easily see that relationship.

4. Formulate these items into a coherent baseline.

5. Define a change control system to ensure that the integrity of each of these items will be preserved over time.

6. Justify the effectiveness of that control scheme.
