Question

Review Questions (1 to 2 paragraphs on each question)

1. Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organization?
2. What is the primary objective of the SecSDLC? What are its major steps, and what are the major objectives of each step?
3. What questions might be asked to help identify and classify information assets? Which is the most useful question in the list
4. What are the three categories of information security controls? How is each used to reduce risk for the organization?

Exercises (1 to 2 paragraphs on each questions)

1. Using a Web search engine, find an article from a reputable source published within the past six months that reports on the relative risk that comes from inside the organization as opposed to risk that comes from external sources. If the article notes that this relative risk is changing, how is it changing and to what does the article attribute the change?
2. Search your institution’s published documents, including its Web pages. Locate its mission statement, vision statement, and strategic goals. Identify any references to information security. Also look for any planning documents related to information security.
3. Using a Web browser, go to http://gocsi.com. Search for the link offering a free copy of the latest CSI/FBI study. Summarize the key points and bring your summary to class to discuss with your fellow students.

Please answer all of them if you can and know.I found some here,but i would like new ones. Thank you!

Answer 1

Answer:

1. Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organization?

Top-down strategic planning involves high-level managers providing resources and giving directions. Directors issue policies, procedures, and processes and dictate the goals and expected outcomes of the project, as well as determine who is accountable for each of the required actions. In top-down planning, managers give directions on how projects should be handled, while in bottom-up planning, system administrators give directions on how projects should be handled. Of the two, top-down planning is the more effective security strategy, because it encompasses critical features such as coordination between departments, coordinated plans from top management, provision of sufficient resources, and support from end users.

What is the primary objective of the SecSDLC? What are its major steps, and what are the major objectives of each step?

The primary objective of the SecSDLC is the identification of specific threats and the risks that they represent, and the subsequent design and implementation of specific controls to counter those threats and assist in the management of the risk. The major steps and their objectives are:
• Investigation—Beginning with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints, investigation involves validating the directive and the affirmation or creation of security policies on which the organization's security program is or will be founded.
• Analysis—The documents from the investigation phase are studied.
• Logical design—The team members create and develop the blueprint for security, and examine and implement key policies that influence later decisions.
• Physical design—Team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final decision.
• Implementation—The security solutions are acquired, tested, implemented, and tested again.
• Maintenance—Information systems are constantly monitored, tested, modified, updated, and repaired. This is the most important phase.

What questions might be asked to help identify and classify information assets? Which is the most useful question in the list

Which information asset is the most critical to the success of the organization? Which information asset generates the most revenue?Which information asset has the highest profitability?Which information asset would be the most expensive to replace?Which information asset would be the most expensive to protect?

What are the three categories of information security controls? How is each used to reduce risk for the organization?

Answer: Managerial Controls – covers strategic planning Operational Controls – covers operational planning Technical Controls – covers tactical planning