Topic 1: Risks
Think carefully about how you live your life and how you go about planning for the future. How do you manage risks? What threats might you face? How do you think about them? There are health, economic, physical security, home security, and other types of risks. You will also face rewards. What is the relationship between risk and reward? You probably do not have a written plan, but there may be things you do every day, without realizing it, that mitigate or eliminate those risks. Discuss these and how they relate to, and differ from, the risks businesses and other organizations may face.
Topic 2: Security policy acceptance and enforcement
Discuss the characteristics of security policy acceptance and enforcement and the factors that may make those processes difficult. Discuss how security policies differ from the other (non-security) policies businesses generally have. Are they inherently more difficult to design and implement? Why or why not?
Deeply examine the determinants of successful security policies, including but not limited to the legal and regulatory environments in which these policies are developed. Categorize the various security issues an organization might face and prioritize some of the potential security issues.
Contrast post-implementation activities with those leading up to policy implementation. Explain whether post-implementation activities are or are not as important as those leading to policy implementation.
Using one of the case studies in Chapter 8, illustrate how implementing a policy framework to control risk prevents breaches and ensures compliance.
What are some of the primary characteristics of policies and standards that make them easy to understand? Why is it important that security policies are understandable?
What is “Risk Management” and why is it important? How are QA and QC techniques used to measure the effectiveness of risk management policies?
Contrast any two possible approaches to creating security standards.
Examine best practices for implementing security policies. Pick one of the case studies in Chapter 13 of the book, and use the details from that case as reference points for your discussion.
Discuss the need for, importance of, and various approaches that can be utilized when setting up “Incident Response Teams”. Analyze the importance of teamwork and team cohesion when conducting incident response using a team approach.
Compliance is one of the most important areas in security policy effectiveness. Fully evaluate the following statement:
“The most important way to stay compliant is to be aware of your environment, manage to a solid set of policies, and use tools that will be effective in keeping you up with changes.”
Evaluate the following statement:
“Many automated tools are available to IT administrators today. These tools can examine systems to ensure the baseline security settings have not changed. They can also scan systems for vulnerabilities such as ensuring the computers have current patches. Many tools include the ability to scan for issues, and deploy changes to correct the issues. NIST published standards for SCAP in SP 800-126. These standards are resulting in a wealth of available tools to increase security for networks today.”
Throughout your degree program, you have identified and received practice on several important tools essential to the security of various organizations. Identify one such tool and explain exactly how it works to satisfy the evaluation you provided above.
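The statement above describes tools that compare a system against a security baseline, flag out-of-date components, and correct what they find. As an added illustration (not from the course material or any real SCAP tool), the following script sketches those three steps: it checks an observed configuration against a baseline, checks installed package versions against minimum patch levels, and produces a corrected configuration. Every setting name, package name, and version below is constructed sample data.

```python
"""Baseline-drift and patch-level check, in the spirit of SCAP-style tools.

Added example for discussion; not code from the course or from NIST SP 800-126.
All baseline keys, observed values and package versions are constructed samples.
"""
from dataclasses import dataclass

# Constructed baseline of expected settings (hypothetical key names modelled
# on common hardening items such as SSH and firewall configuration).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.enabled": "yes",
    "audit.logging": "enabled",
}

# Constructed minimum acceptable versions: package -> version tuple.
MIN_VERSIONS = {
    "openssl": (3, 0, 12),
    "kernel": (6, 1, 50),
}


@dataclass(frozen=True)
class Finding:
    kind: str       # "drift" (setting differs) or "outdated" (package below minimum)
    item: str       # setting key or package name
    expected: str   # baseline value or minimum version
    observed: str   # what the scan actually saw


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version string such as '3.0.10' into (3, 0, 10)."""
    return tuple(int(part) for part in version.split("."))


def check_baseline(observed: dict) -> list:
    """Report every baseline setting that is missing or differs from the expected value."""
    findings = []
    for key, expected in BASELINE.items():
        actual = observed.get(key, "<missing>")
        if actual != expected:
            findings.append(Finding("drift", key, expected, actual))
    return findings


def check_patches(installed: dict) -> list:
    """Report every tracked package that is absent or below its minimum version."""
    findings = []
    for package, minimum in MIN_VERSIONS.items():
        version = installed.get(package)
        if version is None or parse_version(version) < minimum:
            wanted = ".".join(str(n) for n in minimum)
            findings.append(Finding("outdated", package, wanted, version or "<not installed>"))
    return findings


def scan(observed: dict, installed: dict) -> list:
    """Combine both checks into one list of findings."""
    return check_baseline(observed) + check_patches(installed)


def apply_baseline(observed: dict) -> dict:
    """Return a copy of the configuration with every drifted setting reset to the baseline.

    This models the 'deploy changes to correct the issues' step; it does not touch a real host.
    """
    corrected = dict(observed)
    for finding in check_baseline(observed):
        corrected[finding.item] = finding.expected
    return corrected


# Constructed snapshot of one host: two settings wrong (one drifted, one missing)
# and one package behind its minimum version.
SAMPLE_SETTINGS = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "firewall.enabled": "yes",
}
SAMPLE_PACKAGES = {"openssl": "3.0.10", "kernel": "6.1.55"}


if __name__ == "__main__":
    for finding in scan(SAMPLE_SETTINGS, SAMPLE_PACKAGES):
        print(f"{finding.kind:8} {finding.item}: expected {finding.expected}, observed {finding.observed}")
    print("after remediation:", check_baseline(apply_baseline(SAMPLE_SETTINGS)))
```

Running it on the constructed snapshot reports two drift findings and one outdated package, and the remediated configuration passes the baseline check. The version comparison assumes purely numeric dotted versions; real tools handle vendor-specific version schemes, signed content, and platform-specific collection of settings, which is where the SCAP specifications the statement refers to come in.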
What is culture and how is it different than awareness? What role does training have in establishing culture? Is culture only about training, or is there more to it?
Identify and discuss the important elements of a security culture. Which element is most important? Justify your choice.
How does culture relate to awareness? Is it the same thing? Complementary? Contradictory? Explain.
Assess the following challenge:
“Unless the security department has dedicated resources who themselves are dedicated to awareness and culture, the training efforts delivered will miss the target.”
Identify two groups to which you belong and contrast the differences in group psychology that may exist between them. If the group psychology were changed or were somehow different, can you identify how the group could achieve its objectives in a better way?
Discuss the methodology and importance of establishing baseline behavior through measuring culture elements. How would these measures be utilized to improve the security of the culture?
Using personal knowledge gained from school or work experience, evaluate and discuss the following statement:
“Building and maintaining culture is not something you do once and then you’re done. It’s an ongoing, never-ending process. Either you are in charge of it, or it controls you.”