In: Computer Science
Q1. Define information security
Q2. Describe the information security roles of professionals within an organization
Q3. Explain these Necessary tools: policy, awareness, training, education, technology
Q4. Explain why a successful information security program is the responsibility of both an organization’s general management and IT management
Q5. Identify the threats posed to information security and differentiate threats to the information within systems from attacks against the information within systems
Q6. Differentiate between laws and ethics
Q7. Explain the role of culture as it applies to ethics in information security
Ans1. Information security is the protection of the confidentiality, integrity, and availability of information assets, whether in storage, processing, or transmission. It is achieved via the application of policy, education, training, and awareness, and technology.
Ans2. There are various types of roles in an organization. The chief information security officer (CISO) has primary responsibility for the assessment, management, and implementation of information security in the organization.
1. Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
2. Team leader: A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
3. Security policy developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
4. Risk assessment specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
5. Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
6. Systems administrators: People with the primary responsibility for administering the systems that house the information used by the organization.
7. End users: Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls applied in ways that do not disrupt the essential business activities they seek to safeguard.
Ans3. The primary tools needed to achieve the goals of reducing occupational injuries and illnesses and promoting occupational safety and health have been characterized as the “three E’s”—engineering, enforcement, and education. The three are interdependent and receive varying levels of emphasis within different national systems. The overall rationale for training and education is to improve awareness of safety and health hazards, to expand knowledge of the causes of occupational illness and injury, and to promote the implementation of effective preventive measures. The specific purpose and impetus for training will, however, vary for different target audiences.
Security awareness training is a formal process for educating employees about computer security. A good security awareness program should educate employees about corporate policies and procedures for working with information technology (IT).
Ans4. This is because there are roles to be taken care of, which leads to the involvement of both general management and IT management, as described in Ans2.
The roles divide between general management and IT management as follows: time management, resource management, and team management come under general management, and all technical jobs come under IT management.
Ans5. A threat is an object, person, or other entity that represents a constant danger to an asset. By examining each threat category in turn, management effectively protects its information through policy, education and training, and technology controls.
An attack is the deliberate act that exploits the vulnerability. It is accomplished by a threat agent to damage or steal an organization’s information or physical asset.
An exploit is a technique to compromise a system.
A vulnerability is an identified weakness of a controlled system whose controls are not present or are no longer effective.
An attack is then the use of an exploit to achieve the compromise of a controlled system.
Ans6. Law: constitution, statutes, regulations, codes, cases.
Ethics: systems of acceptable behavior adopted by a group or profession.
Firstly, ethics comes from people’s awareness of what is right and what is wrong, while laws are written and approved by governments. It means that ethics may vary from person to person because different people may have different opinions on a certain issue, but laws describe clearly what is illegal no matter how people argue.
Nobody will be punished when they violate ethics, but whoever violates laws is going to receive punishment carried out by relevant authorities.
Ethics and laws are closely related, since laws represent the minimum ethical behaviors of human beings, but they are distinct in many aspects.
Ans7. When working with other cultures, it is important to recognize differences in values. Cultural differences can make it difficult to determine what is and is not ethical—especially when it comes to the use of computers. Studies on ethics and computer use reveal that people of different nationalities have different perspectives; difficulties arise when one nationality’s ethical behavior violates the ethics of another national group.