1. Why is security of operation useful to overall information assurance?
2. Backups are an essential part of operational security. What other elements of information assurance do they support? Are there other activities within operational security that are part of other aspects of the information assurance process?
3. How would you differentiate operational security from incident response? Is there a difference?
4. How does discipline relate to secure housekeeping?
5. Why should the issue of free patches or fixes be controversial? What element of the overall IT/organization process makes it that way?
6. Why is there a need to perform routine sensing of the environment? How does the regular staff figure into this?
7. What is the role of operational testing? Why is it needed to ensure security?
8. What is the purpose of the verification function in configuration management? What would happen if this function were not performed?
9. Why is a corrective action function necessary? What would happen without one?
10. What are the vulnerabilities associated with secure disposal? Name the two considerations that must be kept in mind when performing secure disposal.
Essay Quiz Chapter 6
1. Why is the identity management function necessary?
2. Bell-LaPadula is hierarchical. What does this achieve and what is it based on?
3. Differentiate content-dependent versus context-dependent access control methods. What are the advantages of each?
4. How does account management relate to the overall access control process? Specifically, what would be missing without it?
5. Why are analysis engine methodologies potentially more effective than signature file approaches?
6. Why is social engineering part of pen testing? Why is it important there?
7. What is the reason for content-based access control techniques? Why is it particularly important for large corporations?
8. What is the purpose of a classification scheme? How does it apply to access control?
9. Why are transaction processes controlled rather than itself in the Clark-Wilson model?
10. Where does the "no-write-down" rule apply? What does it ensure?