Answer Each Question in At Least 75 Words Per Question:

1. NIST 800-14 presents a significant point that “Security Should Be Periodically Reassessed”; what are the benefits of periodic review of security policy and how often should policy be reviewed?

2. In reference to risk management strategy and the security life cycle, what benefit does Certification and Accreditation provide to an information system? Is an Information with a Certification and Accreditation more secure than an information system without one?

3. Assessing Threats is a key element in Risk Assessment. In review of your home computing network answer the following assessment questions:

· Which threats are Internal and which are External?

· Which threats have the highest probability of success?

· Which threats could result in the greatest loss if successful?

· Which threats cost the most to protect against?

4. Select and provide an analysis of the Risk Control Practices and include why you would or would not choose this Risk Control Practice for your organization.

5. Select and provide an analysis of the Statement of Strategy and include how you would define/create a strategic statement for your organization.

6. Discuss the phases of the Security Systems Development Life Cycle to include the deliverables in each phase.

7. Select, review and discuss a Computer Fraud and Abuse Act (CFAA) charge/case. How does CFAA counter threats from computer related acts and offenses?

8. Describe the security practices implemented when hiring personnel to prevent the misuse of information and information technology. How is this information provided to existing company personnel to ensure retention?

9. Incident Response Planning involves the creation of three sets of standard operating procedures (SOP); During the Incident, After the Incident and Before the Incident. As the CISO of a small manufacturing business what are the tasks you would assign to both the Users and Technology Services in the SOP for During the Incident? Who are the key personnel that need to be notified?

10. Business Continuity is key in a major organization, discuss the differences between Hot sites, Warm sites and Cold sites to include: the benefits and disadvantages of each, what factors must be considered in choosing between each service and which service you would choose for a small manufacturing business?

11. The sphere of security shows how access controls can be implemented to defend against threats. Firewalls have been a significant control mechanism to control the flow of information. Select and discuss a firewall type from this week’s reading. Include what factors you would include in a brief to your organizational leadership in selecting this firewall for your organization’s network.

12. Discuss the difference between Symmetric and Asymmetric Encryption to include the process each uses to secure the information between the sender and receiver. Which is more secure?

13. As the CIO, your Information Security Policy (ISP) is set forth at your organization. The new policy was distributed three months ago, has been provided to each department in written text format and is available on the company’s website. You have held mandatory training with each department to explain the policy and highlight the changes that have occurred. What if an employee refuses to explicitly agree to comply with the policy? Is there any laws an employee breaks by not complying with a company’s ISP?