Chapter 4 Exercises
1. Using a graphics program, design several security awareness posters on the following themes: updating antivirus signatures, protecting sensitive information, watching out for e-mail viruses, prohibiting the personal use of company equipment, changing and protecting passwords, avoiding social engineering, and protecting software copyrights.
What other themes can you imagine?
Some other themes could include information security planning policies, contingency planning, recovery plans, incident response plans, business continuity plans, disaster recovery planning, crisis management, online and cloud backup storage planning, data recovery methods, business impact analysis, security domain and perimeter, maximum tolerable downtime, security training and awareness, and spheres of security.
2. Search the Web for security education and training programs in your area. Keep a list and see which category has the most examples. See if you can determine the costs associated with each example. Which do you think would be more cost-effective in terms of both time and money?
When I searched the Web for security education and training jobs, I found that at LSC there is a Cyber Security certificate that is $4,000 and takes 1 year to complete. You can also complete a similar degree at WITC. There are not too many other programs offered that I can find. I think that completing a cyber security degree at LSC would be the most cost-effective and worth the money because you complete the degree in a short amount of time.
3. Search the Web for examples of issue-specific security policies. What types of policies can you find? Using the format provided in this chapter, draft a simple issue-specific policy that outlines fair and responsible use of computers at your college, based on the rules and regulations of your institution. Does your school have a similar policy? Does it contain all the elements listed in the text?
4. Use your library or the Web to find a reported natural disaster that happened at least 6 months ago. From the news accounts, determine whether local or national officials had prepared disaster plans and if the plans were used. See if you can determine how the plans helped officials improve disaster response. How do the plans help the recovery?
During hurricane Katrina in August of 2005, local and national officials had prepared disaster plans but they were not prepared or expecting the terrible disaster that Katrina was. According to VOA News, “Disaster response plans drawn up by cities and states are integrated into a larger federal master plan, which is administered by the Federal Emergency management Agency, or FEMA. Government operations analyst Elaine Kamarck at Harvard University says the agency must look more closely at those plans before the next disaster strikes.” https://www.voanews.com/a/a-13-2005-09-16-voa63-67541507/285971.html. The plans are supposed to help in the recovery process but the plans for hurricane Katrina were extremely flawed.
5. Classify each of the following occurrences as an incident or a disaster. If an occurrence is a disaster, determine whether business continuity plans would be called into play.
a) A hacker breaks into the company network and deletes files from a server.
This is a disaster because the hacker deleted files from a company server. If the files were backed up to some sort of recovery system, then it may just be an incident. Business continuity plans would go into play if the files were extremely important and were not backed up on a recovery system. Law enforcement may be involved, depending on the types of files deleted.
b) A fire breaks out in the storeroom and sets of sprinklers on that floor. Some computers are damaged, but the fire is contained.
This is an incident because the computers were damaged, but the fire was eventually contained. Business continuity plans may go into place if the files of all the computers were destroyed and none of the files were saved to a recovery system. Law enforcement would not be involved in this case because no one broke the law.
c) A tornado hits a local power station, and the company will be without power for three to five days.
This would be an incident because it does not threaten the company’s viability. It would be a disaster if they were to lose power and lose all their data. Nothing was lost in this case, so neither business continuity nor law enforcement would be involved.
d) Employees go on strike, and the company could be without critical workers for weeks.
This could lead up to being a disaster because without critical workers, the company may be in danger of surviving. Business continuity plans would go into play because the company may start looking for new employees or make an agreement with their critical workers in order to end their strike. Law enforcement may be involved depending on the type of strike.
e) A disgruntled employee takes a critical server home, sneaking it out after hours.
This scenario could also lead to a disaster because the employee is angry so he might damage the files on the server, delete them permanently or reveal private company information. Law enforcement would be involved because the employee was most likely not supposed to take a critical server home. Business continuity plans may go into place to make the disgruntled employee happy to work for the company again, but most likely it would only go into place if this situation turns into a disaster.