In addition to information security, there are several different types of security systems in any substantial
organization, including things like physical security, personnel security, etc. Name at least two additional areas of security focus, and describe why they are important and how they might relate to information security in a banking organization. (2-3 paragraphs)
5. Consider a company like Facebook, which serves millions (billions?) of customers, and claims to require that each account be associated with exactly one person, and that the person must correctly identify themselves. Describe at
least two approaches that might be used to uniquely and positively identify individuals before they sign up for an
account (so that I can’t claim to be someone else, for example), and the data access required to make that happen.
These could be online or human-assisted validation approaches. Comment briefly on the tradeoffs between your two
approaches. (2-3 paragraphs)
6. Cloud computing, while not new, is gaining in visibility and popularity, both among consumers and businesses.
How does using a cloud computing service affect an organization’s risk management? Name at least three aspects of
cloud operations that make things easier for the InfoSec team, and three aspects that make things harder for the
InfoSec team to be confident about their security management. Explain why.
7.Consider the legal and regulatory impacts on information security. There were stories that indicated that the US
National Security Agency had requested encryption keys from U.S. companies are, so that they could at any time
decrypt communications or other data held by those companies, and that Yahoo! had routinely scanned millions of
e-mails on behalf of US intelligence agencies. Assuming those stories are true, what two or three approaches might
individuals take to protect their data from this type of access? Comment on the tradeoffs between the approaches
you identify. Based on Apple and Google’s claims that they have made themselves unable to respond to law
enforcement requests, how does this affect your position? (2-3 paragraphs)
8. Bring your own device, or BYOD, is a hot topic in the security industry. What are at least three areas of the
information security practice that are affected by people bringing their own electronic devices into the workplace,
and using them for work purposes? Identify the three areas, and comment briefly on how each is affected by BYOD.
9.The text describes a system development life cycle, where security is factored into a number of stages of that life
cycle. Why would it be important for a small retailer to use at least a simple form of a standard life cycle model, as
opposed to approaching decisions and development in a less-structured fashion? Why does a life cycle model
become more important as organizations grow in size and complexity? (1-2 paragraphs)
10 . Think about home security – how we protect the physical and other assets in our homes. What are at least four layers
of “defense in depth” in physical home security, and how do these compare and relate to their counterpart principles
in information security? (2-3 paragraphs)
11. Consider the recent flurry of data leaks and breaches from large, formerly reputable companies (most recently,
Yahoo!), which indicate that perhaps organizations continue to be more vulnerable than previously known. What
(perhaps additional) risk control strategies might organizations utilize to mitigate the risk and damage of these
events? How could disclosure, both of the breach itself, as well as details of how the breach happened, help to
improve security for the Internet as a whole? (2-3 paragraphs)