
1) What is crime prevention through environmental design?

A) According to Whitman and Mattord (2012), crime prevention through
environmental design (CPTED) is an outline of how one can properly build
and use the physical environment to prevent or lower the incidence of crime
in that area.
According to Zahm (2007), CPTED considers environmental conditions and
modifies or uses them in order to reduce crime or undesirable behaviors.
CPTED is important for any organization's physical security because it is
preventative in nature.
As Zahm (2007) further explains, CPTED eliminates undesirable opportunities
by providing access control, such as fences, tree lines and sidewalks near
the facility. It modifies the organization's site so that one part of the site
can be seen from another; for example, parking areas and walkways can be
seen from office windows. Proper lighting and landscaping near the
facilities allow an intruder to be seen.
2) How can you use nature to help secure an organization's physical security?
Give some examples.
A) According to Whitman & Mattord (2012), the natural environment plays a
huge role in protecting an organization against crime. It matters in terms of
the natural light and visibility it provides, and the site should have open
areas so that sound can travel easily in case of emergency.
As Whitman & Mattord (2012) further explain, open areas play a huge role in
spotting an intruder with the help of CCTV cameras. Clearly defined public
and private zones will also play a huge role in physical security.
Trees can play a huge role in security, as they provide space that mitigates
external attacks.
3) Describe the different types of fire classes and their suppression methods,
and explain why these are important when it comes to physical security.
A) According to Whitman and Mattord (2012), there are four classes of fire
relevant to today's businesses.
Class A: Common combustibles, which can arise from wood products and paper.
Suppression method: Water and foam can suppress these fires.
Class B: Liquids, with regard to petroleum products and coolants.
Suppression method: Gas, CO2 and dry powders can suppress these fires.
Class C: Electrical, in relation to electrical equipment and wires.
Suppression method: Gas, CO2, foam and dry powders.
Class D: Combustible metals, which can arise from metals like magnesium,
sodium and potassium.
Suppression method: Dry powder can suppress these fires.
According to Whitman and Mattord (2012), fire is a great threat to the
physical security of any company, so it is extremely important to know what
the types of fire are and how to suppress them. Fire can destroy physical
data and injure employees, hence it is important to understand the
preventive countermeasures.
4) Finally, why is physical security so important when it comes to having a
fully fledged information security program and architecture?
A) According to Whitman and Mattord (2012), physical security is the basic
protection any company or organization should have. Physical security
represents protection of the building sites and hence protection of company
data. Company data has to be secured, and hence physical security is of the
utmost importance.
If physical security is weak, an intruder can attack from outside, gain
control of the company's equipment and hence have access to the company's
data. To prevent external attacks by intruders, a company should be well
versed in the other aspects of physical security, such as using nature for
physical security, using security guards, having an alarm system, and using
CCTV cameras for observation.
This will reduce the impact of external attacks on the company, and the
company can focus more on internal security.
References:
Whitman, M. E., & Mattord, H. J. (2012). Principles of Information
Security. Boston: Cengage Learning.
Zahm, D. (2007). Using Crime Prevention through Environmental Design in
Problem-Solving. US Department of Justice. Retrieved from
http://www.popcenter.org/tools/pdfs/cpted.pdf
1) Explain the difference in prosecuting computer crime. Why is the law
seemingly two steps behind new technologies or new paradigms? For
example, crimes such as denial of service, ransomware and identity theft
occur or are initiated from different countries or different legal systems.
How can these malicious attacks be prosecuted?
A) According to Whitman and Mattord (2012), laws are rules or a certain
set of behaviors which are drawn from ethics or socially acceptable
behaviors. Law deals with privacy, ethics, technology, copyright, export
and espionage, so when a technology is updated or a new technology
comes into the picture, there has to be a law which takes care of all the
above aspects of the new technology.

For example, if a company releases new software in the market, there
have to be laws to safeguard its copyright, identity and privacy. So I feel
that law is not behind new technology; rather, technology has to be
improved upon or updated first, and only then can we safeguard it using
laws. So creating laws for technology is a subset associated with
technology modification (Whitman and Mattord, 2012).

2) What is the purpose of information assurance? How do information
assurance and compliance work with each other?
A) According to Techopedia (2014), information assurance (IA) is used to
protect computer information and network systems. It protects
information based on five qualities of a system, mainly integrity, availability,
authentication, confidentiality and non-repudiation.
The purpose of IA is to protect against threats in the IT world such as
phishing, worms, viruses, social engineering and identity theft.
According to US EPA (2012), compliance means conformity with laws and
regulations. Compliance makes sure that the qualities of IA are followed to
the core while protecting the data. It gives assurance that IA methods are
implemented correctly.
3) Furthermore, what are HIPAA and PCI DSS? Finally, what is the purpose of
computer forensics?
A) According to Whitman and Mattord (2012), HIPAA is the Health Insurance
Portability and Accountability Act of 1986. The primary purpose of HIPAA is to
protect the confidentiality and security of health care data. Further,
according to Whitman and Mattord (2012), HIPAA enforces the standards
and security for electronic data interchange.
HIPAA applies to all health care organizations and can heavily penalize
organizations that fail to comply with the law.
According to Whitman and Mattord (2012), PCI DSS (Payment Card Industry
Data Security Standard) requires one to encrypt credit card account numbers
stored in one's database and to ensure that the data remains secured when
transferred outside the company.
It helps to protect the data through encryption keys.
Computer forensics, according to Whitman and Mattord (2012), determines
how an incident occurred and goes into the depth of the matter. It records
the facts that emerge from the reconstruction of data. The purpose of
computer forensics is to address any further vulnerabilities, safeguard data
and prevent the incident from occurring twice. It also takes care of damage
assessment.
References:
Whitman, M. E., & Mattord, H. J. (2012). Principles of Information Security.
Boston: Cengage Learning.
Techopedia. (2014). Information Assurance. Retrieved from
http://www.techopedia.com/definition/5/information-assurance-ia
USEPA. (2012). Compliance. Retrieved from
http://www.epa.gov/compliance/basics/compliance.html

1) Explain the difference between asymmetric and symmetric encryption.
A) According to Whitman & Mattord (2012), encryption can be symmetric or
asymmetric. In symmetric encryption methods, the sender and receiver have
the same encryption key and use mathematical operations to perform
encryption and decryption. The problem with symmetric encryption methods
is that as the number of users grows, the number of keys needed becomes
unscalable.
As per Whitman & Mattord (2012), in asymmetric encryption methods the
sender and receiver have two different keys, a public key and a private key.
A public key is known to everyone, while the private key should be known
only to the sender or receiver.
2) What is PKI?
A) According to Whitman and Mattord (2012), public key infrastructure (PKI) is
the combination of software, encryption technologies, processes, and
services that enable an organization to secure its communications and
business transactions.
The ability of a PKI to secure communications and business transactions is
based on the exchange of digital certificates between authenticated users
and trusted resources.
According to SSLShopper (2014), PKI does the following:
- Authenticate users more securely than standard usernames and passwords
- Encrypt sensitive information
- Electronically sign documents more efficiently

3) How and why must you design your organization to support a PKI?
A) According to Whitman and Mattord (2012), a public key infrastructure has a
set of programs, procedures and security policies which help ensure secure
and trusted communication between sender and receiver.
It is a standard which should be followed throughout the organization in order
to enable safe transit of encrypted data for both parties. If PKI is
implemented, it can prevent third-party intrusion.
PKI uses digital signatures to attest the public keys of individual entities.
The Certification Authorities (CAs), which play the central role in PKI, issue
certificates signing the public key of each entity, with the digital signature
created by encrypting the entity's public key with the CA's private key.
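As an added illustration, not part of the original answer or of Whitman and Mattord's text, the following Python models the CA role described above with textbook RSA: the CA signs an entity's public key to produce a certificate, and a relying party validates that certificate against the CA's public key, rejecting one whose key was swapped after issue. The CA, the entity "alice@example.com", the small hard-coded primes and the JSON certificate layout are constructed assumptions for this toy.

```python
import hashlib
import json

# Assumption: textbook RSA with a fixed public exponent and small, hard-coded
# primes. This is a constructed teaching model, not production key material.
E = 65537

def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

def digest(payload, n):
    """SHA-256 of the payload, reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def sign(private, payload):
    return pow(digest(payload, private["n"]), private["d"], private["n"])

def verify(public, payload, signature):
    return pow(signature, public["e"], public["n"]) == digest(payload, public["n"])

def encode_tbs(tbs):
    """Canonical bytes of the to-be-signed fields (key order fixed)."""
    return json.dumps(tbs, sort_keys=True).encode()

def issue_certificate(ca_private, issuer, subject, subject_public):
    """The CA attests the subject's public key by signing it."""
    tbs = {"issuer": issuer, "subject": subject, "public_key": subject_public}
    return {"tbs": tbs, "signature": sign(ca_private, encode_tbs(tbs))}

def validate_certificate(ca_public, cert):
    """A relying party checks the CA's signature before trusting the key."""
    return verify(ca_public, encode_tbs(cert["tbs"]), cert["signature"])

def swapped_key_certificate(cert, other_public):
    """Copy of cert whose public key was replaced without the CA's involvement."""
    return {"tbs": dict(cert["tbs"], public_key=other_public),
            "signature": cert["signature"]}

# Constructed actors; the primes are well-known small primes, not real key sizes.
CA_PUB, CA_PRIV = make_keypair(1000000007, 998244353)
ALICE_PUB, ALICE_PRIV = make_keypair(1000000009, 999999937)
MALLORY_PUB, _ = make_keypair(1000000007, 999999937)
ALICE_CERT = issue_certificate(CA_PRIV, "Toy CA", "alice@example.com", ALICE_PUB)

if __name__ == "__main__":
    print("genuine cert valid:", validate_certificate(CA_PUB, ALICE_CERT))
    print("swapped-key cert valid:", validate_certificate(
        CA_PUB, swapped_key_certificate(ALICE_CERT, MALLORY_PUB)))
```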
4) What is the purpose of hashing, and when it comes to hashing, what is a
collision attack?
A) According to Rouse (2014), hashing is the transformation of a string of
characters into a usually shorter fixed-length value or key that represents
the original string.
Hashing can be used to accomplish tasks such as generating new keys and
passwords for security.
In computer science, a collision or clash is a situation that occurs when two
distinct pieces of data have the same hash value, checksum, fingerprint, or
cryptographic digest.
The impact of a collision depends on the hash value.
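As an added example, not from the original answer or its sources, the Python below searches a series of constructed inputs for the first pair of distinct inputs with an equal digest. A deliberately truncated SHA-256 stands in for a short checksum and collides after a few hundred inputs (the birthday bound), while the same search over full SHA-256 finds nothing, which is why the size of the hash value governs how much a collision matters.

```python
import hashlib

def truncated_sha256(bits):
    """Return a hash function keeping only the low `bits` bits of SHA-256.
    Assumption: this stands in for any short checksum or fingerprint."""
    mask = (1 << bits) - 1
    def h(data: bytes) -> int:
        return int.from_bytes(hashlib.sha256(data).digest(), "big") & mask
    return h

def full_sha256(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def find_collision(hash_fn, limit):
    """Hash the constructed inputs input-0, input-1, ... and return the first
    (input_a, input_b, digest) with input_a != input_b and equal digests,
    or None if no collision appears within `limit` inputs."""
    seen = {}
    for i in range(limit):
        data = f"input-{i}".encode()
        digest = hash_fn(data)
        if digest in seen:
            return seen[digest], data, digest
        seen[digest] = data
    return None

def birthday_bound(bits):
    """Roughly how many inputs are needed before a collision becomes likely."""
    return int(2 ** (bits / 2))

if __name__ == "__main__":
    print("16-bit digest collision:", find_collision(truncated_sha256(16), 5000),
          "expected after about", birthday_bound(16), "inputs")
    print("full SHA-256 collision within 5000:", find_collision(full_sha256, 5000))
```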
References:
Princeton (2014). Hash collision. Retrieved from
https://www.princeton.edu/~achaney/tmve/wiki100k/docs/Hash_collision.html

1) Should your information technology department and information security
department report to the same department head? Or should your IT and IS
departments work separately? Why or why not?
The information technology department and the information security
department must report to the same department head.
The information technology (IT) department can be considered the parent
department, with the information security (IS) department as the child
department. The IT department cannot develop a program that is in line with
security policies and procedures without coordinating with the IS department.
The information security department is responsible for protecting the
information assets of the organization through its policies. It would be
irresponsible for the IT department not to work with the IS department, as
the IT department develops new programs based on the requirements of the
IS department.
Below are some of the advantages of the IT and IS departments working together:
- The creation of one system for managing all security, including a
streamlined workflow for creating, deleting and modifying user identities;
- A unified network policy for both local network and remote access that
leverages location and status information from physical access systems;
- Improved user access and help in solving privacy concerns;
- A practical and affordable second authentication factor;
- Greater from existing infrastructure;
- Better coordination of security resources in critical and emergency
situations;
- An identity-based reporting system for use in forensic investigations; and
- Assistance with company-wide compliance efforts.


2) What are split knowledge, separation of duties and mandatory vacation,
and why should these administrative countermeasures be part of your normal
security operational procedures?
Split knowledge - It prevents any one person from knowing the complete
value of an encryption key or passcode. Two or more people each know
part of the value, and all must be present to create or re-create the
encryption key or passcode. It is required for the creation of the master keys
which are in turn needed to protect data encryption keys. Any encryption
keys that are accessed or handled in the clear in any way should be protected
using split knowledge.
Separation of duties - It means that different people control different
procedures so that no one person controls multiple procedures. In the case of
encryption key management, two different persons should manage the
encryption keys and the encrypted data. It prevents fraud and other
mishandling of information.
Mandatory vacation - A mandatory vacation policy requires employees to use
their vacations at specific times of the year or to use all of the vacation days
allotted for a single year. Individuals who are stealing from the organization
or otherwise misusing information or systems are, in general, reluctant to
take vacations, for fear that their actions will be detected. This policy helps
detect security issues with employees, such as fraud or other internal hacking
activities, because the anomalies might surface while the user is away.
These practices should be part of any organization in order to avoid a major
data breach. Introducing these countermeasures reduces the chances of
fraud or malfeasance caused by the mishandling of data, or of a data loss
caused by hackers, employees, or stolen or lost hardware.
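The split knowledge control described above, as an added example that is not part of the original answer: a master key is divided into XOR shares, one per custodian, so that every share is required to rebuild it and any smaller subset is statistically independent of the key. The three-custodian ceremony and the truncated-SHA-256 key check value (KCV) used to confirm the rebuilt key without exposing it are assumptions of this illustration.

```python
import hashlib
import secrets

def xor_all(parts):
    """XOR equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for part in parts:
        out = bytes(a ^ b for a, b in zip(out, part))
    return out

def key_check_value(key: bytes) -> str:
    """Short fingerprint that lets custodians confirm a reconstructed key
    without exposing it. Assumption: a truncated SHA-256 stands in for
    whatever KCV scheme the organization actually uses."""
    return hashlib.sha256(key).hexdigest()[:8]

def split_key(key: bytes, custodians: int) -> list:
    """Split a key into XOR shares, one per custodian. All shares are needed;
    any smaller subset is statistically independent of the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    shares.append(xor_all(shares + [key]))  # final share makes the XOR equal the key
    return shares

def reconstruct_key(shares, expected_kcv: str) -> bytes:
    """Combine the shares presented at a key ceremony and check the result
    against the KCV recorded when the key was created."""
    candidate = xor_all(shares)
    if key_check_value(candidate) != expected_kcv:
        raise ValueError("KCV mismatch: a share is missing or corrupted")
    return candidate

def shares_sufficient(shares, expected_kcv: str) -> bool:
    """True only when the presented shares rebuild the recorded key."""
    return key_check_value(xor_all(shares)) == expected_kcv

# Constructed demonstration: a 256-bit master key held by three custodians.
MASTER_KEY = secrets.token_bytes(32)
KCV = key_check_value(MASTER_KEY)
SHARES = split_key(MASTER_KEY, 3)

if __name__ == "__main__":
    print("all three custodians present:", shares_sufficient(SHARES, KCV))
    print("only two present:", shares_sufficient(SHARES[:2], KCV))
```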
