Chapter 3
1. Name and describe two (2) U.S.-based compliance laws that exist.
A. The Federal Information Security Management Act (FISMA) was passed into law in 2002 to make sure that all federal agencies protect their data. Agencies must make sure they protect data stored on their systems. They must also inventory their systems, perform risk assessments, possibly put systems through a certification and accreditation process, and continue to monitor systems to make sure they stay secure. FISMA also requires agencies to conduct an annual inspection that tests for effectiveness. A sample of policies, procedures, and practices is tested to evaluate how effective the program is.
B. The Sarbanes-Oxley Act (SOX) was passed into law in 2002 for publicly traded companies. The law holds board members, specifically chief executive officers (CEOs) and chief financial officers (CFOs), responsible for financial data. CEOs and CFOs must be able to verify financial statements and prove those statements are accurate; if they do not, they will be held liable.
2. Discuss the levels of the CMMI process improvement approach.
There are five levels of the Capability Maturity Model Integration (CMMI). These five levels are:
0: Nonexistent, there are no security features in place.
1: Initial, risks are considered only after a threat exploits vulnerabilities.
2: Managed, the organization realizes there is a need for security because of risks, but a detailed plan is not made; instead, the response to incidents is reactive.
3: Defined, action is proactive. The organization has policies in place to counter threats.
4: Quantitatively Managed, the organization has formal policies and procedures and performs regular risk assessments and vulnerability assessments.
5: Optimized, the organization has formal processes, monitors security continuously, and also focuses on process improvement.
Chapter 4
1. What is Scope and why