Information Security Experts Only

Student Name:

Note: There is no minimum or maximum page length for your answer sheet. Answer questions with well-thought-out answers, explain your answer, and show your work. Answers without an explanation, even if right, will get no credit (you must also include references for each problem, APA style). The test is open book/notes/internet, but individual, NOT TO BE SHARED. There is no limitation in terms of space for each answer, as the content is more important than the quantity. Save the file as a Word file (such as jbonner_MIDTERM_INFA670_SPRING_2020) and post it in the Assignment Folder before the deadline. Do keep the questions/instructions in this Word file with your answers. (DUE TO THE ASSIGNMENT FOLDER BY 2359 (EST).)

Note: Questions or concerns on the mid-term must be directed to me by e-mail or phone call and not to be placed on our Class site. No Wiki references will be allowed!!

Each day late will have the final midterm grade marked down by 10% per day, and the midterm will not be accepted after 72 hours from the due date/time.

 

1) (10 pts.) Requirements are often difficult to derive, especially when the environments in which the system will function, and the specific tasks it will perform, are unknown. Explain the problems that this causes during the development of assurance.

 

2) (10 pts.) Why is the waterfall model of software engineering the most commonly used method for the development of trusted systems?

 

3) (10 pts.) What are the conceptual differences between a reference validation mechanism, a trusted computing base, and the TOE Security Functions?

 

4) (10 pts.) Identify the specific requirements in the Common Criteria that describe a reference validation mechanism. Hint: Look in both the security functional classes and the security assurance classes.

Ref: Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components, September 2007. http://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R2.pdf

Common Criteria for Information Technology Security Evaluation, Part 2: Security functional components, September 2007. https://www.ipa.go.jp/security/jisec/cc/documents/CCPART2V3.1R2.pdf

5) (10 pts.) Discuss penetration testing versus flaw testing (4 pts.).

· Who would perform the penetration test on a government system: NSA or DHS, and why? (2 pts.)

· Penetration testing can solve a lot of issues for me except ………… (2 pts.)

· What is the most important document to provide to the penetration team for their use in the testing? (2 pts.)

 

6) (10 pts.) Formal specifications are very important in what stage of the lifecycle (see figure below)? Discuss your answer. Where in the lifecycle would I use both the CMMI process and formal specification together, and why? Give an example.

[Figure: lifecycle diagram referenced by question 6, not reproduced here]

7) (10 pts.) Design an audit system (6 pts.). Which part of your audit system is used to sanitize data (2 pts.)? Which part of the audit system should have caught Snowden (NSA Spy), and why? (2 pts.)

 

8) (14 pts.) Essay question: Type-1 certification (TOP SECRET) focuses on development methodology. How would you address this certification issue with your hypothetical company (make one up for this problem) for the system (for example, an operating system) that you are trying to certify at the TOP SECRET level? This certification issue focuses on two areas: (a) Software Development Process and (b) Life Cycle Model. Hint: Remember, you are focusing on security as your top priority for this case, and not necessarily on performance. (All the external information you need to answer this question is on the Internet (no other sources allowed), and you don't need a security background on this subject. In addition, this subject has been addressed in a previous course in the INFA curriculum (610).) This is a capstone question to get you thinking as a computer security system designer for information assurance.

 

9) (6 pts.) You have two (2) data centers, shown below. You are the information security design engineer for Bonner Corporation. You have been asked to develop three (3) requirements for the data centers that address CIA (confidentiality, integrity, and availability). Please identify which requirements you are addressing and describe each in detail.

[Figure: two data centers, labelled DC1 and DC2, not reproduced here]

 

10) (10 pts.) Develop an RTM based on the information listed below. After completing the RTM, answer the following questions.

 

MNS (1, 2, 3), CDP (10, 20, 30), CONOPS (100, 200, 300), and ORD (1000, 2000, 3000). (6 pts.)

 

(a) What does CONOPS 200 represent? (2 pts.)

(b) Can I use this information for testing? Why or why not? (2 pts.)

NOTE:

RTM - Requirements Traceability Matrix, MNS - Mission Need Statement, CDP - Capability Development Plan, CONOPS - Concept of Operations, and ORD - Operational Requirement Document

Hint: Use a spreadsheet or develop a table for the mapping (see the reference URL for a hint):
