Texas Collaborative Module Wireless Security Technology
IS Policy, Standards, and Guidelines Quiz
1. How can a security framework assist in the design and implementation of a security infrastructure?
2. Where can a security administrator go to find information on established security frameworks?
3. What are the inherent problems with ISO 17799, and why hasn’t the U.S. adopted it? What are the recommended alternatives?
4. What documents are available from the NIST Computer Resource Center, and how can they support the development of a security framework?
5. Can an organization that does not use the VISA cardholder protection system in conjunction with the processing of credit cards benefit from VISA’s security framework? How?
6. What benefit can a private, for-profit agency derive from best practices designed for federal agencies?
7. What resources are available on the Web to aid an organization in developing best practices as part of a security framework?
8. Briefly describe a management, an operational, and a technical control, and explain when each would be applied as part of a security framework.
9. What is the difference between a policy, a standard, and a practice? What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?
10. Who is ultimately responsible for managing a technology? Who is responsible for enforcing it?
11. What is contingency planning? How is it different from routine management planning? What are components of contingency planning?
12. When is IRP used?
13. When is DRP used?
14. When is BCP used? How do you determine when to use IRP, DRP, or BCP plans?
15. What are the five elements of a business impact analysis?
16. What are Pipkin’s three categories of incident indicators?
17. What is containment and why is it part of the planning process?
18. What is computer forensics? When are the results of computer forensics used?
19. What is an after-action review? When is it performed? Why is it done?
20. List and describe the six continuity strategies.