ISEC NOTES CHAPTER 1-4

The document covers fundamental concepts of information security, including its principles, evolution, and the roles of professionals involved. It emphasizes the importance of integrating security into the systems development life cycle (SDLC) and outlines various threats to information security, such as malware and phishing. Additionally, it discusses risk management strategies, security management roles, and the significance of contingency planning in maintaining organizational operations during emergencies.

Uploaded by nkunalotricia

CHAPTER 1

🔐 Theme 1: Principles of Information Security

✅ Learning Outcomes (LOs) Covered

• LO1: Explain the concepts related to information security
• LO2: Describe the evolution of information security
• LO3: Discuss the role of security in the systems development life cycle (SDLC)
• LO4: Distinguish between the roles of professionals in information security

🌟 1. What is Information Security?

Information Security (InfoSec) is the process of protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. It focuses on confidentiality, integrity, and availability (called the CIA Triad):

• Confidentiality: Only authorized people can access information.
• Integrity: Information is accurate and unchanged.
• Availability: Information is accessible when needed.

🕰️ 2. Evolution of Information Security

• Pre-computer era: Security was about locking filing cabinets and physical safes.
• Mainframe era: Simple passwords protected central computers.
• Networked era: As systems connected via LANs/WANs/Internet, security needed to protect data in motion.
• Modern era: Cybersecurity threats include hackers, malware, social engineering, etc. Security now includes people, processes, and technology.

🔄 3. Security in the Systems Development Life Cycle (SDLC)

Integrating security at every phase of the SDLC helps prevent vulnerabilities:

SDLC Phase – Security Focus

• Initiation – Identify security requirements.
• Planning – Create a security plan.
• Design – Design with secure architecture, encryption, and authentication in mind.
• Implementation – Test code for security flaws.
• Testing – Perform security testing (e.g., penetration testing).
• Deployment – Use secure configurations.
• Maintenance – Apply security updates/patches and monitor threats.

👨‍💻 4. Roles of Professionals in InfoSec

Role – Responsibility

• Chief Information Security Officer (CISO) – Oversees all info security programs in the organization.
• IT Manager – Manages IT staff and ensures infrastructure supports security.
• Security Analyst – Monitors threats, analyses risks, and recommends solutions.
• Software Developer – Writes secure code and ensures applications are not vulnerable.
• End Users – Follow security policies, use strong passwords, avoid risky behaviors.

🛡️ Theme 2: The Need for Security

✅ Learning Outcomes (LOs) Covered

• LO5: Discuss the organisational need for information security
• LO6: Differentiate types of threats to information security
• LO7: Analyse the impact of weak coding on security

🏢 1. Why Organizations Need InfoSec

Organizations collect and store sensitive data (like customer records, financial data). Protecting it matters because:

• If this data is compromised, it can result in financial loss, legal action, and loss of trust.
• Laws and regulations (e.g., POPIA, GDPR) require protecting data.
• It helps organizations maintain business continuity.

💣 2. Types of Threats to Information Security

Threat Type – Example(s)

• Malware – Viruses, worms, trojans, ransomware
• Phishing – Fake emails tricking users into giving up personal info
• Denial-of-Service – Flooding a system to crash it
• Insider Threats – Employees misusing access
• Software Bugs – Poor coding that creates vulnerabilities
• Physical Threats – Theft, fire, natural disasters affecting hardware

💻 3. Weak Coding and Security Risks

Poor coding practices can open doors to attackers:

• SQL Injection: If input is not sanitized, attackers can access the database.
• Cross-Site Scripting (XSS): Attackers inject code into websites to steal user data.
• Unvalidated Input: Not checking input types allows code execution.
• Hardcoded Passwords: Using fixed passwords in code exposes systems.
• No Error Handling: Reveals system info when crashes happen.
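As an added example that is not part of these notes, here are the SQL Injection and Unvalidated Input points above in Python with the standard sqlite3 module: a lookup that pastes input into the query text, next to a parameterised version and an input-validated version. The table, rows and usernames are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "staff"), ("carol", "staff")])
    return con


def lookup_vulnerable(con, username):
    # Weak coding: unsanitised input becomes part of the SQL text, so a value
    # containing quotes can change what the query means and expose the table.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return con.execute(query).fetchall()


def lookup_safe(con, username):
    # Parameterised query: the value travels separately from the SQL text and
    # is only ever treated as data, whatever characters it contains.
    query = "SELECT username, role FROM users WHERE username = ?"
    return con.execute(query, (username,)).fetchall()


def lookup_validated(con, username):
    # Unvalidated Input point: check type and shape before the database sees it.
    if not isinstance(username, str) or not username.isalnum() or len(username) > 32:
        raise ValueError("username must be 1-32 letters or digits")
    return lookup_safe(con, username)


if __name__ == "__main__":
    con = make_db()
    bad_input = "' OR '1'='1"  # a quoted value rather than a real username
    print(lookup_vulnerable(con, bad_input))  # every row comes back
    print(lookup_safe(con, bad_input))        # []: no user has that name
```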

📝 Quiz: Information Security Fundamentals (ISEC6321)

Theme 1: Principles of Information Security

1. What does the CIA triad in information security stand for?

a) Control, Integrity, Access

b) Confidentiality, Integrity, Availability

c) Confidentiality, Internet, Access

d) Control, Information, Authentication

2. True or False: Information security only focuses on protecting data from hackers.

3. Match the SDLC phase with its security activity:

• Initiation
• Design
• Maintenance
• Implementation

a) Writing secure code

b) Identifying security requirements

c) Applying patches and monitoring systems

d) Secure architecture and encryption

4. Which of the following roles is responsible for overseeing all information security programs in an organisation?

a) IT Technician

b) Software Developer

c) CISO

d) Database Administrator

5. What is meant by "integrity" in information security?

6. Fill in the blank: In the SDLC, the __________ phase involves conducting security testing like penetration testing and vulnerability scans.

7. True or False: End users are not responsible for any part of information security.

8. Which of the following is NOT part of the CIA triad?

a) Accountability

b) Integrity

c) Confidentiality

d) Availability

9. Give one example of how a Security Analyst contributes to an organisation's security.

10. Why is it important to include security early in the SDLC?

Theme 2: The Need for Security

11. Which of the following is a type of technical threat to information security?

a) Fire

b) Ransomware

c) Employee strike

d) Theft of paper files

12. What is the purpose of information security in an organisation?

13. Explain what a phishing attack is.

14. True or False: Weak coding practices cannot be exploited by attackers.

15. Which of the following can result from a data breach?

a) Legal penalties

b) Customer trust loss

c) Financial damage

d) All of the above

16. Fill in the blank: SQL injection is an example of an attack due to _______________.

17. What law in South Africa requires organisations to protect personal data?

18. Which role is mainly responsible for ensuring code written does not introduce vulnerabilities?

a) Security Analyst

b) Software Developer

c) End User

d) IT Support

19. Give one example of a physical threat to information security.

20. List two consequences of ignoring information security in a business.

Chapter 2

🔐 Learning Unit 2: Risk Management and Security Management

📌 Theme 1: Risk Management

✅ LO1: What is Risk Management?

Risk Management is a plan to protect something important (like data or systems) by:

• Identifying what could go wrong (risks),
• Assessing how bad it would be if it did,
• Controlling or reducing those risks.

Example: A company stores customer credit card info. Risk management helps them find out:

• What threats exist (hackers, fire, employee mistakes),
• How likely and how harmful they are,
• And what to do to reduce those risks (firewalls, backups, training).

✅ LO2: Difference Between:

• Risk Identification: Finding what could go wrong (e.g., “someone might hack into our system”).
• Risk Assessment: Figuring out how likely and how bad each risk is.
• Risk Control: Deciding how to prevent or reduce the risk (e.g., using strong passwords, antivirus software).

✅ LO3: Key Components of Risk Identification

To identify risks, look at:

1. Assets – What do you want to protect? (data, systems, people)
2. Threats – What could harm the assets? (viruses, hackers, floods)
3. Vulnerabilities – Weak points that threats could exploit (outdated software, unlocked doors).

✅ LO4: Stages of Risk Assessment

1. Identify risks
2. Analyze how serious they are (likelihood × impact)
3. Prioritize the biggest ones
4. Decide on actions to reduce them

Example: A small risk with a big impact may still need attention.

✅ LO5: Risk Control Strategies

Ways to control risk include:

Strategy – Description – Example

• Avoidance – Stop doing risky things – Don’t store credit card data
• Transference – Shift risk to someone else – Buy insurance or outsource
• Mitigation – Reduce impact – Install security software
• Acceptance – Accept the risk – If the cost to fix is more than the risk
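An added example (not from the notes) that walks the four assessment stages and the strategy table above through the credit-card company example in Python. The risk register, likelihoods, loss figures and the IMPACT_TOLERANCE threshold are constructed values, not figures from the notes.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float    # chance the threat occurs in a year (0.0 to 1.0)
    impact: float        # estimated loss if it does, in currency units
    control: str         # the control proposed to reduce the risk
    control_cost: float  # yearly cost of that control

    def score(self) -> float:
        # Stage 2 of risk assessment: how serious is it? likelihood x impact,
        # read here as the expected yearly loss.
        return self.likelihood * self.impact


# Any single loss above this is too big to simply live with (constructed value).
IMPACT_TOLERANCE = 100_000

# Stage 1, identify risks: a constructed register for the company storing card data.
REGISTER = [
    Risk("card database", "external hacker", 0.10, 500_000, "patching + firewall", 20_000),
    Risk("card database", "server-room fire", 0.01, 400_000, "gas suppression", 15_000),
    Risk("card database", "employee mistake", 0.50, 5_000, "staff training", 1_000),
    Risk("office printer", "theft", 0.20, 800, "cable lock", 900),
]


def prioritise(register):
    # Stage 3: biggest expected loss first.
    return sorted(register, key=lambda r: r.score(), reverse=True)


def choose_strategy(risk: Risk) -> str:
    # Stage 4: pick a control strategy from the table above.
    if risk.control_cost < risk.score():
        return "mitigation"      # the control costs less than the risk it removes
    if risk.impact > IMPACT_TOLERANCE:
        return "transference"    # rare but unaffordable: insure or outsource it
    return "acceptance"          # fixing it costs more than the risk is worth


def plan(register):
    # Returns (threat, expected loss, strategy) in priority order.
    return [(r.threat, r.score(), choose_strategy(r)) for r in prioritise(register)]


if __name__ == "__main__":
    for threat, expected, strategy in plan(REGISTER):
        print(f"{threat:18} expected loss {expected:>9,.0f}  -> {strategy}")
```

Avoidance (not storing the card data at all) is a business decision that lives outside the register, so the function only chooses among the other three strategies; the fire row shows the "small risk, big impact" case that still needs attention.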

📌 Theme 2: Security Management

✅ LO6: Roles and Responsibilities

Everyone has a job to do in protecting information:

• Top management: Set rules, provide resources
• IT team: Install and maintain security
• Employees: Follow policies, report issues
• Security Officer: Oversees it all

✅ LO7: Policies, Standards, Practices

Think of it like this:

• Policy: The rule (e.g., “No one shares passwords”)
• Standard: How the rule is applied (e.g., “Passwords must be 12 characters”)
• Practice: The actions you take (e.g., changing passwords every 60 days)

These help keep everything clear and consistent.

✅ LO8: Information Security Blueprint

This is like a security plan for the whole organization. It shows:

• What needs protecting
• How it will be protected
• Who’s responsible

It includes technical tools (like firewalls) and processes (like training).

✅ LO9: Security Education, Training, and Awareness (SETA)

Why teach security?

• Education: Big-picture understanding for IT professionals
• Training: Specific skills (e.g., using a new system securely)
• Awareness: Reminding all staff of everyday security habits

Goal: Everyone should know how to avoid mistakes like clicking on phishing emails.

📌 Theme 3: Incident and Contingency Planning

✅ LO10: Contingency Planning

Think of it as “Plan B.”

It helps the business keep running during emergencies, like:

• Cyberattacks
• Fires
• System crashes

✅ LO11: Need for Contingency

Because no system is perfect, and problems can happen anytime. Being prepared saves time, money, and reputation.

Example: If the power goes out, the plan might include using backup generators and restoring systems from backups.

✅ LO12: Main Parts of Contingency Plans

1. Incident Response Plan (IRP) – What to do immediately after something bad happens (e.g., alert the IT team).
2. Disaster Recovery Plan (DRP) – How to fix the systems (e.g., restore data from backups).
3. Business Continuity Plan (BCP) – How to keep the company running while fixing things.

✅ LO13: Digital Forensics

This is like the “CSI” of computers.

It’s the process of:

• Collecting evidence (files, logs),
• Analyzing it to find out what happened (who hacked us, when, how),
• Helping with legal or internal action.

✅ LO14: Testing Contingency Plans

You must test your emergency plans to be sure they work:

• Do drills like fire drills (e.g., simulate a cyberattack),
• Fix any problems found during the test,
• Make sure everyone knows their roles.

✅ Summary

Theme – Focus

• Risk Management – Identifying, assessing, and controlling threats
• Security Management – Roles, policies, and planning for good security
• Incident/Contingency Planning – Handling problems and continuing operations

✅ Quiz Questions (No Answers Yet)

Theme 1: Risk Management

1. What is the main goal of risk management in information security?
2. Define the difference between risk identification, risk assessment, and risk control.
3. Name three key components involved in risk identification.
4. What are the four common risk control strategies?
5. Why is it important to assess the likelihood and impact of each risk?

Theme 2: Security Management

6. Who is responsible for overseeing the implementation of an organization’s security policies?
7. What is the difference between a security policy, a standard, and a practice?
8. What is the purpose of an information security blueprint?
9. Why is a Security Education, Training, and Awareness (SETA) program important for all employees?

Theme 3: Incident and Contingency Planning

10. What is the main purpose of contingency planning in information security?
11. What are the three major components of contingency planning?
12. What is the role of digital forensics in an information security incident?
13. Why is it important to regularly test contingency plans?

✅ Quiz Answers (Check After You Try)

Theme 1: Risk Management

1. To identify, assess, and reduce risks to an acceptable level while maintaining business operations.
2.
   a. Risk Identification: Finding what could go wrong.
   b. Risk Assessment: Analyzing the impact and likelihood of those risks.
   c. Risk Control: Deciding and applying ways to reduce or handle the risks.
3. Assets, threats, vulnerabilities.
4. Avoidance, transference, mitigation, acceptance.
5. To prioritize which risks to deal with first and choose the best control method.

Theme 2: Security Management

6. The Information Security Officer (ISO) or Chief Information Security Officer (CISO).
7.
   a. Policy: High-level rule (e.g., “Do not share passwords”)
   b. Standard: Specific requirements (e.g., “Passwords must be 12 characters”)
   c. Practice: Day-to-day actions (e.g., changing passwords regularly)
8. To provide a structured plan for securing the organization’s systems and data.
9. To ensure all staff understand their role in protecting information and know how to avoid common threats.

Theme 3: Incident and Contingency Planning

10. To prepare the organization to respond to unexpected incidents and maintain operations.
11. Incident response, disaster recovery, and business continuity planning.
12. To investigate the cause and method of an attack and gather legal evidence.
13. To ensure the plan works in real situations and that staff know their responsibilities.

Chapter 3

✅ Learning Unit 3: Security Technology (Made Simple)

🔒 Theme 1: Access Control

💡 What is Access Control?

Think of access control like a security gate for information. It controls who can enter, what they can do, and what they can’t do inside a system or building.

🧱 1. Role of Access Control

• It protects sensitive information from being accessed by unauthorized people.
• Ensures only the right people can access the right data at the right time.

⚙️ 2. Basic Functions of Access Control Systems

There are three key functions:

1. Identification – “Who are you?” (e.g., typing in a username)
2. Authentication – “Prove it’s really you” (e.g., password, fingerprint)
3. Authorization – “What are you allowed to do?” (e.g., view only or edit files)

🧬 3. Biometrics as Access Control

Biometrics use body features to identify people:

• Fingerprint scanners
• Facial recognition
• Iris scans

Pros: Hard to fake, always with you

Cons: Can be expensive, privacy concerns

🏛️ 4. Access Control Models

These are rules or methods used to control access:

• MAC (Mandatory Access Control) – Strict rules set by the system, not users.
• DAC (Discretionary Access Control) – Owners control who gets access.
• RBAC (Role-Based Access Control) – Access is based on job roles.

🛡️ Theme 2: Protecting Connections
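
As an added example that is not from the notes, the same access request decided under each of the three models in Python: MAC compares system-assigned labels, DAC consults an owner-maintained access list, and RBAC checks the permissions of the user's roles. Users, files, labels and roles are constructed.

```python
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# --- MAC: labels are assigned by the system; users cannot change them ---
CLEARANCE = {"alice": "secret", "bob": "internal"}                 # constructed
CLASSIFICATION = {"payroll.xlsx": "confidential", "menu.txt": "public"}


def mac_allows(user: str, resource: str, action: str) -> bool:
    # Simplified rule: the user's clearance must be at least the resource's
    # label, whatever the action. Neither user nor owner can grant exceptions.
    return LEVEL[CLEARANCE.get(user, "public")] >= LEVEL[CLASSIFICATION[resource]]


# --- DAC: the owner of a resource decides who may do what with it ---
OWNER = {"payroll.xlsx": "alice", "menu.txt": "carol"}
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "menu.txt": {"carol": {"read", "write"}},
}


def dac_allows(user: str, resource: str, action: str) -> bool:
    return action in ACL.get(resource, {}).get(user, set())


def dac_grant(granter: str, resource: str, user: str, action: str) -> None:
    # Only the owner may edit the list; that discretion is also the model's
    # weakness, since an owner can over-share without the system objecting.
    if OWNER.get(resource) != granter:
        raise PermissionError(f"{granter} does not own {resource}")
    ACL.setdefault(resource, {}).setdefault(user, set()).add(action)


# --- RBAC: permissions attach to job roles, and users are assigned roles ---
ROLE_PERMISSIONS = {
    "hr": {("payroll.xlsx", "read"), ("payroll.xlsx", "write")},
    "staff": {("menu.txt", "read")},
}
USER_ROLES = {"alice": {"hr", "staff"}, "bob": {"staff"}}


def rbac_allows(user: str, resource: str, action: str) -> bool:
    # Changing a person's job means changing their roles, not editing every ACL.
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def decide(model: str, user: str, resource: str, action: str) -> bool:
    # The authorization step of the three functions above; it assumes the user
    # has already been identified (username) and authenticated (password etc.).
    checks = {"MAC": mac_allows, "DAC": dac_allows, "RBAC": rbac_allows}
    return checks[model](user, resource, action)


if __name__ == "__main__":
    for model in ("MAC", "DAC", "RBAC"):
        print(model, "bob read payroll.xlsx ->", decide(model, "bob", "payroll.xlsx", "read"))
```

The same request (bob reading payroll.xlsx) is refused by MAC because his clearance is too low, allowed by DAC because the owner listed him, and refused by RBAC because his role carries no payroll permission.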

🔥 5. Types of Firewalls

Firewalls are like security guards that inspect traffic coming in or out.

• Packet Filtering – Looks at small pieces of data.
• Stateful Inspection – Remembers past traffic and checks new traffic accordingly.
• Proxy Firewalls – Act as a middleman for your device.
• Next-Gen Firewalls – Smarter; check apps and behavior too.

🖥️ 6. Network Security Architectures

Ways to design secure networks:

• Single Bastion Host: One heavily protected computer that controls access.
• Screened Host: Adds a firewall between users and the protected system.
• Screened Subnet (DMZ): Isolates public-facing services to keep internal systems safer.

✅ 7. Firewall Best Practices

• Use strong, updated rules.
• Block unused ports and services.
• Log activity and monitor it regularly.

🧹 8. Content Filters

These block harmful or unwanted content (e.g., porn, malware websites).

Used in:

• Schools
• Businesses
• Public Wi-Fi

🌐 9. Controlling Remote and Dial-up Access

Controls how people connect to the network from far away.

• Require strong authentication
• Use encryption to protect the data being sent

🕵️ 10. Virtual Private Networks (VPNs)

A VPN creates a secure tunnel for internet traffic.

• Encrypts the connection
• Hides your location
• Used for remote work and privacy

🕵️‍♀️ Theme 3: Detecting and Preventing Intrusions

🚨 11. Intrusion Detection and Prevention Systems (IDPS)

IDPS = security alarms for networks and computers

• Detection: Notices something suspicious (like an alarm)
• Prevention: Blocks the attack before it causes harm

🌐 12. Network-Based IDPS

• Detects attacks on the whole network
• Can miss individual device attacks

📶 13. Wireless IDPS Issues

Wireless attacks are harder to detect because:

• Devices move
• Signals are hard to monitor
• Easier to spoof (pretend to be someone else)

⚔️ 14. Types of IDPS

• Host-based: Monitors one computer
• Network-based: Monitors all traffic on a network
• Signature-based: Looks for known attack patterns
• Anomaly-based: Looks for unusual behavior
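
As an added example that is not part of the notes, a signature-based and an anomaly-based detector in Python run over constructed web-server log lines (not real traffic): the first matches known attack patterns in the request path, the second flags a source whose failed logins far exceed a baseline learned from an ordinary day.

```python
import re
from collections import Counter

# Constructed log lines in the form "<source-ip> <method> <path> <status>".
NORMAL_DAY = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 POST /login 401",
    "10.0.0.5 POST /login 200",
    "10.0.0.8 GET /about.html 200",
    "10.0.0.8 POST /login 401",
    "10.0.0.8 POST /login 401",
    "10.0.0.8 POST /login 200",
]
TODAY = NORMAL_DAY + [
    "198.51.100.7 GET /static/../../etc/passwd 404",
    "10.0.0.9 GET /search?q=<script>x</script> 200",
] + ["203.0.113.9 POST /login 401"] * 12

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

# Signature-based: patterns that match known attack traffic.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "cross-site scripting": re.compile(r"<script", re.IGNORECASE),
}


def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def signature_alerts(lines):
    # One alert per (source, signature name) hit; unknown attacks produce none.
    hits = []
    for src, _method, path, _status in parse(lines):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((src, name))
    return hits


def failed_logins(lines):
    return Counter(src for src, method, path, status in parse(lines)
                   if method == "POST" and path == "/login" and status == 401)


def learn_baseline(lines):
    # Anomaly-based systems first learn what "normal" looks like: here, the most
    # failed logins any single source produced on an ordinary day.
    return max(failed_logins(lines).values(), default=0)


def anomaly_alerts(lines, baseline, factor=3):
    # Flag sources whose failures exceed the baseline by a wide margin. None of
    # their requests matches a signature; only the volume is unusual.
    return [(src, n) for src, n in failed_logins(lines).items() if n > baseline * factor]


if __name__ == "__main__":
    baseline = learn_baseline(NORMAL_DAY)
    print("signature alerts:", signature_alerts(TODAY))
    print("anomaly alerts:", anomaly_alerts(TODAY, baseline))
```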

🔧 15. Scanning and Analysis Tools

Tools that check your system for weaknesses like:

• Missing updates
• Weak passwords
• Open ports

Some common tools:

• Nmap – scans networks
• Wireshark – captures data packets
• Nessus – scans for known vulnerabilities

Quiz

Quiz questions and answers based on Learning Unit 3: Security Technology, listed separately for study convenience.

✅ Quiz Questions: Learning Unit 3

🔒 Access Control

1. What is the main purpose of access control in information systems?
2. What are the three basic functions of an access control system?
3. Give two examples of biometric access control methods.
4. What is the difference between MAC and DAC in access control models?
5. What does RBAC stand for and how does it work?

🛡️ Protecting Connections

6. Name two types of firewall processing modes.
7. What is a single bastion host in a firewall architecture?
8. Why are content filters used in internet security?
9. What does a VPN do?
10. List two ways to control remote access securely.

🕵️‍♀️ Detecting and Preventing Intrusions

11. What does an Intrusion Detection and Prevention System (IDPS) do?
12. What is the difference between host-based and network-based IDPS?
13. Why is wireless IDPS more challenging?
14. What is the difference between signature-based and anomaly-based IDPS?
15. Name two scanning or analysis tools used in cybersecurity.

✅ Quiz Answers: Learning Unit 3

🔒 Access Control

1. To ensure only authorized users can access certain data or systems.
2. Identification, authentication, and authorization.
3. Fingerprint scanning and facial recognition.
4. MAC has strict system-defined access rules; DAC allows the data owner to decide who gets access.
5. Role-Based Access Control – access is based on the user’s job role.

🛡️ Protecting Connections

6. Packet filtering and proxy firewall.
7. A single, highly protected system used to manage access between a trusted and untrusted network.
8. To block inappropriate, dangerous, or unwanted web content.
9. It creates a secure, encrypted connection between a device and a network.
10. Use of strong authentication (e.g., two-factor) and encryption.

🕵️‍♀️ Detecting and Preventing Intrusions

11. It detects and/or blocks unauthorized access or attacks on systems or networks.
12. Host-based monitors one device; network-based monitors all traffic across the network.
13. Because signals move, devices are mobile, and it's easier to spoof access.
14. Signature-based checks for known attacks; anomaly-based detects unusual or new behaviors.
15. Nmap and Nessus.

Chapter 4

🧠 Learning Unit 4: Cryptography & Physical Security – Full Explanation

🔐 Theme 1: Cryptography

Cryptography is how we protect information by turning it into a secret code so that only the right person can understand it. Let’s break this into small, clear lessons.

🔑 LO1: Basic Principles of Cryptography

• The main purpose is to:
   o Keep data confidential (only the right person can read it)
   o Maintain integrity (make sure no one changed it)
   o Ensure authenticity (prove who sent it)
   o Stop denial (someone can’t say “I didn’t send it” when they did)

Analogy: Imagine writing a secret message to a friend and locking it in a box. You
keep the key, and your friend has a copy. Only you two can unlock the box.

🔀 LO2: Cipher Methods (How we scramble data)

• Ciphers are the rules we use to hide the message.
• Two classic types:
   o Substitution cipher: Replace each letter (A becomes M, B becomes N, etc.).
   o Transposition cipher: Rearrange letters in a word (e.g., HELLO becomes LOHEL).

Used in old wartimes and now in computers to protect data.

🔢 LO3: Hash Functions (Creating unique fingerprints)

• A hash takes any file or text and turns it into a short code.
• You can’t reverse a hash to get the original data.
• Used to:
o Check if a file has been changed
o Secure passwords (you never store real passwords — only their hash)

Analogy: Like turning a document into a barcode — if the content changes, the
barcode changes too.
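
An added example, not from the notes, of the two uses listed above with Python's standard library: a SHA-256 fingerprint that detects a changed file, and salted, deliberately slow password hashing (PBKDF2) so that only a hash is ever stored. The sample file contents and password are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # slows down guessing if the hash store ever leaks


def fingerprint(data: bytes) -> str:
    # Fixed-length "barcode" of any input; a one-byte change gives a new value.
    return hashlib.sha256(data).hexdigest()


def unchanged(data: bytes, expected_hex: str) -> bool:
    # Integrity check: recompute and compare with the stored fingerprint.
    return hmac.compare_digest(fingerprint(data), expected_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Store salt and hash, never the password. A random salt per user means two
    # users with the same password get different stored values.
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and rounds; the hash cannot be reversed, so
    # recomputing and comparing is the only way to check a login attempt.
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    original = b"Invoice total: 100.00"                  # constructed file contents
    stored = fingerprint(original)
    print(unchanged(original, stored))                   # True
    print(unchanged(b"Invoice total: 900.00", stored))   # False: one byte differs
    record = hash_password("correct horse")              # what a user table would hold
    print(verify_password("correct horse", record), verify_password("wrong", record))
```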

🔐 LO4: Cryptographic Algorithms (The "math" behind the security)

There are 3 main types:

1. Symmetric encryption
a. One key for locking and unlocking
b. Fast but risky if someone steals the key
c. Example: AES
2. Asymmetric encryption
a. Two keys: public (for everyone) and private (just for you)
b. Secure, used in emails, digital signatures
c. Example: RSA
3. Hashing
a. One-way only
b. Checks if something was changed

🧩 LO5: Cryptographic Techniques

Let’s match technique to use:

Technique – Use Case

• Encryption – Hide messages or files
• Decryption – Reveal them again
• Hashing – Check if data changed
• Digital Signature – Prove a message came from you and wasn't changed
• Certificates – Verify identity (used in websites and emails)

🔗 LO6: Hybrid Cryptography

• Combines symmetric (fast) and asymmetric (secure).
• Example: When sending a secure file, you encrypt it with a symmetric key (fast), and then encrypt that key with asymmetric encryption (secure).

This gives you the best of both worlds.

🌐 LO7: Cryptographic Protocols (Rules for secure communication)

These are the agreed ways for computers to talk securely:

Protocol – Use

• SSL/TLS (HTTPS) – Secure websites
• IPSec – Secures network data
• PGP – Secure emails
• HTTPS – Website security layer

🏢 Theme 2: Physical Security

Not all security is digital. If someone steals your laptop or server, they can get your data too. That’s why we must protect the physical space.

🛡️ LO8: Why Physical Security Matters

• You can have the best encryption in the world, but if someone walks in and steals the computer, your data is still at risk.
• So, we need locks, gates, guards, and environmental control.

🔥 LO9: Major Sources of Physical Loss

Threat – Description

• Theft – Someone steals a device
• Fire – Destroys physical systems
• Flood – Damages computers and files
• Power failure – System shutdowns, data loss
• Vandalism – Someone intentionally destroys data

🔐 LO10: Key Physical Security Controls

• Locks, gates, security guards
• CCTV cameras
• Biometrics (fingerprint scanners)
• ID cards and access codes
• Fire suppression (gas-based, not water)

🏠 LO11: Physical Environment Design

Server rooms must be:

• Cool and dry
• Fire-safe
• Equipped with backup power (UPS)
• Without windows, with limited access
• Built with strong doors and walls

Treat server rooms like bank vaults — protect the "gold" (data).

🕵️‍♂️ LO12: Data Interception Methods

Hackers can try to listen in on your data:

Attack Type – Description

• Packet sniffing – Capturing data from networks
• Man-in-the-middle – Hacker stands between two people
• Eavesdropping – Listening without permission

📱 LO13: Mobile Device Security

Phones and tablets are easy targets.

Protect them by:

• Passwords, PINs, Biometrics
• Full disk encryption
• Remote wipe (if lost)
• Antivirus apps
• Avoid public Wi-Fi, or use VPNs

🔐 QUIZ QUESTIONS – Learning Unit 4: Cryptography & Physical Security

Theme 1: Cryptography

1. What is the main goal of cryptography in information security?
2. What is the difference between symmetric and asymmetric encryption?
3. Give one example of a symmetric encryption algorithm.
4. What does a hash function do?
5. Why is hashing important in storing passwords?
6. What is hybrid cryptography?
7. What protocol secures web browsing (HTTPS)?
8. What cryptographic technique is used to ensure a message hasn’t been changed and is really from the sender?
9. Name two cryptographic protocols used to secure communication.
10. What is the purpose of a digital certificate?

Theme 2: Physical Security

11. Why is physical security important in protecting information?
12. Name three major sources of physical loss.
13. List two key physical security measures.
14. What does UPS stand for, and why is it used?
15. What kind of fire suppression is safest for server rooms?
16. What is a man-in-the-middle attack?
17. How can mobile devices be protected against unauthorized access?
18. What is the risk of using public Wi-Fi without protection?
19. How does remote wipe help in physical security?
20. What should be considered in the design of a secure server room?

✅ QUIZ ANSWERS – Learning Unit 4

1. To protect data confidentiality, integrity, authenticity, and prevent denial of origin.
2. Symmetric uses one key for both encryption and decryption; asymmetric uses a public key to encrypt and a private key to decrypt.
3. AES (Advanced Encryption Standard)
4. It converts data into a fixed-size string (hash value) that uniquely represents the input and is irreversible.
5. Because even if someone accesses the database, they can’t see the actual password.
6. A system that combines symmetric and asymmetric encryption for speed and security.
7. SSL/TLS
8. Digital signature
9. SSL/TLS and IPSec
10. To verify the identity of a person, server, or website in online communication.
11. Because physical access can allow attackers to bypass digital security and steal or damage data.
12. Theft, fire, and power failure.
13. CCTV cameras and biometric access control.
14. Uninterruptible Power Supply – to keep systems running when power goes out.
15. Gas-based fire suppression like FM-200 or CO₂.
16. When a hacker intercepts communication between two parties without their knowledge.
17. PINs, biometrics, antivirus software, encryption, and remote wipe.
18. Data can be intercepted by attackers using tools like packet sniffers.
19. It lets you delete all sensitive data on a lost or stolen device remotely.
20. Restricted access, fire and temperature control, CCTV, strong physical barriers.
