ITS 3050 - Security Policies and Auditing

Review for Third Test

The following questions are provided to help you study for the third test. Do not expect to see these exact questions on the test.

  1. The text tells us there are seven domains that contain all the elements of our enterprise. Which one includes acceptable use policies and social networking policies?

  2. Which domain includes policies on inventory and discovery management?

  3. Which domain includes policies for network connectivity devices?

  4. Which domain includes policies about VPN hardware and its usage?

  5. Why does the text suggest that we need redundant controls to enforce a policy that we have made very clear to employees?

  6. Explain why security policies must be coordinated with human resource policies.

  7. With regard to a policy framework, what is a baseline?

  8. What is an organization's risk tolerance?

  9. Why is it important to establish a security program charter? Who must grant the authority to administer this charter?

  10. What are some well established security program framework models? Which ones are international standards?

  11. The text cautions us that the standards we develop should be measured on four scales. Why is each important?
    • clearly written
    • repeatable
    • pursuing a known goal
    • applicable to the people following them

  12. Which element of a policy framework contains more specific instructions than a standard? Why might one be needed?

  13. Chapter six lists five risks our security framework should address. What is meant by each of them?
    • unauthorized access
    • unauthorized use
    • unauthorized disclosure
    • disruption of services
    • destruction of assets

  14. Why should we inform the entire staff of our organization about the creation and any changes to our security framework?

  15. What does the text call a framework model that has low service integration and low standardization? Is this label a signal of trouble?

  16. What does the text call a framework model that has high service integration and low standardization?

  17. What does the text call a framework model that has low service integration and high standardization?

  18. What does the text call a framework model that has high service integration and high standardization?

  19. Since chapter seven repeats some information from the text, let's consider it again. What does each of these kinds of controls do that is different from the others?
    • Deterrent controls
    • Preventive controls
    • Detective controls
    • Corrective controls
    • Compensating controls
    • Mitigating controls
    • Recovery controls

  20. Name four branches of your organization, outside IT security, that should be consulted when you develop a new security policy.

  21. What is another term that probably means the same thing as a security event?

  22. According to the text, which security policy framework model is usually chosen by government agencies?

  23. What guideline does the text offer to help you choose the right model, if you are not in government or auditing?

  24. Which model is written from the perspective of entities that take credit card payments?

  25. What are the stated shortcomings of the COBIT and ISO models?

  26. Why should changes to security processes be reviewed by people other than your security staff?

  27. How do layers of approval fit in the concept of having governance over system changes?

  28. What does the principle of separation of duties tell us to do about processes that could be exploited by employees?

  29. What is the purpose of the technique called three lines of defense? How is it better than a simpler layered approach?

  30. What is typically done once a model is chosen for an organization?

  31. What are the 3 domains of the ISACA Risk IT framework?