ITS 305 - Security Policies and Auditing

Review for Second Test

The following questions are provided to help you study for the second test. Do not expect to see these exact questions on the test.

Questions on Chapter 8

  1. What is another term that probably means the same thing as a security event?

  2. According to the text, which security policy framework model is usually chosen by government agencies?

  3. What guideline does the text offer to help you choose the right model, if you are not in government or auditing?

  4. Which model is written from the perspective of entities that take credit card payments?

  5. What are the stated shortcomings of the COBIT and ISO models?

  6. Why should changes to security processes be reviewed by people other than your security staff?

  7. How do layers of approval fit in the concept of having governance over system changes?

  8. What does the principle of separation of duties tell us to do about processes that could be exploited by employees?

  9. What is the purpose of the technique called three lines of defense? How is it better than a simpler layered approach?

  10. What is typically done once a model is chosen for an organization?


    Questions for Chapters 9 and 10

  11. The text tells us that automated defenses are better than people, in some respects. What are three problems people have that automated defenses do not?

  12. In the social engineering discussion, the authors lumped some different concepts together. What is the difference between the "make a friend" concept, and method that asks the victim to log in to a test page?

  13. What should system users do instead of leaving their ID and password on a Post-it note?

  14. The authors do not suggest a counter measure to being asked to bypass security by a higher ranking executive. What should the technician do in that case?

  15. What is a common problem relating to access rights when an employee changes jobs in an organization?

  16. What is an SQL injection, and how is it often done?

  17. An acceptable use policy must be clear and must reach all employees, but it cannot be considered to be complete. Why not?

  18. What are some of the concepts that should be included in a Privileged Level Agreement?

  19. How is the principle of least access different from the principle of best fit?

  20. What devices are covered under workstation policies that you might not consider to be workstations?

  21. What kind of policy might apply to cell phones that would not apply to most other portable devices?

  22. What are some features we would expect to find in baseline standards for workstations? Which devices would those policies not apply to?

  23. What are some examples of devices that LAN policies should apply to?

    Questions for Chapter 11

  24. What did the text suggest as two locations we might use in classifying documents?

  25. If we used a classification scheme that put all important data in one class, and there is only one other class, what should it be?

  26. What is a security classification scheme based on?

  27. What is the difference between classifications based on the need to retain data and those based on the need to recover data?

  28. In the National Security Classification scheme, what is sensitive but unclassified? What is the common theme in the three highest security levels?

  29. How is information classified in the scheme above automatically declassified?

  30. Who is allowed to ask for a mandatory declassification review?

  31. Which two security framework models does the text recommend that contain guidelines for creating a security classification scheme?

  32. The text describes two scenarios in which a hacker breaks into an application, then an operating system to steal encrypted data. Which one presents the greater danger? Why?

  33. Why should email be encrypted in some circumstances?

  34. The text lists seven stages in the life cycle of information. What are the first and last states in the list?

  35. The text warns us that some audits done for regulatory reasons expect more than legal compliance. What else are they looking for?

  36. When assessing risk, what two things do we initially need to know about each asset?

  37. When we consider an exploit that could affect an asset, what numeric value about the exploit concerns us?

  38. How do we calculate a Single Loss Expectancy?

  39. What do we call the number of successful attacks of a given type that we expect each year?

  40. List the four risk management schemes mentioned in this chapter. Explain when is would be acceptable to use each one.