CSS 111 - Introduction to Information System Security

Review for First Test

The following questions are provided to help you study for the first test. Do not expect to see these exact questions on the test.

1. What are specialized areas of security that are listed in chapter 1? What are some of the things a specialist in each area should be concerned with?
   
   
2. What is the meaning of the acronym CIA with regard to information security?
   
   
3. What is the difference between identification and authentication? Can you do one without the other?
   
   
4. What do the three axes on the McCumber cube represent?
   
   
5. What are the three concerns of IT Security staff, according to McCumber?
   
   
6. What are the three IT security concerns of IT Operations staff, according to McCumber?
   
   
7. What are the three IT security concerns of Enterprise Business staff, according to McCumber?
   
   
8. Explain the difference between a threat and a threat agent.
   
   
9. A category of threats listed in the text is human error. Why is this considered a threat, when errors are not intentional?
   
   
10. What is a security incident? How might it lead to a disaster?
    
    
11. What is risk, with regard to IT assets? How does vulnerability relate to risks?
    
    
12. What is an exploit?
    
    
13. What are examples of controls and safeguards?
    
    
14. In the SDLC discussion, why is the model shown in the text called a waterfall model?
    
    
15. Why does IT security need to protect the functions of an organization? Why does it need to protect an organizations software and data?
    
    
16. What is the difference between a virus and a worm?
    
    
17. What is a Denial of Service attack?
    
    
18. What are two ways that employees can be security risks?
    
    
19. What are phishing attacks?
    
    
20. How does social engineering help an attacker prepare for an attack?
    
    
21. What are the differences between laws, ethics, and morals?
    
    
22. Why should we try to achieve full distribution of security policies?
    
    
23. How does it help a company to make a security policy available to staff at an online web page?
    
    
24. Why should a company apply its policies uniformly to all staff?
    
    
25. Some policies have sunset clauses or provisions in the, because they are not meant to last forever. What would be an example of a policy that should have a known end date?
    
    
26. What would be the argument a lawyer would make against a policy that was not applied equally to all staff?
    
    
27. Name at least three things a person should do if they experience an identity theft, according to the Federal Trade Commission.
    
    
28. What is a catalog of assets, and how does it help us in IT security?
    
    
29. What are some ways we might choose to prioritize assets? Name at least three.
    
    
30. Must we protect all of our assets from all of the threat categories listed in the text?
    
    
31. Which federal law established that wiretaps need to be authorized by a court issued warrant?
    
    
32. Which law gave the FBI the power to ask for data about subscribers to electronic services without a warrant?
    
    
33. Which law makes it a crime to share health related information with people other than the patient without the patient's permission?
    
    
34. Which law made it possible to request information from federal agencies? What costs are involved that a requester should be aware of?
    
    
35. In the formula Risk = (V * L) -(V * M) + U, what is the meaning of each letter? How might we determine a value for each of those letters?
    
    
36. What does a company do if it is adopting the risk avoidance strategy? How is this different from the risk termination strategy?
    
    
37. What does it mean to adopt transference of your risks?
    
    
38. What is the risk mitigation strategy?
    
    
39. Why would a company decide to use risk acceptance?
    
    
40. What is single loss expectancy? Why might it not be the same number as annualized loss expectancy for a particular risk?
    
    
41. What is the annualized cost of a safeguard? How does this relate to cost benefit analysis?
    
    
42. What is baselining? What is the risk of not performing a baselining study?
    
    
43. The text tells us policies may come in three types: enterprise policies, issue specific policies, and system specific policies. What is the difference between them?
    
    
44. The text discusses the importance of choosing a good security model. What are the three models discussed in class? Where can you get more information about each of them?
    
    
45. Explain how the words blueprint, framework, and model relate to a project that develops a security plan for your organization?
    
    
46. Defense in depth is not a specific recommendation for a security plan. What does it mean to the person making the plan?
    
    
47. Even though the term is not a good metaphor, what is a DMZ with regard to your network and security?
    
    
48. How are the functions of a firewall and a proxy server similar and different?
    
    
49. Why do we train general employees in security matters, and provide them with security awareness reminders?
    
    
50. Consider Amy and the sudden problems she had on the help desk in chapter 1. What mitigation plan should have applied to her first phone call?
    
    
51. Assuming the company's problem in the last question is still continuing, what mitigation plan should apply to keeping the company running at the same time?
    
    
52. Once the worm is removed from all systems, which mitigation plan should be used if the company chose to operate briefly from another location?