ITS 3050 - Security Policies and Auditing

Review for Second Test

The following questions are provided to help you study for the second test. Do not expect to see these exact questions on the test.

  1. What is the meaning of MAO, also called MTO?

  2. How do critical success factors relate to critical business operations?

  3. What are the two things a control might do that would make the control worth using?

  4. What concept would be derived by subtracting the cost of a control from its projected benefits? How do you calculate projected benefits?

  5. How do the curves generally look for recovery costs and disruption costs when they are plotted in relation to time? Why would you plot them on the same graph?

  6. In a Business Continuity Plan, why must there be a notification phase? Other than notification, what is it for?

  7. What is the scope of the recovery that is done in a Business Continuity Plan?

  8. What is the end goal of a Disaster Recovery Plan?

  9. If you had to eliminate one of the plans recommended in the Risk text, or keep only one of them, which would you choose, and why?

  10. What are some of the commonly seen security incidents discussed in the first book?

  11. What does Rudyard Kipling have to do with dealing with a security incident?

  12. What is meant by CIRT, SIRT, CERT and any other version of this acronym?

  13. NIST SP 800-61 describes three ways to organize your CIRT service. What are they?

  14. Why would people who investigate security incidents be in a good position to recommend new controls?

  15. What is the difference between identification and authentication? Can you do one without the other?

  16. The text tells us that we can view the process of creating policies as having four phases, which the author calls domains. What happens in each of those phases?

  17. Which domain creates service level agreements?

  18. Which of the four domains creates controls for the new system?

  19. Which domain monitors daily performance of the new system?

  20. Which domain monitors the controls in the new system?

  21. What are the two IA concerns that are added to the traditional ISS CIA concerns?

  22. What processes are typically implemented as part of a governance layer in IT systems?

  23. What is the difference between a Principle we will observe in our organization and a Policy that addresses it?

  24. Which is typically more detailed and specific, a Standard or a Procedure?

  25. How are guidelines enforced in most organizations?

  26. What is a policy framework? What are some of the components we expect to find in one?

  27. What are some examples of physical controls?

  28. What are technical controls? Can they work with other kinds of controls?

  29. What are administrative controls? Why must users be made aware of these?

  30. Which kind of controls are likely to be automatic controls?

  31. Which kind of controls are likely to be manual controls?

  32. Which kind of control notices errors and offers a method to correct those errors?

  33. What is an acceptable use policy?

  34. Which law requires federal agencies to have a common set of information security standards?

  35. Which law includes many complicated rules about sharing a patient's medical information?

  36. Which federal law protects children from exposure to obscene materials in public libraries?

  37. What federal law sets standards for entities that take payment by bank and credit cards?