ITS 3050 - Security Policies and Auditing

Review for First Test

The following questions are provided to help you study for the first test. Do not expect to see these exact questions on the test.

  1. Define risk. What are three examples of risk?

  2. What is a vulnerability? How is that different from an exploit?

  3. What are some common types of exploits?

  4. When a risk occurs, what do we mean by "its impact"?

  5. How do we measure tangible and intangible values?

  6. What are the seven domains of an IT infrastructure? Who is paying our author for mentioning them in every chapter?

  7. What do the letters CIA mean in terms of data security?

  8. What are some sources we should explore to learn about vulnerabilities?

  9. The text lists a few common strategies to manage risk. What are two of them?

  10. How can threats be unintentional? What are some of them?

  11. What are some intentional threats?

  12. What are some common practices for dealing with general threats?

  13. Why is it important to link threats to vulnerabilities? Why is this like a cookbook for attackers?

  14. What is the importance of patches to a system administrator? What is the importance to an attacker?

  15. Why do mitigation schemes often have costs?

  16. What is a cost-benefit analysis?

  17. What would be the only strategy that avoids all risks? Why is it impractical?

  18. What are controls? Why and when do we reevaluate them?

  19. How is qualitative risk assessment different from quantitative risk assessment? What kind of results do you get from each of them?

  20. What are some limitations that relate to doing qualitative assessments?

  21. What is an asset's value? Why might we argue about that value?

  22. What is a single loss expectancy? Why does it vary from the value of an asset?

  23. Why would we annualize the rate of occurrence of successful attacks for a report?

  24. What is a safeguard value?

  25. What do uptime and downtime mean? How are they related?

  26. What is meant by some number of nines of uptime?

  27. What is failover? What kinds of devices might we apply the concept to?

  28. What are some of the critical details we should capture about software assets? What about other kinds of assets?

  29. What is a Business Impact Analysis? When should it be done?

  30. What is an Incident Response?

  31. When do we use a Business Continuity plan?

  32. What is the purpose of Disaster Recovery?

  33. What is the difference between in-place controls and planned controls? Okay, that was easy. Now, why do we care about those things?

  34. Considering the nature of fires, what controls would be effective in dealing with them? How about preventing them?