ITS 3050 - Security Policies and Auditing
Review for Second Test
The following questions are provided to help you study for the second
test. Do not expect to see these exact questions on the test.
- What is the meaning of MAO, also called MTO?
- How do critical success factors relate to critical business operations?
- What are the two things a control might do that would make the control worth using?
- What concept would be derived by subtracting the cost of a
control from its projected benefits? How do you calculate projected
- How do the curves generally look for recovery costs and
disruption costs when they are plotted in relation to time? Why would
you plot them on the same graph?
- In a Business Continuity Plan, why must there be a notification phase? Other than notification, what is it for?
- What is the scope of the recovery that is done in a Business Continuity Plan?
- What is the end goal of a Disaster Recovery Plan?
- If you were to eliminate one or all but one of the plans recommended in the Risk text, which would you choose, and why?
- What are some of the commonly seen security incidents discussed in the first book?
- What does Rudyard Kipling have to do with dealing with a security incident?
- What is meant by CIRT, SIRT, CERT and any other version of this acronym?
- NIST SP 800-61 describes three ways to organize your CIRT service. What are they?
- Why would people who investigate security incidents be in a good position to recommend new controls?
- What is the difference between identification and authentication? Can you do one without the other?