ITS 3050 - Security Policies and Auditing
Review for Third Test
The following questions are provided to help you study for the third
test. Do not expect to see these exact questions on the test.
- The text tells us there are seven domains that contain all the elements
of our enterprise. Which one includes acceptable use policies and social
networking policies?
- Which domain includes policies for network connectivity devices?
- Why does the text suggest that we need redundant controls to enforce
a policy that we have made very clear to employees?
- Explain why security policies must be coordinated with human resource
policies.
- With regard to a policy framework, what is a baseline?
- What is an organization's risk tolerance?
- Why is it important to establish a security program charter? Who
must grant the authority to administer this charter?
- What are some well-established security program framework models?
Which ones are international standards?
- The text cautions us that the standards we develop should be measured
on four scales. Why is each important?
  - clearly written
  - repeatable
  - pursuing a known goal
  - applicable to the people following them
- Which element of a policy framework contains more specific instructions
than a standard? Why might one be needed?
- Chapter six lists five risks our security framework should address.
What is meant by each of them?
  - unauthorized access
  - unauthorized use
  - unauthorized disclosure
  - disruption of services
  - destruction of assets
- Why should we inform the entire staff of our organization about the
creation and any changes to our security framework?
- What does the text call a framework model that has low service integration
and low standardization? Is this label a signal of trouble?
- What does the text call a framework model that has high service integration
and low standardization?
- What does the text call a framework model that has low service integration
and high standardization?
- What does the text call a framework model that has high service integration
and high standardization?
- Since chapter seven repeats some information from the text, let's
consider it again. What does each of these kinds of controls do that is
different from the others?
  - Deterrent controls
  - Preventive controls
  - Detective controls
  - Corrective controls
  - Compensating controls
  - Mitigating controls
  - Recovery controls
- Name four branches of your organization, outside IT security, that
should be consulted when you develop a new security policy.
- What is another phrase that probably means the same thing as a security
event?
- According to the text, which security policy framework model is usually
chosen by government agencies?
- What guideline does the text offer to help you choose the right model,
if you are not in government or auditing?
- Which model is written from the perspective of entities that take
credit card payments?
- What are the stated shortcomings of the COBIT and ISO models?
- Why should changes to security processes be reviewed by people other
than your security staff?
- How do layers of approval fit in the concept of having governance
over system changes?
- What does the principle of separation of duties tell us to do about
processes that could be exploited by employees?
- What is the purpose of the technique called three lines of defense?
How is it better than a simpler layered approach?
- What is typically done once a model is chosen for an organization?