ITS 305 - Security Policies and Auditing
Review for First Test
The following questions are provided to help you study for
the first test. Do not expect to see these exact questions on the test.
- What are the three communities of interest that the text tells us should be involved in making decisions about information security for an enterprise? What is the focus of each one?
- What are specialized areas of security that are listed in chapter 1? What are some of the things a specialist in each area should be concerned
- What is the meaning of the acronym CIA with regard to information security?
- What is the difference between identification and authentication? Can you do one without the other?
- What do the three axes on the McCumber cube represent?
- What are the three concerns of IT Security staff, according to McCumber?
- What are the three concerns of IT Operations staff, according to McCumber?
- What are the three concerns of Enterprise Business staff, according to McCumber?
- the meaning of the word privacy as used in chapter one. How is it different from the meaning that most of our customers may assume it
- How is an autocratic manager different from a democratic manager? Describe a situation in which each approach might be appropriate in the same
- What are the time frames that you would associate with strategic, tactical, and operational planning? Assume the time frames given in the text are not those that will be used in your next job. What should be the same
- Compare organizational planning and contingency planning. What is a major difference between these two kinds of planning?
- statements can be created at many levels in an organization. What should be true about such statements from one level to the next? How does this relate to mission statements that you may be asked to write for a team or other subdivision of a company?
- The SMART acronym has several possible meanings, as we discussed in class. (See the article on Wikipedia for some examples.) One way of explaining the concept is that objectives must be usable to enforce a contract or settle a bet. What does this mean? Give an example of a properly worded objective and a poorly
- plans and tactical plans usually differ with respect to time frames, and also differ with respect to who makes the plans and who they relate to. Explain what this means.
- The SecSDLC model given in the text is an example of the waterfall model of systems design. What does that mean?
- An exploit is a potential method of breaching the security of a system. What does your book call an instance of someone using an exploit?
- The first category of threats listed in the text is human error. Why is this considered a threat, when errors are not intentional?
- Explain how failing to update your protection schemes is a threat in the context of the list of twelve categories.
- If organizational planning prepares us for our desired goals, what does contingency planning prepare us for?
- You should be familiar with the terms asset, threat, exploit, and vulnerability with regard to computer security.
- What are controls, in terms of contingency planning?
- What are some of the purposes of a Business Impact Analysis (BIA)?
- What is an IT security incident? How might we become aware that one has occurred?
- What is an Incident Response?
- When should we follow a Business Continuity Plan (BCP)? Can you state a guideline that would tell us when to activate such a plan?
- How is a Disaster Recovery Plan (DRP) different from a Business Continuity Plan? What would be the most likely time sequence in following these
- The text's definition of a disaster says it involves damage we cannot contain or control. Why should your enterprise define this for itself? How might you begin to define it for your hypothetical company?
- What term does the text use for what ITIL calls a problem? How does the scale of a problem relate to the scale of an incident?
- How might we attempt to contain a virus outbreak, to keep it from becoming a disaster?
- How does von Moltke's best known aphorism relate to IT security issues?
- What are the major differences between cold, warm, and hot sites? What are they used for? What kind of plan from chapter 3 should cover their planned use by our company?