ITS 305 - Security Policies and Auditing

Review for First Test

The following questions are provided to help you study for the first test. Do not expect to see these exact questions on the test.

  1. What are the three communities of interest that the text tells us should be involved in making decisions about information security for an enterprise? What is the focus of each one?

  2. What are specialized areas of security that are listed in chapter 1? What are some of the things a specialist in each area should be concerned with?

  3. What is the meaning of the acronym CIA with regard to information security?

  4. What is the difference between identification and authentication? Can you do one without the other?

  5. What do the three axes on the McCumber cube represent?

  6. What are the three concerns of IT Security staff, according to McCumber?

  7. What are the three concerns of IT Operations staff, according to McCumber?

  8. What are the three concerns of Enterprise Business staff, according to McCumber?

  9. Discuss the meaning of the word privacy as used in chapter one. How is it different from the meaning that most of our customers may assume?

  10. How is an autocratic manager different from a democratic manager? Describe a situation in which each approach might be appropriate in the same company.

  11. What are the time frames that you would associate with strategic, tactical, and operational planning? Assume the time frames given in the text are not those that will be used in your next job. What should be the same regardless?

  12. Compare organizational planning and contingency planning. What is a major difference between these two kinds of planning?

  13. Mission statements can be created at many levels in an organization. What should be true about such statements from one level to the next? How does this relate to mission statements that you may be asked to write for a team or other subdivision of a company?

  14. The SMART acronym has several possible meanings, as we discussed in class. (See the article on Wikipedia for some examples.) One way of explaining the concept is that objectives must usable to enforce a contract or settle bet. What does this mean? Give an example of a properly worded objective and a poorly worded one.

  15. Strategic plans and tactical plans usually differ with respect to time frames, and also differ with respect to who makes the plans and to whom they apply. Explain what this means.

  16. The SecSDLC model given in the text is an example of the waterfall model of systems design. What does that mean?

  17. An exploit is a potential method of breaching the security of a system. What does your book call an instance of someone using an exploit?

  18. The first category of threats listed in the text is human error. Why is this considered a threat, when errors are not intentional?

  19. Explain how failing to update your protection schemes is a threat in the context of the list of twelve categories.

  20. If organizational planning prepares us for our desired goals, what does contingency planning prepare us for?

  21. You should be familiar with the terms asset, threat, exploit, and vulnerability with regard to computer security.

  22. What are controls, in terms of contingency planning?

  23. What are some of the purposes of a Business Impact Analysis (BIA)?

  24. What is an IT security incident? How might we become aware that one has occurred?

  25. What is an Incident Response?

  26. When should we follow a Business Continuity Plan (BCP)? Can you state a guideline that would tell us when to activate such a plan?

  27. How is a Disaster Recovery Plan (DRP) different from a Business Continuity Plan? What would be the most likely time sequence in following these plans?

  28. The text's definition of a disaster says it involves damage we cannot contain or control. Why should your enterprise define this for itself? How might you begin to define it for your hypothetical company?

  29. What term does the text use for what ITIL calls a problem? How does the scale of a problem relate to the scale of an incident?

  30. How might we attempt to contain a virus outbreak, to keep it from becoming a disaster?

  31. How does von Moltke's best known aphorism relate to IT security issues?

  32. What are the major differences between cold, warm, and hot sites? What are they used for? What kind of plan from chapter 3 should cover their planned use by our company?