ITS 305 - Security Policies and Auditing

Review for Third Test

The following questions are provided to help you study for the third test. Do not expect to see these exact questions on the test.

  1. Why is human error considered a risk factor? What do we do to reduce it?

  2. What is asset valuation? Why do we perform asset valuation as part of our risk considerations?

  3. What is the most obvious economic measure for an IT asset?

  4. What is benchmarking? What are two alternative methods of benchmarking?

  5. What is due care? How is it different from due diligence? What must be true of the procedures you choose to adopt when following due care?

  6. What are the comparison factors you were asked to use in the exercise with the FASP web site?

  7. What is baselining, with regard to IT security?

  8. What are the four classic methods of dealing with risk that are listed in the text?

  9. Which one has the goal of reducing the impact of an attack?

  10. Which one has the goal of making attacks less likely?

  11. Which one assigns the responsibility of risk management to another entity?

  12. What are the plans, discussed in previous chapters, that might be part of a risk mitigation plan?

  13. What is the difference between a disaster recovery plan and a business continuity plan?

  14. What are the two kinds of items that are placed on the rows and columns of a TVA chart? Why do we chart these things?

  15. The text quotes business writers who recommend that a company focus on its core business. What does this mean, and why might it make our company more successful?

  16. How can we tell if a control or safeguard will be organizationally feasible for our company?

  17. What must be true about a solution and about our company for the solution to be technically feasible?

  18. What must be true about a solution for it to be operationally/behaviorally feasible?

  19. If we know the Cost per Incident of an attack, what formula element from the text does this correspond to?

  20. Why is the Cost per Incident NOT necessarily the same as an ALE? How do you calculate an ALE?

  21. What is an Annualized Rate of Occurrence?

  22. What is the ongoing cost of a safeguard called in the text?

  23. According to the formula in the text, what three things do we need to know to calculate a Cost Benefit Analysis? What is the formula that gives us this number?