ITS 305 - Security Policies and Auditing

Review for First Test

The following questions are provided to help you study for the first test. Do not expect to see these exact questions on the test.

  1. What is the meaning of the acronym CIA with regard to information security?

  2. What are the meanings of the following vocabulary words from chapter 1?
    Asset
    Threat
    Threat agent
    Vulnerability
    Exploit
    Risk
    Policy

  3. The text tells us that we can view the process of creating policies as having four phases, which the author calls domains. What happens in each of those phases?

  4. Which domain creates service level agreements?

  5. Which of the four domains creates controls for the new system?

  6. Which domain monitors daily performance of the new system?

  7. Which domain monitors the controls in the new system?

  8. What are the two IA concerns that are added to the traditional ISS CIA concerns?

  9. What processes are typically implemented as part of a governance layer in IT systems?

  10. What is the difference between a Principle we will observe in our organization and a Policy that addresses it?

  11. Which is typically more detailed and specific, a Standard or a Procedure?

  12. How are guidelines enforced in most organizations?

  13. What is a policy framework? What are some of the components we expect to find in one?

  14. What are some examples of physical controls?

  15. What are technical controls? Can they work with other kinds of controls?

  16. What are administrative controls? Why must users be made aware of these?

  17. Which kind of controls are likely to be automatic controls?

  18. Which kind of controls are likely to be manual controls?

  19. Which kind of control notices errors and offers a method to correct those errors?

  20. What is an acceptable use policy?

  21. Which law requires federal agencies to have a common set of information security standards?

  22. Which law includes many complicated rules about sharing a patient's medical information?

  23. Which federal law protects children from exposure to obscene materials in public libraries?

  24. What federal law sets standards for entities that take payment by bank and credit cards?

  25. The text tells us there are seven domains that contain all the elements of our enterprise. Which one includes acceptable use policies and social networking policies?

  26. Which domain includes policies on inventory and discovery management?

  27. Which domain includes policies for network connectivity devices?

  28. Which domain includes policies about VPN hardware and its usage?

  29. Why does the text suggest that we need redundant controls to enforce a policy that we have made very clear to employees?

  30. Explain why security policies must be coordinated with human resource policies.

  31. With regard to a policy framework, what is a baseline?

  32. What is an organization's risk tolerance?

  33. Why is it important to establish a security program charter? Who must grant the authority to administer this charter?

  34. What are some well-established security program framework models? Which ones are international standards?

  35. The text cautions us that the standards we develop should be measured on four scales. Why is each important?
    • clearly written
    • repeatable
    • pursuing a known goal
    • applicable to the people following them

  36. Which element of a policy framework contains more specific instructions than a standard? Why might one be needed?

  37. Chapter six lists five risks our security framework should address. What is meant by each of them?
    • unauthorized access
    • unauthorized use
    • unauthorized disclosure
    • disruption of services
    • destruction of assets

  38. Why should we inform the entire staff of our organization about the creation and any changes to our security framework?

  39. What does the text call a framework model that has low service integration and low standardization? Is this label a signal of trouble?

  40. What does the text call a framework model that has high service integration and low standardization?

  41. What does the text call a framework model that has low service integration and high standardization?

  42. What does the text call a framework model that has high service integration and high standardization?

  43. Since chapter seven repeats some information from the text, let's consider it again. What do each of these kinds of controls do that is different from the others?
    • Deterrent controls
    • Preventive controls
    • Detective controls
    • Corrective controls
    • Compensating controls
    • Mitigating controls
    • Recovery controls

  44. Name four branches of your organization, outside IT security, that should be consulted when you develop a new security policy.