ITS 305 - Security Policies and Auditing
Review for Second Test
The following questions are provided to help you study for the second
test. Do not expect to see these exact questions on the test.
Questions on Chapter 8
- What is another term that probably means the same thing as a security
- According to the text, which security policy framework model is usually
chosen by government agencies?
- What guideline does the text offer to help you choose the right model,
if you are not in government or auditing?
- Which model is written from the perspective of entities that take
credit card payments?
- What are the stated shortcomings of the COBIT and ISO models?
- Why should changes to security processes be reviewed by people other
than your security staff?
- How do layers of approval fit in the concept of having governance
over system changes?
- What does the principle of separation of duties tell us to do about
processes that could be exploited by employees?
- What is the purpose of the technique called three lines of defense?
How is it better than a simpler layered approach?
- What is typically done once a model is chosen for an organization?
Questions for Chapters 9 and 10
- The text tells us that automated defenses are better than people,
in some respects. What are three problems people have that automated
defenses do not?
- In the social engineering discussion, the authors lumped some different
concepts together. What is the difference between the "make a friend"
concept, and method that asks the victim to log in to a test page?
- What should system users do instead of leaving their ID and password
on a Post-it note?
- The authors do not suggest a counter measure to being asked to bypass
security by a higher ranking executive. What should the technician do
in that case?
- What is a common problem relating to access rights when an employee
changes jobs in an organization?
- What is an SQL injection, and how is it often done?
- An acceptable use policy must be clear and must reach all employees,
but it cannot be considered to be complete. Why not?
- What are some of the concepts that should be included in a Privileged
- How is the principle of least access different from the principle
of best fit?
- What devices are covered under workstation policies that you might
not consider to be workstations?
- What kind of policy might apply to cell phones that would not apply
to most other portable devices?
- What are some features we would expect to find in baseline standards
for workstations? Which devices would those policies not
- What are some examples of devices that LAN policies should apply to?
Questions for Chapter 11
- What did the text suggest as two locations we might use in classifying
- If we used a classification scheme that put all important data in
one class, and there is only one other class, what should it be?
- What is a security classification scheme based on?
- What is the difference between classifications based on the need to
retain data and those based on the need to recover data?
- In the National Security Classification scheme, what is sensitive
but unclassified? What is the common theme in the three highest security
- How is information classified in the scheme above automatically declassified?
- Who is allowed to ask for a mandatory declassification review?
- Which two security framework models does the text recommend that contain
guidelines for creating a security classification scheme?
- The text describes two scenarios in which a hacker breaks into an
application, then an operating system to steal encrypted data. Which
one presents the greater danger? Why?
- Why should email be encrypted in some circumstances?
- The text lists seven stages in the life cycle of information. What
are the first and last states in the list?
- The text warns us that some audits done for regulatory reasons expect
more than legal compliance. What else are they looking for?
- When assessing risk, what two things do we initially need to know
about each asset?
- When we consider an exploit that could affect an asset, what numeric
value about the exploit concerns us?
- How do we calculate a Single Loss Expectancy?
- What do we call the number of successful attacks of a given type that
we expect each year?
- List the four risk management schemes mentioned in this chapter. Explain
when it would be acceptable to use each one.