INFA 620 MidTerm Exam (UMUC)
General questions (20 points) (5 pts each)
a) Which of the following are not directly addressed when implementing network security? (Choose two.) Explain.
A. Evolving business requirements
B. Freedom of information initiatives
C. Personal safety
D. Protection of data
E. Physical plant security
b) Who should be involved in approving access to systems and applications?
A. The system administrator or custodian
B. The business owner
C. The proposed user's supervisor
D. All of the above
c) Which of the following is a type of preventive/technical access control? Explain.
A: Biometrics for identification
B: Motion detectors
C: Biometrics for authentication
D: An intrusion detection system
d) Which of the following is considered the first line of defense against human behavior? Explain.
C. Physical security
D. Business continuity planning
Risk analysis (20 points) (5 pts each)
a) Select from the following the best definition of security risk analysis:
A. Risk analysis looks at the probability that a vulnerability exists in your system.
B. Risk analysis looks at the probability that your security measures won't stop a hacker breaking in to your system.
C. Risk analysis looks at the probability that a hacker may break in to your system.
D. Risk analysis determines what resources you need to protect and quantifies the costs of not protecting them.
E. Risk analysis looks at the consequences of being connected to the Internet.
b) Which of the following is NOT accurate regarding the process of risk assessment?
Explain.
A. The likelihood of a threat must be determined as an element of the risk assessment.
B. The level of impact of a threat must be determined as an element of the risk assessment.
C. Risk assessment is the first process in the risk management methodology.
D. Risk assessment is the final result of the risk management methodology.
c) Which of the following is considered a flaw, loophole, oversight, or error that makes the organization susceptible to attack or damage? Explain.
d) True or False: An IT vulnerability assessment is the same as an IT security risk analysis. Explain.
PROBLEM 3 - Security policy development and security organization (20 points)
(5 pts each)
a) Which of the following individuals' roles and responsibilities would include the
responsibility for maintaining and protecting the company's assets and data? Explain.
B. Data owner
C. Data custodian
D. Security auditor
b) Which of the following is a characteristic of a good security policy? Explain.
A. It is developed by end users.
B. It communicates consensus and defines roles.
C. It is developed after all security devices have been fully tested.
D. It should be encrypted as it contains backups of all important passwords and
c) Which of the following would be considered a critical flaw and lead to an audit failure?
A. An administrator was allowed to both create and approve users for a given application
(insufficient separation of duties)
B. Insufficient documentation that an application audit occurred
C. Fraud was detected by external auditors and not internal auditors
D. None of the above
d) Which of the following are elements of the Separation of Duties principle of
operations security? (Choose two.) Explain.
A. Individuals rotate security-related duties so that no one person is
permanently responsible for a sensitive function.
B. Includes two-man and dual operator controls.
C. Operators maintain an arms-length relationship with security controls.
D. Continuous retraining of personnel.
E. Ensures that no one person can compromise the whole system
PROBLEM 4 - Physical security (20 points)
(5 pts each)
a) Identify the critical part of physical security. Explain your answer.
b) As a security officer in your company you might be concerned about the loss of
confidential information if an employee's laptop is stolen. Which of the following
represents the best defensive method? Explain.
A. Use integrity programs such as MD5 and SHA to verify the validity of installed
B. Place labels on the laptops offering a reward for stolen or missing units
C. Issue laptop users locking cables to secure the units and prevent their theft
D. Encrypt the hard drives
c) Which one of the following is considered the benefit of a contingency plan?
A. Perimeter defense
B. Diversity of controls
C. Defense in layers
D. Facility access controls
E. Threat identification
d) Which of the following statements best describes a disaster recovery plan (DRP)? Explain.
A) A DRP reduces the impact of a hurricane on a facility.
B) A DRP is an immediate action plan used to bring a business back online immediately
after a disaster has struck.
C) A DRP attempts to manage risks associated with theft of equipment.
D) A DRP is a plan that sets up actions for long-term recovery after a disaster has hit.
PROBLEM 5 - Authentication and authorization controls (20 points)
(5 pts each)
a) SSL is used to
A. Encrypt specific elements of data for application-specific purposes
B. Encrypt files located on a Web server
C. Encrypt data as it travels over a network
D. Encrypt digital certificates used to authenticate a Web site
E. Encrypt passwords for storage in a database
b) Suppose a user is authenticated based on an ID and password that are supplied by the
transmitter in plaintext. Does it make any difference if the password and ID are encrypted?
If yes, explain why. If no, how would you improve the system?
c) In a network system based on challenge and response, discuss the following two cases:
(i) What happens when an intruder tries to break the system and initiates the challenge?
(ii) How secure is the system if the server changes the challenge value only once every minute?
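To make the two cases in question c) concrete, the following simulation is an added example (not part of the exam or of any UMUC material). It models a generic HMAC-based challenge-response login with a constructed shared secret and a hypothetical `Server` class whose verifier can either issue a fresh single-use random nonce per login or, as in case (ii), reuse one challenge value for a whole minute. The scenario functions return booleans so each case can be checked rather than just printed.

```python
import hashlib
import hmac
import os
import time

# Constructed demo secret shared by client and server (real systems use a per-user key).
SHARED_SECRET = b"constructed-demo-secret"


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove knowledge of the secret without ever transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Server:
    """Hypothetical challenge-response verifier.

    fresh_nonce=True  : each challenge is a random, single-use nonce.
    fresh_nonce=False : one challenge per wall-clock minute (case ii).
    """

    def __init__(self, secret: bytes, fresh_nonce: bool = True, clock=time.time):
        self._secret = secret
        self._fresh = fresh_nonce
        self._clock = clock            # injectable so the minute can be pinned in tests
        self._outstanding = set()      # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        if self._fresh:
            nonce = os.urandom(16)
            self._outstanding.add(nonce)
            return nonce
        # Per-minute challenge: identical for every login during the same 60 seconds.
        return b"minute-%d" % (int(self._clock()) // 60)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self._fresh:
            if challenge not in self._outstanding:
                return False           # never issued by us, or already used
            self._outstanding.discard(challenge)
        elif challenge != self.challenge():
            return False               # stale minute value
        expected = compute_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


def intruder_initiates(server: Server) -> bool:
    """Case (i): a party without the secret plays challenger toward the real client,
    collects one (challenge, response) pair, then presents it to the real server."""
    intruder_challenge = os.urandom(16)
    captured = compute_response(SHARED_SECRET, intruder_challenge)  # client answers honestly
    return server.verify(intruder_challenge, captured)


def eavesdropper_replays(server: Server) -> tuple:
    """Case (ii): a passive observer records one legitimate exchange and resends it.
    Returns (genuine_login_accepted, replay_accepted)."""
    c = server.challenge()
    r = compute_response(SHARED_SECRET, c)
    genuine = server.verify(c, r)
    replay = server.verify(c, r)       # same bytes, sent again by the observer
    return genuine, replay


def forgery_without_secret(server: Server) -> bool:
    """Sanity check for both designs: a guessed secret never produces a valid response."""
    c = server.challenge()
    return server.verify(c, compute_response(b"wrong-guess", c))


if __name__ == "__main__":
    for fresh in (True, False):
        srv = Server(SHARED_SECRET, fresh_nonce=fresh)
        print("fresh nonce" if fresh else "per-minute challenge")
        print("  intruder-initiated pair accepted:", intruder_initiates(srv))
        print("  (genuine, replay) accepted:      ", eavesdropper_replays(srv))
        print("  forgery accepted:                ", forgery_without_secret(srv))
```

With single-use nonces the server rejects both the intruder-collected pair (it never issued that challenge) and the replayed exchange (the nonce was consumed), and a guessed secret fails regardless. With a per-minute challenge the protocol still resists forgery and the intruder-initiated pair, but a recorded response stays valid for up to a minute, so anyone who observed it can log in by replay; that is the weakness the question's case (ii) is probing, and the usual mitigation is a fresh unpredictable nonce per authentication attempt.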