Risk Management and Information Systems Security

Risk Management and Information Systems Security

[ad_1]

Exam guidelines.

Section A. Essay / Short Answer (36 points)

For three possible points each, provide a very concise/brief explanation of the following in terms of Risk Management and Information Systems Security.

  1. When determining a long-term disaster recovery plan, there are various types of plans that may be addressed, define the following:
  • Hot Site – A hot site has all the equipment available and ready to be used immediately
  • Cold Site – cold site is a empty building. There is no hardware or Rackspace. You are to bring your data with you. There are no people
  • Alternate Site – Alternate site is a facility to be occupied in the event that access to the primary site is prevented
  1. Explain why Comprehensive ST&E tests are normally grouped in general categories, such as Software, Hardware, etc.
  1. Explain why a Comprehensive ST&E Design Team would identify the Test Environment Required and the Test Data / Personnel Required portions of the test form.
  1. In 3 to 6 sentences, explain the difference between an Abbreviated ST&E and a Comprehensive ST&E.
  1. Briefly describe the purpose of a Risk Assessment, and generally what type of results you would expect to obtain.
  1. Briefly describe the purpose of an ST&E, and generally what type of results you would expect to obtain.
  1. Briefly define the purpose of a Contingency Plan andexplain under what condition(s) you might NOT require a complete Contingency Plan that uses an alternate, cold, or hot site for contingent situations.
  1. If a Risk Assessment has been completed, explain why it might be necessary for a Contingency Plan and an ST&E to be completed.
  1. Who should make a recommendation for the ST&E type, and who will make the determination? Why is this important?
  1. Why is it a good idea to let the Risk Assessment team personnel compose the ST&E Design Team, but not the ST&E Execution team?
  1. Briefly but thoroughly describe why a Contingency Plans should be tested regularly.
  1. Briefly but thoroughly describe why you will develop Contingency Plan tests for part of the Contingency Plan as opposed to always testing for Long Term loss and activation of Hot or Alternate sites.

Section B. (40 points) Multiple choice:

For two points each, select the answer that BEST completes the sentence or answers the statement in terms of Information Systems Security.

  1. Normally, a single person would be assigned to easily complete which of the following documents:
    1. Risk Assessment
    2. Abbreviated ST&E
    3. Comprehensive ST&E
    4. Contingency Plan
  1. A Network Contingency Plan should take into account:
  1. Long term disruption of network service, as the worst-case scenario.
  2. Short term disruption of network service as the most likely scenario.
  3. Both Long and Short-term disruption of network service
  4. Alternate organizational administrative procedures, automated network disaster recovery is only considered in a “COOP”.
  1. The purpose of the ST&E is to support at a minimum, all of the following key concepts:
  1. Protect, Detect, Recover
  2. Confidentiality, Integrity, Availability
  3. Destruction, Modification, Disclosure
  4. Assets, Threats, Safeguards (Countermeasures)
  5. Destruction, Disclosure, Denial of Service
  1. ST&Es test statements of fact that come from which Risk Assessment section:
  1. Asset Valutation Worksheets
  2. Threat Evaluation Worksheets
  3. ALE Calculations
  4. Recommended Additional Countermeasure Worksheets
  5. Risk Assessment Introduction
  1. Each in-place safeguard/countermeasure identified in a Risk Assessment should be tested by at least:
  1. One ST&E Test
  2. Two ST&E Tests
  3. Two ST&E Team Analysts
  4. Three ST&E Examiners
  5. Both “c” and “d”
  1. ST&Es generally:
  1. Assist the System/Network Approving Authority to make a risk management decision.
  2. Verify that in-place safeguards are working as intended.
  3. Are a series of tests to validate the security of a system or network.
  4. All of the above
  5. Only “a” and “b”.
  6. Only “b” and “c”.
  1. When conducting an Abbreviated ST&E, the Execution Team generates a complete, separate Results Report…
  1. After Abbreviated ST&E Execution.
  2. Prior to writing the Executive Summary and Introduction.
  3. They don’t, only the Design Team writes the Results Report.
  4. Never, it is not part of this type of ST&E.
  1. Scheduling the availability of the accounts, equipment, and interviewees for a particular test is the responsibility of:
  1. The Approving Authority.
  2. The Design Team.
  3. The Execution Team.
  4. Site Security personnel.
  1. According to the lecture, which of the following must Contingency Plans address?
  1. Emergency Response
  2. Backup Operations
  3. Activation Financial Section
  4. Recovery Actions
  5. Hot Site Activation Procedures
  1. I, II, and III.
  2. I, II, and IV
  3. II, III, and IV
  4. I, III, and V
  5. III, IV, and V
  1. The most cost-effective method for long term resumption of organizational operations after a disaster is:
    1. Hot Site
    2. Warm Site
    3. Cold Site
    4. Alternate Site
  1. The least cost-effective method for long term resumption of organizational operations after a disaster is:
    1. Hot Site
    2. Warm Site
    3. Cold Site
    4. Alternate Site
  1. Rotations of backup tapes do not require use and expenditures of off-site backups because you can go so far back in recovery-history.
    1. True
    2. False
  1. When developing a “short-term loss” response portion of a contingency plan and considering options for a mission-critical system or network, which of the following are NOT important to consider:
    1. Hot Site Activation
    2. User Denial of Service
    3. Revenue Loss
    4. Relocation of Personnel
  1. According to the lecture, some organizations consider Disaster Recovery Plans and _____ to be organizational-wide, rather than system-specific.
    1. Contingency Plans (CPs)
    2. Continuity-of-Operation Plans (COOPs)
    3. Disaster Recovery Emergency Response Plans (DRERPs).
    4. Personnel Relocation Plans (PRPs).
  1. There are occasions when you do NOT need a contingency plan.
    1. True
    2. False
  1. The Primary Purpose(s) for testing a Contingency Plan is:
  1. Determining the effectiveness of the CP.
  2. Finding the inadequacies of the CP.
  3. Updating the CP and Training the personnel as to their duties.
  4. Ensuring that management has invested properly in the alternate/hot/cold site.
  1. According to the reading, a contingency plan should consist of all of the following EXCEPT:
    1. Action plan
    2. Preliminary Plan
    3. Risk Assessment
    4. Preparatory Actions
  1. Threat identification is an important part of both risk assessments and contingency plans.
    1. True
    2. False
  1. According to the lecture, CPs must contend with Testing/Training and which of the following issues?
  1. Short Term and Long Term Loss.
  2. Hot Site Activation Procedures
  3. Activation Financial Issues
  4. CP Design Team Composition.
  1. The ST&E Execution Team writes new Tests when:
    1. The Design Team could not complete the tests before the Execution Team began their portion of the process.
    2. The Execution Team discovers new vulnerabilities.
    3. The Execution Team disagrees with the way the design team wrote the test.
    4. None of the above, the execution team does not normally write tests.

Section C. (24 points) Practical Application Essay Question

You are tasked with designing a security, test and evaluation (ST&E) for two of the risks cited in your own risk assessment exercise, that you will hand in as the written requirement for the course. Please note that you are on the design team preparing the ST&E documents before the team arrives on location, for use by the auditors who will conduct the actual ST&E.

Hints. This essay question tests how thoroughly Students design the ST&E audit, before anyone goes out and conducts the audit. If the ST&E audit is designed correctly, the ST&E auditor who actually conducts the audit will have a guideline that causes him/her to look at the right places and ask the right persons the right questions, to discover if the safeguards are indeed in place and working. Since the ST&E audit has not been done yet,

[Button id=”1″]


[ad_2]
Source link

"96% of our customers have reported a 90% and above score. You might want to place an order with us."

Essay Writing Service
Affordable prices

You might be focused on looking for a cheap essay writing service instead of searching for the perfect combination of quality and affordable rates. You need to be aware that a cheap essay does not mean a good essay, as qualified authors estimate their knowledge realistically. At the same time, it is all about balance. We are proud to offer rates among the best on the market and believe every student must have access to effective writing assistance for a cost that he or she finds affordable.

Caring support 24/7

If you need a cheap paper writing service, note that we combine affordable rates with excellent customer support. Our experienced support managers professionally resolve issues that might appear during your collaboration with our service. Apply to them with questions about orders, rates, payments, and more. Contact our managers via our website or email.

Non-plagiarized papers

“Please, write my paper, making it 100% unique.” We understand how vital it is for students to be sure their paper is original and written from scratch. To us, the reputation of a reliable service that offers non-plagiarized texts is vital. We stop collaborating with authors who get caught in plagiarism to avoid confusion. Besides, our customers’ satisfaction rate says it all.

Home

About Us

Professional Writing Services

Contact Custom Essay Writers

Register as a freelance writer

Order Custom Essay

Sign Up

Login

Facebook Twitter Youtube Instagram

© 2022 Homeworkcrew.com provides writing and research services for limited use only. All the materials from our website should be used with proper references and in accordance with Terms & Conditions.

Scroll to Top