Security Flashcards

0
Q

Describe the confidentiality component of security

A

Providing protection from unauthorised access or disclosure

1
Q

What are the three components of security?

A

Confidentiality
Integrity
Availability

2
Q

Describe the integrity component of security

A

Ensuring that systems and information are complete and free from unauthorised change or modification

3
Q

Describe the availability component of security

A

Ensuring that information, services and resources are available when and where required

4
Q

Security should be regarded as a horizontal / vertical component within an organisational structure

A

Horizontal

5
Q

What is the concept of “defence in depth”?

A

The idea of a series of overlapping protective measures embracing the whole organisation. Each of the controls may be cheap and not necessarily particularly strong, but taken together they integrate to form a total solution.

6
Q

List some of the component controls of “defence in depth”

A

Physical security
Policies and procedures
Personnel security
Organisational culture
Clear desk policy
Document security
Audit trails
Business continuity

7
Q

In terms of security, why is it not advisable to rely on one control?

A

It creates a single point of failure

8
Q

In defining the controls required in a security system, what three points should be taken into consideration?

A

  1. Security is a management issue not an information technology issue
  2. The controls put in place should not interfere with legitimate business processes
  3. Users may need to be made aware what the controls are designed to achieve, and trained to maximise the potential effect of the controls

9
Q

Physical security: what is the first defensive point of any organisation?

A

The perimeter

10
Q

Personnel security: what supplements a physical control quite well?

A

If staff have to show ID on entering the building

11
Q

Backups. At a minimum, how often should smaller organisations perform backups?

A

Backup of whole system once a week

Backup of data only, daily

12
Q

Where should backups be stored?

A

Off-site

13
Q

What risk do backups pose in terms of security?

A

Whereas the original data may be password controlled, the backup may not be protected

14
Q

With regard to application security, what five controls should be considered to minimise the risk of corruption of operational systems?

A

Updating operational program libraries should only be performed by the nominated librarian upon management authorisation
If possible, operational systems should only hold executable code
Executable code should not be implemented on an operational system until evidence of successful testing and UAT is obtained
An audit log should be maintained of all updates to operational program libraries
Previous versions of software should be retained as a contingency measure

15
Q

At what level should vendor-supplied software used in operational systems be maintained?

A

At a level supported by the supplier

16
Q

When should physical or logical access to applications be given to suppliers?

A

For support services when necessary, and with management approval

17
Q

With regards to application security, what does version control achieve?

A

It ensures recent versions of the software are not overwritten by earlier versions

18
Q

With regards to application controls, why should distribution of software be controlled?

A

So that the number of copies of software does not exceed the number of software licenses held by the organisation.

19
Q

What six things should operating procedures specify for the detailed execution of each job?

A

Processing and handling of information
Scheduling requirements, including interdependencies with other systems
Instructions for handling errors or other exceptional conditions
Support contacts in the event of unexpected difficulties
Special output handling instructions
System restart and recovery procedures in the event of system failure

20
Q

Operating procedures should also be documented for system housekeeping activities such as…

A

Computer startup and shutdown
Backup
Equipment maintenance
Computer room and mail handling management
Safety

21
Q

Each operational procedure should have an owner who is responsible for what five things?

A

Writing the original procedure
Maintaining the procedure in the light of operational needs
Ensuring its contents are circulated to relevant staff
Ensuring it is filed in the control manual
Removing the procedure when no longer required

22
Q

— — — is a way of reducing the risk of accidental or deliberate system misuse

A

Segregation of duties

23
Q

When segregation of duties is difficult due to the small size of an organisation, what should be considered?

A

Other controls such as monitoring of activities, audit trails and management supervision

24
Q

With respect to segregation of duties, the initiation of an event should be separated from its —

A

Authorisation

25
Q

It is important to segregate activities that require — in order to defraud

A

Collusion

26
Q

Other than physical separation, how can segregation of duties be enforced?

A

Access control policy and user profiles

27
Q

In a small organisation where segregation of access is difficult to achieve, how could a user with conflicting duties be handled?

A

The user could be given separate user IDs for each function. This prevents accidental breaching of job segregation.

28
Q

With respect to the segregation of development, test and operational facilities, what kind of serious problems can development and test activities cause?

A

Unwanted modification of files or system environment

System failure

29
Q

What might happen if development and test staff have access to the operational system and its information?

A

They may be able to introduce unauthorised and untested code or alter operational data.

30
Q

Give five options for the segregation of development, test and operational environments

A

  1. Development and operational software should run on different computer processors, or in different domains or directories
  2. Development and testing activities should be separated as far as possible
  3. Compilers, editors and other system utilities should not be accessible from operational systems when not required
  4. Different login procedures should be used for operational and test environments. Different passwords should be used
  5. Development staff should only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems. Passwords should be changed after use

31
Q

Why should developers’ access rights to the live environment be kept to the absolute minimum necessary for them to undertake their work?

A

Because of the nature of their knowledge, they pose a risk in the live environment even if they have a different ID to that used in the development area

32
Q

When monitoring the use of information processing facilities, what areas may need to be considered?

A

Authorised access
All privileged operations such as use of supervisor account, system startup and stop, input/output device attachment
Unauthorised access attempts
System alerts or failures
Results of monitoring activities should be reviewed regularly