
UGANDA CHRISTIAN UNIVERSITY

FACULTY OF SCIENCE AND TECHNOLOGY


BACHELOR OF SCIENCE IN COMPUTER SCIENCE
AND
BACHELOR OF SCIENCE IN INFORMATION TECHNOLOGY
THIRD YEAR SEPTEMBER SEMESTER EXAMINATION
IN
INFORMATION SECURITY

Date: December 2011

Time: 3 hrs

Instructions:
Answer all questions in section A and any four in section B.

SECTION A (40 marks)
1. Explain what you understand by the following
(a) Trojan
(b) Spoofing
(c) Risk appetite
(d) Business Impact Analysis
(e) Annual loss expectancy

(2 each)

2. What is a bastion host? List three common characteristics of a bastion host.

(8)

3. With respect to Information Security, distinguish between

(a) ethics and laws
(b) a policy and law
(c) detective control and preventive control
(d) subject and object of an attack

(3 each)

4. What are fourth generation firewalls? How do they differ from fifth generation firewalls?

(6)

5. A biometric system can be beaten. True or false? If true, give two scenarios where this is possible.
(4)


SECTION B (60 marks)


Question 1
a) Mitigation is a risk control strategy. What is the objective of this control strategy and outline some
rules of thumb for choosing this strategy.
(6)
b) Identify and explain the three (3) types of plans needed for risk mitigation
(9)

Question 2
a) Identify the five (5) stages involved during the development of an information systems security
plan. Describe the three (3) most important steps in detail. What steps would you take in
responding to a security breach?
(10)
b) What is meant by denial of service attack? Describe a scenario that occurs in such an attack. (5)

Question 3
a) Write short notes on the following:
(i) Benchmarking
(ii) Baselining
(iii) Defence-in-depth
(iv) Security perimeter
(v) Traps
(5)
b) What factors need to be considered when selecting a firewall for an organization?
(5)
c) What are the four (4) risk identification estimate factors? How are they related?
(5)

Question 4
a) What are the major steps in executing a project plan for Information security?
(3)
b) What is the importance of application level testing during an Information security audit?
(5)
c) How does SETA (Security Education Training and Awareness) enhance security within an
organization?
(7)

Question 5
a) Hot sites, warm sites and cold sites are three major options while planning for business continuity.
Briefly describe how each one of these options is used.
(9)
b) In order for an organization to get the sites mentioned above up and running quickly, the
organization must have the ability to port the data into the new site systems. Describe three
ways in which an organization can port its data into the new site's systems.
(6)

Question 6
a) Why are policies difficult to shape?
(3)
b) What do ACL policies regulate?
(3)
c) Describe the primary functions of the components of contingency planning.
(9)
