
Support Services II

June Test Memo

MARKS: 120 DATE: 20 JUNE 2012

TIME: 3 hours PAGES: 10

PLEASE NOTE

1. Answer all questions in the spaces provided in this question paper.
2. Write your student number, surname and first name in the spaces below.
3. Write neatly - untidy writing will not be marked.
4. Write using pen only.

Student No: ____________    Name: ____________________ (Format: Surname, First Name)

FOR LECTURER'S USE ONLY

QUESTION   MARKS
1          15
2          5
3          5
4          10
5          15
6          10
7          15
8          15
9          15
10         15

TOTAL: 120

MARK (%):

DO NOT TURN THE PAGE BEFORE TOLD TO DO SO


Q1: Definitions [15]
Match the following terms with the most correct definitions as provided in the table.

Term                               Answer
1.1  Accountability                C
1.2  Authentication                J
1.3  Authorization                 G
1.4  Availability                  D
1.5  Confidentiality               H
1.6  Identification                M
1.7  Integrity                     K
1.8  Privacy                       A
1.9  Policy                        O
1.10 Threat                        N
1.11 Attack                        B
1.12 Vulnerability                 F
1.13 Information security policy   L
1.14 Control                       I
1.15 Exploit                       E

Definitions
A. Information is intended only for the purposes stated by the data owner at the time it was collected.
B. An act or event that exploits a vulnerability.
C. Every activity involving the information can be attributed to a named person or automated process.
D. Enables user access to information in a usable format without interference or obstruction.
E. A technique used to compromise a system.
F. An identified weakness of a controlled information asset as a result of absent or inadequate controls.
G. Assures that the user has been specifically and explicitly permitted by the proper authority to access, update or delete the contents of an information asset.
H. Only those with sufficient rights may access certain information.
I. A security mechanism, policy, or procedure that can counter system attack, reduce risks, limit losses and resolve vulnerabilities.
J. Validation that the claimed identity of a person or entity requesting authorized access is indeed who he/she/it claims to be.
K. The quality or state of being whole, complete and uncorrupted.
L. A set of rules for the protection of information assets of an organization.
M. The ability of an information system to recognize individual users.
N. A category of objects, persons or other entities that represent a constant danger to an asset.
O. The set of organizational guidelines that dictates certain behavior within the organization.

Q2: True/False [5]
Indicate whether the statement is true or false.

T 1. A manager has many roles to play including informational, interpersonal, and decisional.

F 2. When an incident takes place, the disaster recovery plan (DRP) is invoked before the incident response plan (IRP).

F 3. Strategic planning has a more short-term focus than tactical planning.

T 4. A quality information security program begins and ends with policy.

F 5. The Brewer-Nash model is commonly known as a Japanese wall.

Q3: Multiple Choice [5]
Identify the choice that best completes the statement or answers the question.

A 1. ____ leaders reserve all decision-making responsibilities for themselves.
   A. Autocratic      C. Laissez-faire
   B. Democratic      D. Diplomatic

D 2. A(n) ____ approach to security implementation is frequently referred to as a grass-roots effort.
   A. SDLC            C. Top-down
   B. SecSDLC         D. Bottom-up

B 3. A standard is built from a ____.
   A. Practice        C. Procedure
   B. Policy          D. Guideline

A 4. An Automated Teller Machine (ATM) is an example of a ____.
   A. Constrained user interface          C. Temporal isolation
   B. Content-dependent access control    D. None of these

B 5. ____ helps organizations comply with critical regulations.
   A. COBIT           C. NIST
   B. COSO            D. ISO

Q4: Short Questions (Chapter 1) [10]
Answer each question briefly.

1. Information security aims to protect three critical characteristics of information. List these three characteristics. [3]

1. Confidentiality
2. Integrity
3. Availability

2. List the three stages during which information should be protected. [3]

1. Storage
2. Transmission
3. Processing

3. The principles of information security management are known as the six Ps. List
any four of these principles. [4]

1. Policy / Planning
2. Programs / Project Management
3. People
4. Protection

Q5: Short Questions (Chapter 2) [15]
Answer each question briefly.

1. List the three levels of management/planning that are present within a typical organization. [3]

1. Strategic
2. Tactical
3. Operational

2. Given the definitions below, list the three statements within which the overall business strategy is normally captured. [3]

1. Expresses what the organization wants to become: Vision
2. Expresses what the organization is, does and for whom: Mission
3. Makes an organization's conduct standards clear: Values

TURN THE PAGE


3. Information security governance aims to achieve numerous outcomes. List three of these outcomes. [3]

1. Value delivery / Risk management
2. Strategic alignment / Resource management
3. Performance measurement

4. List, in order, the six stages of the SecSDLC. [6]

1. Investigation
2. Analysis
3. Logical design
4. Physical design
5. Implementation
6. Maintenance

Q6: Short Questions (Chapter 3) [10]
Answer each question briefly.

1. List the four components of contingency planning. [4]

1. Business Continuity (BC): enables a business to continue operations at an alternative site.
2. Disaster Recovery (DR): focuses on restoring operations at the primary site.
3. Business Impact Analysis (BIA): helps organizations determine which business functions and information systems are the most critical to the success of the organization.
4. Incident Response (IR): focuses on immediate response to an incident.

2. A number of indicators signal the presence of an information security incident. List the three broad categories/types of indicators that exist. [3]

1. Possible
2. Probable
3. Definite

3. List three options available to protect an organization's information and to get its operations up and running quickly in the event of a disaster. [3]

1. Electronic vaulting
2. Database shadowing
3. Remote journaling

Q7: Short Questions (Chapter 4) [15]
Answer each question briefly.

1. What three basic rules should be followed when shaping a policy? [3]

1. Should never conflict with the law
2. Must be able to stand up in court
3. Must be properly supported and administered

2. List the three main types of policies found within a typical organization. (Do not use abbreviations!) [3]

1. Enterprise information security policy (EISP): sets strategic direction, scope and tone for all of an organization's security efforts.
2. Issue-Specific Security Policy (ISSP): provides detailed and targeted guidance in the use of a process, technology, or system used by an organization.
3. Systems-Specific Policy (SysSP): often functions as standards or procedures to be used when configuring and maintaining systems.

3. List four ways in which policies may be distributed to employees within an organization. [4]

1. Hard-copy / Intranet site
2. Posting in public location / Document management system
3. Bulletin boards / Log-on notice
4. Email / Distribution software

4. List any five criteria policies must adhere to in order to be effective. [5]

1. Must be developed using industry standards or best practices
2. Must be agreed-to by employees
3. Must be understood by all employees
4. Must be reviewed and read by all employees
5. Must be applied and enforced / Must be distributed or disseminated



Q8: Short Questions (Chapter 5) [15]
Answer each question briefly.

1. List the three components of a SETA program. [3]

1. Security education
2. Security training
3. Security awareness

2. List the three benefits of a SETA program. [3]

1. Improve employee behavior
2. Inform employees about where to report violations to policy
3. Enable organizations to hold employees accountable for their actions

3. Explain what trinkets are within a SETA program. [1]

Trinkets are everyday items with specialized security messages printed on them.

4. List any three items that are commonly used as trinkets. [3]

1. Pens and pencils / T-shirts
2. Mouse pads / Hats
3. Coffee mugs / Plastic cups

5. Beyond trinkets, there are many other methods/ways by which you could raise awareness of information security. List any five other methods. [5]

1. Posters and banners / Videos
2. Newsletters
3. Bulletin boards
4. Computer-based training / Lectures and conferences
5. Brochures and flyers



Q9: Short Questions (Chapter 6) [15]
Answer each question briefly.

1. List the three key principles upon which access control is built. [3]

1. Least privilege
2. Need to know
3. Separation of duties

2. Match the following models with the most correct definitions as provided in the table below. [5]

Model                 Answer
2.1 Bell-LaPadula     E
2.2 Clark-Wilson      A
2.3 Graham-Denning    B
2.4 Biba              D
2.5 Brewer Nash       C

Definitions
A. Built upon principles of change control.
B. An access control model with 3 parts: a set of objects; a set of subjects; and a set of rights.
C. Designed to prevent a conflict of interest between 2 parties.
D. Based on the premise that higher levels of integrity are more worthy of trust than lower ones.
E. A state machine model that helps ensure the confidentiality of an information system by means of MACs, data classification and security clearances.

3. What are three notable advantages of NIST documents over other sources of security information? [3]

1. Publicly available at no charge
2. Have been available for some time
3. Have been reviewed by government and industry professionals

4. For each of the four security controls, indicate whether it is managerial, operational or technical according to the NIST scheme. [4]

1. Policies: Managerial
2. Data backups: Technical
3. Gates, fences and guards: Operational
4. Disaster recovery plan: Managerial



Q10: Project Management Techniques [15]
Answer each of the questions that follow using the project management tool below.

Activity  Description                                              Estimated duration (days)  Predecessor
A         Evaluate current technology platform                     1                          None
B         Define user requirements                                 6                          None
C         Design Web page layouts                                  3                          A, B
D         Set-up server                                            2                          B
E         Estimate Web traffic                                     1                          B
F         Test Web pages and links                                 5                          C, D
G         Move Web pages to production environment                 2                          D, E
H         Write announcement of intranet for corporate newsletter  5                          F, G
I         Train users                                              2                          H

1. What is the name of this kind of project management tool? [1]

Work Breakdown Structure (WBS)

2. Complete the Gantt chart for the above scenario using the template provided. [13]

Assume the project will start on Tuesday, 12th March 2013 and that no work is carried out on weekends and public holidays.

You therefore need to take the following public holidays into consideration:

Human Rights Day (21st March),
Good Friday (29th March),
Family Day (1st April).

3. On what day is this project planned to finish? [1]

12 April 2013
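One way to arrive at the finish date mechanically, as an added example that is not part of the original memo: a forward pass over the activity table above, using a working-day calendar that skips weekends and the three listed public holidays. The function names and the dictionary layout are my own; the durations, predecessors, start date and holidays are those given in the question.

```python
from datetime import date, timedelta

# Activity table from the question: name -> (duration in working days, predecessors).
ACTIVITIES = {
    "A": (1, []),         "B": (6, []),
    "C": (3, ["A", "B"]), "D": (2, ["B"]),
    "E": (1, ["B"]),      "F": (5, ["C", "D"]),
    "G": (2, ["D", "E"]), "H": (5, ["F", "G"]),
    "I": (2, ["H"]),
}
START = date(2013, 3, 12)  # Tuesday, 12th March 2013 (from the question)
HOLIDAYS = {date(2013, 3, 21), date(2013, 3, 29), date(2013, 4, 1)}


def is_working_day(day, holidays=HOLIDAYS):
    """Monday to Friday and not a public holiday."""
    return day.weekday() < 5 and day not in holidays


def next_working_day(day, holidays=HOLIDAYS):
    """First working day on or after `day`."""
    while not is_working_day(day, holidays):
        day += timedelta(days=1)
    return day


def add_working_days(day, n, holidays=HOLIDAYS):
    """Advance `day` by n further working days (`day` itself is day 0)."""
    for _ in range(n):
        day = next_working_day(day + timedelta(days=1), holidays)
    return day


def schedule(activities=ACTIVITIES, start=START, holidays=HOLIDAYS):
    """Forward pass: each activity starts on the first working day after its
    latest predecessor finishes. Returns name -> (first day, last day)."""
    done = {}
    while len(done) < len(activities):
        progressed = False
        for name, (dur, preds) in activities.items():
            if name in done or any(p not in done for p in preds):
                continue
            earliest = max(done[p][1] for p in preds) + timedelta(days=1) if preds else start
            first = next_working_day(earliest, holidays)
            done[name] = (first, add_working_days(first, dur - 1, holidays))
            progressed = True
        if not progressed:
            raise ValueError("predecessor cycle or unknown activity")
    return done


def project_finish(activities=ACTIVITIES, start=START, holidays=HOLIDAYS):
    """Last working day of the whole project (end of the longest path)."""
    return max(last for _, last in schedule(activities, start, holidays).values())
```

The longest path is B, C, F, H, I (21 working days); with the two Easter-period holidays and Human Rights Day skipped, day 21 lands on Friday 12 April 2013, matching the memo.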

TOTAL MARKS: 120
