
CHAPTER 23

1. The National Institute of Standards and Technology, a federal government
agency, provides information that can assist IT managers and users on current IT
topics. The Association of Computing Machinery is another IT organization that
provides information to the IT community in general. Visit the Web sites of both of
these organizations and identify five reports or information that can be beneficial
to an IT manager.
Creating a Patch and Vulnerability Management Program
Electronic File Organization Tips
Performance Measurement Guide for Information Security
Cryptographic Algorithm Validation Program
Visualizing web search results using glyphs

2. From an auditor's perspective, which network topology do you believe would be
the easiest to audit? Why? Which network topology would be the most difficult to
audit? Why?
Mesh topology is highly reliable because it provides a diverse set of
transmission routes. If one segment of the line fails, the rest of the line is
not affected. Because of its multiple transmission paths, mesh topology
also provides a high level of availability.
The bus topology is also not considered reliable. If the link fails, the entire
segment connected to that link also fails. However, if the node fails, the
rest of the network will continue to operate. The availability of network
resources using this topology depends on the Access Control Protocol
used, the length of the bus, and the transmission load. Under a light load,
availability is virtually assured, but as the load increases so also does the
chance of collisions among transmissions. The chance of collisions also
increases with greater bus length.

3. Why would audit weaknesses potentially be more serious when an organization
uses a WAN than a LAN?
An audit weakness in a WAN is potentially more serious than in a LAN
because its scope of audit is wider. An audit weakness in a WAN is more
damaging since the network is widespread. A bigger network means more
exposure to risks, and the weakness will be more difficult to detect and correct.
4. Why are virtual organizations difficult to audit in terms of assessing responsibility
and liability for control weaknesses?
A virtual organization is difficult to audit in terms of assessing
responsibility because of the complexity of the design of such an
organization. A virtual organization is complex, and managing it may
be difficult. It is difficult to comprehend technical descriptions of IT
systems as well as the specificity of responsibility of an employee.

5. If your company is considering adopting cloud computing, what steps would you take
in the preliminary assessment process? What security considerations should your
company consider?
There are four easy steps to consider in adopting cloud computing: assess
the value of cloud for your own organization; plan a simple application
deployment first, and gradually migrate to planning for enterprise systems;
adopt through learning and strategizing options; and finally optimize your
assessments, planning, deployment methods and processes and
continuously refine your strategy.
The company should consider risks in implementing cloud computing such as
network dependency, difficulty in creating hybrid systems, centralization
and data integrity/security.