For more course tutorials visit
www.newtonhelp.com
CIS 349 Imagine Your Future/newtonhelp.com
CIS 349 Final Exam Guide Set 1
1) ___________ are the components, including people, information, and conditions, that support business objectives.
2) The first step in the implementation of separation of duties is to use access controls to prevent unauthorized data access. The ultimate goal is to define access control where each user has the permissions to carry out assigned tasks and nothing else. This is known as the principle of:
3) What is meant by business drivers?
4) Which law defines national standards for all consumer reports, including background checks?
5) ___________ is the process of providing additional credentials that match the user ID or username.
6) What is meant by availability?
7) Which of the following is the definition of authorization?
8) An organization wants to determine how well it adheres to its security policy and determine if any “holes” exist. What type of analysis or assessment does it perform?
9) Which of the following is not a step to ensuring only authorized users can see confidential data in the LAN Domain?
10) Which of the following is not typically a LAN Domain component?
11) Which control is used in the LAN Domain to protect the confidentiality of data?
12) The following are LAN Domain controls except:
13) Here is a common flow a penetration tester follows to develop attacks: This step collects as much information about the target environment as possible. At this stage, the attacker is collecting both technical and nontechnical information. Both types of information can help the attacker determine how the organization operates, where it operates, and which characteristics the organization and its customers value. This is:
14) A nonintrusive penetration test ____________.
15) One particular type of network security testing simulates actions an attacker would take to attack your network. This is known as:
16) You have the least amount of control over who accesses data in the ______ Domain.
17) What is the primary type of control used to protect data in the WAN Domain?
18) What is a best practice for compliance in the WAN Domain?
19) The Remote Access Domain server components also generally reside in the ___________ environment, even though they still belong to the Remote Access Domain.
20) Which of the following is primarily a corrective control in the Remote Access Domain?
21) The most common control for protecting data privacy in untrusted environments is encryption. There are three main strategies for encrypting data to send to remote users. One strategy does not require any application intervention or changes at all. The connection with the remote user handles the encryption. The most common way to implement system connection encryption is by setting up a secure virtual private network (VPN). This is:
22) An important step in securing applications is to remove the _____________.
23) Security controls in the System/Application Domain generally fall into salient categories. The need to create backup copies of data or other strategies to protect the organization from data or functionality loss.
24) Which of the following is true of a hot site?
25) What name is given to an IIA certification that tests audit knowledge unique to the public sector?
=====================================
CIS 349 Final Exam Guide Set 2
1) Which type of access control defines permissions based on roles, or groups, and allows object owners and administrators to grant access rights at their discretion?
2) What is meant by business drivers?
3) The first step in the implementation of separation of duties is to use access controls to prevent unauthorized data access. The ultimate goal is to define access control where each user has the permissions to carry out assigned tasks and nothing else. This is known as the principle of:
4) ___________ are the components, including people, information, and conditions, that support business objectives.
5) ___________ is the process of providing additional credentials that match the user ID or username.
6) Which of the following is the definition of authorization?
7) An organization wants to determine how well it adheres to its security policy and determine if any “holes” exist. What type of analysis or assessment does it perform?
8) What is meant by availability?
9) There are two common types of monitoring tools available for monitoring LANs, __________ and network software log files.
10) Which control is used in the LAN Domain to protect the confidentiality of data?
11) Which of the following is not typically a LAN Domain component?
12) Which of the following is not a step to ensuring only authorized users can see confidential data in the LAN Domain?
13) A nonintrusive penetration test ____________.
14) What is a corrective control in the LAN-to-WAN Domain?
15) One particular type of network security testing simulates actions an attacker would take to attack your network. This is known as:
16) The __________ is a generic description for how computers use seven layers of protocol rules to communicate across a network.
17) Although __________ are not optimal for high bandwidth, large-volume network transfers, they work very well in most environments where you need to maintain connections between several other networks.
18) What is the primary type of control used to protect data in the WAN Domain?
19) The Remote Access Domain server components also generally reside in the ___________ environment, even though they still belong to the Remote Access Domain.
20) The most common control for protecting data privacy in untrusted environments is encryption. There are three main strategies for encrypting data to send to remote users. One strategy does not require any application intervention or changes at all. The connection with the remote user handles the encryption. The most common way to implement system connection encryption is by setting up a secure virtual private network (VPN). This is:
21) You want to configure devices to send an alert to the network manager when remote users connect to your network. Which protocol is the best choice for monitoring network devices?
22) Security controls in the System/Application Domain generally fall into salient categories. The need to create backup copies of data or other strategies to protect the organization from data or functionality loss.
23) From the perspective of application architectures, which of the following is generally not considered a critical application resource?
24) Which plan would address steps to take when a water main break interrupts water flow to your main office?
25) Who is responsible for verifying and testing an organization’s code of conduct?
====================================
CIS 349 Week 2 Assignment 1 Designing Ferpa Technical Safeguards (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
Imagine you are an Information Security consultant for a small college registrar’s office consisting of the registrar and two (2) assistant registrars, two (2) student workers, and one (1) receptionist. The office is physically located near several other office spaces. The assistant registrars utilize mobile devices over a wireless network to access student records, with the electronic student records being stored on a server located in the building. Additionally, each registrar’s office has a desktop computer that utilizes a wired network to access the server and electronic student records. The receptionist station has a desktop computer that is used to schedule appointments, but cannot access student records.
In 1974, Congress enacted the Family Educational Rights and Privacy Act (FERPA) to help protect the integrity of student records. The college has hired you to ensure technical safeguards are appropriately designed to preserve the integrity of the student records maintained in the registrar’s office.
Write a three to five (3-5) page paper in which you:
Analyze proper physical access control safeguards and provide sound recommendations to be employed in the registrar’s office.
Recommend the proper audit controls to be employed in the registrar’s office.
Suggest three (3) logical access control methods to restrict unauthorized entities from accessing sensitive information, and explain why you suggested each method.
Analyze the means in which data moves within the organization and identify techniques that may be used to provide transmission security safeguards.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
=====================================
CIS 349 Week 2 Discussion
Select an organization with which you are familiar. Identify the compliance laws that you believe would be most relevant to this organization. Justify your response.
Define the scope of an IT compliance audit that would verify whether or not this organization is in compliance with the laws you identified.
=====================================
CIS 349 Week 4 Assignment 2 Organizational Risk Appetite and Risk Assessment (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
Assignment 2: Organizational Risk Appetite and Risk Assessment
Due Week 4 and worth 100 points
Imagine that a software development company has just appointed you to lead a risk assessment project. The Chief Information Officer (CIO) of the organization has seen reports of malicious activity on the rise and has become extremely concerned with the protection of the intellectual property and highly sensitive data maintained by your organization. The CIO has asked you to prepare a short document before your team begins working. She would like for you to provide an overview of what the term “risk appetite” means and a suggested process for determining the risk appetite for the company. Also, she would like for you to provide some information about the method(s) you intend to use in performing a risk assessment.
Write a two to three (2-3) page paper in which you:
1. Analyze the term “risk appetite”. Then, suggest at least one (1) practical example in which it applies.
2. Recommend the key method(s) for determining the risk appetite of the company.
3. Describe the process of performing a risk assessment.
4. Elaborate on the approach you will use when performing the risk assessment.
5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
• Describe the components and basic requirements for creating an audit plan to support business and system considerations.
• Describe the parameters required to conduct and report on IT infrastructure audit for organizational compliance.
• Use technology and information resources to research issues in security strategy and policy formation.
• Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
=====================================
CIS 349 Week 5 Discussion
"Monitoring the User Domain" Please respond to the following:
It is common knowledge that employees are a necessary part of any business. Identify three (3) best practices in the user domain and suggest the control type(s) (technical or manual) that are best suited to monitor each best practice.
Describe how the implementation process for such controls might vary based on the business type. Determine the impact that other factors such as physical security, device type, and connectivity (wireless or wired) might have on the choices that are made.
=====================================
CIS 349 Week 6 Assignment 3 Evaluating Access Control Methods (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
CIS 349 Week 6 Assignment 3 Evaluating Access Control Methods
Imagine you are an Information Systems Security Specialist for a medium-sized federal government contractor. The Chief Security Officer (CSO) is worried that the organization’s current methods of access control are no longer sufficient. In order to evaluate the different methods of access control, the CSO requested that you research: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). Then, prepare a report addressing positive and negative aspects of each access control method. This information will be presented to the Board of Directors at their next meeting. Further, the CSO would like your help in determining the best access control method for the organization.
Write a three to five (3-5) page paper in which you:
Explain in your own words the elements of the following methods of access control:
Mandatory access control (MAC)
Discretionary access control (DAC)
Role-based access control (RBAC)
Compare and contrast the positive and negative aspects of employing a MAC, DAC, and RBAC.
Suggest methods to mitigate the negative aspects for MAC, DAC, and RBAC.
Evaluate the use of MAC, DAC, and RBAC methods in the organization and recommend the best method for the organization. Provide a rationale for your response.
Speculate on the foreseen challenge(s) when the organization applies the method you chose. Suggest a strategy to address such challenge(s).
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
Analyze information security systems compliance requirements within the User Domain.
Use technology and information resources to research issues in security strategy and policy formation.
Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
=====================================
CIS 349 Week 6 Discussion
Many companies, large and small, have implemented Bring Your Own Device (BYOD) policies allowing employees to use their personal smartphones and tablets to conduct business while at work. Debate the major pros and cons of implementing such a policy.
Identify three (3) risks that might result from implementing a BYOD policy. Suggest a method for mitigating each risk you have identified. Provide a rationale for your response.
=====================================
CIS 349 Week 8 Assignment 4 Designing Compliance Within The LanToWan Domain (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
CIS 349 Week 8 Assignment 4 Designing Compliance Within The Lan-To-Wan Domain
Assignment 4: Designing Compliance within the LAN-to-WAN Domain
Note: Review the page requirements and formatting instructions for this assignment closely. Graphically depicted solutions, as well as the standardized formatting requirements, do NOT count toward the overall page length.
Imagine you are an Information Systems Security Officer for a medium-sized financial services firm that has operations in four (4) states (Virginia, Florida, Arizona, and California). Due to the highly sensitive data created, stored, and transported by your organization, the CIO is concerned with implementing proper security controls for the LAN-to-WAN domain. Specifically, the CIO is concerned with the following areas:
Protecting data privacy across the WAN
Filtering undesirable network traffic from the Internet
Filtering the traffic to the Internet that does not adhere to the organizational acceptable use policy (AUP) for the Web
Having a zone that allows access for anonymous users but aggressively controls information exchange with internal resources
Having an area designed to trap attackers in order to monitor attacker activities
Allowing a means to monitor network traffic in real time as a means to identify and block unusual activity
Hiding internal IP addresses
Allowing operating system and application patch management
The CIO has tasked you with proposing a series of hardware and software controls designed to provide security for the LAN-to-WAN domain. The CIO anticipates receiving both a written report and diagram(s) to support your recommendations.
Write a three to five (3-5) page paper in which you:
Use MS Visio or an open source equivalent to graphically depict a solution for the provided scenario that will:
Identify the fundamentals of public key infrastructure (PKI).
filter undesirable network traffic from the Internet
filter Web traffic to the Internet that does not adhere to the organizational AUP for the Web
allow for a zone for anonymous users but aggressively controls information exchange with internal resources
allow for an area designed to trap attackers in order to monitor attacker activities
offer a means to monitor network traffic in real time as a means to identify and block unusual activity
hide internal IP addresses
Describe the manner in which your solution will protect the privacy of data transmitted across the WAN.
Analyze the requirements necessary to allow for proper operating system and application patch management and describe a solution that would be effective.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Note: The graphically depicted solution is not included in the required page length.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
Include charts or diagrams created in Visio or an equivalent such as Dia or OpenOffice. The completed diagrams / charts must be imported into the Word document before the paper is submitted.
The specific course learning outcomes associated with this assignment are:
Analyze information security systems compliance requirements within the Workstation and LAN Domains.
Use technology and information resources to research issues in security strategy and policy formation.
Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
=====================================
CIS 349 Week 8 Discussion
Remote access to corporate resources is becoming commonplace. From an auditing perspective, suggest two (2) or more controls that should be in place to prevent the loss or theft of confidential information.
Give your opinion on what you believe are the essential elements of an acceptable use policy for remote access. Elaborate on each item and justify its importance.
=====================================
CIS 349 Week 9 Discussion
"Data Center Management" Please respond to the following:
Imagine you are an IT security specialist of a large organization which is opening a new data center. Recommend a minimum of three (3) controls, other than door locks, you would utilize to secure the new data center physically. Support your recommendations.
Recommend a process to govern obtaining, testing, and distributing patches for operating systems and applications within the new data center. Provide your rationale.
=====================================
CIS 349 Week 10 Discussion
"IT Auditor" Please respond to the following:
Take a position on whether or not you would want to pursue a career as an IT auditor. Explain the key reasons why or why not. Determine if you would recommend this job to your family and friends. Provide a rationale for your response.
Imagine you are working as an IT auditor. Identify the three (3) best practices you believe would be most useful when conducting audits for various businesses. Justify your choices.
=====================================
CIS 349 Week 10 Term Paper Planning An It Infrastructure Audit For Compliance (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
CIS 349 Week 10 Term Paper Planning An It Infrastructure Audit For Compliance
Term Paper: Planning an IT Infrastructure Audit for Compliance
Due Week 10 and worth 200 points
The audit planning process directly affects the quality of the outcome. A proper plan ensures that resources are focused on the right areas and that potential problems are identified early. A successful audit first outlines what’s supposed to be achieved as well as what procedures will be followed and the required resources to carry out the procedures. Considering your current or previous organization or an organization you are familiar with, develop an IT infrastructure audit for compliance. Chapter 5 of the required textbook may be helpful in the completion of the term paper.
Write a ten to fifteen (10-15) page paper in which you:
Define the following items for an organization with which you are familiar:
Scope
Goals and objectives
Frequency of the audit
Identify the critical requirements of the audit for your chosen organization and explain why you consider them to be critical requirements.
Choose privacy laws that apply to the organization, and suggest who is responsible for privacy within the organization.
Develop a plan for assessing IT security for your chosen organization by conducting the following:
Risk management
Threat analysis
Vulnerability analysis
Risk assessment analysis
Explain how to obtain information, documentation, and resources for the audit.
Analyze how each of the seven (7) domains aligns within your chosen organization.
Develop a plan that:
Examines the existence of relevant and appropriate security policies and procedures.
Verifies the existence of controls supporting the policies.
Verifies the effective implementation and ongoing monitoring of the controls.
Identify all critical security control points that must be verified throughout the IT infrastructure, and develop a plan that includes adequate controls to meet high-level defined control objectives within this organization.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
Explain the use of standards and frameworks in a compliance audit of an IT infrastructure.
Describe the components and basic requirements for creating an audit plan to support business and system considerations.
Describe the parameters required to conduct and report on IT infrastructure audit for organizational compliance.
Analyze information security systems compliance requirements within the User Domain.
Analyze information security systems compliance requirements within the Workstation and LAN Domains.
Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework.
Explain information security systems compliance requirements within the Remote Access Domain.
Explain information security systems compliance requirements within the System / Application Domain.
Use technology and information resources to research issues in security strategy and policy formation.
Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.