CIS 349 Final Exam Guide Set 1
For more course tutorials visit
www.newtonhelp.com
1) ___________ are the components, including people, information, and conditions, that support business objectives.
2) The first step in the implementation of separation of duties is to use access controls to prevent unauthorized data access. The ultimate goal is to define access control where each user has the permissions to carry out assigned tasks and nothing else. This is known as the principle of:
3) What is meant by business drivers?
4) Which law defines national standards for all consumer reports, including background checks?
5) ___________ is the process of providing additional credentials that match the user ID or username.
6) What is meant by availability?
7) Which of the following is the definition of authorization?
8) An organization wants to determine how well it adheres to its security policy and determine if any “holes” exist. What type of analysis or assessment does it perform?
9) Which of the following is not a step to ensuring only authorized users can see confidential data in the LAN Domain?
10) Which of the following is not typically a LAN Domain component?
11) Which control is used in the LAN Domain to protect the confidentiality of data?
12) The following are LAN Domain controls except:
13) Here is a common flow a penetration tester follows to develop attacks: This step collects as much information about the target environment as possible. At this stage, the attacker is collecting both technical and nontechnical information. Both types of information can help the attacker determine how the organization operates, where it operates, and which characteristics the organization and its customers value. This is:
14) A nonintrusive penetration test ____________.
15) One particular type of network security testing simulates actions an attacker would take to attack your network. This is known as:
16) You have the least amount of control over who accesses data in the ______ Domain.
17) What is the primary type of control used to protect data in the WAN Domain?
18) What is a best practice for compliance in the WAN Domain?
19) The Remote Access Domain server components also generally reside in the ___________ environment, even though they still belong to the Remote Access Domain.
20) Which of the following is primarily a corrective control in the Remote Access Domain?
21) The most common control for protecting data privacy in untrusted environments is encryption. There are three main strategies for encrypting data to send to remote users. One strategy does not require any application intervention or changes at all. The connection with the remote user handles the encryption. The most common way to implement system connection encryption is by setting up a secure virtual private network (VPN). This is:
22) An important step in securing applications is to remove the _____________.
23) Security controls in the System/Application Domain generally fall into salient categories. The need to create backup copies of data or other strategies to protect the organization from data or functionality loss.
24) Which of the following is true of a hot site?
25) What name is given to an IIA certification that tests audit knowledge unique to the public sector?
------------------------------------------------
CIS 349 Final Exam Guide Set 2
1) Which type of access control defines permissions based on roles, or groups, and allows object owners and administrators to grant access rights at their discretion?
2) What is meant by business drivers?
3) The first step in the implementation of separation of duties is to use access controls to prevent unauthorized data access. The ultimate goal is to define access control where each user has the permissions to carry out assigned tasks and nothing else. This is known as the principle of:
4) ___________ are the components, including people, information, and conditions, that support business objectives.
5) ___________ is the process of providing additional credentials that match the user ID or username.
6) Which of the following is the definition of authorization?
7) An organization wants to determine how well it adheres to its security policy and determine if any “holes” exist. What type of analysis or assessment does it perform?
8) What is meant by availability?
9) There are two common types of monitoring tools available for monitoring LANs, __________ and network software log files.
10) Which control is used in the LAN Domain to protect the confidentiality of data?
11) Which of the following is not typically a LAN Domain component?
12) Which of the following is not a step to ensuring only authorized users can see confidential data in the LAN Domain?
13) A nonintrusive penetration test ____________.
14) What is a corrective control in the LAN-to-WAN Domain?
15) One particular type of network security testing simulates actions an attacker would take to attack your network. This is known as:
16) The __________ is a generic description for how computers use seven layers of protocol rules to communicate across a network.
17) Although __________ are not optimal for high bandwidth, large-volume network transfers, they work very well in most environments where you need to maintain connections between several other networks.
18) What is the primary type of control used to protect data in the WAN Domain?
19) The Remote Access Domain server components also generally reside in the ___________ environment, even though they still belong to the Remote Access Domain.
20) The most common control for protecting data privacy in untrusted environments is encryption. There are three main strategies for encrypting data to send to remote users. One strategy does not require any application intervention or changes at all. The connection with the remote user handles the encryption. The most common way to implement system connection encryption is by setting up a secure virtual private network (VPN). This is:
21) You want to configure devices to send an alert to the network manager when remote users connect to your network. Which protocol is the best choice for monitoring network devices?
22) Security controls in the System/Application Domain generally fall into salient categories. The need to create backup copies of data or other strategies to protect the organization from data or functionality loss.
23) From the perspective of application architectures, which of the following is generally not considered a critical application resource?
24) Which plan would address steps to take when a water main break interrupts water flow to your main office?
25) Who is responsible for verifying and testing an organization’s code of conduct?
------------------------------------------------
CIS 349 Week 2 Assignment 1 Designing Ferpa Technical
Safeguards (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
Imagine you are an Information Security consultant for a small college registrar’s office consisting of the registrar and two (2) assistant registrars, two (2) student workers, and one (1) receptionist. The office is physically located near several other office spaces. The assistant registrars utilize mobile devices over a wireless network to access student records, with the electronic student records being stored on a server located in the building. Additionally, each registrar’s office has a desktop computer that utilizes a wired network to access the server and electronic student records. The receptionist station has a desktop computer that is used to schedule appointments, but cannot access student records. In 1974, Congress enacted the Family Educational Rights and Privacy Act (FERPA) to help protect the integrity of student records. The college has hired you to ensure technical safeguards are appropriately designed to preserve the integrity of the student records maintained in the registrar’s office.
Write a three to five (3-5) page paper in which you:
Analyze proper physical access control safeguards and provide sound recommendations to be employed in the registrar’s office.
Recommend the proper audit controls to be employed in the registrar’s office.
Suggest three (3) logical access control methods to restrict unauthorized entities from accessing sensitive information, and explain why you suggested each method.
Analyze the means in which data moves within the organization and identify techniques that may be used to provide transmission security safeguards.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
------------------------------------------------
CIS 349 Week 2 Discussion
Select an organization with which you are familiar. Identify the compliance laws that you believe would be most relevant to this organization. Justify your response.
Define the scope of an IT compliance audit that would verify whether or not this organization is in compliance with the laws you identified.
------------------------------------------------
CIS 349 Week 4 Assignment 2 Organizational Risk Appetite
and Risk Assessment (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
Assignment 2: Organizational Risk Appetite and Risk Assessment
Due Week 4 and worth 100 points
Imagine that a software development company has just appointed you to lead a risk assessment project. The Chief Information Officer (CIO) of the organization has seen reports of malicious activity on the rise and has become extremely concerned with the protection of the intellectual property and highly sensitive data maintained by your organization. The CIO has asked you to prepare a short document before your team begins working. She would like for you to provide an overview of what the term “risk appetite” means and a suggested process for determining the risk appetite for the company. Also, she would like for you to provide some information about the method(s) you intend to use in performing a risk assessment.
Write a two to three (2-3) page paper in which you:
1. Analyze the term “risk appetite”. Then, suggest at least one (1) practical example in which it applies.
2. Recommend the key method(s) for determining the risk appetite of the company.
3. Describe the process of performing a risk assessment.
4. Elaborate on the approach you will use when performing the risk assessment.
5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
• Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
• Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
• Describe the components and basic requirements for creating an audit plan to support business and system considerations.
• Describe the parameters required to conduct and report on IT infrastructure audit for organizational compliance.
• Use technology and information resources to research issues in security strategy and policy formation.
• Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
------------------------------------------------
CIS 349 Week 5 Discussion
"Monitoring the User Domain" Please respond to the following:
It is common knowledge that employees are a necessary part of any business. Identify three (3) best practices in the user domain and suggest the control type(s) (technical or manual) that are best suited to monitor each best practice.
Describe how the implementation process for such controls might vary based on the business type. Determine the impact that other factors such as physical security, device type, and connectivity (wireless or wired) might have on the choices that are made.
------------------------------------------------
CIS 349 Week 6 Assignment 3 Evaluating Access Control
Methods (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
CIS 349 Week 6 Assignment 3 Evaluating Access Control Methods
Imagine you are an Information Systems Security Specialist for a medium-sized federal government contractor. The Chief Security Officer (CSO) is worried that the organization’s current methods of access control are no longer sufficient. In order to evaluate the different methods of access control, the CSO requested that you research: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). Then, prepare a report addressing positive and negative aspects of each access control method. This information will be presented to the Board of Directors at their next meeting. Further, the CSO would like your help in determining the best access control method for the organization.
Write a three to five (3-5) page paper in which you:
Explain in your own words the elements of the following methods of access control:
Mandatory access control (MAC)
Discretionary access control (DAC)
Role-based access control (RBAC)
Compare and contrast the positive and negative aspects of employing a MAC, DAC, and RBAC.
Suggest methods to mitigate the negative aspects for MAC, DAC, and RBAC.
Evaluate the use of MAC, DAC, and RBAC methods in the organization and recommend the best method for the organization. Provide a rationale for your response.
Speculate on the foreseen challenge(s) when the organization applies the method you chose. Suggest a strategy to address such challenge(s).
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
Analyze information security systems compliance requirements within the User Domain.
Use technology and information resources to research issues in security strategy and policy formation.
Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
------------------------------------------------
CIS 349 Week 6 Discussion
Many companies, large and small, have implemented Bring Your Own Device
(BYOD) policies allowing employees to use their personal smartphones and
tablets to conduct business while at work. Debate the major pros and cons of
implementing such a policy.
Identify three (3) risks that might result from implementing a BYOD policy.
Suggest a method for mitigating each risk you have identified. Provide a
rationale for your response.
------------------------------------------------
CIS 349 Week 8 Assignment 4 Designing Compliance Within
The LanToWan Domain (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
CIS 349 Week 8 Assignment 4 Designing Compliance Within The Lan-To-Wan Domain
Assignment 4: Designing Compliance within the LAN-to-WAN Domain
Note: Review the page requirements and formatting instructions for this assignment closely. Graphically depicted solutions, as well as the standardized formatting requirements, do NOT count toward the overall page length.
Imagine you are an Information Systems Security Officer for a medium-sized financial services firm that has operations in four (4) states (Virginia, Florida, Arizona, and California). Due to the highly sensitive data created, stored, and transported by your organization, the CIO is concerned with implementing proper security controls for the LAN-to-WAN domain. Specifically, the CIO is concerned with the following areas:
Protecting data privacy across the WAN
Filtering undesirable network traffic from the Internet
Filtering the traffic to the Internet that does not adhere to the organizational acceptable use policy (AUP) for the Web
Having a zone that allows access for anonymous users but aggressively controls information exchange with internal resources
Having an area designed to trap attackers in order to monitor attacker activities
Allowing a means to monitor network traffic in real time as a means to identify and block unusual activity
Hiding internal IP addresses
Allowing operating system and application patch management
The CIO has tasked you with proposing a series of hardware and software controls designed to provide security for the LAN-to-WAN domain. The CIO anticipates receiving both a written report and diagram(s) to support your recommendations.
Write a three to five (3-5) page paper in which you:
Use MS Visio or an open source equivalent to graphically depict a solution for the provided scenario that will:
filter undesirable network traffic from the Internet
filter Web traffic to the Internet that does not adhere to the organizational AUP for the Web
allow for a zone for anonymous users but aggressively controls information exchange with internal resources
allow for an area designed to trap attackers in order to monitor attacker activities
offer a means to monitor network traffic in real time as a means to identify and block unusual activity
hide internal IP addresses
Identify the fundamentals of public key infrastructure (PKI).
Describe the manner in which your solution will protect the privacy of data transmitted across the WAN.
Analyze the requirements necessary to allow for proper operating system and application patch management and describe a solution that would be effective.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Note: The graphically depicted solution is not included in the required page length.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
Include charts or diagrams created in Visio or an equivalent such as Dia or OpenOffice. The completed diagrams / charts must be imported into the Word document before the paper is submitted.
The specific course learning outcomes associated with this assignment are:
Analyze information security systems compliance requirements within the Workstation and LAN Domains.
Use technology and information resources to research issues in security strategy and policy formation.
Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
------------------------------------------------
CIS 349 Week 8 Discussion
Remote access to corporate resources is becoming commonplace. From an auditing perspective, suggest two (2) or more controls that should be in place to prevent the loss or theft of confidential information.
Give your opinion on what you believe are the essential elements of an acceptable use policy for remote access. Elaborate on each item and justify its importance.
------------------------------------------------
CIS 349 Week 9 Discussion
"Data Center Management" Please respond to the following:
Imagine you are an IT security specialist of a large organization which is opening a new data center. Recommend a minimum of three (3) controls, other than door locks, you would utilize to secure the new data center physically. Support your recommendations.
Recommend a process to govern obtaining, testing, and distributing patches for operating systems and applications within the new data center. Provide your rationale.
------------------------------------------------
CIS 349 Week 10 Discussion
"IT Auditor" Please respond to the following:
Take a position on whether or not you would want to pursue a career as an IT auditor. Explain the key reasons why or why not. Determine if you would recommend this job to your family and friends. Provide a rationale for your response.
Imagine you are working as an IT auditor. Identify the three (3) best practices you believe would be most useful when conducting audits for various businesses. Justify your choices.
------------------------------------------------
CIS 349 Week 10 Term Paper Planning An It Infrastructure
Audit For Compliance (2 Papers)
This Tutorial contains 2 Papers on the Below Mentioned Topic
CIS 349 Week 10 Term Paper Planning An It Infrastructure Audit For Compliance
Term Paper: Planning an IT Infrastructure Audit for Compliance
Due Week 10 and worth 200 points
The audit planning process directly affects the quality of the outcome. A proper plan ensures that resources are focused on the right areas and that potential problems are identified early. A successful audit first outlines what’s supposed to be achieved as well as what procedures will be followed and the required resources to carry out the procedures. Considering your current or previous organization or an organization you are familiar with, develop an IT infrastructure audit for compliance. Chapter 5 of the required textbook may be helpful in the completion of the term paper.
Write a ten to fifteen (10-15) page paper in which you:
Define the following items for an organization with which you are familiar:
Scope
Goals and objectives
Frequency of the audit
Identify the critical requirements of the audit for your chosen organization and explain why you consider them to be critical requirements.
Choose privacy laws that apply to the organization, and suggest who is responsible for privacy within the organization.
Develop a plan for assessing IT security for your chosen organization by conducting the following:
Risk management
Threat analysis
Vulnerability analysis
Risk assessment analysis
Explain how to obtain information, documentation, and resources for the audit.
Analyze how each of the seven (7) domains aligns within your chosen organization.
Develop a plan that:
Examines the existence of relevant and appropriate security policies and procedures.
Verifies the existence of controls supporting the policies.
Verifies the effective implementation and ongoing monitoring of the controls.
Identify all critical security control points that must be verified throughout the IT infrastructure, and develop a plan that includes adequate controls to meet high-level defined control objectives within this organization.
Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources.
Your assignment must follow these formatting requirements:
Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
The specific course learning outcomes associated with this assignment are:
Explain the use of standards and frameworks in a compliance audit of an IT infrastructure.
Describe the components and basic requirements for creating an audit plan to support business and system considerations.
Describe the parameters required to conduct and report on IT infrastructure audit for organizational compliance.
Analyze information security systems compliance requirements within the User Domain.
Analyze information security systems compliance requirements within the Workstation and LAN Domains.
Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework.
Explain information security systems compliance requirements within the Remote Access Domain.
Explain information security systems compliance requirements within the System / Application Domain.
Use technology and information resources to research issues in security strategy and policy formation.
Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions.
------------------------------------------------

 
Uop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 newUop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 new
 
Uop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 newUop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 new
 
Uop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 newUop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 new
 
Uop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 newUop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 new
 
Uop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 newUop cis 349 final exam guide set 1 new
Uop cis 349 final exam guide set 1 new
 
Cis 349 final exam guide set 2
Cis 349 final exam guide set 2Cis 349 final exam guide set 2
Cis 349 final exam guide set 2
 
CIS 349 Final Exam Guide Set 2
CIS 349 Final Exam Guide Set 2CIS 349 Final Exam Guide Set 2
CIS 349 Final Exam Guide Set 2
 
Cis 349 final exam guide set 2
Cis 349 final exam guide set 2Cis 349 final exam guide set 2
Cis 349 final exam guide set 2
 
Uop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 newUop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 new
 
Cis 349 final exam guide set 2 new
Cis 349 final exam guide set 2 newCis 349 final exam guide set 2 new
Cis 349 final exam guide set 2 new
 
Uop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 newUop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 new
 
Uop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 newUop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 new
 
Uop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 newUop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 new
 
Uop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 newUop cis 349 final exam guide set 2 new
Uop cis 349 final exam guide set 2 new
 

Recently uploaded

Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
MysoreMuleSoftMeetup
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Thiyagu K
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
DhatriParmar
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
vaibhavrinwa19
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
Peter Windle
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
Vivekanand Anglo Vedic Academy
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
EugeneSaldivar
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
Pavel ( NSTU)
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
Celine George
 
678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf
CarlosHernanMontoyab2
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
EverAndrsGuerraGuerr
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
Celine George
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
kaushalkr1407
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
DeeptiGupta154
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
siemaillard
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
Delapenabediema
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
Honest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptxHonest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptx
timhan337
 

Recently uploaded (20)

Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
Unit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdfUnit 2- Research Aptitude (UGC NET Paper I).pdf
Unit 2- Research Aptitude (UGC NET Paper I).pdf
 
The Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptxThe Accursed House by Émile Gaboriau.pptx
The Accursed House by Émile Gaboriau.pptx
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9  .docxAcetabularia Information For Class 9  .docx
Acetabularia Information For Class 9 .docx
 
A Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in EducationA Strategic Approach: GenAI in Education
A Strategic Approach: GenAI in Education
 
The French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free downloadThe French Revolution Class 9 Study Material pdf free download
The French Revolution Class 9 Study Material pdf free download
 
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...TESDA TM1 REVIEWER  FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
TESDA TM1 REVIEWER FOR NATIONAL ASSESSMENT WRITTEN AND ORAL QUESTIONS WITH A...
 
Synthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptxSynthetic Fiber Construction in lab .pptx
Synthetic Fiber Construction in lab .pptx
 
How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17How to Make a Field invisible in Odoo 17
How to Make a Field invisible in Odoo 17
 
678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf
 
Thesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.pptThesis Statement for students diagnonsed withADHD.ppt
Thesis Statement for students diagnonsed withADHD.ppt
 
Model Attribute Check Company Auto Property
Model Attribute  Check Company Auto PropertyModel Attribute  Check Company Auto Property
Model Attribute Check Company Auto Property
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
Overview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with MechanismOverview on Edible Vaccine: Pros & Cons with Mechanism
Overview on Edible Vaccine: Pros & Cons with Mechanism
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
The Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official PublicationThe Challenger.pdf DNHS Official Publication
The Challenger.pdf DNHS Official Publication
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
Honest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptxHonest Reviews of Tim Han LMA Course Program.pptx
Honest Reviews of Tim Han LMA Course Program.pptx
 

Cis 349 Extraordinary Success/newtonhelp.com

  • 1. CIS 349 Final Exam Guide Set 1 For more course tutorials visit www.newtonhelp.com CIS 349 Final Exam Guide Set 1 1) ___________ are the components, including people, information, and conditions, that support business objectives. 2) The first step in the implementation of separation of duties is to use access controls to prevent unauthorized data access. The ultimate goal is to define access control where each user has the permissions to carry out assigned tasks and nothing else. This is known as the principle of: 3) What is meant by business drivers?
  • 2. 4) Which law defines national standards for all consumer reports, including background checks? 5) ___________ is the process of providing additional credentials that match the user ID or username. 6) What is meant by availability? 7) Which of the following is the definition of authorization? 8) An organization wants to determine how well it adheres to its security policy and determine if any “holes” exist. What type of analysis or assessment does it perform? 9) Which of the following is not a step to ensuring only authorized users can see confidential data in the LAN Domain? 10) Which of the following is not typically a LAN Domain component? 11) Which control is used in the LAN Domain to protect the confidentiality of data? 12) The following are LAN Domain controls except: 13) Here is a common flow a penetration tester follows to develop attacks: This step collects as much information about the target environment as
  • 3. possible. At this stage, the attacker is collecting both technical and nontechnical information. Both types of information can help the attacker determine how the organization operates, where it operates, and which characteristics the organization and its customers value. This is: 14) A nonintrusive penetration test ____________. 15) One particular type of network security testing simulates actions an attacker would take to attack your network. This is known as: 16) You have the least amount of control over who accesses data in the ______ Domain. 17) What is the primary type of control used to protect data in the WAN Domain? 18) What is a best practice for compliance in the WAN Domain? 19) The Remote Access Domain server components also generally reside in the ___________ environment, even though they still belong to the Remote Access Domain.
  • 4. 20) Which of the following is primarily a corrective control in the Remote Access Domain? 21) The most common control for protecting data privacy in untrusted environments is encryption. There are three main strategies for encrypting data to send to remote users. One strategy does not require any application intervention or changes at all. The connection with the remote user handles the encryption. The most common way to implement system connection encryption is by setting up a secure virtual private network (VPN). This is: 22) An important step in securing applications is to remove the _____________. 23) Security controls in the System/Application Domain generally fall into salient categories. The need to create backup copies of data or other strategies to protect the organization from data or functionality loss. 24) Which of the following is true of a hot site? 25) What name is given to an IIA certification that tests audit knowledge unique to the public sector? ------------------------------------------------
  • 5. CIS 349 Final Exam Guide Set 2 For more course tutorials visit www.newtonhelp.com CIS 349 Final Exam Guide Set 2 1) Which type of access control defines permissions based on roles, or groups, and allows object owners and administrators to grant access rights at their discretion? 2) What is meant by business drivers? 3) The first step in the implementation of separation of duties is to use access controls to prevent unauthorized data access. The ultimate goal is to define access control where each user has the permissions to carry out assigned tasks and nothing else. This is known as the principle of: 4) ___________ are the components, including people, information, and conditions, that support business objectives. 5) ___________ is the process of providing additional credentials that match the user ID or username.
  • 6. 6) Which of the following is the definition of authorization? 7) An organization wants to determine how well it adheres to its security policy and determine if any “holes” exist. What type of analysis or assessment does it perform? 8) What is meant by availability? 9) There are two common types of monitoring tools available for monitoring LANs, __________ and network software log files. 10) Which control is used in the LAN Domain to protect the confidentiality of data? 11) Which of the following is not typically a LAN Domain component? 12) Which of the following is not a step to ensuring only authorized users can see confidential data in the LAN Domain? 13) A nonintrusive penetration test ____________. 14) What is a corrective control in the LAN-to-WAN Domain?
  • 7. 15) One particular type of network security testing simulates actions an attacker would take to attack your network. This is known as: 16) The __________ is a generic description for how computers use seven layers of protocol rules to communicate across a network. 17) Although __________ are not optimal for high bandwidth, large-volume network transfers, they work very well in most environments where you need to maintain connections between several other networks. 18) What is the primary type of control used to protect data in the WAN Domain? 19) The Remote Access Domain server components also generally reside in the ___________ environment, even though they still belong to the Remote Access Domain. 20) The most common control for protecting data privacy in untrusted environments is encryption. There are three main strategies for encrypting data to send to remote users. One strategy does not require any application intervention or changes at all. The connection with the remote user handles the encryption. The most common way to implement system connection encryption is by setting up a secure virtual private network (VPN). This is: 21) You want to configure devices to send an alert to the network manager when remote users connect to your network. Which protocol is the best choice for monitoring network devices?
  • 8. 22) Security controls in the System/Application Domain generally fall into salient categories. The need to create backup copies of data or other strategies to protect the organization from data or functionality loss. 23) From the perspective of application architectures, which of the following is generally not considered a critical application resource? 24) Which plan would address steps to take when a water main break interrupts water flow to your main office? 25) Who is responsible for verifying and testing an organization’s code of conduct? ------------------------------------------------ CIS 349 Week 2 Assignment 1 Designing Ferpa Technical Safeguards (2 Papers) For more course tutorials visit www.newtonhelp.com This Tutorial contains 2 Papers on the Below Mentioned Topic Imagine you are an Information Security consultant for a small college registrar’s office consisting of the registrar and two (2) assistant registrars,
  • 9. two (2) student workers, and one (1) receptionist. The office is physically located near several other office spaces. The assistant registrars utilize mobile devices over a wireless network to access student records, with the electronic student records being stored on a server located in the building. Additionally, each registrar’s office has a desktop computer that utilizes a wired network to access the server and electronic student records. The receptionist station has a desktop computer that is used to schedule appointments, but cannot access student records. In 1974, Congress enacted the Family Educational Rights and Privacy Act (FERPA) to help protect the integrity of student records. The college has hired you to ensure technical safeguards are appropriately designed to preserve the integrity of the student records maintained in the registrar’s office. Write a three to five (3-5) page paper in which you: Analyze proper physical access control safeguards and provide sound recommendations to be employed in the registrar’s office. Recommend the proper audit controls to be employed in the registrar’s office. Suggest three (3) logical access control methods to restrict unauthorized entities from accessing sensitive information, and explain why you suggested each method. Analyze the means in which data moves within the organization and identify techniques that may be used to provide transmission security safeguards. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources. Your assignment must follow these formatting requirements: Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
  • 10. Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length. ------------------------------------------------ CIS 349 Week 2 Discussion For more course tutorials visit www.newtonhelp.com Select an organization with which you are familiar. Identify the compliance laws that you believe would be most relevant to this organization. Justify your response. Define the scope of an IT compliance audit that would verify whether or not this organization is in compliance with the laws you identified. ------------------------------------------------ CIS 349 Week 4 Assignment 2 Organizational Risk Appetite and Risk Assessment (2 Papers) For more course tutorials visit www.newtonhelp.com
  • 11. This Tutorial contains 2 Papers on the Below Mentioned Topic Assignment 2: Organizational Risk Appetite and Risk Assessment Due Week 4 and worth 100 points Imagine that a software development company has just appointed you to lead a risk assessment project. The Chief Information Officer (CIO) of the organization has seen reports of malicious activity on the rise and has become extremely concerned with the protection of the intellectual property and highly sensitive data maintained by your organization. The CIO has asked you to prepare a short document before your team begins working. She would like for you to provide an overview of what the term “risk appetite” means and a suggested process for determining the risk appetite for the company. Also, she would like for you to provide some information about the method(s) you intend to use in performing a risk assessment. Write a two to three (2-3) page paper in which you: 1. Analyze the term “risk appetite”. Then, suggest at least one (1) practical example in which it applies. 2. Recommend the key method(s) for determining the risk appetite of the company. 3. Describe the process of performing a risk assessment. 4. Elaborate on the approach you will use when performing the risk assessment. 5. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources. Your assignment must follow these formatting requirements: Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions.
  • 12. Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length. The specific course learning outcomes associated with this assignment are: Describe the components and basic requirements for creating an audit plan to support business and system considerations. Describe the parameters required to conduct and report on IT infrastructure audit for organizational compliance. Use technology and information resources to research issues in security strategy and policy formation. Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions. ------------------------------------------------ CIS 349 Week 5 Discussion For more course tutorials visit www.newtonhelp.com "Monitoring the User Domain" Please respond to the following: It is common knowledge that employees are a necessary part of any business. Identify three (3) best practices in the user domain and suggest the control type(s) (technical or manual) that are best suited to monitor each best practice
  • 13. Describe how the implementation process for such controls might vary based on the business type. Determine the impact that other factors such as physical security, device type, and connectivity (wireless or wired) might have on the choices that are made. ------------------------------------------------ CIS 349 Week 6 Assignment 3 Evaluating Access Control Methods (2 Papers) For more course tutorials visit www.newtonhelp.com This Tutorial contains 2 Papers on the Below Mentioned Topic CIS 349 Week 6 Assignment 3 Evaluating Access Control Methods Imagine you are an Information Systems Security Specialist for a medium-sized federal government contractor. The Chief Security Officer (CSO) is worried that the organization’s current methods of access control are no longer sufficient. In order to evaluate the different methods of access control, the CSO requested that you research: mandatory access control (MAC), discretionary access control (DAC), and role-based access control (RBAC). Then, prepare a report addressing positive and negative aspects of each access control method. This information will be presented to the Board of Directors
  • 14. at their next meeting. Further, the CSO would like your help in determining the best access control method for the organization. Write a three to five (3-5) page paper in which you: Explain in your own words the elements of the following methods of access control: Compare and contrast the positive and negative aspects of employing a MAC, DAC, and RBAC. Mandatory access control (MAC) Discretionary access control (DAC) Role-based access control (RBAC) Suggest methods to mitigate the negative aspects for MAC, DAC, and RBAC. Evaluate the use of MAC, DAC, and RBAC methods in the organization and recommend the best method for the organization. Provide a rationale for your response. Speculate on the foreseen challenge(s) when the organization applies the method you chose. Suggest a strategy to address such challenge(s). Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources. Your assignment must follow these formatting requirements: Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions. Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length.
  • 15. The specific course learning outcomes associated with this assignment are: Analyze information security systems compliance requirements within the User Domain. Use technology and information resources to research issues in security strategy and policy formation. Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions. ------------------------------------------------ CIS 349 Week 6 Discussion For more course tutorials visit www.newtonhelp.com Many companies, large and small, have implemented Bring Your Own Device (BYOD) policies allowing employees to use their personal smartphones and tablets to conduct business while at work. Debate the major pros and cons of implementing such a policy. Identify three (3) risks that might result from implementing a BYOD policy. Suggest a method for mitigating each risk you have identified. Provide a rationale for your response. ------------------------------------------------ CIS 349 Week 8 Assignment 4 Designing Compliance Within The LanToWan Domain (2 Papers)
  • 16. For more course tutorials visit www.newtonhelp.com This Tutorial contains 2 Papers on the Below Mentioned Topic CIS 349 Week 8 Assignment 4 Designing Compliance Within The Lan-To-Wan Domain Assignment 4: Designing Compliance within the LAN-to-WAN Domain Note: Review the page requirements and formatting instructions for this assignment closely. Graphically depicted solutions, as well as the standardized formatting requirements, do NOT count toward the overall page length. Imagine you are an Information Systems Security Officer for a medium-sized financial services firm that has operations in four (4) states (Virginia, Florida, Arizona, and California). Due to the highly sensitive data created, stored, and transported by your organization, the CIO is concerned with implementing proper security controls for the LAN-to-WAN domain. Specifically, the CIO is concerned with the following areas: Protecting data privacy across the WAN
  • 17. Filtering undesirable network traffic from the Internet Filtering the traffic to the Internet that does not adhere to the organizational acceptable use policy (AUP) for the Web Having a zone that allows access for anonymous users but aggressively controls information exchange with internal resources Having an area designed to trap attackers in order to monitor attacker activities Allowing a means to monitor network traffic in real time as a means to identify and block unusual activity Hiding internal IP addresses Allowing operating system and application patch management The CIO has tasked you with proposing a series of hardware and software controls designed to provide security for the LAN-to-WAN domain. The CIO anticipates receiving both a written report and diagram(s) to support your recommendations. Write a three to five (3-5) page paper in which you: Use MS Visio or an open source equivalent to graphically depict a solution for the provided scenario that will: Identify the fundamentals of public key infrastructure (PKI). filter undesirable network traffic from the Internet filter Web traffic to the Internet that does not adhere to the organizational AUP for the Web allow for a zone for anonymous users but aggressively controls information exchange with internal resources
  • 18. allow for an area designed to trap attackers in order to monitor attacker activities offer a means to monitor network traffic in real time as a means to identify and block unusual activity hide internal IP addresses Describe the manner in which your solution will protect the privacy of data transmitted across the WAN. Analyze the requirements necessary to allow for proper operating system and application patch management and describe a solution that would be effective. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources. Note: The graphically depicted solution is not included in the required page length. Your assignment must follow these formatting requirements: Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions. Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length. Include charts or diagrams created in Visio or an equivalent such as Dia or OpenOffice. The completed diagrams / charts must be imported into the Word document before the paper is submitted. The specific course learning outcomes associated with this assignment are:
  • 19. Analyze information security systems compliance requirements within the Workstation and LAN Domains. Use technology and information resources to research issues in security strategy and policy formation. Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions. ------------------------------------------------ CIS 349 Week 8 Discussion Remote access to corporate resources is becoming commonplace. From an auditing perspective, suggest two (2) or more controls that should be in place to prevent the loss or theft of confidential information. Give your opinion on what you believe are the essential elements of an acceptable use policy for remote access. Elaborate on each item and justify its importance. ------------------------------------------------ CIS 349 Week 9 Discussion
  • 20. "Data Center Management" Please respond to the following: Imagine you are an IT security specialist of a large organization which is opening a new data center. Recommend a minimum of three (3) controls, other than door locks, you would utilize to secure the new data center physically. Support your recommendations. Recommend a process to govern obtaining, testing, and distributing patches for operating systems and applications within the new data center. Provide your rationale. ------------------------------------------------ CIS 349 Week 10 Discussion "IT Auditor" Please respond to the following: Take a position on whether or not you would want to pursue a career as an IT auditor. Explain the key reasons why or why not. Determine if you would recommend this job to your family and friends. Provide a rationale for your response.
  • 21. Imagine you are working as an IT auditor. Identify the three (3) best practices you believe would be most useful when conducting audits for various businesses. Justify your choices. ------------------------------------------------ CIS 349 Week 10 Term Paper Planning An IT Infrastructure Audit For Compliance (2 Papers) This Tutorial contains 2 Papers on the Below Mentioned Topic. Term Paper: Planning an IT Infrastructure Audit for Compliance. Due Week 10 and worth 200 points. The audit planning process directly affects the quality of the outcome. A proper plan ensures that resources are focused on the right areas and that potential problems are identified early. A successful audit first outlines what’s supposed to be achieved as well as what procedures will be followed and the required resources to carry out the procedures. Considering your current or
  • 22. previous organization or an organization you are familiar with, develop an IT infrastructure audit for compliance. Chapter 5 of the required textbook may be helpful in the completion of the term paper. Write a ten to fifteen (10-15) page paper in which you: Define the following items for an organization with which you are familiar: Scope; Goals and objectives; Frequency of the audit. Identify the critical requirements of the audit for your chosen organization and explain why you consider them to be critical requirements. Choose privacy laws that apply to the organization, and suggest who is responsible for privacy within the organization. Develop a plan for assessing IT security for your chosen organization by conducting the following: Risk management
  • 23. Threat analysis; Vulnerability analysis; Risk assessment analysis. Explain how to obtain information, documentation, and resources for the audit. Analyze how each of the seven (7) domains aligns within your chosen organization. Develop a plan that: Examines the existence of relevant and appropriate security policies and procedures. Verifies the existence of controls supporting the policies. Verifies the effective implementation and ongoing monitoring of the controls.
  • 24. Identify all critical security control points that must be verified throughout the IT infrastructure, and develop a plan that includes adequate controls to meet high-level defined control objectives within this organization. Use at least three (3) quality resources in this assignment. Note: Wikipedia and similar Websites do not qualify as quality resources. Your assignment must follow these formatting requirements: Be typed, double spaced, using Times New Roman font (size 12), with one-inch margins on all sides; citations and references must follow APA or school-specific format. Check with your professor for any additional instructions. Include a cover page containing the title of the assignment, the student’s name, the professor’s name, the course title, and the date. The cover page and the reference page are not included in the required assignment page length. The specific course learning outcomes associated with this assignment are: Explain the use of standards and frameworks in a compliance audit of an IT infrastructure. Describe the components and basic requirements for creating an audit plan to support business and system considerations.
  • 25. Describe the parameters required to conduct and report on IT infrastructure audit for organizational compliance. Analyze information security systems compliance requirements within the User Domain. Analyze information security systems compliance requirements within the Workstation and LAN Domains. Design and implement ISS compliance within the LAN-to-WAN and WAN domains with an appropriate framework. Explain information security systems compliance requirements within the Remote Access Domain. Explain information security systems compliance requirements within the System / Application Domain. Use technology and information resources to research issues in security strategy and policy formation. Write clearly and concisely about topics related to information technology audit and control using proper writing mechanics and technical style conventions. ------------------------------------------------