1. This is a closed-book, closed-notes quiz. No reference material (including assignments and labs) will be permitted for use during the quiz session. 2. The quiz contains the following types of questions:
* Short essay type
3. Place your answers in the space immediately following each question.
1. Define an SLA and state why it is required in a risk adverse organization. A SLA is a service level agreement, which is a contract between the ISP and the company. A SLA gives the company an idea of how much time they will be without services, should something happen with the ISP. A SLA is important to a company in making recovery plans, knowing what critical systems need to be available for a continuance of business and formulation of disaster recovery.
2. Using the user domain, define risks associated with users and explain what can be done to mitigate them. The user domain has several risk’s involved, as people are involved and there is no way employees can be monitored without the use of CCTV. Social engineering a person trying to obtain information through malicious means. The greatest tool in mitigating risk in the user domain is training and reminders for users to be aware of their surroundings. No acceptable user’s policy, AUP, or lack of training employees on the correct usage of the network. User accounts left active, if the employee is terminated, and another employee has the log on credentials. Mitigation would to be disabling all user accounts upon termination. .
3. Using the workstation domain, define risks associated within that domain and explain what can be done to reduce risks in that domain.
The use of USB’s or disk, the files could contain viruses and infect other files or applications on the network. No acceptable user’s policy, AUP, or
lack of training employees on the correct usage of the network. The users staying signed into their accounts when leaving their desk. Session timeout would help with this risk, but training and follow up with need to be done as well.
4. List four compliance laws or regulations or mandates, and explain them. HIPAA- covers all healthcare industries and states all patient information must be encrypted in storage, transmissions, and restrictions on access to the information.
SOX- cover all publically traded companies and require auditing of the accounting procedures of the business. The reports required by SOX are reported to the SEC. Access to the financial information is restricted and based on need to know.
FISMA- covers government agencies and is to ensure all assets of the government are protected. Assets like information, operations and actual machinery are protected from hackers or internal threats. Guidelines to develop a security guideline for government agencies, requires regular audits.
CIPA-Child Internet Protection Act- covers federally funded entities’ than provide internet services to individuals, schools and libraries. The Act requires content filters to be used to prevent children from being exposed to harmful content, pornography and illicit sites on the internet.
5. Define risk with a formula. Explain what each variable means. Risk= Threat x Vulnerability- Threat is any compromise in the network that can be used for malicious behavior, an example worm, or Trojan horse. Vulnerability- is a weakness in the software or OS of a network that can be exploited for malicious intent. The two multiplied equals a risk to the information, assets or intellectual property of a business.