Information Security & Audit

1. What is information security and how is it achieved?

Information security means protecting information and information systems from unauthorized
access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction

Physical security - to protect the physical items, objects, or areas of an organization from
unauthorized access and misuse.

Personal security to protect the individual or group of individuals who are authorized to access
the organization and its operations.

Operations security to protect the details of a particular operation or series of activities.

Communications security to protect an organizations communications media, technology, and

content.

Network security to protect networking components, connections, and contents

2. What are the core principles of information security?

Security Principles
The definition of security principles is an important first step in security policy
development as they dictate the specific type and nature of security policies most
applicable to ones environment. Security principles are used to define a foundation upon
which security policies can be further defined. Organizations should evaluate and review these
security principles before and after the development and elaboration of security policies. This
will ensure that managements expectations for security and fundamental business
requirements are satisfied during the development and management of the security policies.
The security policies developed must establish a consistent notion of what is and
what is not permitted with respect to control of access to your data and processing
resources. They must respond to the business, technical, legal, and regulatory
environment in which your organization operates.
The principles here are based upon the following goals:
1Ensure the availability of data and processing resources.
2Provide assurance for the confidentiality and integrity of customer data and allow
for the compartmentalization of risk for customers and your organization.
3.Ensure the integrity of data processing operations and protect them from

unauthorized use.
4.Ensure the confidentiality of the customers and your processed data, and prevent
unauthorized disclosure or use.
5.Ensure the integrity of the customers and your processed data, and prevent the
unauthorized

3. What is a security policy and why do we need one?

A security policy is the essential basis on which an effective and comprehensive

security program can be developed. This critical component of the overall security
architecture, however, is often overlooked. A security policy is the primary way in
which managements expectations for security are translated into specific,
measurable, and testable goals and objectives. It is crucial to take a top down
approach based on a well-stated policy in order to develop an effective security
architecture. Conversely, if there isnt a security policy defining and communicating those
decisions, then they will be made by the individuals building, installing, and maintaining
computer systems; and this will result in a disparate and less than optimal security architecture
being implemented.

The characteristics of good security policies are:

1.They must be implementable through system administration procedures,
publishing of acceptable use guidelines, or other appropriate methods.

2. They must be enforceable with security tools, where appropriate, and with
sanctions, where actual prevention is not technically feasible.

3.They must clearly define the areas of responsibility for the users, administrators,
and management.

4. They must be documented, distributed, and communicated.

4. What is the difference between logical and physical security? Can you give an example of both?
4. What are the most common types of attack that threaten enterprise data security?
1.

Spoofing.

2.

Sniffing.

3.

Mapping.

4.

Hijacking.

5.

Trojans.

6.

DoS and DDoS.

7.

Social engineering.

5. What is the difference between a threat and vulnerability?

6. What is a security control?

7. What are the different types of security control?

8. What is incident management?
ncident management is a defined process for logging, recording and resolving incidents
The aim of incident management is to restore the service to the customer as quickly as possible, often through
a work around or temporary fixes, rather than through trying to find a permanent solution
What are the differences between incident management and
problem management?
Problem management differs from incident management in that its main goal is the detection of the underlying
causes of an incident and the best resolution and prevention. In many situations, the goals of problem
management
can be in direct conflict with the goals of incident management.
Deciding which approach to take requires careful consideration. A sensible approach would be to restore the
service
as quickly as possible (incident management), but ensuring that all details are recorded. This will enable
problem
management to continue once a workaround has been implemented.
Discipline is required, as the idea that the incident is fixed is likely to prevail. However, the incident may well
appear
again if the resolution to the problem is not found.
Incident versus problem
An incident is where an error occurs: something doesnt work the way it is expected.
This is often described as:
a fault
an error
it doesnt work!
a problem
but the ITIL term used with is an incident.

A problem (is different) and can be:

the occurrence of the same incident many times
an incident that affects many users
the result of network diagnostics revealing that some systems are not operating
in the expected way
A problem can exist without having immediate impact on the users, whereas incidents are usually more visible
and
the impact on the user is more immediate.U C I S A I T I L : A G U I D E T O I N C I D E N T M A N A G E M
ENT2
Examples of incidents
User experienced incidents
Application
Service not available (this could be due to either the network or the application, but at first the user will not
be
able to determine which)
Error message when trying to access the application
Application bug or query preventing the user from working
Disk space full
Technical incident
Hardware
System down
Printer not printing
New hardware, such as scanner, printer or digital camera, not working
Technical incident
Technical incidents
Technical incidents can occur without the user being aware of them. There may be a slower response on the
network
or on individual workstations but, if this is a gradual decline, the user may not notice.
Technicians using diagnostics or proactive monitoring usually spot technical incidents. If a technical incident is
not
resolved, the impact can affect many users for a long time.
In time, experienced users and the service desk will spot these Incidents before the impact affects most users.
Examples of technical incidents:
Disk space nearly full (this will affect users only when it is completely full)
Network card intermittent fault sometimes it appears that the user cannot connect to the network, but on
a second attempt the connection works. Replacing the card before it stops working completely provides more

benefit to the users

Monitor flickering it is more troublesome in some applications than others
Although the flicker may be easy to live with or ignore, the monitor will not usually last more than a few
weeks in this state
Why use incident management?
There are major benefits to be gained by implementing an incident management process:
improved information to customers/users on aspects of service quality
improved information on the reliability of equipment
better staff confidence that a process exists to keep IT services working
certainty that incidents logged will be addressed and not forgotten
reduction of the impact of incidents on the business/organisation
resolving the Incident first rather than the problem, which will help in keeping the service available (but
beware of too many quick fixes that problem management does not ultimately resolve)
working with knowledge about the configuration and any changes made, which will enable you to identify
the
cause of incidents quickly
improved monitoring and ability to interpret the reports, which will help to identify Incidents before they
have
an impact
9. What is business continuity management? How does it relate to security?
10. What is an IT security audit?
11. What is the difference between authentication and authorization?
12. What is a firewall?
13. What are the layers of the OSI model?
14. What information security challenges are faced in a cloud computing environment?

15. The typical responsibilities of a Chief Security Officer (CSO)?

the individual primarily responsible for the assessment, management, and implementation of securing the
information in the organization. The CISO may also be referred to as the Manager for Security, the Security
Administrator, or a similar title.
16. In your opinion, what are the top five information securities threats facing an organization such as ours?

17. What is Sensitive Data?

Sensitive data encompasses a wide range of information and can include: your ethnic or racial
origin; political opinion; religious or other similar beliefs; memberships; physical or mental
health details; personal life; or criminal or civil offences. These examples of information are
protected by your civil rights. Sensitive data can also include information that relates to you as
a consumer, client, employee, patient or student; and it can be identifying information as well:
your contact information, identification cards and numbers, birth date, and parents names.
All of this data belongs to you. You have full rights to access and use this information and you
also have rights to know how others are doing the same. You should be protective of this
information, just like you would be of your other belongings.
Sensitive Data
Sensitive Data is information covering:
The racial or ethnic origin of the Data Subject
Political opinions
Religious or other beliefs of a similar nature
Membership of trade unions
Physical or mental health or condition
Sexual Life
The commission of any offence or criminal records
Sensitive data must be collected using an opt-in and should be carefully handled. Other classes
of data which might be regarded as sensitive are data relating to children and financial
information.

18. Why Data Needs Protecting?

Ans: With the advent of the Internet and new technologies that allow easier, quicker, as well as

anonymous access to more information than ever

before, people have now become more aware of identity theft and make conscious decisions on
how to protect themselves. If the information is sensitive, its likely to be protected by laws,
regulations, or policies. However, you can take an active approach to making sure your
information has not fallen into the hands of those who would misuse it for financial gain or
other reasons. Identity theft and online crime have now surpassed any other form of crime in
profits earned, including drug-related crimes, so it is important to be wary of how exposed your
information really is. Protecting Financial Information Below are some tips to minimize the
exposure of your personal financial information.
The Internet: Know with whom youre doing business, especially when you provide
financial or identity information. Only deal with web sites that provide secure web pages, i.e.,
those addresses that start with https rather than http, for your transactions. Legitimate sites
will provide contact information and signed certificates for your verification. When logging in
to financial accounts, use a strong password that you change on a regular basis.
Credit cards online: Consider designating only one of your credit cards for online purchases.
If a problem occurs with that card, you can cancel it and still have other cards. You can also
request that your credit card limit be set to a level consistent with your credit card activities
(rather than the high line of credit the company assigns). But, dont set it so low that youll
have to use a second credit card.
Credit card receipts: Always check your credit card receipts and other financial paperwork.
They should not have the complete credit card number listed, only the last four digits. If the
full number is listed, ask that it be truncated in the future.
Your credit report: You should get a report at least once a year. Federal law entitles citizens
to a free credit report per year from each of the three national credit bureaus. If you think you
are in a high-risk category for identity theft, be sure to get a copy of your credit report once
every three months.

19. How Is Data Exposed?

Ans:Here are three ways your data can be exposed:

Intrusion: Intruders can gain access to your data through a weakness in your computer system.
To protect against this, keep your operating system updated, and use virus protection and
strong passwords.
Phishing: This is a clever method of extracting information from unsuspecting individuals.
An e-mail, designed to look like it originated from a reputable company, usually a bank or
online store, will tell you that there is a problem with your account. If links appear in this kind
of e-mail message, never click on them regardless of how believable they seem or who the
source is. If you have an account with the organization, its better to call your service
representative and verify the authenticity of the e-mail. If it is legitimate, ask to complete the

process by phone. This eliminates the need to send your sensitive data over an unprotected
network connection.
Social engineering: Sometimes swindlers attempt to gather sensitive information, such as
birthplace or mothers maiden name, by posing as a representative of a legitimate organization.
You should always be wary of unsolicited requests from your bank or financial institution in
which you are asked for information that could potentially be used for fraudulent purposes.
IS&T never asks you to provide your username and password in e-mail or over the phone. For
links and further information, see the rear panel of this pamphlet
20. Define security Policy and write the goals of security policy?
21. What are the characteristics of good security policies?
22. Write the Structure Security Policy.
23. How we can protect of computer from virus infection?
24. Explain Security Policy for Access Control.
25. What are the different methods for Computer Viruses Detection and Removal?
26 .Write are the Security Policy for Database.
27. Write a note on Information Systems Audit Policy.

28. What are the sources of threats to information systems?

Ans)
The sources of threats to any organization can be both internal and external. The main
threats to your information assets can be categorized as follows:

Internal and Unintentional

Uninformed workers - mistakes can be made, information can be destroyed, confidential

data exposed

Uninformed contract workers - not fully briefed, hence security can be compromised.

Internal and Intentional

Disgruntled employees - leaving bugs behind in your system

Contract workers trying to increase their employment value

Contract workers requiring access to get the job done despite opening your company to
security risk

External and Technical

Political activist "activists"

Hackers looking to steal credit card numbers

Information "brokers"

29. Why cyber attacks have been on the rise?

30. What is Packet Sniffing?
31. What is information security management? What are the benefits of ISMS?
What is ISMS?
Information Security Management Systems (ISMS) is a systematic and structured
approach to managing information so that it remains secure. ISMS
implementation includes policies, processes, procedures, organizational
structures and software and hardware functions. The ISMS implementation
should be directly influenced by the organizations objectives, security
requirements, processes employed, size and structure.
Why do we need ISMS?
Organizations and their information systems and networks are exposed with
security THREATS such as fraud, espionage, fire, flood and sabotage from a wide
range of sources. The increasing number of security breaches has led to
increasing information security concerns among organizations worldwide.
1. Provides the means for information security corporate governance
2. Improves the effectiveness of the information security environment
3. Allows for market differentiation due to a positive influence on company prestige and image, as well as
a possible effect on the asset or share value of the company
4. Provides satisfaction and confidence of that customers information security requirements are being met
5. Allows for focused staff responsibilities
6. Ensures compliance with mandates and laws
7. Reduces liability and risk due to implemented or enforced policies and procedures, which demonstrate
due diligence
8. Potentially lowers rates on insurance
9. Facilitates better awareness of security throughout the organization
10. Provides competitive advantages and reduction in costs connected with the improvement of process
efficiency and the management of security costs

32. Explain the Security Systems Development Life Cycle.

33.

What are Common Network Security Problems?