6. Give examples to illustrate how each of the two security principles, least privilege and segregation of duties, can prevent information security incidents in an online share trading company.
"Least Privilege" means a user should have only the minimum permissions on objects (files, data records) that are needed to perform its assigned roles/tasks, and no more.
Example: the Internet firewall is configured to grant users access only to the websites needed to conduct the business of the organization.
"Segregation of Duties" means two or more people are involved in different steps to complete a high-risk transaction.
Example: different employees are needed to initiate, approve and execute an order in a trading system.
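The two principles above can be made concrete in code. The following is an added example, not part of the tutorial answers: a minimal order workflow for a hypothetical online trading system in which each role carries only the permissions its step needs (least privilege) and no single user may perform more than one of the initiate/approve/execute steps on the same order (segregation of duties). All role names, users and orders are constructed for the example.

```python
"""Added example (not from the tutorial): order workflow for a hypothetical
trading system enforcing least privilege and segregation of duties.
Roles, users and orders below are constructed."""
from dataclasses import dataclass, field

# Least privilege: each role carries only the permissions its tasks need.
ROLE_PERMISSIONS = {
    "trader":  {"order:initiate"},
    "manager": {"order:approve"},
    "settler": {"order:execute"},
    "auditor": {"order:read"},
}

class AuthorizationError(Exception):
    pass

@dataclass
class Order:
    order_id: str
    amount: float
    # Records who performed each step so segregation of duties can be checked.
    steps: dict = field(default_factory=dict)

def _check_permission(user: str, roles: dict, permission: str) -> None:
    """Least privilege check: deny unless one of the user's roles grants it."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles.get(user, ())))
    if permission not in granted:
        raise AuthorizationError(f"{user} lacks {permission}")

def _check_segregation(order: Order, user: str, step: str) -> None:
    """Segregation of duties: a user may perform at most one step per order."""
    for done_step, done_by in order.steps.items():
        if done_by == user:
            raise AuthorizationError(
                f"{user} already performed '{done_step}' on {order.order_id}; "
                f"cannot also '{step}'")

def perform_step(order: Order, user: str, roles: dict, step: str) -> Order:
    """Apply one workflow step ('initiate', 'approve', 'execute') in sequence."""
    sequence = ["initiate", "approve", "execute"]
    expected = sequence[len(order.steps)] if len(order.steps) < len(sequence) else None
    if step != expected:
        raise AuthorizationError(f"step '{step}' not allowed now; expected '{expected}'")
    _check_permission(user, roles, f"order:{step}")
    _check_segregation(order, user, step)
    order.steps[step] = user
    return order

def run_demo() -> dict:
    """Constructed scenario: reports which attempts were allowed or denied."""
    roles = {
        "alice": ["trader"],
        "bob":   ["manager"],
        "carol": ["settler"],
        "dave":  ["trader", "manager"],  # over-privileged: holds two conflicting roles
    }
    results = {}
    order = Order("ORD-1", 250_000.0)
    perform_step(order, "alice", roles, "initiate")
    try:  # alice tries to approve her own order: her role has no approve permission
        perform_step(order, "alice", roles, "approve")
        results["self_approve"] = "allowed"
    except AuthorizationError:
        results["self_approve"] = "denied"
    perform_step(order, "bob", roles, "approve")
    try:  # bob tries to execute: settlement is not part of the manager role
        perform_step(order, "bob", roles, "execute")
        results["approver_executes"] = "allowed"
    except AuthorizationError:
        results["approver_executes"] = "denied"
    perform_step(order, "carol", roles, "execute")
    results["order_steps"] = dict(order.steps)

    # dave holds both trader and manager roles, so the role check alone would
    # let him initiate and approve; the segregation check still blocks him.
    order2 = Order("ORD-2", 10_000.0)
    perform_step(order2, "dave", roles, "initiate")
    try:
        perform_step(order2, "dave", roles, "approve")
        results["dual_role_self_approve"] = "allowed"
    except AuthorizationError:
        results["dual_role_self_approve"] = "denied"
    return results

if __name__ == "__main__":
    print(run_demo())
```

The second order shows why both principles are needed: a user who accumulates two roles passes the least-privilege check for each step, and only the per-order segregation check stops the same person from initiating and approving.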
7. What is the use of the standard ISO/IEC 27002 in an organization? Should a company implement all the security controls stated in the ISO/IEC 27002 code of practice for information security management? Support your answer with reasons.
It provides guidelines on information security management and security measures. The ISO/IEC 27002 code of practice is designed for organizations of any size. Each organization should implement the relevant controls that can reduce its information security risks.
Tutorial 2
1. Information risk management does not manage credit risk or liquidity risk. What are the
two types of risk that information risk management focuses on?
Answer: Operating risk, physical security risk and information systems risk.
2. What are the 3 components in the Risk Assessment stated in ISO/IEC 27005:2011 (E)?
Answer: Risk Identification, risk analysis and risk evaluation.
3. Describe the steps you use to determine the risk level of a malware attack that may affect your study in the school and at home. You need to use the keywords asset, threat, impact, vulnerability and likelihood in your description. You also need to calculate and state the risk level of the malware attack.
Answer:
1) Identify the asset: the study environment and assignment/project work.
2) Identify the threat: a malware attack that may disrupt the study environment and delete assignment/project work.
3) Identify the impact: High, as a malware attack disrupts study for 2 days and deletes all my assignment/project work.
4) Identify the threat vulnerability: the computer systems are not able to detect and stop a malware attack; the current anti-virus software cannot stop new, unknown viruses.
5) Identify the threat likelihood: High, as a number of malware are hidden in email messages and Internet websites.
6) Determine the risk level: High, as both the threat impact and likelihood are at a high level.
4. State the advantage of using each of the two assessment methods, qualitative and quantitative. Discuss the best use of these two methods in the same risk assessment project.
Answer: The qualitative assessment method helps management to prioritize risks and immediate areas for improvement. The quantitative assessment method provides the magnitude of the impacts, which can be used in the cost-benefit analysis of recommended protection.
The best use of these two methods is to conduct a qualitative assessment to identify immediate areas for improvement, followed by a quantitative assessment that can determine cost-effective security controls through a cost-benefit analysis.
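The qualitative steps in question 3 and the quantitative cost-benefit reasoning in question 4 can be worked through as a small calculation. The following is an added example, not part of the tutorial: it derives a qualitative risk level from impact and likelihood using a 3x3 matrix, then computes an Annualized Loss Expectancy (ALE = SLE x ARO, with SLE = asset value x exposure factor) before and after a control. The matrix thresholds, the asset value, exposure factor, ARO values and control cost are all constructed assumptions; the tutorial only states that High impact with High likelihood gives a High risk level.

```python
"""Added example (not from the tutorial): qualitative risk level from a
3x3 impact x likelihood matrix, and a quantitative ALE cost-benefit check.
All thresholds and figures are constructed assumptions."""

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

def qualitative_risk(impact: str, likelihood: str) -> str:
    """Risk level from threat impact and threat likelihood.
    Assumed matrix: score = impact x likelihood; 6-9 High, 3-5 Medium, 1-2 Low."""
    score = LEVELS[impact] * LEVELS[likelihood]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"

def assess_malware_risk() -> dict:
    """Constructed walk-through of the asset / threat / vulnerability /
    impact / likelihood steps for the malware threat in the tutorial."""
    assessment = {
        "asset": "study environment and assignment/project work",
        "threat": "malware attack that disrupts study and deletes project work",
        "vulnerability": "anti-virus cannot stop new, unknown malware",
        "impact": "High",      # 2 days of disruption, all project work lost
        "likelihood": "High",  # malware common in email and on websites
    }
    assessment["risk_level"] = qualitative_risk(assessment["impact"],
                                                assessment["likelihood"])
    return assessment

def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE = SLE x ARO, where SLE = asset value x exposure factor."""
    return asset_value * exposure_factor * aro

def control_benefit(ale_before: float, ale_after: float,
                    annual_control_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's cost."""
    return (ale_before - ale_after) - annual_control_cost

def malware_cost_benefit() -> dict:
    """Constructed figures: $2,000 of work at risk, 50% lost per incident,
    2 incidents a year; an assumed $150/year control cuts the ARO to 0.25."""
    before = annualized_loss_expectancy(2000.0, 0.5, 2.0)
    after = annualized_loss_expectancy(2000.0, 0.5, 0.25)
    return {"ale_before": before, "ale_after": after,
            "net_benefit": control_benefit(before, after, 150.0)}

if __name__ == "__main__":
    print(assess_malware_risk())
    print(malware_cost_benefit())
```

The qualitative result ("High") is what tells management this risk belongs at the top of the list; the ALE figures are what justify spending on a particular control, which is the division of labour between the two methods described in the answer above.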
5. Describe 4 vulnerabilities exploited by malware to attack lab PCs in the school. Suggest a security control that can reduce each of the 4 vulnerabilities.
Answer:
1) A computer system cannot determine whether a program is harmful to the system or to a human being. Preventive control: re-design the computer architecture to block a program from unauthorized access to other programs.
2) A user clicks an attachment in an email without checking. Preventive control: brief and train users to avoid clicking attachments in email messages from unknown or untrusted senders.
3) The operating system autoplays malware hidden in a removable USB thumb drive. Preventive control: disable the autoplay capability in the Windows registry.
4) Some home PCs do not have the latest security patches installed. Preventive control: software manufacturers provide regular automatic security patch installation, secured by digital signing of the patches.
Tutorial 3
1. List the 7 steps required to conduct a risk assessment on a new information system for an organization.
Answer:
1) System Characterization (Asset Valuation)
2) Threat Identification
3) Vulnerability Identification
4) Control Analysis (existing controls)
5) Likelihood Determination
6) Impact Analysis
7) Risk Determination
2. Read Item 1A Risk Factors on pages 5 to 14 of the Amazon Inc. 2011 Annual Report available at learn.nyp.edu.sg. Identify and describe any TWO (2) risks that relate to information systems and their operation in Amazon Inc.
Answer:
1) Amazon may not manage the growth of its systems and technical performance effectively.
2) Amazon may experience significant fluctuations in operating results depending on the extent to which operators of the networks between our customers and our websites successfully charge fees to grant our customers unimpaired and unconstrained access to our online services.
3) Amazon could suffer from the difficulty of integrating a new company's accounting, financial reporting, management, information and information security, human resources and other administrative systems to permit effective management.
4) Amazon could be harmed by data loss or other information security breaches, including exposing customers to a risk of loss or misuse of information, resulting in liability for Amazon.
3. Describe the TWO (2) sources of information that can provide figures on the Annualized Rate of Occurrence (ARO) of specific threats.
Answer:
Tutorial 4 and 5
Section 1 MCQ
1) A
2) B
3) A
4) D
5) C
6) C
7) B
8) D
9) C
10) D
Section 2
Checklist (columns: Section, Audit Question, Findings, Compliance)
Section: Access Control 7.1, 7.1.1, 7.2, 7.2.1
Findings:
1) A few policies, such as the Wireless Network Policy, are developed based on the business need to govern access to the wireless network by students, e.g. the Wireless Network Policy: logical access control by the user logon procedure, physical access control by providing wireless access only in the NYP campus. A clear statement of the business requirement is in the Wireless Network Policy.
2) Each student needs to go through a formal student registration process.
Compliance: Yes for each of the four sections (7.1, 7.1.1, 7.2, 7.2.1)
Tutorial 6
1) a
2) d
3) b
4) b
5) a
6) c
7) d
8) c
Tutorial 7
8. Some of the security tools of the Windows operating system are listed below.
a. File permissions
b. Group policy
c. Microsoft Baseline Security Analyzer
d. Performance monitor
e. Event viewer
f. Encrypting file system
g. Disk Quotas
Briefly describe how the above security tools help to reduce the risk level of each of the following threats to Windows Servers.
i.
ii.
iii.
iv.
v.
9. Identify two advantages of access controls in a Windows server with Active Directory when it is compared to a standalone Windows server without Active Directory.
Active Directory provides single sign-on (on any computer joined to the Active Directory domain) and delegation of administrative rights.
10. Briefly describe TWO (2) important tasks required in the process to create a new user account in the Microsoft Windows operating system which can assure the new user has the appropriate rights and permissions to perform his/her duty.
Any two of the following tasks:
1) Obtain the new user's department and roles (appointments)
2) Create the user in the relevant OU according to the department of the new user
3) Configure the user's group membership and user rights assignment (role assignment)
4) Configure the user's network resource permissions
The group policies are applied in sequence (local computer -> site -> domain -> parent
OU -> local OU), and the settings accumulate. In cases of conflict, the settings in the later
policies override those in earlier ones.
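The accumulate-then-override rule above is easy to model, and doing so also shows why question 10's "create the user in the relevant OU" matters: the OU a user sits in decides which policies are in the chain. The following is an added example, not part of the tutorial and not a query against a real domain: it builds the local -> site -> domain -> parent OU -> OU application order for a given OU path from a constructed set of GPO links, merges the settings in that order, and keeps a trail of which GPO supplied each value so an administrator can see why a setting won. The GPO names, OU paths and setting names are constructed; "DisableRegistryTools" mirrors the registry-tools restriction described in Tutorial 8 below.

```python
"""Added example (not from the tutorial): a model of Group Policy precedence.
Settings accumulate along local -> site -> domain -> parent OU -> OU, and on
conflict the later scope wins. GPO links, names and settings are constructed."""

# Constructed links: scope identifier -> list of (GPO name, settings) applied there.
GPO_LINKS = {
    "local":                    [("Local Policy", {"MinimumPasswordLength": 6,
                                                   "AuditLogon": "Success"})],
    "site:HQ":                  [("Site Baseline", {"ScreenSaverTimeout": 900})],
    "domain:corp":              [("Domain Security", {"MinimumPasswordLength": 10,
                                                      "AuditLogon": "Success,Failure"})],
    "ou:corp/Finance":          [("Finance Hardening", {"DisableRegistryTools": True})],
    "ou:corp/Finance/Traders":  [("Traders Lockdown", {"ScreenSaverTimeout": 300})],
}

def build_chain(site: str, ou_path: str) -> list:
    """Scopes in application order for a user/computer in the given OU.
    ou_path is 'domain/ParentOU/ChildOU'; the first element is the domain."""
    parts = ou_path.split("/")
    scopes = ["local", f"site:{site}", f"domain:{parts[0]}"]
    # Parent OUs come before the OU that directly contains the object.
    for depth in range(2, len(parts) + 1):
        scopes.append("ou:" + "/".join(parts[:depth]))
    return scopes

def resolve_policy(site: str, ou_path: str, links: dict = GPO_LINKS) -> tuple:
    """Return (effective settings, trail) where trail[setting] lists every
    (GPO name, value) that touched the setting, in application order."""
    effective, trail = {}, {}
    for scope in build_chain(site, ou_path):
        for gpo_name, settings in links.get(scope, []):
            for key, value in settings.items():
                trail.setdefault(key, []).append((gpo_name, value))
                effective[key] = value  # later scope overrides earlier on conflict
    return effective, trail

def explain(site: str, ou_path: str) -> list:
    """Human-readable lines: final value of each setting and which GPO set it."""
    effective, trail = resolve_policy(site, ou_path)
    lines = []
    for key in sorted(effective):
        winner, value = trail[key][-1]
        overridden = [f"{g}={v}" for g, v in trail[key][:-1]]
        note = f" (overrides {', '.join(overridden)})" if overridden else ""
        lines.append(f"{key} = {value} from '{winner}'{note}")
    return lines

if __name__ == "__main__":
    for line in explain("HQ", "corp/Finance/Traders"):
        print(line)
```

Moving the same user from corp/Finance/Traders to corp/Finance drops the "Traders Lockdown" link from the chain, so the screen-saver timeout reverts to the site value while the registry-tools restriction from the parent OU still applies; a user created directly under the domain gets neither.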
Tutorial 8
14. Briefly describe how the following configurations/services of Windows servers can be hardened (protected).
a. Registry
Restrict remote access to the registry: grant the Administrators group full access and the Authenticated Users group read access.
Limit the number of users in the Administrators group.
Remove the registry editor from the system.
Disable Registry tools through a GPO (Group Policy Object) and apply the GPO to all users except Administrators.
Enable auditing of specific keys and subkeys.
b. User Accounts
Assign least required rights using group policies for each user to perform
their duties
Apply password policies
Apply logon session restrictions
c. Files and folders in hard disks
Apply disk quota
Assign file/folder permissions for each user
15. Briefly describe any TWO security tools/controls in Windows servers that protect
confidentiality of information assets.
Object-based access control and Encrypting File System
16. Briefly describe ONE security tool/control in Windows servers that protects integrity of
information assets.
File/folder access control allows only authorized users to modify particular files/folders.
17. Briefly describe any TWO security tools/controls in Windows servers that protect
availability of information assets.
Disk quota, file replication, file access control
18. Name THREE duties that are normally performed by a Patch and Vulnerability Group. Which patch management tool in Windows is recommended for individual users?
Refer to lecture notes
19. What is the EICAR virus? How can it help in malware control?
Refer to lecture notes
20. What is the first step in handling a PC infected with virus? Justify your answer with a good
reason.
Refer to lecture notes