Mis1103 - 2017 R1

UNIVERSITY OF COLOMBO SCHOOL OF COMPUTING
MASTER OF INFORMATION SECURITY
Academic Year 2016/2017 - First Semester - 2017
MIS 1103 - Information Risk Management and Audit (Repeat-1)
TWO (2) HOURS

To be completed by the candidate: Examination Index No: ____________

For Examiner's use only:
Question No | Marks
1 |
2 |
3 |
4 |
Total |

Instructions to candidates:
1. The medium of instruction and questions is English.
2. If a page or a part of this question paper is not printed, please inform the supervisor immediately. Note that questions appear on both sides of the paper.
3. Write your index number on each and every page of the question paper.
4. This paper has 4 questions and 14 pages. Answer ALL questions in the given spaces. All questions do not carry equal marks.
5. Any electronic device capable of storing and retrieving text, including electronic dictionaries and mobile phones, is not allowed. Non-programmable calculators are allowed.

1. (a) Explain how risk management relates to business value and give an example of a risk management principle that assists in the risk management process. [4 Marks]

(b) Including "The identification of business processes", write down seven (7) activities of risk management supporting a 'value proposition' along the general areas of the 'PLAN-DO-CHECK-ACT' cycle, and describe the sub-activities to be done within each activity in the following table. Hint: The first activity is already given.

Activity | Describe the Activity | Plan / Do / Check / Act
Identification of Business Processes | |
 | |
 | |
 | |
 | |
 | |
 | |
[7 Marks]

(c) Select the most appropriate option (or options) from each of Plan, Do, Check, and Act that correspond to the selected activities in the above table. [3 Marks]

(d) In risk assessment, write down the equation relating individual loss, frequency, and average loss and give the definitions for each part of the equation using not more than one sentence each.

Equation: ____________ [2 Marks]

Equation Element | Description
1 |
2 |
3 |
[3 Marks]

(e) When considering a particular information security control, the following formula is used to determine the value of the control to the organization.

ALE¹ - ALE² - A-VAL = Value of the Control

Describe the terms used in the formula above using not more than one sentence each.

Term | Expanded Description
ALE¹ |
ALE² |
A-VAL |
[3 Marks]

(f) When considering a particular control proposed for managing a given risk, you find that:

ALE¹ - ALE² > A-VAL

What can you say about the control you have just considered?

(g) List five (5) steps which you should follow in calculating the 'Annualized Loss Expectancy (ALE)' within the process of risk assessment.

Step | Description
1 |
2 |
3 |
4 |
5 |
[5 Marks]

2. (a) (i) Information Security Controls may be categorized according to the action performed by the control. Describe the action performed by the following control categories:

Category | Description
1. Corrective |
2. Preventative |
3. Deterrent |
4. Recovery |
5. Compensating |
[5 Marks]

(ii) If a single control is selected from each of the above categories to be applied to a system in a layered security model, write down the control categories you will use from the outside to the inside, where 'outside' is untrusted and 'inside' is trusted.

OUTSIDE -> Cat-1 | Cat-2 | Cat-3 | Cat-4 | Cat-5 -> INSIDE
[5 Marks]

(b) Categorise the Information Security Controls which are given in the following table (i) with respect to Technical, Administrative, and Physical controls, and (ii) with respect to the categories given in section (a) above.

Control | Categorization 1 (Administrative, Technical, Physical) | Categorization 2 (Corrective, Preventative, Deterrent, Recovery, Compensating)
Firewall on network perimeter | |
Lock on computer room door | |
Police record checks of prospective employee | |
Warning message on application access screen | |
IPS (Intrusion Prevention System) | |
[5 Marks]

3. (a) Explain the following terms with reference to managing threats, vulnerabilities, risks, and countermeasures in information security:

Term | Explanation
Exploit |
Safeguard/Control |
Mitigate |
Exposure |
Damage |
[5 Marks]

(b) In not more than 50 words, explain why information classification levels are necessary to implement information security controls. [5 Marks]

(c) Propose five (5) levels of information classification for an organization with 5000 internal employees producing design documents for commercial customers, including engineering drawings of commercial civil nuclear facilities.

Classification Level | Description
1 |
2 |
3 |
4 |
5 |
[5 Marks]

4. Select the correct answer out of the four answers provided and then write down one sentence to justify your answer.

(a) Which of the following represents an annualized loss expectancy (ALE) calculation?
(i) ALE = GLE * ARO (Gross loss expectancy multiplied by annualized rate of occurrence)
(ii) ALE = AV * EF (Asset value multiplied by exposure factor)
(iii) ALE = Risk (AV, THREAT, VULNERABILITY) - Countermeasure Effectiveness (Residual Risk)
(iv) ALE = SLE * ARO (Single loss expectancy multiplied by annualized rate of occurrence)
[2 Marks]

(b) What security principle is operating when granting users only those rights necessary for them to perform their work?
(i) Equal opportunities
(ii) Least Privilege
(iii) Mandatory Access
(iv) Separation of Duties
[2 Marks]

(c) Which one of the following security controls can be used to enforce role-based access on a main-frame computer system?
(a) Key-pad door lock
(b) Two Factor dongle
(c) Mandatory
(d) Discretionary
[2 Marks]

(d) The WannaCry ransomware program (a 'worm') most frequently spreads via:
(a) User misuse of resources
(b) Vulnerabilities in software
(c) Mobile code attacks
(d) Infected wireless access points
[2 Marks]

(e) What technical control is often applied at the perimeter of a network to protect networks from each other?
(a) End device scanning anti-malware system
(b) Firewall(s)
(c) Intrusion prevention system (IPS)
(d) Two factor authentication device

(f) What technical control identifies and confirms the source of information?
(a) Perimeter firewall controls
(b) Digital signatures
(c) Proxy servers
(d) AV protection client
[2 Marks]

(g) Which principle within information security recommends the division of responsibilities to prevent a person from committing fraud?
(a) Least privilege
(b) Need to know
(c) Mutual exclusion
(d) Separation of duties
[2 Marks]

(h) What principle is operating when granting users only those rights necessary for them to perform their work?
(a) Equality & fairness
(b) Mandatory Access
(c) Least Privilege
(d) Separation of Duties
[2 Marks]

(i) At what stage of the application development process should the security department first become involved?
(a) Prior to the implementation
(b) Prior to user acceptance testing
(c) During unit testing
(d) During requirements development

(j) How are passwords stored securely on consumer systems, so that they can be quickly retrieved for authenticating users?
(a) User HASH files within a computer system
(b) Storing the passwords directly on the company Facebook page
(c) Using encrypted directories containing the passwords
(d) In an SQL database for quick retrieval
[2 Marks]

(k) Which one of the following can be used to increase the authentication strength of an access control system?
(a) Multi-party
(b) Two Factor
(c) Mandatory
(d) Discretionary

(l) What pair of items are used to authenticate a user on a computer system or application?
(a) Name / Age
(b) Employment status / National Identity Card (NIC) number
(c) Username / Password
(d) Password / Digital certificate number

(m) What is the correct representation of an 'Information and data lifecycle from start to finish'?
(a) Create / Activate / Send / Archive
(b) Copy / Cut / Paste / Delete
(c) Generate / Calculate / Send / Write / Erase / Copy
(d) Create / Process / Transmit / Store / Destroy
[2 Marks]

(n) Which best describes a quantitative risk analysis?
(a) A probabilistic method for risk assessment
(b) A method used to apply severity levels to potential loss, probability of loss, and risks
(c) A method that assigns monetary values to components in the risk assessment
(d) A method that uses opinions of individuals and a rating system to gauge the severity level of different threats and the benefits of specific countermeasures
[2 Marks]

(o) An encrypted communications tunnel created between two systems, and used for secure communications, is called a:
(a) Leased Line
(b) Chinese Firewall
(c) named-pipe
(d) Virtual Private Network (VPN)
[2 Marks]

(p) What is the purpose of vendor-published MD5 hash values when they accompany software patches for their customers to download from the Internet?
(a) Recipients can verify the software's integrity after downloading
(b) Recipients can confirm the authenticity of the site from which they are downloading the patch
(c) Recipients can request future updates to the software by using the assigned hash value
(d) Recipients need the hash value to successfully activate the new software
[2 Marks]

(q) To address changes in risk, an effective risk management program should:
(a) Ensure that continuous monitoring processes are in place
(b) Establish proper security baselines for all information resources
(c) Implement a complete data classification process
(d) Change security policies on a timely basis to address changing risk
[2 Marks]

(r) Information security is the responsibility of:
(a) Everyone in the organization
(b) Corporate management
(c) The corporate security staff for Information Security
(d) Everyone with computer access and who use computers regularly
[2 Marks]

(s) What communication technology has significant security advantages over other transmission technologies?
(a) Wireless technology
(b) Optical fiber technology
(c) Ethernet technology
(d) Microwave technology
[2 Marks]

(t) When is the security of an automated information system most effective and economical?
(a) When the system is initially optimized and security controls applied to it
(b) When security controls are customized to meet the specific security threat
(c) Subjected to intense security testing after implementation
(d) Created from a design that has the necessary, appropriate, and proportional controls built-in
[2 Marks]
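A worked illustration of the quantitative calculation behind Questions 1(d) to 1(g) and 4(a): single loss expectancy from asset value and exposure factor, ALE from SLE and annualized rate of occurrence, and the control value formula ALE¹ - ALE² - A-VAL with its cost-justification rule. This is an added example, not part of the examination paper; the asset value, exposure factors, rates and control costs are constructed.

```python
from dataclasses import dataclass

# Constructed scenario: a file server worth 400,000 (AV) hit by a ransomware
# threat that destroys 25% of it per incident (EF) about once in five years
# (ARO = 0.2). None of these figures come from the examination paper.
ASSET_VALUE = 400_000.0
EF_BEFORE = 0.25
ARO_BEFORE = 0.2


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF: the loss from one occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction of the asset value")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: individual loss times yearly frequency gives average yearly loss."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # A-VAL: yearly cost of buying, running and maintaining the control
    ef_after: float     # exposure factor once the control is in place
    aro_after: float    # rate of occurrence once the control is in place


def control_value(control: Control, asset_value: float, ef_before: float, aro_before: float) -> float:
    """Value of the control = ALE1 - ALE2 - A-VAL (ALE before, minus ALE after, minus cost)."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(asset_value, control.ef_after), control.aro_after)
    return ale_before - ale_after - control.annual_cost


def rank_controls(controls, asset_value=ASSET_VALUE, ef_before=EF_BEFORE, aro_before=ARO_BEFORE):
    """Order candidates by value; a control is cost-justified only when ALE1 - ALE2 > A-VAL (value > 0)."""
    return sorted(((control_value(c, asset_value, ef_before, aro_before), c.name) for c in controls), reverse=True)


CANDIDATES = [  # constructed candidate controls for the scenario above
    Control("nightly offsite backups", annual_cost=5_000.0, ef_after=0.05, aro_after=0.2),
    Control("hot standby site", annual_cost=25_000.0, ef_after=0.02, aro_after=0.2),
    Control("patch management", annual_cost=3_000.0, ef_after=0.25, aro_after=0.05),
]

if __name__ == "__main__":
    for value, name in rank_controls(CANDIDATES):
        print(f"{name:24s} value per year {value:10,.0f}  ({'cost-justified' if value > 0 else 'not worth its cost'})")
```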