CHAPTER 7 INFORMATION SYSTEM CONTROLS for SYSTEMS RELIABILITY SUGGESTED ANSWERS TO DISCUSSION QUESTIONS 7. 1 1. Encryption is the final layer of preventative controls in that encrypting data provides a barrier against an intruder who has obtained access to company data. Encryption employing a digital signature and a public key infrastructure (PKI) can also strengthen authentication procedures and helps to ensure and verify the validity of e-business transactions.
The digital signature is some sort of identifying information about the signer that is encrypted with the signer’s private key. This identifying information can only be decrypted using the corresponding public key. Since a private key is only known to it’s owner, only the owner can hold both the public and the private key and be the creator of the digital signature. Thus, digital signatures can be used to authenticate a particular party involved in a transaction as being the creator of a document.
This provides for non-repudiation: the creator of the digital signature cannot deny having signed a document.. A digital certificate is an electronic document that is digitally signed by a trusted third party that certifies the identity of the owner of a pair of public and private keys. The PKI is a system that is used to process and manage the public and private keys used in digital signatures and digital certificates. An organization that handles digital certificates is called a certificate authority. 2.
The effectiveness of control procedures depends on how well employees understand and follow the organization’s security policies. If all employees are taught proper security measures and taught to follow safe computing practices, such as never opening unsolicited email attachments, using only approved software, not sharing or revealing passwords, and taking steps to physically protect laptops, company-wide security will increase. 3. Firewalls use hardware and software to block unauthorized access to the company’s system. 4.
A intrusion detection system (IDS) create logs of network traffic that was permitted to pass the firewall and then analyze those logs for signs of attempted or successful intrusions This provides a means to monitor the number of attempted intrusions successfully blocked by the firewall, and can provide early warning signals that the organization is being targeted. 5. A virtual private network (VPN) is a network that controls access to a company’s extranet by using encryption, identification, and authentication tools and techniques. (Definition from the text’s glossary, p. 794, 10th ed. )
Additional facts: A virtual private network (VPN) increases system reliability by encrypting data prior to sending it over the Internet. The data is then decrypted once it arrives at its intended destination. Thus, a private network is created using the Internet as the network connection and encryption as the method to make it private and secure the data from public disclosure. 7. 2 Having the person responsible for information security report directly to the Chief Information Officer (CIO) raises the visibility and therefore the importance of information security to all levels of management and to the company at large.
Security must be recognized as a top management issue, having the information security officer report to a member of the executive committed such as the CIO, formalizes information security as a top management issue. One potential disadvantage is that the CIO may not always react favorably to reports indicating that shortcuts have been taken with regard to security, especially in situations where following the recommendations for increased security spending could result in failure to meet budgeted goals.
Thus, just as the effectiveness of the internal audit function is improved by having it report to someone other than the CFO, the security function may also be more effective if it reports to someone who does not have responsibility for information systems operations. 7. 3The most effective auditor is a person who has training and experience as an auditor and training and experience as an information systems or computer specialist.
However, few people have such an extensive background, and personnel training and development are both expensive and time consuming. So, many organizations may find it necessary to accept some tradeoffs in staffing the Information Systems audit function. Since auditors generally work in teams, one common solution is to include members who have computer training and experience. Then, as audit teams are created for specific purposes, care should be taken to ensure that the members of each audit team have an appropriate mix of skills and experience.
However, in today’s technological age, all internal and external auditors on an audit engagement team must have a sound understanding of basic information security concepts so that during the course of an audit, they would be able to identify, report, and communicate security risks and exposures to the security specialists on the audit team for further assessment and investigation. 7. 4To provide absolute information security an organization must follow Jeff Richards’ “Laws of Data Security. ” 1. Don’t buy a computer 2. If you buy a computer, don’t turn it on.
As this humorous solution indicates, there is no way to make a system absolutely secure. However, as discussed in the text, there are numerous methods to make a system more secure. 7. 5Penetration testing provides a rigorous way to test the effectiveness of an organization’s computer security by attempting to break into the organization’s information system. Internal audit and external security consulting team perform penetration tests in which they try to compromise a company’s system. Some outside consultants claim that they can get into 90 percent or more of the companies they attack.
This is not surprising, given that it is impossible to achieve 100% security. Thus, one limitation of penetration testing is that it almost always shows that there are ways to break into the system. The more important analysis, however, is evaluating how difficult it was to break in and the cost-effectiveness of alternative methods for increasing that level of difficulty. Another limitation is that failure to break in may be due to lack of skill by the tester. Finally, penetration testing typically focuses on unauthorized access by outsiders; thus, it does not test for security breaches from internal sources. . 6Top management support is always essential for the success of any program an entity undertakes. Thus, top management support and participation in security awareness training is essential to maximize its impact on the employees and managers of the firm. Effective instruction and hands-on active learning techniques will also help to maximize training. Many employees have extensive experience and/or expertise in security, these employees should be involved in the design and execution of the security training. Real life” example should be used throughout the training so that employs can view or at least visualize the exposures and threats they face as well as the controls in place to address the exposures and threats. Role-playing has been shown to be an effective method to maximize security awareness training especially with regard to social engineering attack training. 7. 7The total quality movement focuses on continuous improvement and the elimination of errors. Security, like quality, is a moving target which can always be improved. Another similarity is the need for active top management support.
The focus on quality only began to achieve momentum when top management supported the up-front investment costs to improve quality and refused to accept the argument that the benefits of further improvements in quality did not justify the costs required to attain them. Similarly, top management needs to actively support the goal of ever-improving levels of security and the investment necessary to achieve that result. 7. 8What are the advantages and disadvantages of biometric security devices, such as fingerprint readers, in comparison with other security measures such as passwords and locked doors?
The advantages of biometric security devices include: • Providing security advantages over traditional methods because physical traits are almost impossible to duplicate. • Ease of use. • Cannot be forgotten like passwords and user id’s. • Cannot be left at home, in a rental car, or in a taxi. • Cannot be inadvertently lost or stolen. Nonbiometric access methods such as passwords and keys can be stolen and used by others, lost, or forgotten. It is easier for someone else to get access to tokens, smart cards, or passwords and use them to gain entry to the system.
As such, the greatest advantage of biometric devices is that they ARE the person and so cannot be lost, stolen, or forgotten. Drawbacks to such devices include: • Limited flexibility in responding to changes in the physically measured features. Such common problems as laryngitis, eye infections, and cut fingers alter physical features temporarily. • Non-revocability. If a password is guessed, a new one can be issued. Likewise, if a token is lost or stolen, a new one can be issued. However, if biometric template is compromised, it cannot be re-issued (e. g. you cannot assign someone a new fingerprint). Thus, secure storage of the template is crucial. • Users may not accept certain types of biometric methods. For example, in some cultures, fingerprints may have negative connotations that preclude their widespread use for authentication. • SUGGESTED SOLUTIONS TO THE PROBLEMS 7. 1 a. An employee’s laptop was stolen at the airport. The laptop contained personally identifying information about the company’s customers that could potentially be used to commit identity theft. Solution: Encrypt data stored on company laptops. b.
A salesperson successfully logged into the payroll system by guessing the payroll supervisor’s password. Solution: Employ and enforce strong password techniques such as at least an 8 character length, multiple character types, random characters, changed frequently. Also lock out accounts after 3-5 unsuccessful login attempts. c. A criminal remotely accessed a sensitive database using the authentication credentials (user ID and strong password) of an IT manager. At the time the attack occurred, the IT manager was logged into the system at his workstation at company headquarters.
Solution: Integrate physical and logical security. In this case, the system should reject any attempts from any user to remotely log into the system if that same user is already logged in from a physical workstation. The system should also notify appropriate security staff about such an incident. d. An employee received an email purporting to be from her boss informing her of an important new attendance policy. When she clicked on a link embedded in the email to view the new policy, she infected her laptop with a keystroke logger.
Solution: Security awareness training is the best way to prevent such problems. Employees should be taught that this is a common example of a sophisticated phishing scam. Detective and corrective controls include employing anti-spyware software that automatically checks and cleans all detected spyware on an employee’s computer as part of the logon process for accessing a company’s information system. e. The director of R&D quit abruptly after an argument with the CEO. The company cannot access any of the files about several new projects because the R&D director had encrypted them before leaving.
Solution: Employ a policy that files can only be encrypted using company encryption software and where IT security has access to the encryption keys through some form of key escrow. Internal Audit should test encrypted files and encryption keys. f. A company wrote custom code for the shopping cart feature on its web site. The code contained a buffer overflow vulnerability that could be exploited when the customer typed in the ship-to address. Solution: Teach programmers secure programming practices, including the need to carefully check all user input.
It is also important for management to support the commitment to secure coding practices, even if that means a delay in completing, testing, and deploying new programs. Useful detective controls include to make sure programs are thoroughly tested before being put into use and to have internal auditors routinely test in-house developed software. g. A company purchased the leading “off-the-shelf” e-commerce software for linking its electronic storefront to its inventory database. A customer discovered a way to directly access the back-end database by entering appropriate SQL code.
Solution: Insist on secure code as part of the specifications for purchasing any 3rd party software. Thoroughly test the software prior to use. Employ a patch management program so that any vendor provided fixes and patches are immediately implemented. h. Attackers broke into the company’s information system through a wireless access point located in one of its retail stores. The wireless access point had been purchased and installed by the store manager without informing central IT or security.
Solution: Enact a policy that forbids any implementation of unauthorized wireless access points. Conduct routine audits for unauthorized or rouge wireless access points. i. An employee picked up a USB drive in the parking lot and plugged it into their laptop to “see what was on it,” which resulted in a keystroke logger being installed on that laptop. Solution: The best preventive control is security awareness training. Teach employees to never insert USB drives unless they are absolutely certain of their source.
In addition, employ anti-spyware software that automatically checks and cleans all detected spyware on an employee’s computer as part of the logon process for accessing a company’s information system. j. A competitor intercepted the company’s bid for a lucrative contract that was emailed to the local government’s web site. The competitor used the information contained in the email to successfully underbid and win the contract. Solution: Encrypt sensitive files sent via email. Send sensitive files over a secure channel. k.
When an earthquake destroyed the company’s main data center, the CIO spent half a day trying to figure out who in the organization needed to be contacted in order to implement the company’s cold site agreement. Solution: Implement and document emergency response procedures. Periodic testing would likely uncover any such problems prior to an actual disaster. l. Although logging was enabled, the information security staff did not review the logs early enough to detect and stop an attack that resulted in the theft of information about a new strategic initiative.
Solution: Implement and enforce log review and analysis policies by proper management oversight of the information security staff or contract with a security information management service to perform such analysis. m. To facilitate working from home, an employee installed a modem on his office workstation. An attacker successfully penetrated the company’s system by dialing into that modem. Solution: Routinely check for unauthorized or rouge modems by dialing all telephone numbers assigned to the company and identifying those connected to modems. . An attacker gained access to the company’s internal network by installing a wireless access point in a wiring closet located next to the elevators on the fourth floor of a high-rise office building that the company shared with seven other companies. Solution: Secure or lock all wiring closets. Require strong authentication of all attempts to log into the system from a wireless client. Employ an intrusion detection system. 7. 2 Solution: The article in the Journal of Accountancy is very well written and the instructions are easy to follow.
If students follow the instructions they will have no problem completing the problem and will learn a new tool for Excel. It is expected that the instructor will familiarized themselves with the article prior to grading the assignment; however, the following are some screenshot of what the instructor may expect from student submissions. Part b. [pic] [pic] Part c. , sub-parts : a. password to open, b. password to modify, c. apply password to individual sheets, e. set workbook to be Read-only [pic] Part c – sub-part d. Encrypt the data [pic] Part c – sub-part f-1 protect cells. [pic]
Part c – sub-part f-2 protect sheet. [pic] 7. 3 a. Access control matrix: | | | | | | | | |Payroll Program |Inventory Update |Payroll |Inventory Master |System Log Files | |System User | |Program |MasterFile |File | | | | | | | | | Salesperson |0 |0 |0 |1 |0 | | | | | | | | |Inventory Control Clerk |0 |0 |0 |3 |0 | | | | | | | | |Payroll clerk |1 |0 |2 |0 |0 | | | | | | | | |Human Resources Manager |0 |0 |3 |0 |0 | | | | | | | | |Payroll Programmer |3 |0 |1 |0 |1 | | | | | | | | |Inventory Programmer |0 |3 |0 |1 |1 | | | | | | | | |CISO |3 |3 |3 |3 |3 | Codes for type of access: 0 = No Access Permitted. 1 = Read (Display) Only. 2 = Read and Modify. 3 = Read, Modify, Create, and Delete. b. Inventory control clerk. Should not have create and delete rights to the inventory file. This analyst should only have read, and modify (update) rights to the inventory master file. Payroll clerk. Should be able to run the payroll program but not display the code, modify it, create, or delete it. CISO.
Although this person may need read (display) access to many programs and files, the CISO should not have create, delete, and modify privileges to many of the functional files and programs. For example, should not be able to create new employee records or change pay rates. In addition, the CISO’s actions should be monitored regularly. 7. 4The Microsoft Baseline Security Analyzer (MBSA) allows users to scan a computer for common security misconfigurations. MBSA will scan the operating system and other installed components, such as Internet Information Services (IIS) and SQL Server™, for security misconfigurations and whether or not they are up-to-date with respect to recommended security updates. Grading depends upon instructor’s judgment about the quality of the report.
The MBSA will provide a list of weaknesses and how to correct those weaknesses. 7. 5Grading depends upon instructor’s judgment about the quality of the report; however, the student’s report should contain the student’s perspective on how these websites promote computer security and controls. The SANS Institute (www. sans. org) is basically commercial site selling security training. However, the site does contain over 1500 white papers on computer security that are divided into 71 different categories that range from Acceptable Use to Work Monitoring. Students should be able to find articles on almost any topic of interest to them about auditing.
The National Security Agency (www. nsa. gov) is a governmental website that explains and promotes the National Security Agency. Of interest to auditors is their work on data security. The work that is publicly available can be accessed from their Research link which lists their published scholarly work and work presented at conferences. Many articles deal with software, data, and systems security. The Information Systems Audit and Control Association (www. isaca. org) is a very extensive source of information for the auditor. Just about anything on this website would be of use to an auditor depending on their level of experience and responsibility.
Since this website is so extensive, instructors may want to recommend that students limit this portion of their report to three areas of student interest on the web site. The Information Systems Security Association (www. issa. org) is the website for a professional organization on security. Students will find Whitepapers and Webcasts on all security topics of general and specific interest. The draw back for this website is that access is limited to members. There is a student membership available for $30 and free 90 day trial membership. Students will have to join the organization as a student or trial membership to gain access to the information contained in the website. CERT (www. cert. org) is the website for the Carnegie Mellon University Software Engineering Institute (SEI).
The website is a good resource for information about software assurance, secure systems, organizational security, and coordinated response. The resources available are extensive, but they are also written for academics, so they may be a little deep for some students who have little experience with programming. The American Instituted of Certified Public Accountants (www. aicpa. org) is an excellent website for information pertinent to auditors. Students may access the website and the associated journal articles that target professionals. Students will have an easier time accessing and reading the information contained in this website since the target audience is accounting professionals.
The National Institute of Standards (www. nist. gov) is a government sponsored website. The Computer Security Division is the link within the site that is of the greatest interest and use for accounting students. It contains a great deal of information on computer security. The Computer Crime and Intellectual Property Section of the U. S. Department of Justice (www. cybercrime. gov) is another government website that provides information related to cyber crime in form of news releases and cases. The case summaries located in the news releases will be of the most use to the students. 7. 6Grading depends upon instructor’s judgment about the quality of the report.
Beware that although the Center for Internet Security does not charge for their benchmarking software downloads, they do require that the student register with their organization. Some students may object to this. In addition, it is unlikely that a lab administrator will allow students to download any software to lab hardware. 7. 7a. XYZ Company is secure under their best case scenario but they do not meet security requirements under their worst case scenario. P = 25 Minutes D = 5 Minutes (Best Case) 10 Minutes (Worst Case) C = 6 Minutes (Best Case), 20 minutes (Worst Case) Time-base model: P > D + C Best Case Scenario P is greater than D + C (25 > 5 + 6) Worst Case Scenario P is less than D + C (25 < 10 + 20) Currently, under the worst case scenario, security is ineffective.
As shown by the following table, any of the 3 options will result in effective security, even under the worst case scenario. |Situation |Cost Differential |Protection Time |Detection Time |Correction Time | |Current – best case |$0 |25 |5 |6 | |Current – worst case |$0 |25 |10 |20 | |Option 1 – best case |$50,000 |35 |5 |6 | |Option 1 – worst case |$50,000 |35 10 |20 | |Option 2 – best case |$40,000 |25 |1 |6 | |Option 2 – worst case |$40,000 |25 |4 |20 | |Option 3 – best case |$60,000 |25 |5 |4 | |Option 3 – worst case |$60,000 |25 |10 |10 | Cost effectiveness can be assessed in several ways.
Perhaps the simplest is to calculate the cost per minute improvement, as follows: Option 1: Costs of $50,000 will provide 10 minutes better protection = $5,000 per minute. Option 2: Costs of $40,000 will cut detection time by 4 to 6 minutes = $6,667 to $10,000 per minute Option 3: Costs of $60,000 will cut response time by 2 to 10 minutes = $6,000 to $30,000 per minute • Under this method of analysis, option 1 seems most cost-effective. Alternatively, a conservative approach would compare the buffer time provided under the worst case scenarios, as follows: Option 1: Costs of $50,000 to provide 5 minutes of buffer time (35 > 10 + 20) = $10,000 per minute buffer time.
Option 2: Costs of $40,000 to provide 1 minute of buffer time (25 > 4 + 20) = $40,000 per minute of buffer time Option 3: Costs of $60,000 to provide 5 minutes of buffer time (25 > 10 + 10) = $12,000 per minute of buffer time. • Once again, option 1 seems most cost-effective. It is also possible to compare buffer times provided under the best case scenarios, as follows: Option 1: Costs of $50,000 to provide 24 minutes of buffer time (35 > 5 + 6) = $2,083 per minute buffer time. Option 2: Costs of $40,000 to provide 18 minutes of buffer time (25 > 1+6) = $2,222 per minute of buffer time Option 3: Costs of $60,000 to provide 16 minutes of buffer time (25 > 5 + 4) = $3,750 per minute of buffer time. • Under this analysis, option 1 again appears to be most cost-effective. Note that if invested in all three options, the results would be: Situation |Cost Differential |Protection Time |Detection Time |Correction Time | |All 3 options – best case |$150,000 |35 |1 |4 | |All 3 options – worst case |$150,000 |35 |4 |10 | Investing in all 3 options improves the formula (P > D + C) by 16 (best case) to 40 (worst case) minutes at a cost of $150,000 = $3,750 (best case) to $9,375 (worst case) per minute. Investing in all 3 options also provides a total buffer time of 21 minutes (worst case scenario) at a cost of $150,000 = $7,143 per minute of buffer time.
Under the best-case scenario, investing in all 3 options would provide a total buffer of 30 minutes at a cost of $150,000 = $5,000 per minute. 7. 8 To encrypt a file or folder: 1. Open Windows Explorer. 2. Right-click the file or folder that you want to encrypt, and then click Properties. 3. On the General tab, click Advanced. 4. Select the Encrypt contents to secure data check box. To create new user accounts: 1. Click Start, Control Panel, double click User Accounts, follow prompts for User Account Creation Wizard. To create/change the password, double click on new user account icon, select Change The Password menu option and follow the prompts. a. Actions that can be performed using the new User Account 1. Open the file – No 2.
Copy the file to another location on the hard drive – No 3. Copy the file to a USB drive – No 4. Move the file to another location on the hard drive – Yes 5. Move the file to a USB drive – No 6. Rename the file – Yes 7. Delete the file – Yes 8. Restore the deleted file and open it – No, still cannot open a restored file b. Actions that can be performed by Account that encrypted the file 9. –Everything. However, you are prompted when trying to copy or move it to a USB device that performing that action will create an unencrypted copy of the file. 7. 9 Solution: (Solutions will vary from student to student and institution to institution) # |Description |Password length |Types of characters |Frequency of mandatory |Password history (can | | | |(maximum and minimum) | |changes |an old password be used| | | | | | |again) | |a. |Your school’s network | | | | | |b. |Your school’s email system | | | | | |c. |Your personal email account | | | | | |d. |Your financial institution | | | | |
Explanations of the reason for any differences should focus on the relative value/importance of the data contained in each system. 7. 10 Solution: Reports will vary from student to student; however, the reports should contain at least some of the following basic facts gathered from the text, cgisecurity. net, and wikipedia: a. Buffer overflows One of the more common input-related vulnerability is what is referred to as a buffer overflow attack, in which an attacker sends a program more data than it can handle. Buffer overflows may cause the system to crash or, even worse, may provide a command prompt, thereby giving the attacker full administrative privileges, and control, of the device.
Because buffer overflows are so common, it is instructive to understand how they work. Most programs are loaded into RAM when they run. Oftentimes a program may need to temporarily pause and call another program to perform a specific function. Information about the current state of the suspended program, such as the values of any variables and the address in RAM of the instruction to execute next when resuming the program, must be stored in RAM. The address to go to find the next instruction when the subprogram has finished its task is written to an area of RAM called the stack. The other information is written into an adjoining area of RAM called a buffer.
A buffer overflow occurs when too much data is sent to the buffer, so that the instruction address in the stack is overwritten. The program will then return control to the address pointed to in the stack. In a buffer overflow attack, the input is designed so that the instruction address in the stack points back to a memory address in the buffer itself. Since the buffer has been filled with data sent by the attacker, this location contains commands that enable the attacker take control of the system. Note that buffer overflows can only occur if the programmer failed to include a check on the amount of data being input. Thus, sound programming practices can prevent buffer overflow attacks.
Therefore, internal auditors should routinely test all applications developed in-house to be sure that they are not vulnerable to buffer overflow attacks. b. SQL injection Many web pages receive an input or a request from web users and then to address the input or the request, they create a Structured Query Language (SQL) query for the database that is accessed by the webpage. For example, when a user logs into a webpage, the user name and password will be used to query the database to determine if they are a valid user. With SQL injection, it is possible to send a specially crafted user name and password that will change the SQL query into something else; i. e. nject something new into the SQL query and thereby bypass the authentication controls and effectively gain access to the database. This can allow a hacker to not only steal data from the database, but also modify and delete data or the entire database. c. Cross-site scripting Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site so the request is less suspicious looking to the user when clicked on.
For example, IBM is extremely concerned about the loss of data and trade secrets due to disasters and corporate espionage and employs all 19 methods; however, most corporations do not employ all 19 methods. Thus, the following solution is an approximation of the methods that a typical corporation may employ and the more extensive methods that a financial institution would choose. The methods that any corporation would also be employed at financial institutions, but are not checked to more clearly highlight the differences. |Method |Any Corporation |Extra methods justified at a | | | |Financial Institution | |1.
Build on the right spot |( | | |2. Have redundant utilities |( | | |3. Pay attention to walls | |( | |4. Avoid windows |( | | |5. Use landscaping for protection |( | | |6.
Keep a 100-foot buffer zone around the site | | | | | |( | |7. Use retractable crash barriers at vehicle entry points | | | | | |( | |8. Plan for bomb detection | |( | |9.
Limit entry points |( | | |10. Make fire doors exit only |( | | |11. Use plenty of cameras |( | | |12. Protect the buildings machinery |( | | |13. Plan for secure air handling | |( | |14.
Ensure nothing can hid in the walls and ceilings | | | | | |( | |15. Use two-factor authentication |( | | |16. Harden the core with security layers |( | | |17. Watch the exits too |( | | |18. Prohibit food in the computer rooms |( | | |19.
Install visitor restrooms |( | | SUGGESTED SOLUTIONS TO THE CASES 7-1 Solution: Reports will vary from student to student, but the table below identifies corporate-grade firewalls that may or may not be included in student reports. |Name | Cost |Filtering Capability| Other Security Features |Ease of Configuration |Ease of Use | |SonicGuard Pro 5060 |$9,371 |Deep packet & Web |IPSec VPN, layered anti-virus,|Complex -Professional |Complex -Professional | | | |content |anti-spyware, intrusion |network administrator |network administrator | | | |prevention |needed |needed | |Fortinet 1000A |$24,745 |Deep packet, Web |IPSec VPN, layered anti-virus,|Complex -Professional |Complex -Professional | | | |content, stateful |anti-spyware, intrusion |network administrator |network administrator | | | |inspection |prevention, anti-spam |needed |needed | |Barracuda 910 |$28,500 |Deep packet, Web |IPSec VPN, layered anti-virus,|Complex -Professional |Complex -Professional | | | |content, stateful |anti-spyware, intrusion |network administrator |network administrator | | | |inspection |prevention, anti-spam |needed |needed | |SunScreen Secure Net |$14,995 |Dynamic packet |VPN |Complex -Professional |Complex -Professional | |3. 1 | |filtering, stateful | |network administrator |network administrator | | | |inspection | |needed |needed | . 7-2The answers to this case will vary by student.
Make sure that the student prepares questions for preventative, detective, and corrective controls with appropriate subcategories for each topic and questions that can be answered with a yes, no, or not applicable. For example, under the heading of preventive controls, there should be questions about the existence of various authentication methods, an access control matrix, training, physical access controls, firewalls, wireless access, host and application hardening, and encryption. Questions should be objective and focus on the existence of specific controls that the text suggests should be in place, such as “The main firewall employs stateful packet inspection. ” In this way, yes answers are evidence that security is effective, whereas “no” answers are evidence of potential security vulnerabilities. [pic]