
INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA

END-OF-SEMESTER EXAMINATION, SEMESTER 2, 2009/2010 SESSION
KULLIYYAH OF INFORMATION AND COMMUNICATION TECHNOLOGY

Programme: BIT
Level of Study: Undergraduate
Time Duration: 2 Hr(s)
Date:
Course Code: INFO 2602
Section(s): All
Course Title: INFORMATION SECURITY

This Question Paper Consists of Eight (6) Printed Pages with Five (3) Sections

Section 1: Multiple Choice Questions. 10 Questions: 10 Marks
Section 2: True or False. 20 Questions: 10 Marks
Section 3: Essay Questions. 6 Questions: 20 Marks. Answer FIVE (5) out of SIX (6) questions.

INSTRUCTION(S) TO CANDIDATES DO NOT OPEN UNTIL YOU ARE ASKED TO DO SO


You are required to answer ALL questions. Write all answers in the answer booklet provided.

Any form of cheating or attempt to cheat is a serious offence which may lead to dismissal.
APPROVED BY

Section 1: Multiple Choice Questions (10 marks). Answer all questions in the answer booklet. (1 mark for each question).

1. We can distinguish three elements of information system (IS) security:
A. Logical security
B. Physical security
C. Premises security
D. All the above

2. Physical security threats are organized into the following categories:
A. Environmental threats
B. Technical threats
C. Human-caused threats
D. All of the above

3. In the security policy life cycle, the main steps are:
A. Risk analysis, then policy development, then policy approval, then raising awareness, then policy implementation, then reassessment
B. Policy development, then policy approval, then risk analysis, then raising awareness, then policy implementation, then reassessment
C. Risk analysis, then policy approval, then policy development, then raising awareness, then policy implementation, then reassessment
D. Risk analysis, then policy approval, then raising awareness, then policy implementation, then reassessment, then policy development

4. IT security management functions include all of the following except:
A. Organizational IT security objectives, strategies and policies
B. Identifying and analyzing security threats to IT assets
C. Educational and training activities
D. Developing and implementing a security awareness program

5. IT security controls can be classified as belonging to one of the following classes (although some controls include features from several of these):
A. Management controls
B. Operational controls
C. Technical controls
D. All of the above

6. The security awareness program should address issues such as:
A. The organization's security objectives, strategies and policies
B. Detecting potential security incidents
C. Identifying and responding to breaches in security
D. Documenting breaches in security for future reference

7. Preventative controls focus on:
A. The response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability
B. Preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability
C. Security policies, planning, guidelines and standards, which then influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission
D. All the above

8. Which of the following is NOT included in an IT security plan?
A. Selected controls (on the basis of the cost-benefit analysis)
B. Target start and end dates for implementation
C. Maintenance requirements and other comments
D. Documenting breaches in security for future reference

9. Intellectual property relevant to network and computer security includes all of the following except:
A. Software
B. Databases
C. Hardware
D. Algorithms

10. Computer crime is categorized based on the role that the computer plays in the criminal activity, as follows:
A. Computers as targets
B. Computers as storage devices
C. Computers as communications tools
D. All the above

Section 2: True or False (10 marks). Answer ALL questions either True (T) or False (F) in the answer booklet. (0.5 mark for each question).

1. Premises security is also known as corporate or facilities security.

2. Pattern matching scans incoming packets for specific byte sequences (the signature) stored in a database of known attacks.

3. The physical security infrastructure includes information system hardware and supporting facilities only.

4. Human-caused threats are more difficult than other threats.

5. A vandalism threat includes destruction of equipment and destruction of data.

6. The misuse threat category includes improper use of resources by those who are authorized to use them, as well as use of resources by individuals not authorized to use the resources at all.

7. Security awareness, training, and education programs provide benefits in improving employee behavior.

8. Roles and responsibilities relative to IT systems focuses on providing knowledge, skills, and abilities for individuals in their job position.

9. Violations reporting is the types of violations, how they're reported, and to whom.

10. The security of the operating systems does not include access control guidelines and logging requirements.

11. Risk transferal is sharing responsibility for the risk with a third party.

12. Technical controls involve the correct use of hardware security capabilities in systems only.

13. Immutable audit is a method that identifies where data goes and who has seen it.

14. A professional code of conduct cannot provide a measure of support for a professional whose decision to act ethically in a situation may create conflict with an employer or customer.

15. Selective revelation is a method for maximizing exposure of individual information while enabling continuous analysis of potentially interconnected data.

16. Data transformation encodes portions of the data so as to preserve privacy but still allow data analysis functions needed for effective use.

17. Unlinkability ensures that a user may make multiple uses of resources or services without others being able to link these uses together.

18. In a DRM system, identity management is the mechanisms for unique entities, such as parties and content.

19. Unobservability ensures that a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used.

20. The RSA public-key cryptosystem is an example of a patent from the computer security realm.

Section 3: Essay Questions (20 marks).


Answer FIVE (5) out of SIX (6) questions.

Question 1
Please define each of the following: (4 marks)
Accountability
Privacy
Risk appetite
Intellectual property

Question 2
Give the full name for each of the following: (4 marks)
PIN
PIV
WIPO
DRM

Question 3
3.1 Explain the managing information security steps (Plan - Do - Check - Act). (2 marks)
3.2 What is the difference between a trademark and a servicemark? (2 marks)

Question 4
4.1 Briefly explain ISO 27002. (2 marks)
4.2 hence derive overall risk rating for each threat (2 marks)

Question 5
Provide 4 steps for Threat Assessment. (4 marks)

Question 6
Please write 4 general questions of the security policy document: (4 marks)

~ End of Questions ~
