What are the differences between policies standards and


1) What are the differences between policies, standards and guidelines? Provide specific examples of these differences.

2) Differentiate between law and ethics. What laws provide guidance on the use of encryption? How do policies differ from laws? How has the Sarbanes-Oxley Act of 2002 affected information security managers?

3) What does due care mean? How does due diligence differ from due care? Why are both concepts important to an organization's everyday operations? Provide examples of due care and due diligence scenarios.

4) What types of biometric devices are currently available? How do they work and how much do they cost? What are the advantages and disadvantages to the use of biometrics? Will biometrics alone be sufficient as a threat deterrent? Why or why not?

5) Why is periodic review a key component of the risk management process? How does risk identification incorporate an asset inventory system? What are the 4 strategies for controlling risk? How can risks be mitigated?

6) Describe the following terms and how they relate to each other: risk avoidance, risk transference, risk appetite, incident response plan, residual risk.

Reference No:- TGS02516356
