Question 1: Security Awareness Training
You will develop a security awareness training plan for a 1000-employee company. You are to determine:
What training new-employees should receive upon hire
What written materials should be issued to new employees
What materials should be available on an intranet site
What types of security awareness messages that should be issued to employees
What specialized training should be available to IT personnel
What recordkeeping for training should take place
Question 2: Observe a Defense in Depth Environment
Study the environment of any organization (For example: VIU); what assets are being protected? What controls can you find that are used to protect assets? Write down all of the controls that you can find and describe how they protect assets.
What additional controls can be found? Identify their type: detective, preventive, deterrent, compensating, recovery, corrective, or mitigating.
Identify any additional controls that could be implemented to further protect assets.
Question 3: Web Application Security Architecture
As a consultant with the Security Consulting Company, you have been hired to develop a secure application architecture for VIU' online Web application.
You are to determine:
Should the database server and the web server be on the same system?
How many firewalls should protect the application?
What forms of access controls should be used to protect the application and its database?
Question 4: Evaluate NIST 800-34
As a consultant with the Ace Security Consulting Co., you have been asked to evaluate the use of NIST 800-34 as a framework and guide to contingency planning for a medium sized business.
Answer the following questions:
Does NIST 800-34 adequately address the issue of protecting sensitive data during recovery operations?
Have any technology advances since the publication of this document made contingency considerations outdated?
Question 5: Make Encrypted Files Available to Employees in a Large Organization
As a consultant with the Ace Security Consulting Co., you have been asked to determine how encrypted documents containing sensitive information can be made available to several hundred office workers in the Very Good Software Company.
The encrypted files can be downloaded from an internal web site at Very Good Software.
What considerations and methods can be used to ensure easy downloading and reading of the encrypted documents while minimizing the risk of compromise?