PODHIGAI COLLEGE OF ENGINEERING AND TECHNOLOGY
Salem Main Road, Adiyur, Tirupattur – 635 601

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING

QUESTION BANK

VIII SEMESTER

IT 8073 – INFORMATION SECURITY

Regulation – 2017

Academic Year 2021–22 (Even Semester)

Prepared by

Mr. G. RAJASEKARAN, Assistant Professor/CSE
SUBJECT : IT 8073 – INFORMATION SECURITY
SEM/YEAR : VIII/IV

UNIT-1 / PART-A
Q.No Question Marks
1 How would you interpret Information Security? (2)
2 Name the multiple layers of security that a successful organization should have in place to protect its operations. (2)
3 Define Information Security. (2)
4 List the characteristics of the C.I.A. triangle. (2)
5 Give the critical characteristics of information. (2)
6 Discuss the bottom-up approach and the top-down approach. (2)
7 Differentiate direct and indirect attacks. (2)
8 Give a short note on e-mail spoofing. (2)
9 What measures are required to protect the confidentiality of information? (2)
10 Show, with the help of a diagram, the components of information security. (2)
11 How would you describe the computer as both the subject and the object of an attack? (2)
12 Assess the importance of the C.I.A. triangle. (2)
13 Create a diagram for information security implementation. (2)
14 State the responsibilities of data owners, data custodians and data users. (2)
15 If the C.I.A. triangle is incomplete, why is it so commonly used in security? (2)
16 Describe a security team in an organization. Should the approach to security be technical or managerial? (2)
17 What is the use of a methodology in the implementation of information security? (2)
18 Compare vulnerability and exposure. (2)
19 Classify the three components of the C.I.A. triangle. What are they used for? (2)
20 Is information security an art, a science, or both? Justify your answer. (2)
PART-B
1 Evaluate the various components of information security that a successful organization must have. (13)
2 i) List the various components of an information system and describe them. (8)
ii) Outline the history of information security. (5)
3 i) What is the NSTISSC Security Model? (8)
ii) Describe in detail the top-down approach and the bottom-up approach with the help of a diagram. (5)
4 i) Identify the types of attacks in information security. (6)
ii) Examine e-mail spoofing and phishing. (7)
5 i) Discuss the need for confidentiality in information security. (7)
ii) Explain the role of file hashing in the integrity of information. (6)
6 i) Examine the critical characteristics of information security. (7)
ii) Analyse in detail the advantages and disadvantages of information security. (6)
7 Illustrate briefly the SDLC waterfall methodology and its relation to information security. (13)
8 Describe the Security Systems Development Life Cycle. (13)
9 i) Compose the roles of the information security project team. (5)
ii) Design the steps unique to the security systems development life cycle in all the phases of the SSDLC model. (8)
10 i) Illustrate the different types of instruction set architecture in detail. (7)
ii) Examine the basic instruction types with examples. (6)
11 What are the six components of an information system? Which are most directly affected by the study of computer security? (13)
12 i) Infer about the information security project team. (8)
ii) Analyze why a methodology is important in the implementation of information security. How does a methodology improve the process? (5)
13 Analyze the critical characteristics of information. How are they used in the study of computer security? (13)
14 Discuss the steps common to both the systems development life cycle and the security systems development life cycle. (13)
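Worked illustration for Part-B Q5 ii) above, added here as an editor's example; it is not part of the original question bank or of the prescribed text. It uses only the Python standard library. The three "release" files, the manifest key and the tampering are constructed in memory, and every file name is hypothetical. Beyond the bare question, it also shows why a list of digests must itself be protected (here with an HMAC) before hashing counts as an integrity control:

```python
"""Added example (not part of the question bank): file hashing for integrity,
illustrating Unit-1 Part-B Q5 ii). The file contents, the manifest key and the
tampering below are all constructed in memory; the names are hypothetical."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of data as a hex string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record a known-good digest for every file (done once, at release time)."""
    return {name: sha256_hex(content) for name, content in files.items()}


def manifest_tag(manifest: dict, key: bytes) -> str:
    """HMAC over the whole manifest.

    A bare digest list only detects accidental corruption: whoever can rewrite
    the files can usually rewrite an unprotected manifest too. Keying the
    manifest (or signing it) is what turns hashing into an integrity control.
    """
    canonical = "\n".join(f"{n}:{d}" for n, d in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(files: dict, manifest: dict) -> dict:
    """Compare each file's current digest with the manifest.

    Returns one status per file name: 'ok', 'modified', 'missing' or
    'unexpected' (present on disk but absent from the manifest).
    """
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
            continue
        actual = sha256_hex(files[name])
        # compare_digest: constant-time, so the comparison itself leaks nothing
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report


# Constructed sample "release" of three files.
RELEASE = {
    "config.ini": b"[db]\nhost=db.internal\nport=5432\n",
    "app.py": b"print('hello')\n",
    "README": b"demo release\n",
}
MANIFEST = build_manifest(RELEASE)
MANIFEST_KEY = b"release-signing-key (hypothetical, keep out of the repo)"
TAG = manifest_tag(MANIFEST, MANIFEST_KEY)

# Constructed tampering: one value changed, one file removed, one file added.
TAMPERED = dict(RELEASE)
TAMPERED["config.ini"] = b"[db]\nhost=db.attacker\nport=5432\n"
del TAMPERED["README"]
TAMPERED["backdoor.py"] = b"import os\n"

if __name__ == "__main__":
    for name, status in sorted(verify(TAMPERED, MANIFEST).items()):
        print(f"{name:12s} {status}")
    # An attacker who also rewrites the manifest cannot forge the keyed tag.
    forged = build_manifest(TAMPERED)
    print("manifest tag still valid:",
          hmac.compare_digest(manifest_tag(forged, MANIFEST_KEY), TAG))
```

Running it reports config.ini as modified, README as missing and backdoor.py as unexpected, and shows that a manifest regenerated over the tampered files no longer matches the stored tag.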
PART-C
1 Assess the importance of infrastructure protection (assuring the security of utility services) and how it is related to the enhancement of information security.
2 Formulate a methodology. Why is it important in the implementation of information security? How does a methodology improve the process?
3 Generalize which members of an organization are involved in the security systems development life cycle. Who leads the process?
4 Evaluate who decides how and when data in an organization will be used or controlled. Who is responsible for seeing that these wishes are carried out?

UNIT-2 / PART-A
1 Show, with the help of points, the four important functions that information security performs for an organization. (2)
2 Analyze the assets in the organization that require protection. (2)
3 Construct, with the help of a table, any four threats with examples. (2)
4 Examine the meaning of the phrase "data in motion and data at rest". (2)
5 What is meant by the term "information extortion"? (2)
6 Give the definition of software piracy. (2)
7 Illustrate the technical mechanisms that have been used to enforce copyright laws. (2)
8 Analyze the major differences between a threat and an attack. (2)
9 Express the logic behind using a licence agreement window and an online registration process to combat piracy. (2)
10 Discuss malware. (2)
11 Name the most common methods of virus transmission. (2)
12 Formulate which management groups are responsible for implementing information security to protect the organization's ability to function. (2)
13 Evaluate the measures that individuals can take to protect themselves from shoulder surfing. (2)
14 Define the meaning of the term "electronic theft". (2)
15 Describe password attacks. (2)
16 State the various types of malware. How do worms differ from viruses? Do Trojan horses carry viruses or worms? (2)
17 Interpret the following terms: macro virus and boot virus. (2)
18 Analyse commonplace security principles. (2)
19 List any five attacks that are used against controlled systems. (2)
20 What is the difference between a denial-of-service attack and a distributed denial-of-service attack? Which is more dangerous? Why? (2)
PART-B
1 i) Discuss about threats. (6)
ii) Express the five criteria for a policy to become enforceable. (7)
2 Illustrate the methods a social engineering hacker uses to gain information about a user's login ID and password. How would this method differ if it were targeted at an administrator's assistant versus a data-entry clerk? (13)
3 Describe the types of laws and ethics in information security. (13)
4 How will you develop management groups that are responsible for implementing information security to protect the organization's ability to function? (13)
5 i) State the types of password attacks. (6)
ii) Tell the three ways in which authorization can be handled. (7)
6 i) Express in detail about: (a) protecting the functionality of an organization (2); (b) enabling the safe operation of applications (2); (c) protecting the data that organizations collect and use (2); (d) safeguarding technology assets in organizations (2).
ii) Discuss in detail about worms. (5)
7 Analyze in detail ethics and information security. (13)
8 i) Examine in detail access control lists. (8)
ii) Give an example of a systems-specific policy. (5)
9 i) List the computer security hybrid policies. (7)
ii) Describe the types of computer security. (6)
10 i) Quote the confidentiality policies. (7)
ii) Discuss in detail the types of security policies. (6)
11 i) Explain integrity policies. (6)
ii) Assess secure software development. (7)
12 Analyze whether information security is a management problem. What can management do that technology cannot? (13)
13 Point out why data is the most important asset an organization possesses. What other assets in the organization require protection? (13)
14 Illustrate which management groups are responsible for implementing information security to protect the organization's ability to function. (13)
PART-C
1 How has the perception of the hacker changed over recent years? Compose the profile of a hacker today. (15)
2 Evaluate which management groups are responsible for implementing information security to protect the organization's ability to function. (15)
3 Summarize how technological obsolescence constitutes a threat to information security. How can an organization protect against it? (15)
4 Generalize whether the intellectual property owned by an organization usually has value. If so, how can attackers threaten that value? (15)
UNIT-3 / PART-A
1 Express the role of risk management in information security. (2)
2 Define the four communities of interest responsible for addressing all levels of risk. (2)
3 Define risk identification. (2)
4 List the risk management categorization subdivisions. (2)
5 Express the data asset attributes. (2)
6 Distinguish between an asset's ability to generate revenue and its ability to generate profit. (2)
7 Name the types of information classification. (2)
8 Evaluate the strategies for controlling risk. (2)
9 State the vulnerabilities in risk management. (2)
10 Design a table to list the threats and their related examples. (2)
11 Classify the quantitative and qualitative risk control practices. (2)
12 Show with relevant examples how Microsoft follows best practices for risk management. (2)
13 Assess the metric-based measures used in benchmarking. (2)
14 Tell the Ten Immutable Laws of Security offered by Microsoft. (2)
15 Show the risk management process. (2)
16 Point out the significance of residual risk. (2)
17 Define the mitigate strategy. (2)
18 Show the three common methods used in the defend control strategy. (2)
19 Classify the information contained in a computer or personal digital assistant. Based on the potential for misuse, what information would be confidential, sensitive, or unclassified for public release? (2)
20 Generalize the strategies for controlling risk. (2)
PART-B
1 Discuss in detail about risk management. (13)
2 Describe and draw the components of risk identification. (13)
3 i) Define an information classification scheme. (3)
ii) Describe the threats that represent danger to an organization's information. (10)
4 Design and develop a risk assessment using a sample TVA spreadsheet. (13)
5 i) Design risk control strategies. (8)
ii) Examine risk handling decision points. (5)
6 i) Summarize cost-benefit analysis. (9)
ii) Distinguish the defend control strategy and the transfer control strategy. (4)
7 i) Discuss in detail about benchmarking. (7)
8 Assess the reason why periodic review should be a part of the process in risk management strategies. (13)
9 Examine how risk appetite varies from organization to organization. (13)
10 Express security incident handling. (13)
11 i) Explain in detail about information flow. (7)
ii) Point out the confinement problem. (6)
12 i) Define access control list. (8)
ii) Differentiate between the various feasibility studies for an organization's strategic objectives. (5)
13 With a suitable diagram, examine risk management. (13)
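Worked illustration for Part-B Q4 (TVA worksheet) and Q6 i) (cost-benefit analysis) above, added here as an editor's example; it is not part of the original question bank. The risk-rating, SLE/ALE and CBA formulas are the ones used in the Whitman & Mattord text this syllabus follows; every asset, threat, value, likelihood and cost in the worksheet is constructed for the example and the class and function names are the editor's own:

```python
"""Added example (not part of the question bank): a ranked TVA risk worksheet
and a cost-benefit analysis, illustrating Unit-3 Part-B Q4 and Q6 i).

The formulas are the ones used in the Whitman & Mattord text this syllabus
follows:
    risk rating = likelihood * asset value
                  - (that product * fraction already controlled)
                  + (that product * uncertainty)
    SLE = asset value * exposure factor ;  ALE = SLE * ARO
    CBA = ALE(prior) - ALE(post) - ACS      (positive: the safeguard pays off)
Every asset, threat, value and cost below is constructed for illustration."""
from dataclasses import dataclass


@dataclass
class TVAEntry:
    asset: str
    threat: str
    asset_value: float   # weighted relative value (0-100 scale used here)
    likelihood: float    # 0.0-1.0: chance the vulnerability is exploited
    controlled: float    # 0.0-1.0: share of risk current controls already remove
    uncertainty: float   # 0.0-1.0: allowance for imperfect data


def risk_rating(e: TVAEntry) -> float:
    base = e.likelihood * e.asset_value
    return base - base * e.controlled + base * e.uncertainty


def ranked_worksheet(entries):
    """TVA worksheet: highest-risk asset/threat pair first."""
    return sorted(entries, key=risk_rating, reverse=True)


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized loss expectancy = SLE * ARO, with SLE = AV * EF."""
    return asset_value * exposure_factor * aro


def cba(asset_value, exposure_factor, aro_prior, aro_post, annual_cost_of_safeguard):
    """Cost-benefit of a safeguard that lowers the ARO from aro_prior to aro_post."""
    return (ale(asset_value, exposure_factor, aro_prior)
            - ale(asset_value, exposure_factor, aro_post)
            - annual_cost_of_safeguard)


# Constructed worksheet rows (asset, threat, value, likelihood, controlled, uncertainty).
WORKSHEET = [
    TVAEntry("Customer DB", "SQL injection via web app", 100, 0.5, 0.5, 0.2),
    TVAEntry("Public web server", "Defacement", 50, 1.0, 0.0, 0.1),
    TVAEntry("Payroll file share", "Ransomware", 80, 0.3, 0.8, 0.1),
    TVAEntry("Staff laptops", "Theft", 30, 0.4, 0.25, 0.1),
]

if __name__ == "__main__":
    for e in ranked_worksheet(WORKSHEET):
        print(f"{risk_rating(e):6.1f}  {e.asset:20s} {e.threat}")
    # Constructed CBA: a 100,000 asset, 50% exposure, breach expected once in
    # five years now and once in twenty years after a 5,000-per-year safeguard.
    print("CBA:", cba(100_000, 0.5, 0.2, 0.05, 5_000))
```

Note that the uncontrolled, certain-to-occur defacement (rating 55) outranks the higher-value database (rating 35) because half of that risk is already controlled; the CBA comes out at 2,500 per year, so the safeguard is worth buying, whereas the same control at 9,000 per year would not be.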
PART-C
1 Formulate the points for hardware, software and network asset identification. (15)
2 Explain in detail the system access control mechanism. (15)
3 Evaluate, with a proper example, risk identification in detail. (15)
4 Develop the necessary points, with an example, for asset identification and valuation. (15)
UNIT-4 / PART-A
1 Distinguish between physical design and logical design. (2)
2 Express significant points in the information security blueprint. (2)
3 Give the five goals of information security governance. (2)
4 Point out the five criteria for a policy to be effective and thus legally enforceable. (2)
5 What are the two areas in which an enterprise security policy typically addresses compliance? (2)
6 Define issue-specific security policy. (2)
7 State the types of policies. (2)
8 Assess the drawbacks of ISO 17799/BS 7799. (2)
9 Formulate the significant points in the scope of NIST SP 800-14. (2)
10 Name the NIST documents that can assist in the design of a security framework. (2)
11 Generalize the security plans using NIST SP 800-18 that can be used as the foundation for a comprehensive security blueprint and framework. (2)
12 State two important documents in the VISA International Security Model. (2)
13 Assess the defence-in-depth policy. (2)
14 Quote the important types of controls in the VISA International Security Model. (2)
15 Point out the components of contingency planning. (2)
16 Examine, using the diagram, the spheres of security. (2)
17 Show the different stages in the business impact analysis step. (2)
18 Assess the commonly accepted security principles. (2)
19 Differentiate (2)
20 Examine the five testing strategies of incident planning. (2)
PART-B
1 i) List the three types of security policies. (8)
ii) Identify the components of an ISSP. (5)
2 Elaborate briefly on the information security blueprint. (13)
3 i) Give the details of the types of policies in information security. (4)
ii) Identify the inherent problems with ISO 17799. (9)
4 Express in detail about ISO 17799/BS 7799. (13)
5 Explain in detail the NIST security models. (13)
6 i) Define information security governance. Who in the organization should plan for it? (5)
ii) Examine how a security framework can assist in the design and implementation of a security infrastructure. (8)
7 i) Demonstrate with a diagram the guidelines and purposes achieved using ISO/IEC 17799. (8)
ii) Illustrate where a security administrator can find information on established security frameworks. (5)
8 i) Evaluate the VISA International Security Model. (5)
ii) Summarize planning for continuity. (8)
9 Design a security architecture and explain the goals used for achieving it. (13)
10 Analyze what Web resources can aid an organization in developing best practices as part of a security framework. (13)
11 Point out management, operational, and technical controls, and explain when each would be applied as part of a security framework. (13)
12 Describe contingency planning. How is it different from routine management planning? What are the components of contingency planning? (13)
13 Discuss briefly a policy, a standard, and a practice, with examples. (13)
14 Illustrate briefly the incident response methodology. (13)
PART-C
1 How would you create a framework and blueprint for information security? Design diagrams with suitable examples. (15)
2 Explain information security continuity for ISO 27001. Also describe its security considerations. (15)
3 Evaluate the ten sections mentioned in ISO/IEC 17799. (15)
4 Summarize SETA (Security Education, Training and Awareness) and its elements. (15)
UNIT-5 / PART-A
1 Give the mechanisms that access control relies on. (2)
2 Show the advantages of intrusion detection systems. (2)
3 List the three ways in which authorization can be handled. (2)
4 Analyze the primary disadvantage of application-level firewalls. (2)
5 Quote the different types of firewalls characterized by their structure. (2)
6 Define hybrid firewall. (2)
7 Express the five generations of firewalls. Which generations are still in common use? (2)
8 Define honey pots. (2)
9 Differentiate signature-based IDPS and behavior-based IDPS. (2)
10 Show the use of scanning and analysis tools. (2)
11 Compare cryptography and steganography. (2)
12 Define cryptography. (2)
13 Create the factors for selecting the right firewall. (2)
14 Assess the controls for protecting the secure facility. (2)
15 Describe a signature-based IDS. (2)
16 Express the information security function that can be placed within any one of the following functions. (2)
17 Formulate the best practices such that the information security function can be placed within any of the following organizational functions. (2)
18 Categorize IDPS detection methods. (2)
19 Differentiate honey pots and honey nets. (2)
20 Classify IDPS. (2)
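Worked illustration for Part-A Q9 and Q18 above (signature-based versus behavior-based detection), added here as an editor's example; it is not part of the original question bank. Both detectors are run over the same constructed web-server log so the difference is visible: the signature rules catch one known-bad request but miss a fast enumerator whose requests look individually harmless, while the rate-anomaly profile catches the enumerator but not the single traversal attempt. The log lines, IP addresses, paths, rule names and thresholds are all constructed for the example:

```python
"""Added example (not part of the question bank): a signature-based detector
and a behaviour-based (anomaly) detector run over the same constructed web
server log, illustrating Unit-5 Part-A Q9 and Q18. Log lines, IP addresses,
paths and rule names are all constructed for this example."""
import re
import statistics
from collections import Counter

# Combined-log-format style line: ip - - [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+$'
)


def parse(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


# Signature detection: a request is bad if it matches a known-bad pattern.
# Whitespace inside a path arrives URL-encoded, hence the %20 / + forms.
_SP = r"(?:\s|%20|\+)*"
_Q = r"(?:'|%27)"
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
    ("sqli-tautology", re.compile(
        _Q + _SP + "or" + _SP + _Q + "?1" + _Q + "?" + _SP + "=" + _SP + _Q + "?1", re.I)),
    ("php-shell-probe", re.compile(r"/(c99|r57|shell)\.php", re.I)),
]


def signature_alerts(records):
    alerts = []
    for r in records:
        for name, pat in SIGNATURES:
            if pat.search(r["path"]):
                alerts.append((r["ip"], name, r["path"]))
    return alerts


# Behaviour detection: learn normal per-client volume from a clean training
# window, then flag any client that exceeds mean + k * stdev of that baseline.
def train_profile(records) -> dict:
    counts = Counter(r["ip"] for r in records)
    values = list(counts.values())
    return {"mean": statistics.fmean(values), "stdev": statistics.pstdev(values)}


def behaviour_alerts(records, profile: dict, k: float = 3.0):
    threshold = profile["mean"] + k * profile["stdev"]
    counts = Counter(r["ip"] for r in records)
    return [(ip, "rate-anomaly", n) for ip, n in counts.items() if n > threshold]


def make_line(ip: str, path: str, status: int = 200) -> str:
    return f'{ip} - - [10/Mar/2022:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed clean window: five ordinary clients, 4-6 requests each.
TRAINING = [
    make_line(ip, f"/item/{i}")
    for ip, n in [("10.0.0.1", 4), ("10.0.0.2", 5), ("10.0.0.3", 6),
                  ("10.0.0.4", 5), ("10.0.0.5", 5)]
    for i in range(n)
]
# Constructed detection window: two normal clients, one fast enumerator whose
# requests look individually harmless, and one single traversal attempt.
DETECTION = (
    [make_line(ip, f"/item/{i}") for ip in ("10.0.0.1", "10.0.0.2") for i in range(5)]
    + [make_line("10.0.0.9", f"/item/{i}") for i in range(40)]
    + [make_line("203.0.113.7", "/download?file=../../etc/passwd", 403)]
)

if __name__ == "__main__":
    profile = train_profile([parse(l) for l in TRAINING])
    records = [parse(l) for l in DETECTION]
    print("signature :", signature_alerts(records))          # the traversal only
    print("behaviour :", behaviour_alerts(records, profile))  # the enumerator only
```

The two detectors fail in opposite directions, which is why the question asks you to differentiate them rather than pick one: signatures need a prior sample of the attack (and produce few false positives), while the anomaly profile needs a clean training window and a sensible k (and produces alerts for anything unusual, malicious or not).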
PART-B
1 i) Define scanning and analysis tools. (8)
ii) List and explain the cryptographic algorithms. (5)
2 i) Give the names of firewalls categorized by processing mode. (4)
ii) Summarize IDPS terminology. (9)
3 Express IDPS response options. (13)
4 Examine the strengths and limitations of IDPS. (13)
5 List the biometric access controls. (13)
6 i) Point out the tools used in cryptography. (7)
ii) Explain the man-in-the-middle attack. (6)
7 i) Evaluate honeypots, honeynets and padded cells. (6)
ii) Assess the dictionary attack, timing attacks and defending against attacks. (7)
8 i) Classify the architectural implementations of firewalls. (9)
ii) Analyze the typical relationship among the untrusted network, the firewall, and the trusted network. (4)
9 Formulate configuring and managing firewalls. (13)
10 Elaborate on vulnerability scanners. (13)
11 Explain symmetric and asymmetric encryption with examples. (13)
12 i) Describe cipher methods. (8)
ii) Discuss protocols for secure communications. (5)
13 Illustrate briefly the credentials of information security professionals. (13)
14 Discuss employment policies and practices. (13)
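Worked illustration for Part-B Q7 ii) above (dictionary attack, timing attacks and the defences against them), which also serves Unit-2 Part-A Q15 on password attacks. It is added here as an editor's example and is not part of the original question bank. It uses only the Python standard library: the same word list is run against an unsalted fast hash and against a per-user salted, iterated PBKDF2 hash, and a byte-by-byte comparison that exits early is placed beside a constant-time one so the information the timing side channel leaks can be counted directly. The word list, passwords and iteration counts are constructed for the example:

```python
"""Added example (not part of the question bank): a dictionary attack against
an unsalted fast hash versus a salted, iterated one, and the early-exit
comparison that underlies timing attacks, illustrating Unit-5 Part-B Q7 ii)
and Unit-2 Part-A Q15. Word list, passwords and iteration counts are
constructed; a real deployment would use a higher PBKDF2 count or a
memory-hard function such as scrypt or Argon2."""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2022", "Welcome1"]


# --- weak scheme: one unsalted, fast hash (MD5 or SHA-1 would be no better) --
def weak_store(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack_weak(stored: str, wordlist):
    """One cheap hash per guess; one precomputed table cracks every user."""
    for w in wordlist:
        if weak_store(w) == stored:
            return w
    return None


# --- hardened scheme: per-user random salt + iterated PBKDF2-HMAC-SHA256 -----
def strong_store(password: str, iterations: int = 200_000) -> dict:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_strong(password: str, record: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison of the two digests
    return hmac.compare_digest(dk.hex(), record["hash"])


def dictionary_attack_strong(record: dict, wordlist):
    """Same guesses; returns (hit, work), work = HMAC iterations spent.
    Each guess costs `iterations` HMACs and the salt defeats shared tables."""
    work = 0
    for w in wordlist:
        work += record["iterations"]
        if verify_strong(w, record):
            return w, work
    return None, work


# --- the timing side channel in a naive comparison --------------------------
def naive_equal(a: bytes, b: bytes):
    """Returns (equal, bytes_examined). Stopping at the first mismatch means
    elapsed time tells an attacker how many leading bytes were already right."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equal(a: bytes, b: bytes):
    """Same answer, but always examines every byte (what hmac.compare_digest does)."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps


if __name__ == "__main__":
    print("weak  :", dictionary_attack_weak(weak_store("letmein"), WORDLIST))
    rec = strong_store("letmein")
    print("strong:", dictionary_attack_strong(rec, WORDLIST))
    print("naive compare examined", naive_equal(b"abcdef", b"abcXYZ")[1], "bytes;",
          "constant-time examined", constant_time_equal(b"abcdef", b"abcXYZ")[1])
```

Both dictionary attacks find "letmein", which is the point: a salted, iterated hash does not stop guessing, it makes each guess cost the full iteration count and forces the attacker to repeat the work for every user, so the remaining defences are password policy, rate limiting and lockout on the online side.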
PART-C
1 Explain how screened host architectures for firewalls differ from screened subnet firewall architectures. Which of these offers more security for the information assets that remain on the untrusted network? (15)
2 Evaluate how a network-based IDPS differs from a host-based IDPS. (15)
3 Formulate in detail the importance of physical security. (15)
4 Create the options available for the location of the information security function within the organization. Discuss the advantages and disadvantages of each option. (15)
