$1.[10$ points$]$ Describe why the Sarbanes$-$Oxley Act $($SOX$)$ was passed and provide a detailed description of the Act. How did SOX change IT auditing?

$2.[10$ points$]$ List and describe $4$ HIPAA Security Rules. For each security rule, describe one $(1)$ internal control for each security rule.

$3.[10$ points$]$ You are conducting an IT audit. You review the Windows firewall rules and determine that ports $22,53,80,$ and $443$ are open and listening on a Windows server. Logging into this server is permitted by policy by anyone. Answer the following questions.

a$.$ What services are running?

b$.$ Do you have any concerns about the security of the server?

c$.$ If you have concerns from $($b$),$ what suggestions do you have to improve the security of the Windows server? Describe your solution and what you would have to do to implement your solution $($you do not need to provide the exact commands$).$

$4.[10$ points$]$ Describe what a firewall does and explain how a firewall can be used to protect against a ICMP ping flood denial$-$of$-$service $($DoS$)$ attack. Describe a firewall$$s functionality and this type of attack $($ICMP ping flood$)$ in detail. Describe a rule to detect this type of attack and block it$.$

$5.[10$ points$]$ List and provide a one sentence description of each of the $5$ pillars of Information Assurance. For each pillar, provide one example of a vulnerability or threat to the pillar.

$6.[20$ points$]$ Describe in detail SaaS, PaaS, and IaaS Cloud computing models. Describe three considerations when auditing Cloud technologies.

$7.[15$ points$]$ A company discovers that there is no offsite or backup storage for a financial application. The application leaves port $80$ open for web requests. There is a known vulnerability that can be exploited by sending a specifically formatted message to the application on port $80.$ There is no policy to remove user accounts for the application when employees change jobs or leave the company. Answer the following questions.

a$.$ What are the threats?

b$.$ What are the risks?

c$.$ How would you mitigate the risks?

$8.[15$ points$]$ A company$$s IT policy states that passwords should contain $16$ characters with a mix of letters, numbers, and special characters. After reviewing the implemented policy within the IT system, it is noted that the current security settings stated that passwords only need to be $4$ character long and no multi$-$factor authentication is required. Answer the following questions.

a$.$ What are the threats?

b$.$ What are the risks?

c$.$ How would you mitigate the risks?