How can a security framework assist in the design and implementation of a security infrastructure? What is information security governance? Who in the organization should plan for it? Where can a security administrator find information on established security frameworks? At the security blueprint What is the ISO 27000 series of standards? Which individual
standards make up the series? One of the most widely referenced security models - Standard framework for information security that states organizational security policy is needed to provide management direction and support - Purpose is to give recommendations for information security management - Provides a starting point for developing organizational security What are the issues associated with adopting a formal framework or
model? Each environment is unique, framework may not be the best solution. What documents are available from the NIST Computer Security Resource Center, and how can they support the development of a security framework?Summarize
Quiz
Quiz 1
Quiz 2
Quiz 3
Quiz 4
Quiz 5
SP-800 series
Quiz 6
What benefit can a private, for-profit agency derive from best practices designed for federal agencies?
Quiz 7
What Web resources can aid an organization in developing best practices as part of a security framework?
Quiz 8
Briefly describe management, operational, and technical controls, and explain when each would be applied as part of a security framework.
- Management controls: strategic
- Operational controls: address personnel and physical security
- Technical controls: tactical and technical implementations related.
Quiz 9
What are the differences between a policy, a standard, and a practice?
- Policy: general, from high-ups
- Standard: minimum specification for compliance
- Practice: how to comply in detail
What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?
- Enterprise info SP: guides the dev, implementation nad managment of the SP
- Issue Specific SP: specific area of tech
- Sys Specific SP: standards for configuring and maintaining systems
Quiz 10
Who is ultimately responsible for managing a technology? Who is responsible for enforcing policy that affects the use of a technology?
- The Champion
- policy administrator or manager
Quiz 11
What is contingency planning? How is it different from routine management planning?What are the components of contingency planning?
- plan to anticipate, react to, and recover from advert events and restore BC.
- Incident response P, disaster recovery P, and business continuity P are components of contingency planning.
Quiz 12
When is the IR plan used?
As soon as an incident in progress has been identified.
Quiz 13
When is the DR plan used?
If an incident escalates or is disastrous, focuses on restoring systems at the original site.
Quiz 14
When is the BC plan used?
- Used concurrently with the disaster recovery plan when the damage is major, creates long-term consequences, or requires more than simple restoration of information and information resources.
Quiz 15
What are the elements of a business impact analysis?
Quiz 16
What are Pipkin’s three categories of incident indicators?
Quiz 17
What is containment, and why is it part of the planning process?
Isolating the affected channels, processes, services, or computers, and stopping the losses such as taking down the entire system, servers, and network.
Containment of incident’s scope or impact is first priority
Quiz 18
When should law enforcement be involved in an IR or DR action? What are the issues associated with law enforcement involvement?
Quiz 19
What is an after-action review? When is it performed? Why is it done?
Quiz 20
List and describe the six site and data contingency strategies identified in the text.
- Exclusive options:
- Hot site: “plugin and use”
- Warm site: has some equipment but not all
- Cold site: just the empty site
- Shared
options:
- Time-share: multiple companies rent the same site
- Service bureaus: third party providing the backup sites
- Mutual agreements: companies being backup sites of each other