Apply Security Governing Principles Flashcards
What is abstraction?
Abstraction defines what types of data an object can contain and what types of functions can be performed on or by that object.
What is a Tactical Plan and give examples?
Midterm plan developed to provide more detail on accomplishing the goals set forth in a strategic plan. Examples: acquisition plans, hiring plans, budget plans, maintenance plans.
What is an Operational Plan, how often should it be updated and give examples?
Short-term, highly detailed, based on the strategic and tactical plans. Must be updated often. Examples: training plans, system deployment plans, and product plans.
What is a strategic plan, how long can it stay in effect and what should it include?
Long-term plan that is fairly stable, defines organization’s security purpose. Lasts about 5 years if maintained and updated. Strategic plan should include a risk assessment.
What is the main purpose of change management?
Prevent unwanted reductions in security; changes are subject to documentation and auditing.
What are the 7 major steps in creating a data classification scheme?
- Identify the custodian and define their responsibilities
- Specify the evaluation criteria and how the information will be classified and labeled
- Data owner classifies and labels each resource
- Document exceptions to the classification policy and integrate them into the evaluation criteria
- Select the security controls that will be applied to each classification level
- Specify procedures for resource declassification and for transferring custody of a resource to an external entity
- Create an enterprise-wide awareness program to instruct all personnel about the classification system
What are the five levels of military/government classification?
Mnemonic: "U.S. Can Stop Terrorism"
- Top Secret
- Secret
- Confidential
- Sensitive but Unclassified
- Unclassified
What are the private sector classification levels?
- Confidential
- Private
- Sensitive
- Public
What is the role of the Security Professional (aka CIRT team)?
Writes and implements security policy.
What is the role of the Senior Manager?
Responsible for the security and protection of assets; must sign off on all policy issues.
What is the role of the Data Owner?
Responsible for classifying information and specifying the protection to be applied.
What is the role of the Data Custodian?
Responsible for implementing the protections prescribed by senior management and the security policies.
What is a Data User and what are their responsibilities?
Any user who has access to the secured system; access is tied to their work (least privilege). Must follow rules, procedures, security policies, etc.
What is the role of the Auditor?
Responsible for reviewing and verifying that the security policy is properly implemented and that the security solutions are adequate.
What are the principles of COBIT 5 (by ISACA)?
- Meet stakeholder needs
- Cover enterprise from end to end
- Apply a single, integrated framework
- Enable a holistic approach
- Separate governance from management