Apply Security Governing Principles Flashcards

1
Q

What is abstraction?

A

Abstraction defines what types of data an object can contain and what types of functions can be performed on or by that object.

2
Q

What is a Tactical Plan and give examples?

A

Midterm plan developed to provide more details on accomplishing the goals set forth in a strategic plan. Examples: acquisition plans, hiring plans, budget plans, maintenance plans.

3
Q

What is an Operational Plan, how often should it be updated and give examples?

A

Short-term, highly detailed, based on strategic and tactical plans. Must be updated often. Examples are: training plans, system deployment plans, and product plans

4
Q

What is a strategic plan, how long can it stay in effect and what should it include?

A

Long-term plan that is fairly stable, defines organization’s security purpose. Lasts about 5 years if maintained and updated. Strategic plan should include a risk assessment.

5
Q

What is the main purpose of change management?

A

Prevent unwanted reductions in security; changes are subject to documentation and auditing.

6
Q

What are the 7 major steps in creating a data classification scheme?

A
  1. Identify the custodian and define their responsibilities
  2. Specify the evaluation criteria and how the information will be classified and labeled
  3. Data owner classifies and labels each resource
  4. Document exceptions to the classification policy and integrate them into the evaluation criteria
  5. Select the security controls that will be applied to each classification level
  6. Specify procedures for resource declassification and for transferring custody of a resource to an external entity
  7. Create an enterprise-wide awareness program to instruct all personnel about the classification system
7
Q

What are the five levels of military/government classification?

A
U.S. Can Stop Terrorism
Top Secret
Secret
Confidential
Sensitive but Unclassified
Unclassified
8
Q

What are the private sector classification levels?

A

Confidential
Private
Sensitive
Public

9
Q

What is the role of the Security Professional (aka CIRT team)?

A

Writes and implements security policy,

10
Q

What is the role of the Senior Manager?

A

Responsible for security and protection of assets; must sign off on all policy issues

11
Q

What is the role of the Data Owner?

A

Responsible for classifying information and protection to be applied

12
Q

What is the role of the Data Custodian?

A

Responsible for implementing the protections prescribed by senior management and the security policies

13
Q

What is a Data User and what are their responsibilities?

A

Any user that has access to the secured system; access is tied to their work (least privilege). Must follow rules/procedures, security policies, etc.

14
Q

What is the role of the Auditor?

A

Responsible for reviewing and verifying that the security policy is properly implemented and the security solutions are adequate

15
Q

What are the principles of COBIT 5 (by ISACA)?

A
  1. Meet stakeholder needs
  2. Cover enterprise from end to end
  3. Apply a single, integrated framework
  4. Enable a holistic approach
  5. Separate Governance from Management
16
Q

Define Due Care

A

Reasonable care to protect the organization

17
Q

Define Due Diligence

A

Practicing the activities that maintain due care effort

18
Q

What are the three types of security policies?

A

Regulatory, Advisory and Informative

19
Q

Define a security Guideline

A

Recommends how standards and baselines should be implemented; guidelines are customizable

20
Q

Give some examples of Security Baselines?

A

NIST, Trusted Computer System Evaluation Criteria (TCSEC), Information Technology Security Evaluation Criteria (ITSEC)

21
Q

What is a Security Procedure?

A

Detailed step-by-step document that describes the exact actions necessary to implement a specific security mechanism, control or solution

22
Q

What are the 4 components of security policies, from largest to smallest contributor?

A

Procedures, Guidelines, Standards, Policies