Ch 11 - Security and Personnel Flashcards

1
Q

Story or vignette

A

The story is about Iris Majwubu who gets an email from the senior manager of IT, Charlie Moody.

In the email, he asks her to come by because he would like to discuss the Magruder case and investigation. Magruder is the employee who left a USB drive at the coffee station and was found to be selling sensitive company information.

It turns out he wants to reward her with an opportunity to join the information security team, as her actions saved the company from having significant losses. She is hesitant, but she says that she’ll think about it.

2
Q

Learning Objectives

A
  1. How should the info sec. function be positioned within an organization?
  2. What are the issues/concerns that must be addressed when staffing the IS function?
  3. What are some IS credentials one can earn in the field?
  4. How can employment policies and practices support the IS function?
  5. What special security precautions should be taken when using contract workers?
  6. What are the requisites (needed) to ensure the privacy of personnel data?
3
Q

How are IS departments usually positioned?

A

Within the information technology department of organizations.

The CISO or CSO heads the department and reports to the CIO.

The CIO and the CSO/CISO do not always have the same interests in mind:

CIO - access

CSO/CISO - security

A balance between access and security is essential

4
Q

Other possible places where the IS function can be positioned in an organization’s structure

A
  1. IT function
  2. Physical security function
  3. Administrative services function
  4. Insurance and risk mgmt. function
  5. Legal department
5
Q

Where the IS function is positioned matters less than whether it meets two criteria:

A
  1. That it is able to have a say in terms of the reporting function.
  2. That it is able to enforce organizational policy, meaning monitor compliance.
  3. And that it be able to provide education, training, awareness, and customer service.
6
Q

Best hiring practices

A
  1. Gen. mgmt. should learn about the skills/requisites needed to carry out the IS job.
  2. Gen. mgmt. needs to understand and allocate a budget that allows the IS function to carry out its duties
  3. IT and Gen. mgmt. should grant the appropriate level of influence and prestige to the IS function.
7
Q

Important skills for people in the IS function to understand:

A
  • How an organization operates at all levels
  • That information security is usually a management problem and is seldom an exclusively technical problem
  • How to work with people and collaborate with end users, and the importance of strong communications and writing skills
  • The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution, rather than part of the problem
  • Most mainstream IT technologies (not necessarily as experts, but as generalists)
  • The terminology of IT and information security
  • The threats facing an organization and how these threats can become attacks
  • How to protect an organization’s assets from information security attacks
  • How business solutions (including technology-based solutions) can be applied to solve specific information security problems
8
Q

The broad 3 areas of IS job classifications:

A
  1. Those that define the IS program - provide the policies, guidelines, and standards; do the consulting and risk assessment; and develop the product and technical architectures. Senior people in the field with broad knowledge.
  2. Those that build the IS system and create the programs to implement IS controls. The techies.
  3. Those that administer the infosec control systems and programs that have been created. The sheep that can carry out specific tasks.
9
Q

CISO duties and responsibilities

A
  • Manages the overall information security program for the organization
  • Drafts or approves information security policies
  • Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
  • Develops information security budgets based on available funding
  • Sets priorities for the purchase and implementation of information security projects and technology
  • Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
  • Acts as the spokesperson for the information security team
10
Q

CISSP

A

Certified Information Systems Security Professional

CISSP accreditation

11
Q

CISM

GIAC

A

CISM - Certified Information Security Manager

GIAC - Global Info. Assurance Certification

12
Q

(ISC)2

A

International Information Systems Security Certification Consortium

It is considered one of the foremost organizations offering information security certifications today. Currently (ISC)2 offers three primary certifications and three specializations for its flagship certification.

CISSP - Certified Info Systems Security Professional

Concentrations of CISSP - Info Systems Security: Engineering Prof., Mgmt. Prof, and Architecture Prof.

SSCP - Systems Security Certified Practitioner

Associate of ISC2

CAP - Certification and Accreditation Professional

13
Q

ISACA Certifications

The Information Systems Audit and Control Association

A

Offers 2 certifications:

CISA - for auditing, networking, and security professionals

CISM - for info. security management professionals

Requisites:

  • Successful completion of the requisite examination
  • Experience as an information systems auditor, with a minimum of five years’ professional experience in an area of direct interest to the certification
  • Agreement to the ISACA Code of Professional Ethics
  • Continuing education policy that requires maintenance fees and a minimum of twenty contact hours of continuing education each year and a minimum of 120 contact hours over the three-year certification period
14
Q

CISA

ISACA

A

Certified information systems auditor

15
Q

CISM

ISACA

A

Certified Info Security Manager

16
Q

GIAC

A

Global Information Assurance Certification

Org: SANS

17
Q

Job Descriptions and Info Sec

A

Do not advertise access to sensitive information in the job description

18
Q

Background Checks components

A

Types of checks

  1. Identity
  2. Education and credential
  3. Previous employment verification
  4. Reference
  5. Worker’s compensation history
  6. Motor vehicle records
  7. Drug history
  8. Credit history
  9. Civil court history
  10. Criminal court history
19
Q

Terminating an employee

Tasks that must be performed from an IS perspective:

A
  1. Access to org’s systems must be disabled
  2. Removable media must be returned
  3. Hard drives must be secured
  4. File cabinet locks must be changed
  5. Office door locks must be changed
  6. Keycard access must be revoked
  7. Personal effects must be removed from the org’s premises

Escorting off the premises.

Hostile vs. friendly departures

20
Q

exit interviews

A

NDAs reminder (civil or criminal prosecution), feedback, etc.

21
Q

Separation of duties

A

Important for protecting information assets, especially financial assets.

General categories of functions to be separated:

  • authorization function
  • recording function, e.g. preparing source documents or code or performance reports
  • custody of asset whether directly or indirectly, e.g. receiving checks in mail or implementing source code or database changes.
  • reconciliation or audit
  • splitting one security key in two (more) parts between responsible persons
22
Q

two-person control

A

two-person control - requiring two individuals to review and approve each other’s work before the task is categorized as done/finished.

23
Q

job rotation or task rotation

A

the requirement that every employee be able to perform the work of another employee. If it is not feasible that one employee learn the entire job of another, then the organization should at least try to ensure that for each critical task it has multiple individuals on staff who are capable of performing it.

24
Q

Mandatory vacations

A

A mandatory vacation, of at least one week, provides the organization with the ability to audit the work of an individual. Individuals who are stealing from the organization or otherwise misusing information or systems are, in general, reluctant to take vacations, for fear that their actions will be detected.

25
Q

least-privilege

principle

A

employees should be provided access to the minimal amount of information for the minimal amount of time necessary for them to perform their duties. In other words, there is no need for everyone in the organization to have access to all information.
