Chapter 5 Review Flashcards

1
Q

Chapter 5 Review

An information security program is a collection of activities used to achieve these 3 activities with regard to risks

A

IDENTIFY, COMMUNICATE, and ADDRESS

2
Q

Chapter 5 Review

The security program consists of controls, processes, and practices to increase the resilience of the computing environment and ensure that these 2 things are achieved effectively with regard to risks

A

KNOWN and HANDLED

3
Q

Chapter 5 Review

This thing is a formal, written definition of the objectives of a program, its main timelines, the sources of funding, the names of its principal leaders and managers, and the business executives sponsoring the program

A

CHARTER

4
Q

Chapter 5 Review

Information security programs include numerous business processes to fulfill the overall mission of this

A

INFORMATION and INFORMATION SYSTEMS PROTECTION

5
Q

Chapter 5 Review

Information Security Programs business processes fall into three major categories:

  1. R____ ; Concerns of the business and adherence to requirements
  2. A____ ; Design frameworks / the manner in which information systems are built
  3. O____ ; Day-to-day functions of the business
A
  1. RISK and COMPLIANCE
  2. ARCHITECTURE
  3. OPERATIONS
6
Q

Chapter 5 Review

Modern information security includes essential business processes such as these 2 management activities, but overall it is also heavily involved in IT.

A

RISK and POLICY

7
Q

Chapter 5 Review

Information security is heavily involved in this area of the business as its mission is the protection of all things IT.

A

INFORMATION TECHNOLOGY
(IT)

8
Q

Chapter 5 Review

To scale with the power and speed of IT, information security has its own portfolio of 2 key technologies.

A

PROTECTIVE and DETECTIVE

9
Q

Chapter 5 Review

These are the things of value that an organization protects in an information security program.

A

ASSETS

10
Q

Chapter 5 Review

In a typical organization, assets will consist of these 2 things

A

INFORMATION and INFORMATION SYSTEMS

11
Q

Chapter 5 Review

This process is an activity whereby an organization assigns an asset to a category representing usage or risk.

A

ASSET CLASSIFICATION

12
Q

Chapter 5 Review

In an information security program, the purpose of asset classification is to determine this for each asset in the context of the organisation

A

LEVEL OF CRITICALITY

13
Q

Chapter 5 Review

Information classification is a process whereby the different sets and collections of data in an organization are analyzed for these 4 attributes:

  1. V____ ; The worth
  2. C____ ; The importance
  3. I____ ; Trustworthiness
  4. S____ ; Delicacy of the system
A
  1. VALUE
  2. CRITICALITY
  3. INTEGRITY
  4. SENSITIVITY

These levels of information, together with examples of the types of information that fall into each category and instructions on handling information at each level, form the heart of a typical information classification program.

14
Q

Chapter 5 Review

Once an organization is satisfied that its information classification is in order, it can embark on this activity

A

SYSTEM CLASSIFICATION

15
Q

Chapter 5 Review

Information systems can be classified according to various criteria within these 2 areas

A

SECURITY and OPERATIONAL

16
Q

Chapter 5 Review

In some organizations, additional requirements are imposed on persons who have access to this sort of data

A

SENSITIVE INFORMATION

Whether this information consists of trade secrets, government secrets, or other information, organizations may be required to meet specific requirements such as more thorough or frequent background investigations.

17
Q

Chapter 5 Review

A key part of a risk assessment is identifying this for each asset

A

VALUE

18
Q

Chapter 5 Review

Risk analysis is more often done in this manner, whereby a numeric scale such as 1 to 5 is assigned

A

QUALITATIVE

Instead of assigning a dollar (or other currency) value to an asset, the value of an asset can be assigned to a low-medium-high scale or a numeric scale such as 1 to 5 or 1 to 10

19
Q

Chapter 5 Review

A process that is common in larger or more mature organizations that want to better understand the actual costs associated with loss events

A

QUANTITATIVE ASSET VALUATION

Many organizations opt to surpass qualitative asset valuation and assign a dollar (or other currency) valuation to their assets. This is common in larger or more mature organizations that want to better understand the actual costs associated with loss events

20
Q

Chapter 5 Review

There are several types of frameworks in information security, and sometimes they are confused with one another. The types of framework include

  1. C ____
  2. R ____ M ____
  3. A ____
  4. S ____ P ____ M ____
A
  1. CONTROL
  2. RISK MANAGEMENT
  3. ARCHITECTURE
  4. SECURITY PROGRAM MANAGEMENT
21
Q

Chapter 5 Review

Standard control frameworks include

  1. C ____ 2019
  2. ISO/IEC ____
  3. ISO/IEC ____
  4. H ____
  5. NIST SP 800- ____
  6. NIST SP 800- ____
  7. NIST ____
  8. CIS ____
  9. ETSI TR 103 ____
  10. P ____
A
  1. COBIT 2019
  2. ISO/IEC 20000
  3. ISO/IEC 27002
  4. HIPAA
  5. NIST SP 800-53
  6. NIST SP 800-171
  7. NIST CSF
  8. CIS CSC
  9. ETSI TR 103 305-1
  10. PCI DSS
22
Q

Chapter 5 Review

Information security management frameworks are business process models that include these 2 essential things needed by most organizations.

A

PROCESSES and ACTIVITIES

23
Q

Chapter 5 Review

Information security management frameworks are risk-centric because the identification of risk is a key driver for activities in other parts of the framework to reduce risk to acceptable levels. These frameworks include:

  1. ISO/IEC ____
  2. ISO/IEC ____
  3. C ____ 2019
  4. NIST SP 800- ____
  5. NIST ____
A
  1. ISO/IEC 27005
  2. ISO/IEC 31000
  3. COBIT 2019
  4. NIST SP 800-37
  5. NIST CSF
24
Q

Chapter 5 Review

This is a business function and a technical model.

A

ENTERPRISE ARCHITECTURE
(EA)

25
In terms of a business function, **establishing an Enterprise Architecture (EA)** consists of activities that **ensure** that **IT systems meet** these.
BUSINESS NEEDS
26
# Chapter 5 Review **Information security architecture** can be thought of as a **subset** or special topic **within Enterprise Architecture (EA)** that is concerned with the **protective characteristics** found in many components in an overall EA and specific components in an EA that provide these 2 security functions
PREVENTIVE or DETECTIVE
27
# Chapter 5 Review These 4 Information security documents are the **written artifacts** that define the **business and technical rules** for information and information systems protection.
  1. POLICIES
  2. STANDARDS
  3. GUIDELINES
  4. PROCEDURES
28
# Chapter 5 Review Development of these is **foundational** to any organization's information security program.
SECURITY POLICIES
29
# Chapter 5 Review Information **security policy** defines the principles and required actions for the organization to perform this activity properly with regard to assets and personnel.
PROTECT
30
# Chapter 5 Review These are **nonbinding statements** or narratives that provide additional **direction** to personnel regarding **compliance** with **security policies, standards, and controls**.
GUIDELINES
## Footnote
Information security departments often develop guidelines when they receive numerous inquiries for help understanding certain policies or have trouble understanding how to implement them.
31
# Chapter 5 Review These are **formal statements** describing the **characteristics** of a system to be changed, developed, or acquired.
REQUIREMENTS
32
**Requirements** should flow from, and **align with**, the structure and content of these 2 things
POLICIES and STANDARDS
## Footnote
Because of their use in systems and services development and acquisition, requirements should be published in a format that can be easily extracted for use in specific projects.
33
# Chapter 5 Review These 2 documents are the **detailed, sequenced instructions** to complete **routine tasks**.
PROCESSES and PROCEDURES
34
# Chapter 5 Review This document is a **collection** of one or more **procedures** that together fulfill a higher purpose
PROCESS
35
This document is a written **set of instructions** for a **single task**
PROCEDURE
36
# Chapter 5 Review This is a **measurement** of a **periodic and ongoing activity** that intends to help the organization understand the activity within the context of overall business operations.
METRIC
37
# Chapter 5 Review **Metrics** are the means through which management can **measure** these and know whether their strategies are working
KEY PROCESSES
38
# Chapter 5 Review A formal **metrics program** provides these 2 sets of **data** on the **effectiveness** of many elements of an organization's security program and operations.
QUALITATIVE and QUANTITATIVE
39
# Chapter 5 Review **Metrics** can be developed via the **SMART** method: 1. S ____ 2. M ____ 3. A ____ 4. R ____ 5. T ____
1. SPECIFIC 2. MEASURABLE 3. ATTAINABLE 4. RELEVANT 5. TIMELY
40
# Chapter 5 Review **Metrics** must **align** with these 3 things in regards to the organization
MISSION, STRATEGY, and OBJECTIVES
41
# Chapter 5 Review Some **metrics** can be used to **report** on results in the recent past, while others serve as this: a means of prompting a **call to action** by the leadership team when the metrics show a changing trend.
LEADING INDICATORS
42
# Chapter 5 Review A common **shortcoming** of a metrics program is its failure to provide this for various **audiences**.
RELEVANT METRICS
## Footnote
As an organization develops its metrics program, it must take care to develop metrics that matter for each audience.
43
# Chapter 5 Review This can depict the **high-level effectiveness** of an organization's **security program**
SECURITY BALANCED SCORECARD
44
# Chapter 5 Review This is a **measure** of how well a **process** is progressing according to **expectations**.
KEY PERFORMANCE INDICATOR (KPI)
45
# Chapter 5 Review This is a **measure** that determines how well the **process** is **performing** in enabling a **goal to be reached**
KEY PERFORMANCE INDICATOR (KPI)
46
# Chapter 5 Review This is a **measure** of information **risk** and used to reveal **trends** related to **levels of risk**
KEY RISK INDICATOR (KRI)
47
# Chapter 5 Review This is the **most common protocol** used to **ensure confidentiality** of transmissions, for example, in a business-to-customer financial web application
SECURE SOCKET LAYER (SSL)
48
# Chapter 5 Review This is a **cryptographic protocol** that provides **secure communications** by providing **endpoint authentication** and communications privacy **over the internet**
SECURE SOCKET LAYER (SSL)
49
# Chapter 5 Review This is a **program** that can **give an attacker full control** over an **infected computer**, allowing them to hijack, copy or alter information after authentication by a user
TROJAN
50
# Chapter 5 Review This process uses a **mathematical algorithm** to **ensure data has not been changed**
HASHING
51
# Chapter 5 Review This is a **technique** used to **hide messages** in another file i.e. a message within a JPEG
STEGANOGRAPHIC
52
# Chapter 5 Review The **development** of an **information security program** will begin after these have been defined
REQUIRED OUTCOMES
53
# Chapter 5 Review These **documents** require the **most effort** for reviewing and **modifying** when supporting an operational information security program as they are designed at a more granular level
PROCEDURES
## Footnote
When an information security program is operational, few changes to policies or standards will be needed. Procedures, however, are designed at a more granular level and will require reasonably frequent modification. Because procedures are more detailed and can be technology specific, there are generally far more procedures than standards or policies. Consequently, review and modification of procedures will consume the majority of effort.
54
# Chapter 5 Review This **document** sets the **allowable boundaries** for technologies, procedures and practices. It is therefore the most appropriate control to **address compliance** with specific regulatory requirements
STANDARDS
## Footnote
Standards set the allowable boundaries for technologies, procedures and practices and thus are the appropriate documentation to define compliance requirements.
55
# Chapter 5 Review **Policies** are **developed in response** to these, which exist against the organisation
PERCEIVED THREATS
## Footnote
Policies are developed in response to perceived threats. If there is no perceived threat, there is no need for a policy. A threat is defined as anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm.