Chapter 5: Security Governance Concepts, Principles, and Policies

Question 1

What is the purpose of security management planning?

Answer 1

Ensuring the proper creation, implementation, and enforcement of a security policy.

Question 2

What is the most important key factor in a security plan?

Answer 2

Senior management approval. Without this, it’s toothless.

Question 3

What is a strategic plan?

Answer 3

A long term, fairly stable plan defining the organization’s security purpose. Useful for about 5 years if updated annually.

Question 4

What is a tactical plan?

Answer 4

A midterm plan developed to provide more details on accomplishing the goals of the strategic plan. Useful for about a year, and often prescribes and schedules taks. Includes project, acquisition, hiring, budget, maintenance, support, and system development plans.

Question 5

What is an operational plan?

Answer 5

A short term, highly detailed plan based on the strategic and tactical plans, valid and useful only for a short time. Includes resource allotments, budgetary requirements, staffing assignments, scheduling, step by step or implementation procedures.

Question 6

What is security governance?

Answer 6

The collection of practices related to supporting, defining, and directing the security efforts of an organization.

Question 7

What are the sources of governance?

Answer 7

Some are imposed due to legislative and regulatory compliance needs. Others are imposed by industry guidelines or license requirements.

Question 8

What are the responsibilities of the senior manager?

Answer 8

Ultimately responsible for the security of the organization
Should be most concerned about the protection of its assets
All activities must be approved by this role
Rarely implements the solutions directly

Question 9

What are the responsibilities of the security professional?

Answer 9

AKA InfoSec officer or CIRT.
Responsible for following the directives mandated by senior management
Functional responsibility for security, including writing the security policy and implementing it.
Often filled by a team responsible for desigining and implementing security solutions based on an approved security policy.

Question 10

What are the responsibilities of the data owner?

Answer 10

Responsible for classifying information for placement and protection within the security solution.
Typically a high-level manager ultimately responsible for data protection
Data management is usually delegated to a data custodian

Question 11

What are the responsibilities of the data custodian?

Answer 11

Responsible for the tasks of implementing the proscribed protection defined by the security policy and senior management.
CIA triad
Backups/testing/deploying security solutions

Question 12

What are the responsibilities of the user?

Answer 12

Any person who has access to the secured system.
Responsible for understanding and upholding the security policy by following prescribed operational procedures and operating within defined security parameters

Question 13

What are the responsibilities of the auditor?

Answer 13

Responsible for reviewing and verifiying that the security policy is properly implemented and the security solutions are adequate. Produces compliance and effectiveness reports.

Question 14

Define “privacy”.

Answer 14

1. Active prevention of unauthorized access to information that is personally identifiable
2. Freedom from unauthorized access to information deemed personal or confidential
3. Freedom from being observed, monitored, or examined without consent or knowledge

Question 15

What is the CIA Triad?

Answer 15

Confidentiality, Integrity, Availability

Question 16

What is Confidentiality?

Answer 16

A high level of assurance that data, objects, or resources are restricted from unauthorized subjects.

Question 17

What is Integrity?

Answer 17

Objects must retain their veracity and be intentionally modified only by authorized subjects.

Question 18

What are the three perspectives on maintaining integrity?

Answer 18

1. Prevent unauthorized subjects from making modifications
2. Prevent authorized subjects from making unauthorized modifications
3. Maintain internal and external consistency so that data is correct and true

Question 19

What is Availability?

Answer 19

Authorized subjects are granted timely and uninterrupted access to objects.

Question 20

More from 218-220?

Answer 20

.

Question 21

What is a Security Policy?

Answer 21

A document that defines the scope of security needed by the organization and discusses the assets that need protection and the extent to which security solutions should go to provide the necessary protection.

Question 22

What are the three categories of security policies?

Answer 22

Regulatory, advisory, and informative

Question 23

When is a regulatory security policy required?

Answer 23

When industry or legal standards are applicable to your organization.

Question 24

What is an advisory security policy?

Answer 24

One that discusses behaviors and activities that are acceptable and defines consequences for violations.

Question 25

What is an informative security policy?

Answer 25

One that is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers.

Question 26

What are security standards?

Answer 26

Definitions of compulsory requirements for the homogenous use of hardare, software, technology, and security controls.

Question 27

What are the goals of Change Control?

Answer 27

1. Implement changes in a monitored and orderly manner
2. Include a formalized testing process to verify that a change produces expected results
3. All changes can be reversed
4. Users are informed of changes before they occur to prevent lost productivity
5. Effects of changes are systematically analyzed
6. Negative impact of changes on capabilities, functionality, and performance is minimized.

Question 28

What is the primary objective of data classification?

Answer 28

To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity. Data classification is used to provide security mechanizms for storing, processing, and transferring data, as well as removing and destroying it.

Question 29

What are the steps of implementing a data classification scheme?

Answer 29

1. Identify the custodian and define their responsibilities
2. Specify the evaluation criteria of how the information will be classified and labeled.
3. Classify and label each resource (by owner, reviewed by supervisor)
4. Document exceptions to the classification policy, integrate them into the policy
5. Select the security controls that will be applied to each classification level to provide necessary protection
6. Specify procedures for declassifying resources or transferring them to an external entity.
7. Create an enterprise wide awareness system

Question 30

What are the two common classification schemes?

Answer 30

Government/military and commercial business/private sector

Question 31

What are the five levels of government/military classification?

Answer 31

Top secret
Secret
Confidential
Sensitive but unclassified
Unclassified

Question 32

More?

Answer 32

p 227

Question 33

What are the four levels of commercial/private classificatioN/

Answer 33

Confidential
Private
Sensitive
Public

Question 34

More?

Answer 34

p 228