Chapter 4 Flashcards
List the 6 steps to developing a compliant security program
1 - Identify information assets
2 - Conduct a risk assessment
3 - Select & implement security controls
4 - Monitor & test the controls
5 - Review & adjust the program
6 - Oversee third party service providers
Which step is the baseline for security controls?
Step 2: Conducting a risk assessment
What is a threat?
Anything that has the potential to cause harm
What is a Vulnerability?
Flaw or weakness that can be exploited.
What are the 3 security controls?
Physical Security Controls
Technical Security Controls
Administrative Security Controls
Factors cited in security statutes and regulations:
Organization size and capabilities
Nature & scope of the business
Nature and sensitivity of information
State of the art technology
Cost of the security
Infrastructure capabilities
Businesses must conduct periodic internal reviews to evaluate and adjust the information security program as a result of:
Testing & monitoring
Material changes to the business
Changes in technology
Changes in threats
Environmental or operational changes
What are the 3 basic requirements on businesses for outsourcing?
1- Exercising due diligence in selecting service provider
2- Contractually require outsource provider to implement appropriate security measures
3- Monitor the performance of the outsource provider
Physical Security Controls focus on?
Facility and equipment
Media
Technical security controls focus on?
Access Controls
Identification and authentication
System and service acquisition Controls
System and information Integrity
Administrative Security Controls focus on?
Personnel Security
Employee awareness and training
Contingency Planning, backup & disaster recovery
Incident Response Plan
3 categories of protection for facility and equipment
Physical access restriction
Protection against technological failures
Protection against environmental threats
Security laws & regulations require that data media be protected from being:
Read
Copied
Altered
Removed
Controlling access to system and data requires?
Identification
Authentication
Authorization
Managing the acquisition process should include:
Imposing appropriate security requirements
Design and implementation of the system
Testing & Evaluation of security
System and data integrity includes:
System Integrity (protect from unauthorized changes)
Data integrity (protect from unauthorized alteration or destruction)
Malicious code protection
Intrusion detection
Laws and regulations require verifying that employees, agents and contractors have:
Technical Expertise
Personal Integrity
Reliability
Contingency Plan should include:
System & data backup procedures
Recovery plan
Alternate source storage
Backup & retention procedure
Proper and immediate deletion of backups once they can no longer be used
Appropriate mechanisms for recovery
Testing the plan on a regular basis
Regular review of the plan
Incident Response Plan should include:
Incident reporting
Incident handling and response
Incident monitoring and recordkeeping
Incident response assistance
Training
Testing
What is the purpose of Selecting and Implementing security controls?
To manage and reduce the risk to an appropriate and reasonable level
The implementation of the security law involves:
Categories of the security control
The key role of the risk assessment