ITSAC - Module 4

Question 1

• high-level overview or the org
• long term plan (5+ years)
• forward looking
• each level of division translates plan objectives into more specific objectives
• executive team (CEO, COO, CFO, CIO)

Answer 1

Strategic Planning

Question 2

• methods used to achieve the strategy
• short term plan (1-2 year or less)
• includes specific goals, budget, resources
• breaks down strategil goals
• eg. project plans, resource acquisition, project budgets, project reviews
• Chief Information Security Officer (CISO) and security managers

Answer 2

Tactical Planning

Question 3

• plan day to day running
• controlled via daily/weekly/monthly/annual
• inclued necessary tasks for all departments, communication, and reporting requirements

Answer 3

Operational Planning

Question 4

High-level statements which define roles, responsibilities, and expectations for specific domain areas.
- general
- what to do & not to do in org
- “all company data should be protected from unauthorized access”

Answer 4

Policies

Question 5

Specific low-level, mandatory controls that help enforce and support policies.
- how to comply to a certain policy

Answer 5

Standards

Question 6

Recommended controls that help support standards or serve as a reference for when no applicable standard is available.
- not mandatory
- “use password manager”

Answer 6

Guidelines

Question 7

Step-by-step instructions to accomplish policies, standards, and guidelines.
- specific
- how to change password

Answer 7

Procedures

Question 8

• isa management-level document, often written by the company’s CIO, detailing the company’s philosophy on security.
• general policy to a whole

Answer 8

1. Enterprise information security policies

Question 9

– is developed by an organization to outline the guidelines that govern the use of individual technologies in that organization.
- specific

Answer 9

2. Issue-specific security policies (ISSP)

Question 10

• focus on the information security policies of particular systems. For example, policies for customer-facing applications, payroll systems, or data archive systems.
• identtify security needed

Answer 10

3. Systems-specific security policies

Question 11

: An Introduction to Computer Security: The NIST Handbook​

Answer 11

SP 800-12

Question 12

: Generally Accepted Principles and Practices for Securing Information Technology Systems​

Answer 12

SP 800-14

Question 13

: Guide for Developing Security Plans for Federal Information Systems​

Answer 13

SP 800-18 Rev. 1

Question 14

: Guide for Conducting Risk Assessments​

Answer 14

SP 800-30 Rev. 1

Question 15

: Guide for Applying the Risk Management Framework to Federal Information Systems: ASecurity Life Cycle Approach​

Answer 15

SP 800-37 Rev. 1

Question 16

: Managing Information Security Risk: Organization, Mission, and Information System View​

Answer 16

SP 800-39

Question 17

: Building an Information Technology Security Awareness and Training Program​

Answer 17

SP 800-50

Question 18

: Performance Measurement Guide for Information Security​

Answer 18

SP 800-55 Rev. 1

Question 19

: Information Security Handbook: A Guide for Managers​

Answer 19

SP 800-100