Lecture 12 Flashcards
What is social engineering?
Psychological manipulation to trick people into making security mistakes or giving away sensitive information.
Who was Kevin Mitnick?
Once known as the world’s most-wanted hacker, later became a security consultant; famous for using social engineering.
According to Kevin Mitnick, what is the biggest threat to a company’s security?
The human element, not technology.
What is Information Security Governance?
Information Security Governance is the system by which an organization directs and controls its information security efforts.
What is COBIT?
A framework to help organizations develop, implement, and monitor IT governance and management.
Name two examples of COBIT control practices.
Using unique user IDs and conducting regular reviews of user access rights.
What is the difference between effective and non-effective security governance?
Effective governance involves active senior management participation and accountability for information security; ineffective governance lacks that ownership and treats information security as an afterthought.
What is a security policy?
A high-level, broad statement outlining an organization’s security goals and objectives.
What are procedures and processes in security?
Step-by-step instructions on how to implement security policies.
What are standards in security management?
Mandatory elements detailing how a policy is to be enforced.
What are guidelines in security management?
Recommended but not mandatory steps related to a policy.
What should an organizational security policy address?
Scope, purpose, IT security requirements, risk management, incident handling, training, and business continuity.
What is the role of an IT Security Officer?
Oversees security strategies, policies, incident handling, and awareness programs.
What are examples of organizational security policies?
Acceptable use policy, access control policy, data protection policy, physical security policy.
What are the four steps of the policy lifecycle?
Plan, Implement, Monitor, and Evaluate.
What is IT Security Management?
A process to protect critical assets in a cost-effective manner by identifying risks and applying safeguards.
Who is responsible for security management?
Management, IT security staff, IT staff, users, third parties.
Name a few information security job roles.
Chief Security Officer, Information Security Manager, Physical Security Manager, Security Technician.
What is the purpose of security awareness programs?
To inform employees about security responsibilities and promote a security-conscious culture.
What is ISO 27002?
A code of practice providing guidelines for organizational information security management and controls.
What is ISO 27001?
Specifies the requirements for establishing and maintaining an Information Security Management System (ISMS).
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 specifies the certifiable requirements for an ISMS (and lists the expected controls in its Annex A); ISO 27002 provides implementation guidance and best practice for those controls but is not itself certifiable.
Why is asset management important?
To understand what needs protection and how much investment it requires.
What are key elements of human resource security?
Background checks, security training, proper termination procedures.