Module 3 - INFOSEC Management Flashcards

1
Q

What are the 6 Ps of INFOSEC management?

A
  1. Planning
  2. Policy
  3. Programs
  4. Protection
  5. People
  6. Project management
2
Q

Sets the long-term direction to be taken by the organization and each of its component parts

A

Strategic planning

3
Q

The application of the principles and practices of corporate governance to the information security function

A

Information Security Governance

4
Q

The ISO 27000 series standard for Governance of Information Security specifies six high-level “action-oriented” information security governance principles:

A
  1. Establish organization-wide information security.
  2. Adopt a risk-based approach.
  3. Set the direction of investment decisions.
  4. Ensure conformance with internal and external requirements.
  5. Foster a security-positive environment.
  6. Review performance in relation to business outcomes.
5
Q

Information security governance goals (5):

A
  1. Strategic alignment of information security with business strategy to support organizational objectives
  2. Risk management
  3. Resource management
  4. Performance measurement
  5. Value delivery
6
Q

Policies should (3):

A
  1. Never contradict law.
  2. Be able to stand up in court.
  3. Be properly administered.
7
Q

The least expensive controls to execute but most difficult to implement properly.

A

Security policies

8
Q

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance, is known as a(n) _____.

A

Standard

9
Q

Functions as organizational law that dictates acceptable and unacceptable behavior

A

Policy

10
Q

Management must define three types of security policy:

A
  1. Enterprise information security policies
  2. Issue-specific security policies
  3. Systems-specific security policies
11
Q

EISP typically addresses compliance in two areas:

A
  1. Ensuring that the requirements for establishing the program are met and assigning the responsibilities therein to the various organizational components
  2. Use of specified penalties and disciplinary action
12
Q

Sets strategic direction, scope, and tone for all security efforts within the organization

A

Enterprise INFOSEC Policy (EISP)

13
Q

EISP elements should include (4):

A
  1. Overview of corporate philosophy on security
  2. Information on the structure of the organization and people in information security roles
  3. Fully articulated responsibilities for security shared by all members of the organization
  4. Fully articulated responsibilities for security unique to each role in the organization
14
Q

The Issue-Specific Security Policy (ISSP) (3):

A
  1. Addresses specific areas of technology
  2. Requires frequent updates
  3. Contains statement on the organization’s position on a specific issue
15
Q

Access control lists (ACLs) are an example of what kind of policy?

A

Systems-Specific Policy (SysSP)

16
Q

For policies to be effective and legally defensible, the following must be done properly (6):

A
  1. Development
  2. Dissemination
  3. Reading
  4. Comprehension
  5. Compliance
  6. Enforcement
17
Q

Development

A

They must be written using industry-accepted practices and formally approved by management.

18
Q

Dissemination

A

They must be distributed using all appropriate methods.

19
Q

Reading

A

They must be reviewed by all employees.

20
Q

Comprehension

A

They must be understood by all employees.

21
Q

Compliance

A

They must be formally agreed to by act or affirmation.

22
Q

Enforcement

A

They must be uniformly applied to all employees.

23
Q

Awareness

A

Seeks to teach members of the organization what security is and what the employee should do in some situations

24
Q

Training

A

Seeks to train members of the organization how they should react and respond when threats are encountered in specified situations

25
Q

Education

A

Seeks to educate members of the organization as to why it has prepared in the way it has and why the organization reacts in the ways it does

26
Q

The basis for design, selection, and implementation of all security elements.

A

Information security blueprint

27
Q

The specification to be followed during the design, selection, and implementation of security controls

A

Information security framework

28
Q

A well-recognized framework promoted by a government agency, standards organization, or industry group

A

Information security model

29
Q

Standard framework for information security that states organizational security policy is needed to provide management direction and support

A

The ISO 27000 Series

30
Q

NIST’s approach to managing risk in the organization, titled:

A

Risk Management Framework (RMF)

31
Q

RMF consists of three fundamental components:

A
  1. Framework core
  2. Framework tiers
  3. Framework profile
32
Q

Set of information security activities an organization is expected to perform and their desired results

A

Framework core

33
Q

Help relate the maturity of security programs and implement corresponding measures and functions

A

Framework tiers

34
Q

Used to perform a gap analysis between the current state and a desired state of information security/risk management

A

Framework profile

35
Q

What are the 4 framework tiers?

A

Tier 1: Partial

Tier 2: Risk Informed

Tier 3: Repeatable

Tier 4: Adaptive

36
Q

What activities are included in the framework core (5)?

A
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
37
Q

What is the 7 step approach to implementing/improving programs?

A
  1. Prioritize and scope
  2. Orient
  3. Create current profile
  4. Conduct risk assessment
  5. Create target profile
  6. Determine, analyze, prioritize gaps
  7. Implement action plan
38
Q

Three levels of controls:

A
  1. Management
  2. Operational
  3. Technical
39
Q

Set the direction and scope of the security processes and provide detailed instructions for their conduct.

A

Management controls

40
Q

Address personnel security, physical security, and the protection of production inputs/outputs.

A

Operational controls

41
Q

The tactical and technical implementations related to designing and integrating security in the organization.

A

Technical controls

42
Q

More detailed than policies and describe the steps that must be taken to conform to policies.

A

Standards

43
Q

One of the least frequently implemented but most beneficial programs in an organization

A

Security awareness program
