Topic 4 Flashcards

Developing the security program

1
Q

What is an InfoSec program?

A

An InfoSec program is the structure and organization of the effort to manage risks to an organization’s information assets.

2
Q

What functions constitute a complete InfoSec program?

A

A complete InfoSec program covers the following functions: risk assessment, risk management, systems testing, policy, legal assessment, incident response, planning, measurement, compliance, centralized authentication, system security administration, training, network security administration, and vulnerability assessment.

3
Q

What organizational variables can influence the size and composition of an InfoSec program’s staff?

A

Many variables influence the plans for staff size and composition, including organizational culture, organization size, the security personnel budget, and the security capital budget.

4
Q

What is the typical size of the security staff in a small organization? A medium-sized organization? A large organization? A very large organization?

A

  • Small—1 full-time/part-time manager and up to 2 part-time support staff members
  • Medium—1 full-time manager and up to 3 part-time support staff members
  • Large—1–2 full-time managers, 3–4 full-time admin/techs, 3–4 part-time managers, 10–12 part-time admin/techs
  • Very large—4–5 full-time managers, 10–15 full-time admin/techs, 5–10 part-time managers, 30–35 part-time admin/techs

5
Q

Where should an InfoSec unit be placed within an organization? Where shouldn’t it be placed?

A

In large organizations, the InfoSec unit is most often placed within the IT department. It should not be placed there, however, when the roles of the CIO and CISO have the potential to conflict (for example, when security controls would be traded away to meet IT delivery goals); in that case InfoSec and IT should be kept separate so that the CISO does not report to the person whose systems are being audited. Other places where the InfoSec unit is commonly located include physical (corporate) security, administrative services, insurance and risk management, strategy and planning, legal, internal auditing, the help desk, accounting and finance, human resources, facilities management, and operations.

6
Q

Into what four areas should the InfoSec functions be divided?

A

The four areas are:
1. Functions performed by nontechnical areas of the organization.
2. Functions performed by IT staff outside the InfoSec area of management control.
3. Functions performed within the InfoSec department as part of customer service.
4. Functions performed within the InfoSec department as part of a compliance enforcement obligation.

7
Q

What are the steps in a seven-step methodology for implementing training?

A

The recommended steps are:
1. Identify program scope, goals, and objectives.
2. Identify training staff.
3. Identify target audiences.
4. Motivate management and employees.
5. Administer the program.
6. Maintain the program.
7. Evaluate the program.

8
Q

When developing an awareness program, what priorities should you keep in mind?

A

Priorities for awareness programs include:
* Focus on people both as part of the problem and as part of the solution.
* Refrain from using technical jargon; speak the language the users understand.
* Use every available venue to access all users.
* Define at least one key learning objective, state it clearly, and provide sufficient detail and coverage to reinforce the learning of it.
* Keep things light; refrain from “preaching” to users.
* Don’t overload the users with too much detail, or too great a volume of information.

9
Q

Why is project management of particular interest in the field of InfoSec?

A

Project management involves identifying and controlling the resources applied to a project, measuring progress, and adjusting the process as work proceeds toward the goal. InfoSec as a whole is a process, not a project: the overall program is perpetually ongoing and has no completion date. Each element of the program (a policy rollout, a control deployment, an awareness campaign), however, has a defined start, end, and deliverable, so it should be managed as a project and benefits greatly from sound project management practices.

10
Q

What are the three planning parameters that can be adjusted when a project is not being executed according to plan?

A

When a project is not being executed according to plan, three planning parameters can be adjusted: the effort and money allocated (cost), the elapsed time or scheduling impact (schedule), and the quality or quantity of the deliverable (scope). Changing one of these generally forces a change in at least one of the others.

11
Q

What is a work breakdown structure (WBS) and why is it important?

A

A work breakdown structure (WBS) decomposes a project plan into manageable pieces. The plan is first broken down into a few major tasks, each of which is placed on the WBS task list; each major task is then divided into smaller subtasks until every item is small enough to be assigned to a person, estimated, and tracked. The WBS is important because it turns an open-ended goal into discrete, assignable units of work with owners, effort estimates, and dependencies, which is what makes progress measurable and deviations visible. It is a simple project management tool that can be prepared with a desktop spreadsheet program or with more complex project management software.
