Chapter 4 - Planning for Security


Redundancy can be implemented at a number of points throughout the security architecture, such as in ____.

All of the above: proxy servers, firewalls, access controls

According to NIST SP 800-14's security principles, security should _________.

All of the above: support the mission of the organization; require a comprehensive and integrated approach; be cost-effective.

The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages?

All of these are BIA stages: identify resource requirements; determine mission/business process and recovery criticality; identify recovery priorities for system resources.

A ________ site provides only rudimentary services and facilities.

Cold

__________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

Defense in Depth

A cold site provides many of the same services and options of a hot site, but at a lower cost. T/F

False

A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company is liable for the employee's actions. T/F

False

A sequential roster is activated as the first person calls a few people on the roster, who in turn call a few other people. T/F

False

A standard is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties. T/F

False

A(n) DR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs. T/F

False

A(n) disaster is any adverse event that could result in the loss of an information asset or assets, but does not currently threaten the viability of the entire organization. T/F

False

An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement. T/F

False

Every member of the organization's InfoSec department must have a formal degree or certification in information security. T/F

False

Guidelines are more detailed statements of what must be done to comply with policy. T/F

False

ISO/IEC 17799 is widely considered more useful than any other information security management approach. T/F

False

In 2014, NIST published a new Cybersecurity Framework to provide a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services, based on vendor-specific technologies. T/F

False

One of the basic needs of security architectures is the layered implementation of security, which is called defense in redundancy. T/F

False

The ISSP sets out the requirements that must be met by the information security blueprint or framework. T/F

False

The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799. T/F

False

The key components of the security perimeter include firewalls, DMZs (demilitarized zones), Web servers, and IDPSs. T/F

False

The operational plan documents the organization's intended long-term direction and efforts for the next several years. T/F

False

The security framework is a more detailed version of the security blueprint. T/F

False

The security model is the basis for the design, selection, and implementation of all security program elements including such things as policy implementation and ongoing policy and program management. T/F

False

Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. T/F

False

The goals of information security governance include all but which of the following?

Regulatory compliance by using information security knowledge and infrastructure to support maximum standards of due care.

_______ often function as standards or procedures to be used when configuring or maintaining systems.

SysPs

A disaster recovery plan is a plan that shows the organization's intended efforts to restore operation at the original site in the aftermath of a disaster. T/F

True

A security policy should begin with a clear statement of purpose (policy). T/F

True

A service bureau is an agency that provides a service for a fee. T/F

True

A(n) capability table specifies which subjects and objects users or groups can access. T/F

True

Disaster recovery personnel must know their roles without supporting documentation, which is a function of preparation, training and rehearsal. T/F

True

Evidence is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator. T/F

True

Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program. T/F

True

In recent years, NIST has shifted its approach from implementing security controls using a certification and accreditation (C&A) model to one more aligned with industry practices, titled the Risk Management Framework. T/F

True

Management controls address the design and implementation of the security planning process and security program management. T/F

True

NIST 800-14's Principles for Securing Information Technology Systems can be used to make sure the needed key elements of a successful effort are factored into the design of an information security program and to produce a blueprint for an effective security architecture. T/F

True

NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size. T/F

True

Some policies may also need a(n) sunset clause indicating their expiration date. T/F

True

Technical controls are the tactical and technical implementations of security in the organization. T/F

True

The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area. T/F

True

The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident classification. T/F

True

The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. T/F

True

The stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins, is to offer guidelines and voluntary directions for information security management. T/F

True

To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date. T/F

True

To remain viable, security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date. T/F

True

The SETA program is a control measure designed to reduce the instances of ____________ security breaches by employees.

accidental

SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ______.

blueprint

Incident __________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident.

damage assessment

The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called _________.

electronic vaulting

A security _______ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the organization.

framework
