Chapter 5
four areas of security functions
- non-technology business units outside the IT management control
- IT groups outside the InfoSec area of management control
- InfoSec department as a customer service to the organization and its external partners
- InfoSec department as a compliance enforcement obligation
Program Evaluation and Review Technique (PERT)
A diagramming technique developed in the late 1950s that involves specifying activities and their sequence and duration.
Gantt Chart
A diagramming technique named for its developer, which lists activities on the vertical axis of a bar chart and provides a simple timeline on the horizontal axis.
Critical Path Method (CPM)
A diagramming technique, similar to PERT, designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.
security administrator
A hybrid position comprising the responsibilities of both a security technician and a security manager.
work breakdown structure (WBS)
A list of the tasks to be accomplished in the project; the _______ provides details for the work to be accomplished, the skill sets or even specific individuals to perform the tasks, the start and end dates for the task, the estimated resources required, and the dependencies between and among tasks.
security education, training, and awareness (SETA)
A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizational employees.
projectitis
A situation in project planning in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts in the project management software than accomplishing meaningful project work.
security analyst
A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system.
security technician
A technical specialist tasked with configuring firewalls and intrusion detection systems (IDSs), implementing security software, diagnosing and troubleshooting problems, and coordinating with systems and network administrators to ensure that security technology is properly implemented.
Network security administration
Administers the configuration of computer networks; often organized into groups by logical network area (e.g., WAN, LAN, DMZ) or geographic location
Systems security administration
Administers the configuration of computer systems, which are often organized into groups by the operating system they run
Security watchstanders
An entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology. Also known as a security staffer.
Systems testing
Evaluates patches used to close software vulnerabilities and performs acceptance testing of new systems to ensure compliance with policy and effectiveness
Incident response
Handles the initial response to potential incidents, manages escalation of actual incidents, and coordinates the earliest responses to incidents and disasters.
Risk assessment
Identifies and evaluates the risk present in IT initiatives and/or systems
Risk management
Implements or oversees use of controls to reduce risk
those that define, those that build, and those that administer
InfoSec positions can be classified into three types:
Vulnerability assessment (VA)
Locates exposure within information assets so these vulnerabilities can be repaired before weaknesses are exploited
Legal assessment
Maintains awareness of planned and actual laws and their impact, and coordinates with outside legal counsel and law enforcement agencies
Centralized authentication
Manages the granting and revocation of network and system credentials for all members of the organization
security awareness program
One of the least frequently implemented but most effective security methods
Planning
Researches, creates, maintains, and promotes InfoSec plans; often takes a project management approach to planning as contrasted with strategic planning for the whole organization
culture, size, budget
The InfoSec needs of an organization are unique to its _____________.
SETA program
The ________________________________ is the responsibility of the CISO and is designed to reduce the incidence of accidental security breaches.
NICE Cybersecurity Workforce Framework (NCWF)
The _________________________________ defines a common means of classifying roles in the discipline of cybersecurity.
slack time
The difference in time between the critical path and any other path is called ___________.
information security program
The entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to its information assets.
Scope creep
The expansion of the quantity or quality of project deliverables from the original project plan.
Security managers
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians.
security education
The portion of the SETA program based on formal delivery of knowledge of InfoSec issues and operations, usually through institutions of higher learning.
security awareness
The portion of the SETA program dedicated to keeping users conscious of key InfoSec issues through the use of newsletters, posters, trinkets, and other methods.
security training
The portion of the SETA program focused on providing users with the knowledge, skill, and/or ability to use their assigned resources wisely to avoid creating additional risk to organizational information assets.
project management
The process of identifying and controlling the resources applied to a project as well as measuring progress and adjusting the process as progress is made toward the goal.
Training
Trains general staff in InfoSec topics, IT staff in specialized technical controls, and internal InfoSec staff in specialized areas of InfoSec, including both technical and managerial topics
Measurement
Uses existing control systems (and perhaps specialized data collection systems) to measure all aspects of the InfoSec environment
Compliance
Verifies that system and network administrators repair identified vulnerabilities promptly and correctly
Ignorance of the law is not an excuse
ignorantia juris non excusat
NIST SP 800-16
One of the most useful documents for InfoSec practitioners and those developing training programs.
chief security officer (CSO)
In some organizations, an alternate title for the CISO; in other organizations, the title most commonly assigned to the most senior manager or executive responsible for both information and physical security.
Computer Security Act of 1987
Requires federal agencies to provide mandatory periodic training in computer security awareness and accepted computer practices to all employees involved with the management, use, or operation of the agencies' computer systems.
chief information security officer (CISO)
Responsible for the assessment, management, and implementation of information-protection activities in the organization.
chief information officer (CIO)
The senior technology officer responsible for aligning the strategic efforts of the organization and integrating them into action plans for the information systems or data-processing division of the organization.