IR Chapter 1
What is a contingency plan?
A contingency plan is used to anticipate, react to, and recover from events that threaten the security of information and information assets in the organization; it is also used to restore the organization to normal modes of business operations.
What is an issue-specific policy?
An ISSP addresses specific areas of technology and contains a statement of the organization's position on a specific issue.
What is an asset in the context of information security?
An asset is an organizational resource whose confidentiality, integrity, and availability must be preserved.
What three principles are used to define the CIA triangle? Define each in the context in which it is used in information security.
CIA stands for Confidentiality, Integrity, and Availability. Confidentiality: Only the people/computer systems with the rights and privileges to access it are able to do so. Integrity: Protecting information assets while being stored, processed, or transmitted, from corruption or damage, and ensuring that the information is whole, complete, and uncorrupted.
What is the enterprise information security policy, and how is it used?
The EISP, also known as the general security policy, IT security policy, or information security policy, is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. It addresses compliance by documenting the organizational structures put into place, describing the programs that have been developed, and reviewing the assignment of responsibilities and/or the use of specified penalties and disciplinary actions.
What are standards? How are they different from policy?
While standards have the same compliance requirements as policies, they are instead fine-grained statements of what must be done to comply with policies. They are more technical and should convey the practical extensions of policies, which in turn affect the practices, procedures, and guidelines of an organization.
What is a threat in the context of information security?
A threat is an object, person, or other entity that is a potential risk of loss to an asset, something that violates CIA in some way.
What is vulnerability in the context of information security?
A vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally or intentionally exploited. A vulnerability heightens risk to the organization.
List and describe the four subordinate functions of a contingency plan.
Business impact analysis (BIA): an investigation and assessment of the impact that various attacks can have on the organization. It begins with the prioritized list of threats and vulnerabilities identified in the risk management process and adds critical information. It provides detailed scenarios of the potential impact each attack could have on the organization.
Incident response planning (IRP): identifies, classifies, responds to, and recovers from any incident. It details procedures to be followed during or right after an attack. Covered are policies on what to do, who to contact, and what should be documented.
Disaster recovery planning (DRP): deals with the preparation for and recovery from a disaster, whether natural or man-made. Media backup strategies are an integral part of the disaster recovery plan, in addition to strategies focused on limiting losses before and during the disaster. DR plans also include all the preparations for the recovery process, strategies to limit losses during the disaster, and detailed steps to follow after the disaster has passed.
Business continuity planning (BCP): describes how, in the event of a disaster, critical business functions will continue at an alternate location while the organization recovers its ability to function at the primary site, as supported by the DR plan. BCP includes planning the steps necessary to ensure the continuation of the organization when the scope or scale of a disaster exceeds the ability of the DR plan to restore operations.
List the critical areas covered in an issue-specific security policy.
ISSPs include a statement of policy, authorized access and usage of equipment, prohibited usage of equipment, systems management, violations of policy, and limitations of liability.
Who is expected to be engaged in risk management activities in most organizations?
If an organization depends on IT-based systems, responsibility for information security and risk management falls on the security team, which is composed of information security managers and technicians.
In general terms, what is policy?
Policy is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization.
What are the component parts of risk management?
Risk management includes two main components: risk identification and risk control. Risk identification is the process of examining, documenting, and assessing the security posture of an organization's information technology and the risks it faces. Risk control is the process of applying controls to reduce the risks to an organization's data and information systems.
What is risk management?
Risk management is the process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components of the organization's information system.
How is the CNSS model of information security organized?
The CNSS (Committee on National Security Systems) model of information security is made up of three vectors: the CIA triangle; Policy, Education, and Technology; and Storage, Processing, and Transmission.
Why is shaping policy considered difficult?
Shaping policy is difficult because it must never conflict with laws, must stand up in court if challenged, and must be properly administered through dissemination and documented acceptance.
What is a systems-specific security policy?
SysSPs are frequently codified as standards and procedures to be used when configuring or maintaining systems. SysSPs can be organized into two groups: access control lists and configuration rules.
When is a systems-specific security policy used?
SysSPs are used when configuring or maintaining systems.
What are the basic strategies used to control risk? Define each.
The basic risk control strategies are:
Defense: prevent the exploitation of the vulnerability. This is accomplished by countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards. This approach is also referred to as avoidance.
Transferal: shift the risk to other assets, other processes, or other organizations. This is accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers.
Mitigation: reduce the impact caused by the exploitation of a vulnerability through planning and preparation. This approach includes contingency planning and its four functional components: the business impact analysis, the incident response plan, the disaster recovery plan, and the business continuity plan. Early detection and response are essential to the mitigation of threats.
Acceptance: do nothing to protect an information asset and accept the outcome of its potential exploitation. This usually happens only when the business decides that the particular function, service, information, or asset does not justify the cost of protection.
Termination: based on the organization's need or choice to leave an asset unprotected. Here, however, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk. The cost of protecting the asset outweighs its value.
What is information security?
The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.