isa 09


16. Why is a simple list of measurement data usually insufficient when reporting InfoSec measurements?

Answer: An effective report must also provide context and meaning for the values being reported.

14. List and describe the fields found in a properly and fully defined performance measure.

Answer: As defined in Table 9-2, the elements of a properly and fully defined performance measure include a clear identifier of the measure, a goal or objective that the measurement should achieve, the process or element to be measured, a declaration of the intended type of measurement, the formula or formulas needed for any required calculations, the target value or range of values for the measurement, the nature and location of the evidence of the measurement, the frequency of collection for the measurement, identification of responsible parties to provide the data to be used, the data source where the measurement will originate, and the format for the collection, storage, and reporting of the measurement.

7. What is baselining? How does it differ from benchmarking?

Answer: Baselining is a value or profile of a performance metric against which changes in the performance metric can be usefully compared. Benchmarking involves making comparisons to other companies, whereas baselining involves making comparisons to your own company.

17. What is the Capability Maturity Model Integrated, and which organization is responsible for its development?

Answer: CMMI is a process that measures an organization's effort to build effective and repeatable processes. The CMMI Institute at Carnegie Mellon University is primarily responsible for CMMI.

1. What is benchmarking?

Answer: Comparing your own process, practice, or result to an external reference, such as a recommended or existing practice of a similar organization or an industry-developed standard.

12. What factors are critical to the success of an InfoSec performance program?

Answer: Four factors are critical to the success of an InfoSec performance program:
• Strong upper-level management support
• Practical InfoSec policies and procedures
• Quantifiable performance measures
• Results-oriented measurement analysis

9. What is a performance measure in the context of InfoSec management?

Answer: Measurements are data points or computed trends that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization.

10. What types of measures are used for InfoSec management measurement programs?

Answer: Organizations use three types of measures: those that determine the effectiveness of the execution of InfoSec policy, those that determine the effectiveness and/or efficiency of the delivery of InfoSec services, and those that assess the impact of an incident or other security event on the organization or its mission.

13. What is a performance target, and how is it used in establishing a measurement program?

Answer: Performance targets are values assigned to specific metrics that indicate acceptable levels of performance. They make it possible to define success in the security program.

3. What is a recommended security practice? What is a good source for finding such recommended practices?

Answer: Recommended security practices are security efforts that are among the best in the industry. One of the many good sources for finding these practices is the Federal Agency Security Project (csrc.nist.gov/groups/SMA/fasp/index.html).

18. What is systems accreditation?

Answer: Systems accreditation is the authorization of an IT system to process, store, or transmit information. Accreditation is issued by a management official and serves as a means of assuring that systems are of adequate quality.

19. What is systems certification?

Answer: Systems certification is the comprehensive evaluation of an IT system's technical and nontechnical security controls to support the accreditation process and establish the extent to which a particular design and implementation meets a set of specified security requirements.

8. What are the NIST-recommended documents that support the process of baselining?

Answer: The NIST-recommended documents that support the process of baselining are SP 800-27, SP 800-53, and SP 800-53A.

6. When choosing recommended practices, what limitations should you keep in mind?

Answer: The biggest limitation to benchmarking in InfoSec is the fact that organizations do not talk to each other. Another limitation is that no two organizations are identical. A third limitation is that recommended practices are a moving target.

4. What is a gold standard in InfoSec practices? Where can you find published criteria for it?

Answer: The gold standard is a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information. There are no published criteria for the gold standard.

20. What is the new Risk Management Framework initiative? How is it superior to the previous approach for the certification and accreditation of federal IT systems?

Answer: The new approach is a formal methodology that brings a much more manageable and sustainable process to affected systems and allows the managers of those systems to integrate a life-cycle approach to C&A and better overall security to all information. The former C&A process tended to result in frantic short-term preparations that were relaxed immediately after the process was complete. The RMF approach results in an ongoing process of continuous improvement that offers better long-term security.

15. Describe the recommended process for the development of InfoSec measurement program implementation.

Answer: The process for performance measurement implementation recommended by NIST involves six subordinate tasks:
• Phase 1: Prepare for data collection; identify, define, develop, and select InfoSec measures.
• Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets (gap analysis).
• Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on overall risk mitigation goals, and selecting the most appropriate corrective actions.
• Phase 4: Develop the business case.
• Phase 5: Obtain resources; address the budgeting cycle for acquiring resources needed to implement remediation actions identified in phase 3.
• Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls.

2. What is the standard of due care? How does it relate to due diligence?

Answer: The standard of due care is an organization's adoption of minimum levels of security for a legal defense; it may need to show that it has done what any prudent organization would do in similar circumstances. Failure to support a standard of due care or due diligence can open an organization to legal liability, provided it can be shown that the organization was negligent in its application of information protection.

5. When selecting recommended practices, what criteria should you use?

Answer: When selecting recommended practices, you should use the following criteria:
• Does your organization resemble the target organization?
• Are the resources you spend similar to those called for by the practice?
• Are you in a similar threat environment as the one assumed by the practice?

11. According to Gerald Kovacich, what are the critical questions to be kept in mind when developing a measurements program?

Answer: Why should these measurements be collected? What specific measurements will be collected? How will these measurements be collected? When will these measurements be collected? Who will collect these measurements? Where (at what point in the function's process) will these measurements be collected?
