Management

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

The _____ certification, considered the most prestigious for security managers and CISO's, recognizes mastery of an internationally identified common body of knowledge (CBK) in InfoSec and is considered to be vendor neutral

CISSP

name an activity apart of the risk evaluation process

Calculating the severity of risks to which assets are exposed in their current setting

A high level executive, such as a CIO or VP-IT, who will provide political support and influence for a specific project is known as a ___

Champion

the individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a___

Chief Information Security Officer (CISO)_

what are the aspects of access regulated by ACL's (3)

-What authorized users can access -how they can access the system -when they can access the system

A well defined risk appetite should have what characteristics (3)

-acknowledges a willingness and capacity to take risk -is documented as a formal risk appetite statement -reflective of all key aspects of the business

to move the InfoSec discipline forward, organizations should take these following steps (3)

-learn more about the requirements and qualification needed -learn more about budgetary and personnel needs -grant the infoSec function needed influence and prestige

what are three basic rules that must be followed when developing a policy

-policy should never conflict with law -must be able to stand up in court if challenged -must be properly supported and administered

information security governance responsibility of the Chief Information Security Officer (3)

-set security policy, procedures, programs and training

Larger organizations tend to spend about _____ percent of the total IT budget on security

5%

What should be included in an InfoSec governance program?

An InfoSec risk management methodology

Name a part of the risk identification process

Assigning a value to each information asset

when using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, as well as the

Board Risk Committee

The three types of InfoSec policies based on NIST's Special Publication 800-14

Enterprise information security policy Issue-specific security policy System-specific security policy

a network attribute that may be used in conjunction with DHCP, making asset indentification... attribute difficult.

IP address

name an attribute of a network device that is built into the interface

MAC address

denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts

RM framework

denotes the identification, analysis, and treatment of risk to info assets

RM process

the quantity of nature of risk organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility

Risk Appetite

the identification, analysis , and evaluation of risk in a company describes ___

Risk Assessment

SETA consists of 3 elements:

Security education, training, and awareness (seta)

Factors that affect the INTERNAL context and impact the RM process, its goals, and objectives (3)

The company's governance structure The company's culture the maturity of the company's info security program

What is true about the security staffing, budget, and needs of a medium sized company?

They have larger information security needs than a small company

This section of ISSP provides instructions on how to report observed an suspected policy infractions

Violations of Policy

a simply project management planning tool

WBS

A risk assessment is performed at which stage of the SecSDLC

analysis

The ______ Phase of the SecSDLC, the team studies the documents from earlier and looks at of relevant legal issues that could affect the design of the security solution

analysis

The InfoSec needs of an organizaiton are unique to which organizational needs (3)

budget, size, culture

A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the _____ while offering opportunities to lower costs.

business mission

The purpose of SETA is to enhance security in all but which of the following ways?

by adding barriers

for an organization to manage its infoSec security risk properly, manager should understand how information is (3)

collected processed transmitted

policy ______ means the employee must agree to the policy

compliance

Classification category must be mutually exclusive and _____

comprehensive

instructional codes that guide execution of the system when information is passing through it

configuration rules

what is an advantage of the 1 on 1 method of training

customized to the needs of the trainee

Once the members of the RM framework team have been picked, the governance group should communicate: (3)

desired outcomes priorities intent

when an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates

due delegence

what is the most cost effective method for disseminating security information and news to employees

emailed security newsletter

the prudent security manager always scours available resources for _____ that may be adapted into the organization.

examples

Risk management framework includes (3)

executive governance and support framework design continuous improvement

There are a number of methods for customizing training for users; two of which involve...

functional background; skill level

The organization can perform risk determination using certain risk elements including (3)

impact(consequence), likelihood of threat, element of uncertainty

name typical columns in the risk rating worksheet (3)

impact, risk-rating factor, likelihood

in which phase of the SecSDLC must the team create a plan to distribute and very distribution of the policies

implementation

Which type of security is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource

issue-specific

Factors that affect the external context and impact the RM process, its goals, and its objectives (3)

legal/ compliance environment business environment threat environment

The probability that a specific vulnerability within an organization will be the target of an attack

likelihood

____ sets the direction and scope of the security process and provide detailed instruction for its conduct?

managerial controls

What explicitly declares the business of the organization and its intended areas of operation?

mission statement

Which of the following is an example of a technological obsolescence threat?

outdated servers

GGG security is commonly used to describe which aspect of security

physical

Laws, policies, and their associated penalties only provide deterrence if three conditions are present. What are they?

probability of being apprehended fear of the penalty probability of penalty being applied

What should you be armed with to adequately assess potential weaknesses in each information asset

properly classified inventory

What is the final step in the risk identification process

ranking assets in order of importance

to ensure employees understand the policy, the document must be written at a reasonable ______ with minimal jargon.

reading level

The risk to information assets tat remain even after current controls have been applied

residual risk

The _____ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts

risk management policy

The amount of risk that an organization is willing to take for a info assest

risk tolerance

A specialized security administrator responsible for performing system development life cycle (SDLC) activities in the development of a security system.

security analyst

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by CISO and resolving issues identified by technicians are known as a

security manager

qualified individual who are tasked with configuring security technologies and operating other technical control systems is known as a .

security technician

the person most likely responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems

security technician

attributes that apply to software information assets? (3)

serial number, controlling entity, manufacturer name

name a suggestion about a company's InfoSec awarness Web site

should be tested with multiple browsers

A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization in this case, the information assets used in a particular organization is known as a

stakeholder

what type of document is a more detailed statement of what must be done to comply with a policy

standard

which type of planning is the primary tool in determining the long term direction taken by an organization?

strategic

The first priority of the CISO and the InfoSec management team should be the _____

structure of a strategic plan

The risk assessment deliverable titled _____ serves to rank-order/list to each threat/value to a company's info assets according to criteria developed

threat severity weighted table analysis

an estimate made by the manager using good judgment and experience can account for which factor risk assessment

uncertainty

the state of having limited or imperfect knowledge of a situation making it less likely that organizations can successfully anticipate future events or outcomes

uncertainty

The final component of the design and implementation of effective policies is

uniform and impartial enforcement

what is a key advantage of the bottom-up approach to security implementation?

utilizes the technical expertise of the individual administrators

Specific avenues that threat agents can exploit to attack an information asset

vulnerabilities


Kaugnay na mga set ng pag-aaral

Structure organisationelle Structure/classification/ fonctions

View Set

3421 Adults II - Emergency, Disaster, & Infection

View Set

Module 3 Quiz- Public Speaking I

View Set

Nutrition Chapter 9 - Study Questions

View Set