Management
The _____ certification, considered the most prestigious for security managers and CISOs, recognizes mastery of an internationally recognized common body of knowledge (CBK) in InfoSec and is considered vendor neutral
CISSP
Name an activity that is part of the risk evaluation process
Calculating the severity of risks to which assets are exposed in their current setting
A high level executive, such as a CIO or VP-IT, who will provide political support and influence for a specific project is known as a ___
Champion
The individual responsible for the assessment, management, and implementation of information-protection activities in the organization is known as a ___
Chief Information Security Officer (CISO)
What are the aspects of access regulated by ACLs? (3)
- What authorized users can access
- How they can access the system
- When they can access the system
A well-defined risk appetite should have what characteristics? (3)
- Acknowledges a willingness and capacity to take risk
- Is documented as a formal risk appetite statement
- Is reflective of all key aspects of the business
To move the InfoSec discipline forward, organizations should take the following steps (3)
- Learn more about the requirements and qualifications needed
- Learn more about budgetary and personnel needs
- Grant the InfoSec function the needed influence and prestige
What are three basic rules that must be followed when developing a policy?
- Policy should never conflict with law
- Policy must be able to stand up in court if challenged
- Policy must be properly supported and administered
Information security governance responsibilities of the Chief Information Security Officer (3)
- Set security policy, procedures, programs, and training
Larger organizations tend to spend about _____ percent of the total IT budget on security
5
What should be included in an InfoSec governance program?
An InfoSec risk management methodology
Name a part of the risk identification process
Assigning a value to each information asset
When using the Governing for Enterprise Security (GES) program, an Enterprise Security Program (ESP) should be structured so that governance activities are driven by the organization's executive management, select key stakeholders, and the _____
Board Risk Committee
The three types of InfoSec policies based on NIST Special Publication 800-14
- Enterprise information security policy
- Issue-specific security policy
- System-specific security policy
A network attribute that may be assigned dynamically through DHCP, making asset identification by this attribute alone unreliable
IP address
Name an attribute of a network device that is built into the interface
MAC address
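Why the two cards above matter in practice: an inventory keyed on IP address drifts as DHCP reassigns leases, while the MAC address stays with the interface. The script below is an added illustration, not part of the original card set; the lease records are constructed for the example and the CSV layout (snapshot, ip, mac, hostname) is an assumption, not the format of any real DHCP server.

```python
"""Asset identification under DHCP: key the inventory on MAC, not IP.

Added example. Shows that grouping lease records by IP produces ambiguous
assets once DHCP hands an address to a different host, while grouping by
MAC keeps each asset distinct and lets us reconstruct its address history.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data: two snapshots of the same DHCP scope. Between
# snapshot 1 and 2 the leases for lab-pc1 and lab-pc2 have swapped addresses
# and the printer has moved to a new one. These are not real lease records.
LEASE_SNAPSHOTS = """snapshot,ip,mac,hostname
1,10.0.5.20,aa:bb:cc:00:00:01,lab-pc1
1,10.0.5.21,aa:bb:cc:00:00:02,lab-pc2
1,10.0.5.22,aa:bb:cc:00:00:03,printer
2,10.0.5.21,aa:bb:cc:00:00:01,lab-pc1
2,10.0.5.20,aa:bb:cc:00:00:02,lab-pc2
2,10.0.5.23,aa:bb:cc:00:00:03,printer
"""


def parse_leases(text: str) -> list[dict]:
    """Parse the CSV snapshot text into a list of lease records."""
    return list(csv.DictReader(io.StringIO(text)))


def inventory_by(records: list[dict], key: str) -> dict[str, set[str]]:
    """Group records by the chosen attribute ('ip' or 'mac').

    Returns {attribute value: set of hostnames seen with that value}.
    A set with more than one hostname means the attribute does not
    identify a single asset.
    """
    inv: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        inv[rec[key]].add(rec["hostname"])
    return dict(inv)


def ambiguous_keys(inv: dict[str, set[str]]) -> list[str]:
    """Attribute values that map to more than one asset."""
    return sorted(k for k, hosts in inv.items() if len(hosts) > 1)


def address_history(records: list[dict]) -> dict[str, list[str]]:
    """Per-MAC list of IP addresses in snapshot order (MAC is the stable key)."""
    ordered = sorted(records, key=lambda r: int(r["snapshot"]))
    history: dict[str, list[str]] = defaultdict(list)
    for rec in ordered:
        history[rec["mac"]].append(rec["ip"])
    return dict(history)


if __name__ == "__main__":
    recs = parse_leases(LEASE_SNAPSHOTS)
    print("ambiguous by IP :", ambiguous_keys(inventory_by(recs, "ip")))
    print("ambiguous by MAC:", ambiguous_keys(inventory_by(recs, "mac")))
    for mac, ips in address_history(recs).items():
        print(mac, "->", " -> ".join(ips))
```

Keying on IP reports two addresses that each belonged to two different hosts across the snapshots; keying on MAC reports none, and the per-MAC history makes the address changes visible instead of hiding them.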
denotes the overall structure of the strategic planning and design for the entirety of the organization's RM efforts
RM framework
denotes the identification, analysis, and treatment of risk to info assets
RM process
The quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility
Risk Appetite
The identification, analysis, and evaluation of risk in a company describes ___
Risk Assessment
SETA consists of three elements:
Security education, training, and awareness (SETA)
Factors that affect the INTERNAL context and impact the RM process, its goals, and its objectives (3)
- The company's governance structure
- The company's culture
- The maturity of the company's information security program
What is true about the security staffing, budget, and needs of a medium sized company?
They have larger information security needs than a small company
This section of an ISSP provides instructions on how to report observed and suspected policy infractions
Violations of Policy
A simple project management planning tool
WBS (work breakdown structure)
A risk assessment is performed at which stage of the SecSDLC
analysis
In the ______ phase of the SecSDLC, the team studies the documents from earlier phases and looks at relevant legal issues that could affect the design of the security solution
analysis
The InfoSec needs of an organization are shaped by which organizational characteristics? (3)
budget, size, culture
A 2007 Deloitte report found that enterprise risk management is a valuable approach that can better align security functions with the _____ while offering opportunities to lower costs.
business mission
The purpose of SETA is to enhance security in all but which of the following ways?
by adding barriers
For an organization to manage its InfoSec risk properly, managers should understand how information is (3)
- Collected
- Processed
- Transmitted
policy ______ means the employee must agree to the policy
compliance
Classification categories must be mutually exclusive and _____
comprehensive
instructional codes that guide execution of the system when information is passing through it
configuration rules
What is an advantage of the one-on-one method of training?
customized to the needs of the trainee
Once the members of the RM framework team have been picked, the governance group should communicate: (3)
- Desired outcomes
- Priorities
- Intent
When an organization demonstrates that it is continuously attempting to meet the requirements of the market in which it operates
Due diligence
What is the most cost-effective method for disseminating security information and news to employees?
emailed security newsletter
the prudent security manager always scours available resources for _____ that may be adapted into the organization.
examples
The risk management framework includes (3)
- Executive governance and support
- Framework design
- Continuous improvement
There are a number of methods for customizing training for users; two of which are based on the trainee's...
Functional background; skill level
The organization can perform risk determination using certain risk elements, including (3)
- Impact (consequence)
- Likelihood of threat
- Element of uncertainty
Name typical columns in the risk rating worksheet (3)
- Impact
- Risk-rating factor
- Likelihood
In which phase of the SecSDLC must the team create a plan to distribute the policies and verify their distribution?
implementation
Which type of security policy is intended to provide a common understanding of the purposes for which an employee can and cannot use a resource?
issue-specific
Factors that affect the EXTERNAL context and impact the RM process, its goals, and its objectives (3)
- Legal/compliance environment
- Business environment
- Threat environment
The probability that a specific vulnerability within an organization will be the target of an attack
likelihood
____ set the direction and scope of the security process and provide detailed instruction for its conduct
managerial controls
What explicitly declares the business of the organization and its intended areas of operation?
mission statement
Which of the following is an example of a technological obsolescence threat?
outdated servers
GGG (guards, gates, and guns) security is commonly used to describe which aspect of security?
physical
Laws, policies, and their associated penalties only provide deterrence if three conditions are present. What are they?
- Probability of being apprehended
- Fear of the penalty
- Probability of the penalty being applied
What should you be armed with to adequately assess potential weaknesses in each information asset
properly classified inventory
What is the final step in the risk identification process?
ranking assets in order of importance
to ensure employees understand the policy, the document must be written at a reasonable ______ with minimal jargon.
reading level
The risk to information assets that remains even after current controls have been applied
residual risk
The _____ converts the instructions and perspectives provided to the RM framework team into cohesive guidance that structures and directs all subsequent risk management efforts
risk management policy
The amount of risk that an organization is willing to take for an information asset
risk tolerance
A specialized security administrator responsible for performing system development life cycle (SDLC) activities in the development of a security system.
security analyst
The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO, and resolving issues identified by technicians is known as a
security manager
A qualified individual who is tasked with configuring security technologies and operating other technical control systems is known as a
security technician
The person most likely responsible for configuring firewalls and IDPSs, implementing security software, and diagnosing and troubleshooting problems
security technician
Which attributes apply to software information assets? (3)
serial number, controlling entity, manufacturer name
Name a suggestion about a company's InfoSec awareness Web site
should be tested with multiple browsers
A person or organization that has a vested interest in a particular aspect of the planning or operation of the organization (in this case, the information assets used in that organization) is known as a
stakeholder
What type of document is a more detailed statement of what must be done to comply with a policy?
standard
Which type of planning is the primary tool in determining the long-term direction taken by an organization?
strategic
The first priority of the CISO and the InfoSec management team should be the _____
structure of a strategic plan
The risk assessment deliverable titled _____ rank-orders each threat to the company's information assets according to criteria developed by the organization
threat severity weighted table analysis
An estimate made by the manager using good judgment and experience can account for which factor in risk assessment?
uncertainty
The state of having limited or imperfect knowledge of a situation, making it less likely that organizations can successfully anticipate future events or outcomes
uncertainty
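The cards on risk determination (impact, likelihood, uncertainty), the risk rating worksheet, residual risk, ranking assets by importance, and uncertainty above all describe one calculation. The worksheet below is an added worked example, not part of the original card set. The page does not state the arithmetic, so the formula used here is an assumption: risk-rating factor = likelihood x impact, inflated by the manager's uncertainty estimate, then reduced by the fraction of risk the current controls mitigate to give residual risk. The asset and vulnerability rows are constructed sample data.

```python
"""Risk rating worksheet: impact x likelihood, adjusted for uncertainty and
current controls, then rank-ordered.

Added example. Assumed formula (not stated on the page):
    risk_rating_factor = likelihood * impact
    raw_risk           = risk_rating_factor * (1 + uncertainty)
    residual_risk      = raw_risk * (1 - mitigated)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    vulnerability: str
    impact: int          # consequence / asset value, 1..100
    likelihood: float    # probability the vulnerability is attacked, 0.1..1.0
    uncertainty: float   # manager's estimate of imperfect knowledge, 0.0..1.0
    mitigated: float = 0.0  # fraction of risk reduced by current controls

    def __post_init__(self) -> None:
        # Reject values outside the worksheet's scales so a typo (e.g. 50%
        # entered as 50.0) cannot silently dominate the ranking.
        if not 1 <= self.impact <= 100:
            raise ValueError(f"{self.asset}: impact must be 1..100")
        if not 0.1 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.asset}: likelihood must be 0.1..1.0")
        if not 0.0 <= self.uncertainty <= 1.0:
            raise ValueError(f"{self.asset}: uncertainty must be 0.0..1.0")
        if not 0.0 <= self.mitigated <= 1.0:
            raise ValueError(f"{self.asset}: mitigated must be 0.0..1.0")

    def risk_rating_factor(self) -> float:
        """The worksheet's risk-rating column: likelihood x impact."""
        return self.likelihood * self.impact

    def raw_risk(self) -> float:
        """Rating inflated by how little we actually know about the exposure."""
        return self.risk_rating_factor() * (1.0 + self.uncertainty)

    def residual_risk(self) -> float:
        """Risk that remains after current controls are applied."""
        return self.raw_risk() * (1.0 - self.mitigated)


def rank_worksheet(entries: list[RiskEntry]) -> list[RiskEntry]:
    """Final step of risk identification: highest residual risk first."""
    return sorted(entries, key=lambda e: e.residual_risk(), reverse=True)


def render_worksheet(entries: list[RiskEntry]) -> str:
    """Plain-text worksheet with the columns named on the cards plus residual."""
    header = f"{'Asset':<20}{'Vulnerability':<24}{'Impact':>7}{'Likelihood':>11}{'Rating':>8}{'Uncert.':>8}{'Residual':>9}"
    rows = [header]
    for e in rank_worksheet(entries):
        rows.append(
            f"{e.asset:<20}{e.vulnerability:<24}{e.impact:>7}{e.likelihood:>11.2f}"
            f"{e.risk_rating_factor():>8.1f}{e.uncertainty:>8.2f}{e.residual_risk():>9.2f}"
        )
    return "\n".join(rows)


# Constructed sample worksheet rows (not real assessment data).
SAMPLE = [
    RiskEntry("Customer DB server", "Unpatched SQL injection", 90, 0.5, 0.1, 0.3),
    RiskEntry("Web server", "Outdated OS (obsolescence)", 70, 0.3, 0.2, 0.5),
    RiskEntry("HR laptop", "Lost or stolen device", 40, 0.8, 0.0, 0.0),
    RiskEntry("Public website", "Defacement", 20, 0.9, 0.1, 0.8),
]

if __name__ == "__main__":
    print(render_worksheet(SAMPLE))
```

Note how the ranking changes once controls are considered: the HR laptop has a lower risk-rating factor than the database server but no mitigating control, so its residual risk ends up close behind it, while the well-controlled public website drops to the bottom.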
The final component of the design and implementation of effective policies is
uniform and impartial enforcement
What is a key advantage of the bottom-up approach to security implementation?
utilizes the technical expertise of the individual administrators
Specific avenues that threat agents can exploit to attack an information asset
vulnerabilities