Chapter 4
Goals
Sometimes used synonymously with objectives; the desired end of a planning cycle.
Disaster Recovery Planning
The process of preparing an organization to handle a disaster and recover from it, whether the disaster is natural or man-made.
Sunset Clause
A component of policy or law that defines an expected end date for its applicability.
Alert Roster
A document that contains contact information for people to be notified in the event of an incident.
De Jure Standards
A standard that has been formally evaluated, approved, and ratified by a formal standards organization.
De Facto Standards
A standard that has been widely adopted or accepted by a public group rather than a formal standards organization.
Standards
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.
Information Security Blueprint
In information security, a framework or security model customized to an organization, including implementation details.
Strategic Plan
The documented product of strategic planning; a plan for the organization's intended strategic efforts over the next several years.
Tactical Plan
The documented product of tactical planning; a plan for the organization's intended tactical efforts over the next few years.
Business Continuity Planning
Planning that prepares an organization to reestablish or relocate critical business operations during a disaster that affects operations at the primary site.
Governance
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.
Redundancy
The use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information.
Defense in Depth
A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.
Security Domain
An area of trust within which information assets share the same level of protection.
Policy Administrator
An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.
Adverse Events
An event with negative consequences that could threaten the organization's information assets or operations. Sometimes referred to as an incident candidate.
Business Impact Analysis
An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and recovery priorities.
Crisis Management
An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
Issue Specific Security Policy (ISSP)
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
Practices
Examples of actions that illustrate compliance with policies.
Corporate Governance
Executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.
Information Security Framework
In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. Also known as a security model.
Guidelines
Nonmandatory recommendations the employee may use as a reference in complying with a policy.
Operational Plan
The documented product of operational planning; a plan for the organization's intended operational efforts on a day-to-day basis for the next several months.
Systems-Specific Security Policies (SysSPs)
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. They can be separated into two general groups: managerial guidance and technical specifications.
ISO/IEC 17799
Originally released as part of the British Standard for Information Security in 1999 and then as the Code of Practice for Information Security Management in October 2000, it was elevated by the International Organization for Standardization (ISO) to an international code of practice for information security management. The standard defines controls for the confidentiality, integrity, and availability of information within a comprehensive information security management system. The latest version is ISO/IEC 17799:2005.
Procedures
Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.
Incident Response Planning
The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team. Its phases are planning, detection, reaction, and recovery.
Contingency Planning
The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.
Information Security Governance
The application of the principles of corporate governance to the information security function.
Security Perimeter
The boundary in the network within which an organization attempts to maintain security controls for securing information from threats from untrusted network areas.
Enterprise Information Security Policy (EISP)
The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. Also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.
Computer Forensics
The process of collecting, analyzing, and preserving computer-related evidence.
Strategic Planning
The process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.