Exam 3 Review - Chapter 11
What should security managers consider with on-site interviews?
any tour should avoid secure/restricted sites because the candidate is not bound by organizational policy
The six key principles CISOs should follow to shape their careers:
1. Practice business engagement 2. Focus initiatives on what is learned 3. Align, target, and time initiatives 4. Deliver services 5. Establish and maintain credibility 6. Manage relationships
How much could exams cost?
$750
To move InfoSec forward, organizations should take the following steps
1. General management community of interest should learn about requirements/qualifications for InfoSec and IT positions 2. Upper management should learn more about InfoSec budgetary and personnel needs 3. IT and General Management should grant InfoSec (CISO) an appropriate level of influence/prestige
The 10 domains of info sec knowledge covered by the CISSP:
1. Access control 2. Business continuity and disaster recovery planning 3. Cryptography 4. InfoSec governance and risk management 5. Legal, regulations, investigations, and compliance 6. Operations security 7. Physical (environmental) security 8. Security architecture and design 9. Software development security 10. Telecommunications and network security
The seven domains of info sec knowledge covered by the SSCP:
1. Access control 2. Security operations and administration 3. Risk identification, monitoring, and analysis 4. Incident response and recovery 5. Cryptography 6. Networking communication security 7. Systems and application security
Certifications offered by the EC Council
1. Certified CISO (C|ISO) 2. Certified ethical hacker (CEH) 3. Computer hacking forensics investigator 4. Licensed penetration tester 5. Certified security analyst 6. Network security administrator 7. Certified incident handler 8. Disaster recovery professional 9. Certified secure computer user 10. Certified network defense architect 11. Certified security specialist 12. Certified secure programmer 13. Certified VoIP professional 14. Certified encryption specialist
The four certifications of ISACA
1. Certified information systems manager (CISM) 2. Certified in the governance of enterprise IT (CGEIT) 3. Certified in risk and information systems control (CRISC) 4. Certified information systems auditor (CISA)
Three security certifications offered by the International Information Systems Security Certification Consortium, (ISC)²:
1. Certified information systems security professional (CISSP) 2. System security certified practitioner (SSCP) 3. Certified secure software lifecycle professional (CSSLP)
When terminating an employee, the organization should
1. Disable employee's access to the organization's systems 2. Retrieve all removable media, technology, and data 3. Secure the employee's hard drives 4. Change file cabinet locks 5. Change office door locks 6. Revoke the employee's physical access key card 7. Remove the employee's personal effects from the premises 8. Escort the employee from the premises 9. Perform an exit interview
Three GIAC management certifications:
1. GIAC security leadership certification (GSLC) 2. GIAC information security professional (GISP) 3. GIAC certified project manager certification (GCPM)
Two methods for handling employee out-processing:
1. Hostile (involuntary) departure 2. Friendly (voluntary) departure
Three CompTIA certifications
1. Security+ 2. Mobile app security+ 3. CompTIA advanced security practitioner (CASP)
The three aspects of the Centers of Academic Excellence (CAE) program
1. The centers of academic excellence in information assurance research (CAE-R) 2. The centers of academic excellence in information assurance/cyber defense (CAE IA/CD) 3. The centers of academic excellence in two-year institutions (CAE2Y)
Three CISSP concentrations
1. Information systems security architecture professional (ISSAP) 2. Information systems security engineering professional (ISSEP) 3. Information systems security management professional (ISSMP), covering enterprise security management practice
How many questions is the SSCP?
125
How many questions is the CISSP?
250
The National Initiative for Cybersecurity Education (NICE)
A framework promoted by NIST that is being considered for adoption by institutions across the United States; it focuses on seven security work domains, some of which are unique to the government and intelligence communities
What is an associate of (ISC)²?
An individual who has successfully completed an (ISC)² certification examination but has not yet completed the experience requirement
When should employees receive InfoSec training?
As part of their new hire orientation and periodically to maintain and increase security awareness
Why must employee contracts and agreements be in place at the time of hire of a new employee?
Because existing employees cannot necessarily be compelled to sign, but candidates can be offered "employment contingent upon agreement"
Who jointly sponsored a program to recognize some of the best institutions through the Centers of Academic Excellence (CAE) program?
Department of Homeland Security and the National Security Agency
What are SANS certifications called?
Global information assurance certifications (GIAC)
Systems administrators have some management functions, but are they held accountable as managers are?
No, ultimately, security managers are held accountable
Do security technicians tend to be generalized or specialized?
Specialized on one major security technology group (firewalls, IDPSs, servers, routers, and software)
Should non-information security job descriptions include information security roles and responsibilities?
Yes, organizations often find that many, if not all, non-information security jobs include information security roles and responsibilities
If a temporary worker violates a policy or causes a problem, what is the most the organization can do?
Terminate the relationship with the individual and request that he/she be censured
In information security, who is the manager of managers?
The CISO
What is the most prestigious certification for security managers and CISOs?
The CISSP
What are the two most common qualifications for the CISO?
The certified information systems security professional (CISSP) and the certified information security manager (CISM)
What is a security manager accountable for?
The day-to-day operations of all or part of the information security program
What is the primary role of a CISO?
They are business managers first and technologists second
Do chief information security officers develop budgets?
They develop budgets based on available funding and they make decisions or recommendations about purchasing, project and technology implementation, and the recruiting, hiring, and firing of security staff
What do you have to be careful about when it comes to job descriptions?
Unwanted disclosures
Is managing technology different from administering it?
Yes, a manager may not need to be proficient in its configuration, operation, or fault resolution
Should personnel and personal data be held to the same level of protection as operational data?
Yes, InfoSec is expected to protect it, and many regulations cover its protection
What should be conducted before the organization extends an offer to any candidate?
a background check
Collusion
a conspiracy of cooperation between two or more individuals or groups to commit illegal or unethical acts
When it comes to contractor's access to the facility, what should be considered?
a contractor only needs access to the areas of the organization necessary to do their jobs
Mandatory vacation policy
a requirement that all employees take time off from work, which allows the organization to audit the individual's areas of responsibility
Security technician
a technically qualified individual who may configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technical controls are properly implemented; also known as a security admin
Chief Information Officer (CIO)
an executive-level position that oversees the organization's computing technology and strives to create efficiency in the processing and access for the organization's information
Basically, the role of the CISO is
an information security department manager
What certification does the International Society of Forensic Computer Examiners (ISFCE) offer?
certified computer examiner (CCE)
Worker's compensation history
claims from worker's compensation
Credit history
credit problems, financial problems, and bankruptcy
Criminal court history
criminal background, arrests, convictions, and time served
Medical history
current and previous medical conditions, usually associated with physical capability to perform the work in the specified position
Motor vehicle records
driving records, suspensions, and other items noted in the applicant's public record
Drug history
drug screening and usage, past and present
Fair Credit Reporting Act (FCRA) of 1970
governs the activities of consumer credit reporting agencies as well as the uses of the information procured from these agencies; it also prohibits employers from obtaining a credit report unless the candidate gives written permission for such a report to be released
When it comes to outside consultants, what should be considered regarding the consultant's relationship with the organization?
if the organization wishes to keep this private, the organization must write these restrictions into the contract
What can an organization do to heighten InfoSec awareness and change workplace behavior?
incorporate InfoSec components into employee evaluations
Education and credential checks
institutions attended, degrees and certifications earned, and certification status
Civil court history
involvement as the plaintiff or defendant in civil suits
Two principles used to minimize opportunities for employee misuse of information
need-to-know and least-privilege
Identity check
personal identity validation
Security managers must be competent at
providing the organization with information security oversight and managing the information security office personnel
The process for handling a hostile (involuntary) departure
security cuts off all access cards/codes; security escorts the employee to the supervisor's office for notification, then to their office to gather their belongings, then out of the building
The process for handling a friendly (voluntary) departure
security sets the access card/code expiry for the employee's final day and the employee is asked to drop off all organizational property before departing
Chief information security officers work with CIOs and other executive managers on
strategic planning, tactical plans, and operational planning
Security managers accomplish objectives identified by
the CISO
Separation of duties
the information security principle that requires significant tasks to be split up so that more than one individual is required to complete them
Two-person (dual) control
the organization of a task or process such that it requires at least two individuals to work together to complete
Task rotation
the requirement that all critical tasks can be performed by multiple individuals
Job rotation
the requirement that every employee be able to perform the work of at least one other employee
Information security positions can be classified into one of three areas
those that define, those that build, and those that administer
Chief information security officer (CISO)
though not usually an executive-level position, often considered the top information security officer in the organization; will generally report to the chief information officer (CIO)
Reference checks
validity of references and integrity of reference sources
Previous employment verification
where candidates worked, why they left, what they did, and for how long