ITSY1300 - Review - Chapter 4


managerial guidance SysSPs

a systems-specific security policy that expresses management's intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective

incidents

an adverse event that could result in loss of an information asset or assets, but does not currently threaten the viability of the entire organization

disasters

an adverse event that could threaten the viability of the entire organization

practices

examples of actions that illustrate compliance with policies

corporate governance

executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use

goals

sometimes used synonymously with objectives; the desired end of a planning cycle

access control list (ACL)

specifications of authorization that govern the rights and privileges of users to a particular information asset

procedures

step-by-step instructions for completing a task

operational plans

the documented product of operational planning; a plan for the organization's intended operational efforts on a day-to-day basis for the next several months

strategic plan

the documented product of strategic planning; a plan for the organization's intended strategic efforts over the next several years

tactical plans

the documented product of tactical planning; a plan for the organization's intended tactical efforts over the next few years

full backup

the duplication of all files for an entire system, including all applications, operating systems components, and data

objectives

the intermediate states obtained to achieve progress toward a goal or goals

strategic planning

the process of defining and specifying the long-term direction to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort

access control matrix

An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. The matrix contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user.

false

A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.

defense in depth

A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

Redundant Array of Independent Disks (RAID)

A system of drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure

alert

A(n) ____________________ message is a scripted description of an incident, usually just enough information so that each individual knows what portion of the IR plan to implement, and not enough to slow down the notification process.

sequential roster

An alert roster in which a single contact person calls each person on the roster

hierarchical roster

An alert roster in which the first person calls a few other people on the roster, who in turn call others. This method typically uses the organizational chart as a structure.

disk duplexing

An approach to disk mirroring in which each drive has its own controller to provide additional redundancy.

security domains

An area of trust within which information assets share the same level of protection.

policy administrator

An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.

adverse events

An event with negative consequences that could threaten the organization's information assets or operations. Sometimes referred to as an incident candidate.

true

The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area

tactical planning

The actions taken by management to specify the intermediate goals and objectives of the organization in order to obtain specified strategic goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives

operational planning

The actions taken by management to specify the short term goals and objectives of the organization in order to obtain specified tactical goals, followed by estimates and schedules for the allocation of resources necessary to achieve those goals and objectives

incident response planning (IRP)

The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team.

contingency planning (CP)

The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster.

disaster recovery planning (DRP)

The actions taken by senior management to specify the organization's efforts in preparation for and recovery from a disaster.

information security governance

The application of the principles of corporate governance to the information security function.

security perimeter

The boundary in the network within which an organization attempts to maintain security controls for securing information from threats from untrusted network areas.

contingency plan

The documented product of contingency planning; a plan that shows the organization's intended efforts in reaction to adverse events

standards

a detailed statement of what must be done to comply with policy

information security blueprint

a framework or security model customized to an organization, including implementation details

hot swapped

a hard drive feature that allows individual drives to be replaced without powering down the entire system and without causing a fault during the replacement

de jure standards

a standard that has been formally evaluated, approved, and ratified by a formal standards organization

de facto standards

a standard that has been widely adopted or accepted by a public group rather than a formal standards organization

redundancy

a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information

disk striping

A RAID implementation (typically referred to as RAID Level 0) in which one logical volume is created by storing data across several available hard drives in segments called stripes.

disk mirroring

A RAID implementation (typically referred to as RAID Level 1) in which the computer records all data to twin drives simultaneously, providing a backup if the primary drive fails
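The following is an added simulation, not part of the course material, showing why striping (RAID 0) and mirroring (RAID 1) behave so differently when one drive fails, and why mirroring is still not a backup: a bad write is mirrored to every copy. The payload, stripe size and drive count are constructed; a failed drive is modelled as None.

```python
"""RAID 0 (striping) versus RAID 1 (mirroring) under a single-drive failure.

Added example, not from the course text. The payload, stripe size and drive
count are constructed; a failed drive is modelled as None.
"""
from typing import Dict, List, Optional

Drive = Optional[List[bytes]]  # list of stripes, or None once the drive has failed


def write_striped(data: bytes, drives: int, stripe_size: int) -> List[Drive]:
    """RAID 0: cut data into stripes and deal them round-robin across drives."""
    units: List[List[bytes]] = [[] for _ in range(drives)]
    for k, start in enumerate(range(0, len(data), stripe_size)):
        units[k % drives].append(data[start:start + stripe_size])
    return units


def read_striped(units: List[Drive], total_len: int, stripe_size: int) -> Optional[bytes]:
    """Reassemble the volume; any failed drive makes the whole volume unreadable."""
    n_stripes = (total_len + stripe_size - 1) // stripe_size
    out = bytearray()
    for k in range(n_stripes):
        drive = units[k % len(units)]
        if drive is None:
            return None  # one missing stripe, no parity: nothing to rebuild from
        out += drive[k // len(units)]
    return bytes(out)


def write_mirrored(data: bytes, drives: int) -> List[Drive]:
    """RAID 1: every drive holds a full copy, written simultaneously."""
    return [[data] for _ in range(drives)]


def read_mirrored(units: List[Drive]) -> Optional[bytes]:
    """Any surviving copy serves the read."""
    for drive in units:
        if drive is not None:
            return drive[0]
    return None


def overwrite_mirrored(units: List[Drive], data: bytes) -> None:
    """Writes go to every surviving mirror at once, so a bad write is mirrored too."""
    for drive in units:
        if drive is not None:
            drive[0] = data


def fail_drive(units: List[Drive], index: int) -> List[Drive]:
    """Return a copy of the array with one drive failed."""
    copy = list(units)
    copy[index] = None
    return copy


def simulate(data: bytes, drives: int, stripe_size: int, failed: int) -> Dict[str, bool]:
    """Report whether each layout still returns the original data after one failure."""
    raid0 = fail_drive(write_striped(data, drives, stripe_size), failed)
    raid1 = fail_drive(write_mirrored(data, drives), failed)
    return {
        "raid0_survives": read_striped(raid0, len(data), stripe_size) == data,
        "raid1_survives": read_mirrored(raid1) == data,
    }


if __name__ == "__main__":
    payload = bytes(range(64))  # constructed 64-byte payload
    print(simulate(payload, drives=4, stripe_size=8, failed=1))
    mirror = write_mirrored(b"good record", 2)
    overwrite_mirrored(mirror, b"corrupted!!")  # e.g. ransomware or an admin error
    print("after bad write:", read_mirrored(mirror))
```

The second scenario is the point practitioners most often miss: mirroring protects against drive failure, not against a bad write, which is why the full backup defined above remains necessary alongside RAID.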

sunset clause

A component of policy or law that defines an expected end date for its applicability.

alert roster

A document that contains contact information for people to be notified in the event of an incident
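An added worked example, not from the course text, comparing the sequential and hierarchical alert rosters defined earlier on this page: it computes how long each takes to reach everyone and includes the two checks an IR lead would want, that nobody on the roster is missing from the call tree, and who is left unnotified if one person in the tree never answers. The roster names, the three-minute call duration and the fan-out of two are constructed assumptions.

```python
"""Sequential versus hierarchical alert roster: minutes until everyone is reached.

Added example, not from the course text. The roster names, the three-minute
call duration and the fan-out of two are constructed assumptions.
"""
from collections import deque
from typing import Dict, List

CALL_MINUTES = 3  # assumed time for one notification call

# Constructed roster of fourteen responders, excluding the initial caller.
ROSTER = [f"member{i:02d}" for i in range(1, 15)]


def sequential_time(roster: List[str], call_minutes: int = CALL_MINUTES) -> Dict[str, int]:
    """Sequential roster: one contact person calls each person in turn."""
    return {person: (i + 1) * call_minutes for i, person in enumerate(roster)}


def build_tree(root: str, roster: List[str], fan_out: int) -> Dict[str, List[str]]:
    """Hierarchical roster: assign callees breadth-first, each person calling up to fan_out others."""
    tree: Dict[str, List[str]] = {root: []}
    callers = deque([root])
    for person in roster:
        while len(tree[callers[0]]) >= fan_out:
            callers.popleft()
        tree[callers[0]].append(person)
        tree[person] = []
        callers.append(person)
    return tree


def hierarchical_time(root: str, tree: Dict[str, List[str]],
                      call_minutes: int = CALL_MINUTES) -> Dict[str, int]:
    """Each caller phones their callees in order, starting once they were notified."""
    reached = {root: 0}
    queue = deque([root])
    while queue:
        caller = queue.popleft()
        for i, callee in enumerate(tree.get(caller, [])):
            reached[callee] = reached[caller] + (i + 1) * call_minutes
            queue.append(callee)
    del reached[root]
    return reached


def missing_from_tree(roster: List[str], tree: Dict[str, List[str]]) -> List[str]:
    """Roster consistency check: anyone not in the tree never gets a call."""
    called = {callee for callees in tree.values() for callee in callees}
    return [p for p in roster if p not in called]


def stranded_if_unreachable(tree: Dict[str, List[str]], person: str) -> List[str]:
    """Everyone below a person who never answers is not notified at all."""
    out, queue = [], deque(tree.get(person, []))
    while queue:
        p = queue.popleft()
        out.append(p)
        queue.extend(tree.get(p, []))
    return out


def compare(root: str, roster: List[str], fan_out: int = 2,
            call_minutes: int = CALL_MINUTES) -> Dict[str, int]:
    """Time to notify the last person under each roster style."""
    tree = build_tree(root, roster, fan_out)
    if missing_from_tree(roster, tree):
        raise ValueError("call tree does not cover the roster")
    return {
        "sequential_minutes": max(sequential_time(roster, call_minutes).values()),
        "hierarchical_minutes": max(hierarchical_time(root, tree, call_minutes).values()),
    }


if __name__ == "__main__":
    print(compare("ir-lead", ROSTER))
    tree = build_tree("ir-lead", ROSTER, 2)
    print("stranded if member02 never answers:", stranded_if_unreachable(tree, "member02"))
```

The hierarchical roster reaches everyone far sooner, but it concentrates risk: a single unanswered call leaves an entire branch uninformed, which is why a real IR plan pairs the tree with an escalation rule (skip to the next level after a timeout) rather than relying on the tree alone.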

hot site

A fully configured computing facility that includes all services, communications links, and physical plant operations.

capabilities table

A lattice-based access control with rows of attributes associated with a particular subject (such as a user).
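An added example, not from the course text, that implements the access control matrix described above and derives from it the two views defined on this page: the ACL (one column, per asset) and the capability table (one row, per subject). The subjects, assets and grants in build_example() are constructed for illustration; the lookup is default-deny, so an unknown subject, asset or right never authorizes anything.

```python
"""Access control matrix with ACL (column) and capability-table (row) views.

Added example, not from the course text. Subjects, assets and the grants
in build_example() are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, Set

# The rights this toy matrix understands; anything else is rejected on grant.
RIGHTS: FrozenSet[str] = frozenset({"read", "write", "execute", "admin"})


class AccessControlMatrix:
    """Rows are subjects (users), columns are assets, cells are sets of rights."""

    def __init__(self) -> None:
        self._cells: Dict[str, Dict[str, Set[str]]] = {}
        self._assets: Set[str] = set()

    def grant(self, subject: str, asset: str, *rights: str) -> None:
        unknown = set(rights) - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self._assets.add(asset)
        self._cells.setdefault(subject, {}).setdefault(asset, set()).update(rights)

    def revoke(self, subject: str, asset: str, *rights: str) -> None:
        cell = self._cells.get(subject, {}).get(asset)
        if cell:
            cell.difference_update(rights)

    def acl(self, asset: str) -> Dict[str, FrozenSet[str]]:
        """Column view: the ACL for one asset (which subjects hold which rights)."""
        return {
            subject: frozenset(row[asset])
            for subject, row in self._cells.items()
            if row.get(asset)
        }

    def capabilities(self, subject: str) -> Dict[str, FrozenSet[str]]:
        """Row view: the capability table for one subject (what it may touch)."""
        return {
            asset: frozenset(rights)
            for asset, rights in self._cells.get(subject, {}).items()
            if rights
        }

    def is_allowed(self, subject: str, asset: str, right: str) -> bool:
        """Default deny: an unknown subject, asset or right never authorizes."""
        return right in self._cells.get(subject, {}).get(asset, set())

    def render(self) -> str:
        """Text table: one row per subject, one column per asset."""
        assets: List[str] = sorted(self._assets)
        lines = ["subject".ljust(10) + "".join(a.ljust(14) for a in assets)]
        for subject in sorted(self._cells):
            cells = [",".join(sorted(self._cells[subject].get(a, ()))) or "-" for a in assets]
            lines.append(subject.ljust(10) + "".join(c.ljust(14) for c in cells))
        return "\n".join(lines)


def build_example() -> AccessControlMatrix:
    """Constructed grants for a payroll database and a web server (illustration only)."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll-db", "read", "write")
    m.grant("bob", "payroll-db", "read")
    m.grant("bob", "web-server", "read", "execute")
    m.grant("carol", "web-server", "admin")
    return m


if __name__ == "__main__":
    m = build_example()
    print(m.render())
    print("ACL for payroll-db:", m.acl("payroll-db"))
    print("capabilities of bob:", m.capabilities("bob"))
    print("bob may write payroll-db?", m.is_allowed("bob", "payroll-db", "write"))
```

Keeping one matrix and deriving both views from it avoids the classic drift between per-asset ACLs and per-user capability lists: revoking a right in the cell updates both views at once, and a subject with no remaining rights simply disappears from the ACL.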

server fault tolerance

A level of redundancy provided by mirroring entire servers to provide redundant capacity for services

security education, training, and awareness (SETA)

A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization's employees

true

Disaster recovery personnel must know their roles without supporting documentation.

true

Failure to develop an information security system based on the organization's mission, vision, and culture guarantees the failure of the information security program.

classification

Incident ____________________ is the process of examining a potential incident, or incident candidate, and determining whether or not the candidate constitutes an actual incident.

operational controls

Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.

technical controls

Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.

redundant

RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure

governance

Set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring objectives are achieved, risks are properly managed, and verifying that the enterprise's resources are used responsibly

true

Some policies may also need a sunset clause indicating their expiration date.

false

The global information security community has universally agreed with the justification for the code of practice identified in ISO/IEC 17799.

enterprise information security policy (EISP)

The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.

configuration rules

The instructions a system administrator codes into a server, networking device, or security device to specify how it operates.

Recovery Time Objective (RTO)

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD.

Recovery Point Objective (RPO)

The point in time, prior to a disruption or system outage, to which mission/business process data can be recovered (given the most recent backup copy of the data) after an outage.

Maximum Tolerable Downtime (MTD)

The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.

managerial controls

information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.

guidelines

nonmandatory recommendations the employee may use as a reference in complying with a policy

Systems-Specific Security Policies (SysSPs)

organizational policies that often function as standards or procedures to be used when configuring or maintaining systems

issue-specific security policy

organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource

incident response (IR) plan

plan that shows the organization's intended efforts in the event of an incident

technical specifications SysSPs

type of systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective

information security policy

written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets

