Principles of Information Security (6th ed.) - Chapter 11 Review Questions

Security Analyst (sec technicians)

Qual: - Varied; organizations prefer expert, certified, proficient technician - Some experience with a particular hardware and software package - Actual experience in using a technology usually required Reqs: - some experience with a particular HW and SW package - Technically qualified employees tasked to configure security hardware and software - Tend to be specialized

15. Who should pay for the expenses of certification. Why?

"It depends. Individuals not currently working in the field of the certification being pursued should have to pay for the certification themselves. If management is mandating the certification for an individual already performing the job functions, then the company should have to bear the responsibilities of the certification" - CourseHero

12. What functions does the sec analyst perform?

"Sec technicians" - Config FWs - Deploy IDPSs - Implement sec SW - Diagnose and troubleshoot probs - Coordinate with systems and NW admins to ensure tech is properly impl.d

10. What functions does the CISO perform?

- Manages the overall infoSec program for the org - Drafts/approves infoSec policies - Works with CIO on strategic plans, develops tactical plan, and works with sec mgrs on operational plans - Develops infoSec budgets based on available funding - Sets priorities for the purchase and implementation of infoSec projects and tech - Makes decisions/recommends recruits, hiring, firing - Acts as infoSec team spokesperson

CompTIA Certifications

-A+ series -Security+

> (ISC)^2 Certifications

- CISSP (Certified Information Systems Security Professional) -- Most prestigious -- Hardest to get -- Mastery of CBK = Common Body of Knowledge - SSCP (Systems Security Certified Practitioner) -- Practices, roles, and responsibilities as defined by experts fom major infosec industries -- More applicable to ec mgrs than technicians -- Scaled-down version of CISSP - CSSLP (Certified Secure Software Lifecycle Professional) -- Development of secure applications -- Essay - CCFP (Certified Cyber Forensic Professional) -- Newer - HCISPP (HealthCare Information Security and Privacy Practitioner) -- Security mgt topics and healthcare - CCSP (Certified Cloud Security Professional) -- Specifying, acquiring, securing, and managing cloud-based services - Associate of (ISC)^2 -- For those who want CISSP/SSCP before required experience

EC-Council Certifications

- C|CISO = Certified CISO --Governance (Policy, Legal, Compliance) --IS Mgt Controls and Auditing Mgt --Mgt: Projects, and Operations --InfoSec Core Competencies --Strategic Planning and Finance

13. What rationale should an aspiring information security professional use in acquiring professional credentials?

(Not sure what question's asking) - Costly - Do your homework - If pass -> very marketable ??

11. What functions does the security manager perform?

- Accountables for daily ops of infosec prog - Accomplish objs from CISO - Resolve issues from technicians - Responsible for mgt functions (scheduling, setting relative priorities, admining budget control) - Draft lower to middle level policy

ISACA Certifications

- CISM (Certified Information Security Manager) -- InfoSec governance -- Information Risk Assmt -- InfoSec Program Development and Management -- InfoSec Incident Management - CISA (Certified Information Systems Auditor) -- Process of auditing systems -- Governance and Management of IT -- Information systems acquisition, development, and implementation -- Information Systems Operations, Maintenance and Support -- Protection of Information Assets - CGEIT (Certified in the Governance of Enterprise IT) -- Framework for GEIT -- Strategic Management -- Benefits Realization -- Risk Optimization -- Resource optimization - CRISC (Certified in Risk and Information Systems Control) --IT Risk Identification --IT Risk Assm --Risk Response and Mitigation --Risk and Control Monitoring and Reporting

ISFCE Certifications

-CCE (Certified Computer Examiner)

SANS Certifications

-GIAC Security Leadership Certification (GSLC) -GIAC Security Expert (GSE)

4. What factors influence an organization's decision to hire info sec professionals?

> Cands who understand - how org operates at all levels - info = mgt problem - strong comm + writing skills - role of policy - most mainstream IT tech - It/info sec terms - org threats and how they become attacks - how bus solutions can be applied > Other - proven IT skills + professional experience

[skip 5] 6. What are critical considerations when dismissing an employee? Do they change according to whether the departure is friendly or hostile, or according to which position the employee is leaving?

> Crit considerations - Disable org access - Return removable media - Secure hard drives - Change file cabinet locks - Change office door locks - Revoke keycard access - Remove personal effects - Escort from building > They shouldn't change for either departure type.

2. List and describe the options for placing the information security function within the organization. Discuss the advantages and disadvantages of each option

> IT > Physical security > Admin services > Insurance and risk mgt > The legal dpt Advs/dis?

16. List and describe the standard personnel practices that are part of the information sec function. What happens to these practices when they are integrated with info sec concepts?

> Job Descriptions - review and update all descriptions; avoid revealing access privileges to prospective employees > Interviews - educate HR on certifications and experience for each; instruct HR to limit information provided to cand about responsibilities and access rights; avoid tours through secure and restricted sites > Background Checks - conduct before extending job offer > Employment Contracts - require emp to sign agreement in writing and nondisclosure agreements; "employment contingent upon agreement" > New Hire Orientation - extensive security briefing; procedures for performing necessary sec ops; outline level of authorized; training provided > On-the-Job Sec Training - sec awareness education > Evaluating Performance: incorporate info sec into evals > Termination - purge system of any emp's traces; request org property from emp

20. What is job rotation, and what benefits does it offer an organization?

> Job rotation requires each employee to perform another employee's job; employee can detect another's misuse or abuse of company information, and any employee could be subject to physical audit by another. > Accountability > Company security: If one employee leaves or is dismissed, other coworkers will know how to perform that employee's duties until a replacement can be found

8. What career paths do most experienced professionals take when moving into information security? Are other pathways available? If so, describe them.

> Most: (1) Law enforcement/military, or (2) Technical professionals > Others: College students with tailored degree programs, and those with IT skills and professional experience in another IT field.

19. What is separation of duties? How can it be used to improve an org's info sec practices?

> SOD: Requires significant tasks to be split up so that more than one individual is required to complete them > Reduces the chance that an emp will violate info sec; accountability

18. List and describe the typical relationship that prgs have with temp emps, contract emps, and consultants. What sec precautions must an org consider for such worker, and why are they sig?

> Temp emps - provide secretary/admin support - no subject to contractual obligations - strongest action = terminate relationship, request censure of temp - limit info to need to know stuff - attempt nondisclosure/fair-use policies - ensure emps practice good sec practices > Contract Emps - host makes contract with parent org - seldom need broad access - don't allow to wander around unescorted - verify services are scheduled/approved - change regulations > Consultants - have their own sec reqs and contract obligations - specify all reqs before they come onsite - prescreen 'em, escort, sign nondisc agreements - restrict mentioning working relat (if org wants) - doens't have to allow taking samples

1. What member of an organization should decide where the information security functions belongs within the organizational structure? Why?

Not sure

Security Manager

Qualification - Bachelor's in tech, bus, or sec-related - CISSP certification - often have accreditation - ability to draft middle- and lower-level policies, standards, and guidelines - budgeting, project management, and hiring and firing - ability to manage technicians Reqs: - Daily ops of infosec program - Accomplish CISO objs and resolve technician issues - General understaning of tech - Ability to draft middle and lower level policies, standards and guidelines - Experience in trad. bus matters - Manage technicians

CISO

Qualifications: - Bachelor's degree - Sometimes grad degree - Communication, interpersonal, management skills Reqs: - Manages the overall infosec program - Drafts/approves infoSec policies - Works w/ CIO on strategic, develops tactical, works w/ sec mgrs on operational - Develops infosec budgets - Sets priorities for purchase/impl of infosec projects/tech - Makes decisions/recommendations for recruiting/hiring/firing - Acts as infosec team spokesperson

CSO

Qualifications: - CISO's position may be combined with physical security responsibilities - Demonstrate experience as a security magr w/ planning, policy, and budgets Reqs: - familiar with infosec reqs and "gaurds, gates, guns" approach

14. List and describe the credentials of the infor sec professional mentioned in this chapter.

See next few cards

3. For each major information security job covered title covered in the chapter, list and describe the key qualifications and requirements for the position.

See next few cards

7. How do security considerations for temp/contract employees differ from those for regular fulltime employees?

Temps: - Can be censured - Can be asked to sign nondisclosure/fair us policies - Restrict info access - Ensure emps follow good sec practices Contractors: - Not allowed to wander freely; escorted from room to room - Verify services are scheduled/approved - Maintenance/background checks/cancellation/rescheduling regulations

17. Why shouldn't an organization give a job cand a tour of a secure area during an interview?

They may be able to retain enough information about operations or information security functions to become a threat.

9. Why is it important to use specific and clearly defined job descriptions for hiring information security professionals?

This is important because: - It can increase the degree of professionalism and - Improve the consistency of roles and responsibilities among organizations