Ch. 4
Enterprise Information Security Policy
High level policy that sets the strategic direction, scope, and tone for the organization's security efforts.
What documents are available from the NIST Computer Security Resource Center, and how can they support the development of a security framework?
SP 800-12 (An Introduction to Information Security), SP 800-14 (Generally Accepted Principles and Practices for Securing IT Systems), SP 800-18 (Guide for Developing Security Plans), SP 800-30 (Guide for Conducting Risk Assessments), SP 800-37 (Risk Management Framework), SP 800-39 (Managing Information Security Risk), SP 800-50 (Building an Information Technology Security Awareness and Training Program), SP 800-55 (Performance Measurement Guide for Information Security), SP 800-100 (Information Security Handbook: A Guide for Managers). They are free, publicly reviewed, and widely adopted, so an organization can use them as the reference model for its own framework and then tailor the controls to its needs.
What are the elements of a business impact analysis?
Scope, Plan, Balance, Objective, Follow-up.
When is the BC plan used? How do you determine when to use the IR, DR, and BC plans?
The Business Continuity plan is used concurrently with the DR plan when the damage is major or ongoing and requires more than simple restoration of information resources. The BC plan re-establishes critical business functions at an alternate site while the DR plan restores the primary site. In sequence: the IR plan is used first for any incident; if the incident cannot be contained and becomes a disaster, the DR plan is invoked; if the primary site cannot be recovered quickly enough to keep the business operating, the BC plan is invoked as well.
Who is ultimately responsible for managing technology? Who is responsible for enforcing the policy that affects the use of technology?
Management is ultimately responsible for managing technology. Enforcement of the policy that governs its use falls to the policy's designated owner: a Policy Administrator is an employee who is responsible for the creation, revision, distribution, and storage of a policy in an organization.
Time-Share
A continuity strategy in which an organization co-leases facilities with a business partner or sister organization.
Service Bureau
A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.
Mutual Agreement
A continuity strategy in which two organizations sign a contract to assist each other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.
Warm Site
A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications (and often without current data), so it takes longer to bring into service than a hot site.
Cold Site
A facility that provides only rudimentary services (space, power, environmental controls), with no computer hardware or peripherals. Cold sites are used for Business Continuity operations and are the cheapest but slowest option to bring online.
How can a security framework assist in the design and implementation of a security infrastructure?
A framework is a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls. It is an outline of the major issues that must be addressed, so the organization does not have to derive its control set from scratch and can check its implementation against a recognized baseline. Information governance is
What are the issues associated with adopting a formal framework or model?
A framework must be customized to fit the individual enterprise's needs; adopting it without tailoring can impose controls that do not fit the organization's size, risk profile, or regulatory environment, and tailoring takes time and expertise.
Hot Site
A fully configured computing facility that includes all services, communications links, and physical plant operations, ready for near-immediate use. Hot sites are used for BC operations and are the most expensive option.
What is the ISO 27000 series of standards? Which individual standards make up the series?
A roadmap of planned standards related to information security issues and topics, maintained by ISO/IEC. Individual standards include ISO/IEC 27000 (overview and vocabulary), 27001 (ISMS requirements, against which organizations are certified), 27002 (code of practice for information security controls), 27003 (ISMS implementation guidance), 27004 (measurement), and 27005 (information security risk management).
What is contingency planning? How is it different from routine management planning?
Actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as the preparatory business impact analysis. Routine management planning only considers business as usual; CP plans for the incidents that will inevitably occur.
What is an after action review? When is it performed? Why is it done?
A detailed review of the events that occurred from first detection to final recovery, conducted after the incident or disaster is resolved and the plan has been executed. It is done to evaluate how well the plan and the team performed, to document lessons learned, and to feed improvements back into the plan and training.
Issue Specific Security Policy
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.
What benefit can a private, for-profit agency derive from best practices designed for federal agencies?
Be advised of widely accepted standards, practices, and policies that have already been reviewed and tested at scale, and modify them to suit individual needs rather than developing them from scratch.
Where can a security administrator find information on established security frameworks?
ISO/IEC 27002 (and the rest of the ISO/IEC 27000 series), the NIST Computer Security Resource Center special publications, and professional bodies such as ISACA and the Information Security Forum.
When should law enforcement be involved in an IR or DR action? What are the issues associated with law enforcement involvement?
If the incident is determined to involve a crime, such as corporate espionage, sabotage, or theft. Issues include: when to inform law enforcement, which level of law enforcement (local, state, or federal) has jurisdiction, and what will happen to the business, since involving law enforcement can mean loss of control over the investigation, seizure of systems and evidence, and delays in restoring operations.
When is the IR plan used?
Immediately after an incident is detected. If the attack escalates or is disastrous (fire, flood, earthquake), the process moves on to the disaster recovery plan and, if necessary, the Business Continuity plan.
What are the components of contingency planning?
Incident Response Planning (IR plan), Disaster Recovery Planning (DR plan), and Business Continuity Planning (BC plan), preceded by a Business Impact Analysis.
Operational Controls
Information security safeguards focusing on lower-level planning that deals with the functionality of the organization's security. These safeguards include disaster recovery and incident response planning.
Managerial Controls
Information security safeguards that focus on administrative planning, organizing, leading, and controlling, and that are designed by strategic planners and implemented by the organization's security administration. These safeguards include governance and risk management.
Technical Controls
Information security safeguards that focus on the application of modern technologies, systems, and processes to protect information assets. These safeguards include firewalls, virtual private networks, and IDPSs.
When is the DR plan used?
It is used if the IR plan is insufficient to contain the incident, or if the event begins as a disaster, such as a fire, flood, or blackout. Its goal is to restore operations at the primary site.
What is containment, and why is it part of the planning process?
Isolating affected channels, processes, services, or computers; stopping the losses; and regaining control of the affected systems. It is part of the planning process because the best containment option (disconnecting a network segment, disabling an account, shutting a service down) must be identified in advance for each scenario or system affected; deciding under pressure during the incident leads to delay and collateral damage.
System Specific Security Policy
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups, managerial guidance and technical specifications (such as access control lists and configuration rules), but may be written as a single unified document.
What are the differences between a policy, a standard, and a practice? What are the three types of security policies? Where would each be used? What type of policy would be needed to guide use of the Web? E-mail? Office equipment for personal use?
Policy - Written instructions that describe proper and improper behavior. Standard - Detailed statement of what must be done to comply with policy. Practice - Examples of actions that would comply with policy. The three types of security policy are: Enterprise Information Security Policy (EISP), used at the organizational level to set strategic direction; Issue-Specific Security Policy (ISSP), used to govern a particular technology or activity; System-Specific Security Policy (SysSP), used to configure or maintain a particular system. Use of the Web, e-mail, and office equipment for personal use would each be guided by an ISSP.
What are Pipkin's three categories of incident indicators?
Possible, Probable, Definite.
What is information governance? Who in the organization should plan for it?
The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise's resources are used responsibly. Because it is exercised by the board and executive management, they are the ones who must plan for it, with the CISO or equivalent security leadership implementing it.
What Web resources can aid an organization in developing best practices as part of a security framework?
www.cert.org, www.techforum.com, www.securityforum.org, www.isaca.org, www.iapsc.org