Chapter 11: Security and Personnel
T or F: Administrators provide the policies, guidelines and standards in the Schwartz, Erwin, Weafer, and Briney classification.
False, Administrators is Definers
T or F: GIAC stands for Global Information Architecture Certification.
False, Architecture is Assurance.
T or F: ISACA stands for Information Systems Automation and Control Association.
False, Automation is Audit.
T or F: The CISA certification is for information security management professionals.
False, CISA is CISM.
T or F: ISSEP stands for Information Systems Security Expert Professional.
False, Expert is Engineering
T or F: Friendly departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting.
False, Friendly is Hostile
T or F: Many hiring managers in the information security field prefer to recruit a security professional who has already proven HR skills.
False, HR is IT
T or F: ISSMP stands for Information Systems Security Monitoring Professional.
False, Monitoring is Management
T or F: The most common qualification for the CISO type of position is the SSCP accreditation.
False, SSCP is CISSP
T or F: A mandatory furlough provides the organization with the ability to audit the work of an individual.
False, furlough is vacation.
T or F: The general management community of interest must plan for the proper staffing for the information security function.
False, general management is information security
The organization should conduct a behavioral feasibility study before the ____________________ phase.
implementation
Employees should be provided access to the minimal amount of information for the minimal amount of time necessary for them to perform their duties. This is referred to as the principle of ____________________.
least privilege
Security ____________________ are accountable for the day-to-day operation of the information security program.
managers
Separation of ____________________ is used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information.
duties
When new employees are introduced into the organization's culture and workflow, they should receive as part of their ____________________ an extensive information security briefing.
employee orientation
Once a candidate has accepted a job offer, the ____________________ becomes an important security instrument.
employment contract
It is important to gather employee ____________________ early about the information security program and respond to it quickly.
feedback
T or F: SCP stands for Security Certified Program.
True
Describe the concept of separation of duties.
Among several internal control strategies, separation of duties is a cornerstone in the protection of information assets and in the prevention of financial loss. Separation of duties is used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information. The control stipulates that the completion of a significant task that involves sensitive information should require at least two people. The idea behind this separation is that if only one person had the authorization to access a particular set of information, there may be nothing the organization can do to prevent this individual from copying the information and removing it from the premises. Separation of duties is especially important, and thus commonly implemented, when the information in question is financial.
The SCP certification provides three tracks: the SCNS (Security Certified Network Specialist); the SCNP (Security Certified Network Professional); and the SCNA (Security Certified Network ____________________).
Architect
The ____________________ of (ISC)2 program is geared toward those who want to take the CISSP or SSCP exams before obtaining the requisite experience for certification.
Associate
SANS developed a series of technical security certifications in 1999 that are known as the Global Information ____________________ Certification or GIAC family of certifications.
Assurance
The Information Systems ____________________ and Control Association offers the CISA certification for auditing, networking, and security professionals.
Audit
The ____________________ acts as the spokesperson for the information security team.
Chief Information Security Officer (CISO or CSO)
The __________________________________________________ certification requires both the successful completion of the examination and an endorsement by a qualified third party, typically another CISSP-certified professional, the candidate's employer, or a licensed, certified, or commissioned professional.
Certified Information Systems Security Professional (CISSP)
_____________________ departures include resignation, retirement, promotion, or relocation.
Friendly
T or F: Security managers accomplish objectives identified by the CISO and resolve issues identified by technicians.
True
T or F: Upper management should learn more about the budgetary needs of the information security function and the positions within it.
True
What functions does the CISO perform?
The CISO performs the following functions:
- Manages the overall information security program for the organization
- Drafts or approves information security policies
- Works with the CIO on strategic plans, develops tactical plans, and works with security managers on operational plans
- Develops information security budgets based on available funding
- Sets priorities for the purchase and implementation of information security projects and technology
- Makes decisions or recommendations on the recruiting, hiring, and firing of security staff
- Acts as the spokesperson for the information security team
T or F: ISSAP stands for Information Systems Security Architecture Professional.
True
What tasks must be performed when an employee prepares to leave an organization?
When an employee prepares to leave an organization, the following tasks must be performed:
- Access to the organization's systems must be disabled.
- Removable media must be returned.
- Hard drives must be secured.
- File cabinet locks must be changed.
- Office door lock must be changed.
- Keycard access must be revoked.
- Personal effects must be removed from the organization's premises.
____ are the real techies who create and install security solutions.
a. Builders
b. Administrators
c. Senior managers
d. Definers
a. Builders.
The ____ position is typically considered the top information security officer in the organization.
a. CISO
b. CFO
c. CTO
d. CEO
a. CISO
The ____ examination is designed to provide CISSPs with a mechanism to demonstrate competence in the more in-depth and concentrated requirements of information security management.
a. ISSMP
b. ISSAP
c. CISSPM
d. CISSMP
a. ISSMP
____ are hired by the organization to serve in a temporary position or to supplement the existing workforce.
a. Temporary employees
b. Consultants
c. Contractors
d. Self-employees
a. Temporary employees
The applicant for the CISM must provide evidence of ____ years of professional work experience in the field of information security, with a waiver or substitution of up to two years for education or previous certification.
a. five
b. eight
c. ten
d. twelve
a. five
Sometimes onsite contracted employees are self-employed or are employees of an organization hired for a specific, one-time purpose. These people are typically referred to as ____________________.
consultants
The model used often by large organizations places the information security department within the ____ department.
a. management
b. information technology
c. financial
d. production
b. information technology
____ are often involved in national security and cyber-security tasks and move from those environments into the more business-oriented world of information security.
a. Marketing managers
b. Military personnel
c. Business analysts
d. Lawyers
b. Military personnel
A study of information security positions, done by Schwartz, Erwin, Weafer, and Briney, found that positions can be classified into one of ____ areas.
a. two
b. three
c. four
d. five
b. three.
CISOs are ____________________ managers first.
business
The SSCP exam consists of ____ multiple-choice questions, and must be completed within three hours.
a. 75
b. 100
c. 125
d. 225
c. 125
The breadth and depth covered in each of the domains makes the ____ one of the most difficult-to-attain certifications on the market.
a. NSA
b. CISO
c. CISSP
d. ISEP
c. CISSP
Many information security professionals enter the field from traditional ____ assignments.
a. HR
b. BA
c. IT
d. All of the above
c. IT
System Administration, Networking, and Security Organization is better known as ____.
a. SANO
b. SAN
c. SANS
d. SANSO
c. SANS
____ was designed to recognize mastery of an international standard for information security and a common body of knowledge (sometimes called the CBK).
a. CISSP
b. ISSMP
c. SSCP
d. All of the above
c. SSCP
____ is a cornerstone in the protection of information assets and in the prevention of financial loss.
a. Fire protection
b. Business separation
c. Separation of duties
d. Collusion
c. Separation of duties
Many organizations use a(n) ____ interview to remind the employee of contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee's tenure in the organization.
a. hostile
b. departure
c. exit
d. termination
c. exit
In recent years, the ____ certification program has added a set of concentration exams.
a. ISSEP
b. ISSMP
c. ISSAP
d. CISSP
d. CISSP
The ____ program focuses more on building trusted networks, including biometrics and PKI.
a. NFC
b. SCNP
c. PKI
d. SCNA
d. SCNA
____ are the technically qualified individuals tasked to configure firewalls, deploy IDSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that an organization's security technology is properly implemented.
a. CSOs
b. CISOs
c. Security managers
d. Security technicians
d. Security technicians
____ is the requirement that every employee be able to perform the work of another employee.
a. Two-man control
b. Collusion
c. Duty exchange
d. Task rotation
d. Task rotation
The information security function can be placed within the ____.
a. insurance and risk management function
b. administrative services function
c. legal department
d. All of the above
d. All of the above
Once an information security function's organizational position has been determined, the challenge is to design a(n) ____________________ structure for the information security function that balances the competing needs of each of the communities of interest.
reporting
Job ____________________ can greatly increase the chance that an employee's misuse of the system or abuse of the information will be detected by another.
rotation
A(n) "____________________ agency" is an agency that provides specifically qualified individuals at the paid request of another company.
temp
Related to the concept of separation of duties is that of ____________________, the requirement that two individuals review and approve each other's work before the task is categorized as finished.
two-person control