Chapter 4


Goals

Sometimes used synonymously with objectives; the desired end of a planning cycle.

Disaster Recovery Planning

The process of preparing an organization to handle a disaster and recover from it, whether the disaster is natural or man-made.

Sunset Clause

A component of policy or law that defines an expected end date for its applicability.

Alert Roster

A document that contains contact information for people to be notified in the event of an incident.

De Jure Standards

A standard that has been formally evaluated, approved, and ratified by a formal standards organization.

De Facto Standards

A standard that has been widely adopted or accepted by a public group rather than a formal standards organization.

Standards

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance.

Information Security Blueprint

In information security, a framework or security model customized to an organization, including implementation details.

Strategic Plan

The documented product of strategic planning; a plan for the organization's intended strategic efforts over the next several years.

Tactical Plan

The documented product of tactical planning; a plan for the organization's intended tactical efforts over the next few years.

Business Continuity Planning

The process of preparing an organization to reestablish or relocate critical business operations during a disaster that affects operations at the primary site.

Governance

The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly.

Redundancy

The use of multiple types and instances of technology that prevent the failure of one system from compromising the security of information.

Defense in Depth

A strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection.

Security Domain

An area of trust within which information assets share the same level of protection.

Policy Administrator

An employee responsible for the creation, revision, distribution, and storage of a policy in an organization.

Adverse Events

An event with negative consequences that could threaten the organization's information assets or operations. Sometimes referred to as an incident candidate.

Business Impact Analysis

An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and recovery priorities.

Crisis Management

An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.

Issue Specific Security Policy (ISSP)

An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies.

Practices

Examples of actions that illustrate compliance with policies.

Corporate Governance

Executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.

Information Security Framework

In information security, a specification of a model to be followed during the design, selection, and initial and ongoing implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls. Also known as a security model.

Guidelines

Nonmandatory recommendations the employee may use as a reference in complying with a policy.

Operational Plan

The documented product of operational planning; a plan for the organization's intended operational efforts on a day-to-day basis for the next several months.

Systems-Specific Security Policies (SysSPs)

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. They can be separated into two general groups: managerial guidance and technical specifications.

ISO/IEC 17799

Originally released as part of the British Standard for Information Security in 1999 and then as the Code of Practice for Information Security Management in October 2000, it was elevated by the International Organization for Standardization (ISO) to an international code of practice for information security management. This standard defines confidentiality, integrity, and availability controls for information within a comprehensive information security management system. The latest version is ISO/IEC 17799:2005.

Procedures

Step-by-step instructions designed to assist employees in following policies, standards, and guidelines.

Incident Response Planning

The actions taken by senior management to develop and implement the IR policy, plan, and computer security incident response team. Its phases are planning, detection, reaction, and recovery.

Contingency Planning

The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis.

Information Security Governance

The application of the principles of corporate governance to the information security function.

Security Perimeter

The boundary in the network within which an organization attempts to maintain security controls for securing information from threats from untrusted network areas.

Enterprise Information Security Policy (EISP)

The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. Also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.

Computer Forensics

The process of collecting, analyzing, and preserving computer-related evidence.

Strategic Planning

The process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.
