Chapter 5


four areas of security functions

- non-technology business units outside the IT management control
- IT groups outside the InfoSec area of management control
- InfoSec department as a customer service to the organization and its external partners
- InfoSec department as a compliance enforcement obligation

Program Evaluation and Review Technique (PERT)

A diagramming technique developed in the late 1950s that involves specifying activities and their sequence and duration.

Gantt Chart

A diagramming technique named for its developer, which lists activities on the vertical axis of a bar chart and provides a simple timeline on the horizontal axis.

Critical Path Method (CPM)

A diagramming technique, similar to PERT, designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project.

security administrator

A hybrid position comprising the responsibilities of both a security technician and a security manager.

work breakdown structure (WBS)

A list of the tasks to be accomplished in the project; the _______ provides details for the work to be accomplished, the skill sets or even specific individuals to perform the tasks, the start and end dates for the task, the estimated resources required, and the dependencies between and among tasks.

security education, training, and awareness (SETA)

A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizational employees.

projectitis

A situation in project planning in which the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts in the project management software than accomplishing meaningful project work.

security analyst

A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system.

security technician

A technical specialist tasked with configuring firewalls and intrusion detection systems (IDSs), implementing security software, diagnosing and troubleshooting problems, and coordinating with systems and network administrators to ensure that security technology is properly implemented.

Network security administration

Administers configuration of computer networks; often organized into groups by logical network area (i.e., WAN, LAN, DMZ) or geographic location

Systems security administration

Administers the configuration of computer systems, which are often organized into groups by the operating system they run

Security watchstanders

An entry-level InfoSec professional responsible for the routine monitoring and operation of a particular InfoSec technology. Also known as a security staffer.

Systems testing

Evaluates patches used to close software vulnerabilities and performs acceptance testing of new systems to assure compliance with policy and effectiveness

Incident response

Handles the initial response to potential incidents, manages escalation of actual incidents, and coordinates the earliest responses to incidents and disasters.

Risk assessment

Identifies and evaluates the risk present in IT initiatives and/or systems

Risk management

Implements or oversees use of controls to reduce risk

those that define, those that build, and those that administer

InfoSec positions can be classified into three types:

Vulnerability assessment (VA)

Locates exposure within information assets so these vulnerabilities can be repaired before weaknesses are exploited

Legal assessment

Maintains awareness of planned and actual laws and their impact, and coordinates with outside legal counsel and law enforcement agencies

Centralized authentication

Manages the granting and revocation of network and system credentials for all members of the organization

security awareness program

One of the least frequently implemented but most effective security methods

Planning

Researches, creates, maintains, and promotes InfoSec plans; often takes a project management approach to planning as contrasted with strategic planning for the whole organization

culture, size, budget

The InfoSec needs of an organization are unique to its _____________.

SETA program

The ________________________________ is the responsibility of the CISO and is designed to reduce the incidence of accidental security breaches.

NICE Cybersecurity Workforce Framework (NCWF)

The _________________________________ defines a common means of classifying roles in the discipline of cybersecurity.

slack time

The difference in time between the critical path and any other path is called ___________.

information security program

The entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to its information assets.

Scope creep

The expansion of the quantity or quality of project deliverables from the original project plan.

Security managers

The individual accountable for ensuring the day-to-day operation of the InfoSec program, accomplishing the objectives identified by the CISO and resolving issues identified by technicians.

security education

The portion of the SETA program based on formal delivery of knowledge of InfoSec issues and operations, usually through institutions of higher learning.

security awareness

The portion of the SETA program dedicated to keeping users conscious of key InfoSec issues through the use of newsletters, posters, trinkets, and other methods.

security training

The portion of the SETA program focused on providing users with the knowledge, skill, and/or ability to use their assigned resources wisely to avoid creating additional risk to organizational information assets.

project management

The process of identifying and controlling the resources applied to a project as well as measuring progress and adjusting the process as progress is made toward the goal.

Training

Trains general staff in InfoSec topics, IT staff in specialized technical controls, and internal InfoSec staff in specialized areas of InfoSec, including both technical and managerial topics

Measurement

Uses existing control systems (and perhaps specialized data collection systems) to measure all aspects of the InfoSec environment

Compliance

Verifies that system and network administrators repair identified vulnerabilities promptly and correctly

Ignorance of the law is not an excuse

ignorantia juris non excusat

NIST SP 800-16

One of the most useful documents for InfoSec practitioners and those developing training programs is ___________.

chief security officer (CSO)

In some organizations, an alternate title for the CISO; in other organizations, the title most commonly assigned to the most senior manager or executive responsible for both information and physical security.

Computer Security Act of 1987

requires federal agencies to provide mandatory periodic training in computer security awareness and accepted computer practices to all employees involved with the management, use, or operation of the agencies' computer systems.

chief information security officer (CISO)

responsible for the assessment, management, and implementation of information-protection activities in the organization.

chief information officer (CIO)

the senior technology officer responsible for aligning the strategic efforts of the organization and integrating them into action plans for the information systems or data-processing division of the organization.
