cspp Chapter 15 IT Security Controls, Plans, and Procedures -- Stallings
What are the general classes of controls?
+ Management controls
+ Operational controls
+ Technical controls
Each of the three general control classes can be further divided into which sub-classes?
+ Supportive controls
+ Preventative controls
+ Detection and recovery controls
Implementation plan
Documents how the selected controls will be put in place: what is to be done for each control, who is responsible, and with what resources and in what time frame.
Configuration Management
is concerned with specifically keeping track of the configuration of each system in use and the changes made to each. This includes lists of the hardware and software versions installed on each system.
1. To ensure that a suitable level of security is maintained, management must follow up the implementation with an evaluation of the effectiveness of the security controls.
T
10. It is likely that the organization will not have the resources to implement all the recommended controls.
T
12. The recommended controls need to be compatible with the organization's systems and policies.
T
Technical
4. ________ controls involve the correct use of hardware and software security capabilities in systems.
13. The implementation phase comprises not only the direct implementation of the controls, but also the associated training and general security awareness programs for the organization.
T
risk assessment
1. A _________ on an organization's IT systems identifies areas needing treatment.
detection and recovery
10. The _________ controls focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploitation of a vulnerability, and by providing means to restore the resulting lost computing resources.
Preventative
12. _________ controls focus on preventing security breaches from occurring by inhibiting attempts to violate security policies or exploit a vulnerability.
supportive
14. Controls can be classified as belonging to one of the following classes: management controls, operational controls, technical controls, detection and recovery controls, preventative controls, and _______ controls.
monitor risks
3. The three steps for IT security management controls and implementation are: prioritize risks, respond to risks, and __________ .
IT security
5. The _______ plan documents what needs to be done for each selected control, along with the personnel responsible, and the resources and time frame to be used.
management
6. When the implementation is successfully completed, _______ needs to authorize the system for operational use.
Change
8. _______ management is the process used to review proposed changes to systems for implications on the organization's systems and use.
Configuration
9. _______ management is concerned with specifically keeping track of the configuration of each system in use and the changes made to each.
13. Identification and authentication is part of the _______ class of security controls. A. technical B. operational C. management D. none of the above
A
14. Maintenance of security controls, security compliance checking, change and configuration management, and incident handling are all included in the follow-up stage of the _________ process. A. management B. security awareness and training C. maintenance D. all of the above
A
3. _______ controls focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission. A. Management B. Technical C. Preventative D. Supportive
A
9. The implementation process is typically monitored by the organizational ______. A. security officer B. general counsel C. technology officer D. human resources
A
14. Appropriate security awareness training for all personnel in an organization, along with specific training relating to particular systems and controls, is an essential component in implementing controls.
T
2. Management controls refer to issues that management needs to address.
T
4. Detection and recovery controls provide a means to restore lost computing resources.
T
5. Water damage protection is included in security controls.
T
7. Physical access or environmental controls are only relevant to areas housing the relevant equipment.
T
Control
An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action.
Operational control
Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies. These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems.
5. ________ controls focus on the response to a security breach, by warning of violations or attempted violations of security policies. A. Technical B. Preventative C. Detection and recovery D. Management
C
6. A contingency plan for systems critical to a large organization would be _________ than that for a small business. A. smaller, less detailed B. larger, less detailed C. larger, more detailed D. smaller, more detailed
C
9. Controls may vary in size and complexity in relation to the organization employing them.
T
Security compliance
An audit process to review the organization's security processes. The goal is to verify compliance with the security plan.
Safeguard
Another term for control or countermeasure
countermeasure
Another term used for control or safeguard
1. _________ is a formal process to ensure that critical assets are sufficiently protected in a cost-effective manner. A. Configuration management control B. IT security management C. Detection and recovery control D. Security compliance
B
12. The objective of the ________ control category is to counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. A. asset management B. business continuity management C. information security incident management D. physical and environmental security
B
15. Periodically reviewing controls to verify that they still function as intended, upgrading controls when new requirements are discovered, ensuring that changes to systems do not adversely affect the controls, and ensuring new threats or vulnerabilities have not become known are all ________ tasks. A. security compliance B. maintenance C. incident handling D. program management
B
4. _______ controls are pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls. A. Preventative B. Supportive C. Operational D. Detection and recovery
B
7. Management should conduct a ________ to identify those controls that are most appropriate and provide the greatest benefit to the organization given the available resources. A. cost analysis B. cost-benefit analysis C. benefit analysis D. none of the above
B
11. The objective of the ________ control category is to avoid breaches of any law, statutory, regulatory, or contractual obligations, and of any security requirements. A. access B. asset management C. compliance D. business continuity management
C
Configuration management
Concerned with specifically keeping track of the configuration of each system in use and the changes made to each. This includes lists of the hardware and software versions installed on each system.
10. The follow-up stage of the management process includes _________. A. maintenance of security controls B. security compliance checking C. incident handling D. all of the above
D
2. An IT security ________ helps to reduce risks. A. control B. safeguard C. countermeasure D. all of the above
D
8. An IT security plan should include details of _________. A. risks B. recommended controls C. responsible personnel D. all of the above
D
IT security plan
Documents what needs to be done for each selected control, along with the personnel responsible, and the resources and time frame to be used.
11. The selection of recommended controls is not guided by legal requirements.
F
15. The IT security management process ends with the implementation of controls and the training of personnel.
F
3. Operational controls range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.
F
6. All controls are applicable to all technologies.
F
8. Once in place controls cannot be adjusted, regardless of the results of risk assessment of systems in the organization.
F
Preventative control
Focus on preventing security breaches from occurring by inhibiting attempts to violate security policies or exploit a vulnerability.
Management control
Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization's mission. These controls refer to issues that management needs to address.
Detection and recovery controls
Focus on the response to a security breach by warning of violations or attempted violations of security policies or the identified exploitation of a vulnerability, and by providing means to restore the resulting lost computing resources.
Compliance
Avoiding breaches of any law, statutory, regulatory, or contractual obligations, and of any security requirements.
Technical control
Involve the correct use of hardware and software security capabilities in systems. These range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.
Supportive control
Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls.
Change management
The process used to review proposed changes to systems for their implications on the organization's systems and their use. Its aim is to make sure changes are made smoothly and efficiently and do not negatively affect system reliability, security, confidentiality, integrity, or availability.
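As an added worked example (not from the Stallings text or any course material), the Python below models the configuration management and change management definitions above in code: a recorded baseline of the hardware/software inventory of each system is compared with its current state, and every difference is either matched to an approved change ticket or reported as unauthorised drift for the follow-up stage (compliance checking, incident handling). All host names, package versions, file hashes and ticket numbers are constructed sample data, and the data model is an assumption made for this example.

```python
"""Configuration baseline and drift check (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed data model: one record per system, keyed by host name, holding the
# installed package versions plus hashes of a few security-relevant files.
Inventory = Dict[str, Dict[str, str]]   # host -> {item -> version or hash}


@dataclass
class ApprovedChange:
    """A change that went through change management review (constructed)."""
    ticket: str
    host: str
    item: str
    new_value: str          # version or hash expected after the change


@dataclass
class Drift:
    """One difference between the recorded baseline and the current state."""
    host: str
    item: str
    old: Optional[str]
    new: Optional[str]
    approved_by: Optional[str] = None   # ticket id when the change was approved

    @property
    def kind(self) -> str:
        if self.old is None:
            return "added"
        if self.new is None:
            return "removed"
        return "changed"


def diff_inventory(baseline: Inventory, current: Inventory,
                   approved: List[ApprovedChange]) -> List[Drift]:
    """Report every difference per system; label those covered by a ticket."""
    lookup = {(c.host, c.item, c.new_value): c.ticket for c in approved}
    drifts: List[Drift] = []
    for host in sorted(set(baseline) | set(current)):
        old_items = baseline.get(host, {})
        new_items = current.get(host, {})
        for item in sorted(set(old_items) | set(new_items)):
            old, new = old_items.get(item), new_items.get(item)
            if old == new:
                continue
            drifts.append(Drift(host, item, old, new, lookup.get((host, item, new))))
    return drifts


def unauthorised(drifts: List[Drift]) -> List[Drift]:
    """Drift with no matching change ticket: candidates for incident handling."""
    return [d for d in drifts if d.approved_by is None]


def report(drifts: List[Drift]) -> str:
    """Human-readable summary, one line per difference."""
    lines = []
    for d in drifts:
        status = f"approved ({d.approved_by})" if d.approved_by else "UNAUTHORISED"
        lines.append(f"{d.host}: {d.item} {d.kind} {d.old!r} -> {d.new!r} [{status}]")
    return "\n".join(lines)


# Constructed sample data: recorded baseline, current observation, and the
# single change that change management actually approved.
BASELINE: Inventory = {
    "web01": {"openssl": "3.0.13", "nginx": "1.24.0",
              "/etc/ssh/sshd_config": "sha256:aaaa1111"},
    "db01": {"openssl": "3.0.13", "postgresql": "15.6"},
}
CURRENT: Inventory = {
    "web01": {"openssl": "3.0.14", "nginx": "1.24.0",
              "/etc/ssh/sshd_config": "sha256:bbbb2222"},
    "db01": {"openssl": "3.0.13", "postgresql": "15.6", "netcat": "1.2"},
}
APPROVED = [ApprovedChange("CHG-1041", "web01", "openssl", "3.0.14")]

if __name__ == "__main__":
    print(report(diff_inventory(BASELINE, CURRENT, APPROVED)))
```

Run against the sample data, the OpenSSL upgrade on web01 is matched to ticket CHG-1041, while the modified sshd_config on web01 and the netcat package that appeared on db01 are reported as unauthorised drift. In practice the baseline would be generated from a real inventory tool and the approved-change list pulled from the organization's change management system; the comparison logic stays the same.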
