ITC482 REVISION #2: POLICY, RISK, PROTECTION, PERSONNEL, LAW & ETHICS, PROJECT MANAGEMENT

1. What is information security policy? Why is it critical to the success of the information security program?
Answer: The information security policy sets the strategic direction, scope, and tone for all of an organization's security efforts. It is important because it helps employees see what an organization wants, where it wants to go, and for what reason.

2. Describe the bull's-eye model. What does it say about policy in the information security program?
Answer: In the bull's-eye model, policies are on the outside, because policies should deal with every aspect. Then you have networks, which is where the public will most likely attack you. Next come systems, like desktop computers and servers. Then, in the center, you have all your applications. The bull's-eye model is effective because it starts with policy: if you have good policy, then your networks, systems, and applications will be more secure. After policy, you have your network security, i.e. firewalls, IDS, stuff like that.

3. How are policies different from standards and procedures? In what way?
Answer: A standard is a more detailed statement of what must be done in order to be measured as in compliance with the policy, whereas procedures explain how the employee might act to comply with the policy and to be successfully measured by the standard. In other words, procedures are the steps that need to be taken so that employees will abide by the policy. They may state activities to be done in addition to the policy.

4. For what purpose is an issue-specific security policy (ISSP) designed?
Answer: An issue-specific security policy is designed to provide detailed and targeted guidelines and expectations about how the technology-based system in question should be used.

5. What functions constitute a complete information security program?
Answer:
- Policies and procedures that outline proper use of information and information systems;
  (Planning, Incident, Disaster and Business Continuity Planning)
- Technology countermeasures to prevent intrusions, attacks, and system misuse;
  (Centralized Authentication, System Security Administration, Network Security Administration)
- Awareness and education programs for the information technology (IT) staff, management team, and all employees;
- Roles and responsibilities for managing information security; and
- Periodic review and evaluation of the program's effectiveness.
  (Vulnerability and Risk Assessment, Risk Management, Systems Testing, Legal Assessment)

6. Information security positions can be classified into what three areas? What are the differences among them?
Answer: Three areas:
1. Those that define: they provide policies, guidelines and standards.
2. Those that build: these are the technical people who create and install security solutions.
3. Those that administer: they operate and administrate the security tools.

7. Which of the SETA program's three elements is the organization best prepared to offer? Which should it consider outsourcing?
Answer: Security awareness is the element organizations are best prepared to offer, and even though some organizations do have in-house security training, a lot of the time they outsource security training.

8. What is an information security framework? How does it relate to the information security blueprint?
Answer: The information security framework is the outline of the blueprint, which is the basis for the design, selection, and implementation of all subsequent security controls, including information security policies, security education and training programs, and technological controls.

9. What is the standard of due care? How does it relate to due diligence?
Answer: The standard of due care is when an organization adopts minimum levels of security for a legal defense; it may need to show that it has done what any prudent organization would do in similar circumstances. Failure to support a standard of due care or due diligence can open an organization to legal liability, provided it can be shown that the organization was negligent in its application or lack of application of information protection.

10. What is benchmarking? What is baselining? How do they differ?
Answer: Benchmarking is looking at what other organizations have done and comparing it to yourself. Baselining is a value or profile of a performance metric against which changes in the performance metric can be usefully compared. Benchmarking is comparing to other companies, while baselining is comparing to your own company.

11. What is risk management? List and describe the key areas of concern for risk management.
Answer: Risk management is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated. The key areas are risk identification, risk assessment, and risk control.

12. What value would an automated asset inventory system have for the risk identification process?
Answer: An automated asset inventory system would be valuable to the risk identification process because all hardware components are already identified (models, makes, and locations), so management can review for the most critical items and assess the values.

13. What are vulnerabilities?
Answer: A vulnerability is a weakness in an information system, security practice or control that could be exploited to gain unauthorised access to information or disrupt information processing.
* Threats exploit vulnerabilities to carry out an attack of some sort.

14. Describe risk avoidance, risk transference, risk mitigation, risk acceptance, and residual risk.
Answer: Risk avoidance attempts to prevent the exploitation of the vulnerability. Risk transference attempts to shift the risk to other assets, other processes, or other organizations. Risk mitigation attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of the vulnerability. Risk acceptance is the choice to do nothing to protect an information asset and to accept the outcome from any resulting exploitation. Residual risk is the "left-over" risk that is not completely removed, shifted, or planned for.

15. Describe how outsourcing can be used for risk transference.
Answer: Outsourcing can be used for risk transference when an organization chooses to hire an ISP or a consulting organization to provide products and services for it, like buying and configuring servers, hiring their own webmasters, web system administrators and even specialized security experts. This allows the organization to transfer the risk associated with the management of these complex systems to another organization that has experience in dealing with those risks. A benefit of outsourcing is that the provider is responsible for disaster recovery and, through service level arrangements, is responsible for guaranteeing server and website availability.

16. How does a disaster recovery plan differ from a business continuity plan?
Answer: The DRP differs from the BCP because the DRP involves immediate recovery activities while the BCP involves longer-term recovery. Secondly, departments manage the DRP, while owners or their representatives at that time manage the BCP. Thirdly, the DRP is deployed after the incident is labeled a disaster, while the BCP is deployed immediately after it is determined that the disaster affects the continued operations of the organization.

17. What is risk appetite? Explain why risk appetite varies from organization to organization.
Answer: Risk appetite is the amount of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility. Risk appetite varies from organization to organization because of differences in size, budget, and organizational culture, as well as the difference in value placed on certain assets.

18. What is the OCTAVE Method? What does it provide to those who adopt it?
Answer: The OCTAVE Method is an InfoSec risk evaluation methodology that allows organizations to balance the protection of critical information assets against the costs of providing protective and detective controls.
- Phase 1: Build Asset-Based Threat Profile. Asset list and current protection mechanisms.
- Phase 2: Identify Infrastructure Vulnerabilities. Key IT components are examined for vulnerabilities that could lead to unauthorised access.
- Phase 3: Develop Security Strategy and Plans. Risks are analysed (impact, and costs to protect), then a list of highest priority is made.

19. What is the most widely accepted biometric authorization technology? Why do you think this is the case?
Answer: Photo identification cards read by human guards or gatekeepers. It is low-cost and highly reliable.

20. What is the most effective biometric authorization technology? Why do you think this is the case?
Answer: Iris scanning. It is very accurate, highly repeatable and moderately unobtrusive.
* Also can be expensive to implement.

21. What is a DMZ? Is this really a good name for the function that this type of subnet performs?
Answer: A demilitarized zone (DMZ) is an intermediate area between a trusted network and an untrusted network. It is a fitting name since traffic coming into this area cannot directly access its destination, making this a security feature by limiting access and potential flaws.

22. How does a network-based IDS differ from a host-based IDS?
Answer: A network-based IDS monitors network traffic in order to provide early warning of potential network threats (such as DoS attacks). A host-based IDS is set up to monitor the access or altering of files on multiple systems. Host-based IDSs are much easier to set up and administer than network-based IDSs due to the more specific rules and restrictions that can be set.

23. What special function does a cache server perform? Why does this function have value for larger organizations?
Answer: A cache server stores the most recently accessed pages in an internal cache. This is beneficial to large companies since it can cut down on load and access times, because the pages are stored on a more local basis, therefore eliminating constant access to the outside and improving load times and security.

24. What is a VPN? Why are VPNs widely used?
Answer: A VPN is a private, secure network operated over a public and insecure network. It keeps the contents of messages hidden from the public through a process called tunneling. Thus a user has access to a network from outside, but it is still a secure connection. VPN usage continues to grow to support telework and SOHO computer usage.

25. What attributes do organizations seek in a candidate when hiring information security professionals? Prioritize this list of attributes and justify your ranking.
Answer: Experience, credentials, hiring issues, certification and background checks. Experience is the most important element, with credentials being preferred; hiring issues and background checks are important, but less so than experience and credentials.

26. What are the critical issues that management must consider when dismissing an employee? Do these issues change based on whether the departure is friendly or hostile?
Answer: When dismissing an employee, management must consider the following:
- the former employee's access to the organization's systems must be disabled
- the former employee must return all removable media
- the former employee's hard drives must be secured
- file cabinet locks must be changed
- office door locks must be changed

27. How do the security considerations for temporary or contract workers differ from those for regular employees?
Answer: For security purposes, temporary and contract employees should have limited access to information. Information access for these people should be limited to what is necessary to perform their duties. The organization can attempt to have temporary employees sign non-disclosure agreements and fair use policies. In secure facilities, all contract employees should be escorted from room to room as well as into and out of the facility. When contract employees report for maintenance or repair services, the first step is to verify that these services are actually scheduled or called for.

28. What functions does the CISO perform, and what are the key qualifications and requirements for the position?
Answer: The CISO is responsible for all security functions within an organization. They are required to write and draft policies, implement security measures, and handle security-oriented budgets and planning. It is a more business-oriented position with knowledge of technology. The key qualifications for a CISO are to have a CISSP and a graduate degree in business or technology, as well as some experience as a security manager.

29. What is least privilege? Why is implementing least privilege important?
Answer: Least privilege is allowing employees to access only the information resources they need in order to perform their duties. Practicing least privilege will keep you from having abusers that could possibly damage data or steal data.

30. What is intellectual property? Is it offered the same protection in every country of the world? What laws currently protect it in the U.S. and Europe?
Answer: Intellectual property is any material or words created by an individual on their own free time, or at any time, depending on the policy their employers issue. Every country in the world may have a different definition of what intellectual property is. Therefore intellectual property is difficult to protect worldwide. Currently, U.S. copyright laws protect intellectual property in the United States, and Europe has the European Council Cyber-Crime Convention.

31. What is a policy? How does it differ from a law?
Answer: Policy is a formalized description of acceptable and unacceptable employee behavior, which, when properly defined and enforced, functions the same way as laws within the organization. Unlike law, however, ignorance is an acceptable defense, so steps must be taken to assure that policy is communicated, understood, and accepted by employees.

32. Why are project management skills important to the information security professional?
Answer: IT organizations are looking for IT personnel who are good at project management, because an information security program often has to run a project to implement a new security aspect. Generally, information security is a continuous series, or chain, of projects.

33. What are the three planning parameters that can be adjusted when a project is not being executed according to plan?
Answer: When a project is not being executed on plan, three planning parameters can be adjusted: effort and money allocated, elapsed time or scheduling impact, and quality or quantity of the deliverable.

34. What is a work breakdown structure and why is it important?
Answer: In the WBS approach, the project plan is first broken down into a few major tasks. Each of these major tasks is placed on the WBS task list. WBS is a very simple project management tool, and despite its simplicity it could cause problems if it is not used properly.

This note was uploaded on 02/15/2010 for the course ITC 594 taught by Professor Peterdalmaris during the Three '10 term at Charles Sturt University.