Deck 9: Security Management Practices

One question you should ask when choosing among recommended practices is "Can your organization afford to implement the recommended practice?"

One of the critical tasks in the measurement process is to assess and quantify what willbe measured and how it is measured.____________

Attaining certification in security management is a long and difficult process,but once attained,an organization remains certified for the life of the organization.

Using a practice called baselining,you are able to develop policy based on the typical practices of the industry in which you are working.

Recommended practices are those security efforts that seek to provide a superior level of performancein the protection of information.____________

A comprehensive assessment of a system's technical and nontechnical protectionstrategies,as specified by a particular set of requirements is known as ​accreditation.____________

Data or the trends in data that may indicate the effectiveness ofsecurity countermeasures or controls-technical and managerial-implemented in theorganization are known as programmeasurements.____________

A company striving for 'best security practices' makes every effort to establish security program elements that meet every minimum standard in their industry.

Standardization is an an attempt to improve information security practices by comparing anorganization's efforts against those of a similar organization or an industry-developedstandard to produce results it would like to duplicate.____________

Performance measurements are seldom required in today's regulated InfoSec environment. ​

The authorization by an oversight authority of an IT system to process,store,ortransmit information is known as certification.____________

Aperformance measure is an an assessment of the performanceof some action or process against which futureperformance is assessed._____________

Astandard of due process is a legal standard that requires an organization and its employees to actas a "reasonable and prudent" individual or organization would under similar circumstances.____________

When choosing from among recommended practices,an organization should consider a number of questions.List four.

A practice related to benchmarking is ____________,which is a measurement against a prior assessment or an internal goal.

Best security practices balance the need for user _____________ to information with the need for adequate protection while simultaneously demonstrating fiscal responsibility.

The last phase in the NIST performance measures implementation process is to apply ______________ actions which closes the gap found in Phase 2.

____________________ encompasses a requirement that the implemented standards continue to provide the required level of protection.

A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a performance __________.

Why it measurement prioritization and selection important?How can it be achieved?

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
An assessment of the performance of some action or process against which futureperformance is assessed.

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
Those security efforts that are considered among the best in theindustry.

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
A common approach to a Risk ManagementFramework (RMF)for InfoSec practice.

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
The actions that demonstrate that an organization has made a valid effort to protect othersa requirement and that the implementedstandards continue to provide the required level of protection.

Before beginning the process of designing,collecting,and using measures,the CISO should be prepared to answer the following questions posed by Kovacich.List four of these questions.

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
A comprehensive assessment of a system's technical and nontechnical protectionstrategies,as specified by a particular set of requirements.

The process of implementing a performance measures program recommended by NIST involves six phases.List and describe them.

Compare and contrast accreditation and certification.

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
An attempt to improve information security practices by comparing anorganization's efforts against practices of a similar organization or an industry-developedstandard to produce results it would like to duplicate.

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
Those procedures that provide a superior level of security for an organization's information.

Describe the three tier approach of the RMF as defined by NIST SP 800-37.

Why must you do more than simply list the InfoSec measurements collected when reporting them?Explain.

List the four factors critical to the success of an InfoSec performance program,according to NIST SP 800-55,Rev.1.

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
The authorization of an IT system to process,store,or transmit information.

On what do measurements collected from production statistics greatly depend?Explain your answer.

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
The data or the trends in data that may indicate the effectiveness ofsecurity countermeasures or controls-technical and managerial-implemented in theorganization.

What are the two major activities into which the InfoSec measurement development process recommended by NIST is divided?

a.accreditation
b.baseline
c.benchmarking
d.certification
e.due diligence
f.best security practices
g.recommended business practices
h.standard of due care
i.performance measurements
j.NIST SP 800-37
A legal standard that requires an organization and its employees to actas a reasonable and prudent individual or organization would under similar circumstances.