Deck 5: Planning for Security

Information security safeguards provide two levels of control: managerial and remedial.

Quality security programs begin and end with policy.

The Security Area Working Group endorses ISO/IEC 17799.

The global information security community has universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799.

NIST 800-14,The Principles for Securing Information Technology Systems,provides detailed methods for assessing,designing,and implementing controls and plans for applications of varying size.

Each policy should contain procedures and a timetable for periodic review.

To remain viable,security policies must have a responsible individual,a schedule of reviews,a method for making recommendations for reviews,and a policy issuance and planned revision date.

The policy administrator is responsible for the creation,revision,distribution,and storage of the policy.

The ISSP sets out the requirements that must be met by the information security blueprint or framework.

A standard is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions,take actions,and perform other duties.

Failure to develop an information security system based on the organization's mission,vision,and culture guarantees the failure of the information security program.

A managerial guidance SysSP document is created by the IT experts in a company to guide management in the implementation and configuration of technology.

A policy should state that if employees violate a company policy or any law using company technologies,the company will protect them,and the company is liable for the employee's actions.

ISO/IEC 17799 is more useful than any other information security management approach.

You can create a single comprehensive ISSP document covering all information security issues.

Many industry observers claim that ISO/IEC 17799 is not as complete as other frameworks.

NIST Special Publication 800-18 Rev.1,The Guide for Developing Security Plans for Federal Information Systems,includes templates for major application security plans.

Management controls address the design and implementation of the security planning process and security program management.

ACLs are more specific to the operation of a system than rule-based policies and they may or may not deal with users directly.

A cold site provides many of the same services and options of a hot site.

A disaster recovery plan addresses the preparation for and recovery from a disaster,whether natural or man-made.

The gateway router can be used as the front-line defense against attacks,as it can be configured to allow only set types of protocols to enter.

Informational controls guide the development of education,training,and awareness programs for users,administrators,and management.

Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.

Systems-specific security policies are formalized as written documents readily identifiable as policy._________________________

A(n)integrated information security policy is also known as a general security policy._________________________

NIST documents can assist in the design of a security framework._________________________

The security blueprint is the basis for the design,selection,and implementation of all security program elements including such things as policy implementation and ongoing policy management._________________________

Disaster recovery personnel must know their roles without supporting documentation.

The Federal Bureau of Investigation deals with many computer crimes that are categorized as felonies.

Every member of the organization needs a formal degree or certificate in information security.

Some policies may also need a(n)sunset clause indicating their expiration date._________________________

The standard should begin with a clear statement of purpose._________________________

A(n)capability table specifies which subjects and objects users or groups can access._________________________

The vision of an organization is a written statement of an organization's purpose._________________________

Database shadowing only processes a duplicate in real-time data storage but does not duplicate the databases at the remote site.

Policies are living documents that must be managed._________________________

Laws are more detailed statements of what must be done to comply with policy._________________________

Additional redundancy to RAID can be provided by mirroring entire servers called redundant servers or server fault tolerance.

A firewall can be a single device or a firewall extranet,which consists of multiple firewalls creating a buffer between the outside and inside networks._________________________

Technical controls are the tactical and technical implementations of security in the organization._________________________

A(n)sequential roster is activated as the first person calls a few people on the roster,who in turn call a few other people._________________________

SP 800-18 Rev.1,The Guide for Developing Security Plans for Federal Information Systems,must be customized to fit the particular needs of a(n)organization._________________________

Proxy servers can temporarily store a frequently visited Web page,and thus are sometimes called demilitarized servers._________________________

A(n)contingency plan is prepared by the organization to anticipate,react to,and recover from events that threaten the security of information and information assets in the organization,and,subsequently,to restore the organization to normal modes of business operations._________________________

A(n)full backup only archives the files that have been modified that day,and thus requires less space and time than the differential._________________________

Evidence is the physical object or documented information that proves an action occurred or identifies the intent of a perpetrator._________________________

The Federal Agency Security Practices (FASP)site is a popular place to look up best practices._________________________

A service bureau is an agency that provides a service for a fee._________________________

Within security perimeters the organization can establish security circles._________________________

A(n)IR plan ensures that critical business functions continue if a catastrophic incident or disaster occurs._________________________

A(n)honeynet is usually a computing device or a specially configured computer that allows or prevents access to a defined area based on a set of rules._________________________

Host-based IDPSs are usually installed on the machines they protect to monitor the status of various files stored on those machines._________________________

One of the basic tenets of security architectures is the layered implementation of security,which is called defense in layers._________________________