Topic 8 Flashcards

Security management models

1
Q

How do the security considerations for temporary or contract workers differ from those for regular employees?

A

For security purposes, the information access given to temporary and contract employees should be limited to what is necessary to perform their specific assigned duties. The organization should require temporary employees to sign a nondisclosure agreement and an agreement to follow organizational policies. In secure facilities, all people who are not permanent employees of the organization should be escorted at all times, including into and out of the facility. When contract employees report for maintenance or repair services, the first step is to verify that these services are actually scheduled or called for.

2
Q

Discuss the standard personnel practices that are part of the InfoSec function. What happens to these practices when they are integrated with InfoSec concepts?

A

Information security personnel should understand how organizations are structured and operate, recognize that information security is a management task that cannot be handled by technology alone, work well with people, acknowledge the role of policy in guiding security efforts, understand the role of security education and training, perceive the threats facing an organization and know how to handle them, understand how to apply technical controls to solve specific security problems, demonstrate familiarity with mainstream information technologies, and understand IT and InfoSec terminology and concepts.

3
Q

What is separation of duties? How can this method be used to improve an organization’s InfoSec practices?

A

Separation of duties is a way of assigning multiple people to a process to provide checks and balances in order to seek the highest security. Separation of duties makes it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information.

4
Q

What is least privilege? Why is implementing least privilege important?

A

Least privilege means allowing employees to access only the information resources they need to perform their duties. Practicing least privilege reduces the chance that abusers will damage or steal data.

5
Q

What types of measures are used for InfoSec management measurement programs?

A

Organizations use three types of measures: those that determine the effectiveness of the execution of InfoSec policy, those that determine the effectiveness and/or efficiency of the delivery of InfoSec services, and those that assess the impact of an incident or other security event on the organization or its mission.

6
Q

What factors are critical to the success of an InfoSec performance program?

A

Four factors are critical to the success of an InfoSec performance program:
1. Strong upper-level management support
2. Practical InfoSec policies and procedures
3. Quantifiable performance measures
4. Results-oriented measurement analysis

7
Q

What is the standard of due care? How does it relate to due diligence?

A

The standard of due care is an organization’s adoption of minimum levels of security for a legal defense; it may need to show that it has done what any prudent organization would do in similar circumstances. Failure to support a standard of due care or due diligence can open an organization to legal liability, provided it can be shown that the organization was negligent in its application of information protection.

8
Q

What is a recommended security practice? What is a good source for finding such recommended practices?

A

Recommended security practices are security efforts that are among the best in the industry. One of the many good sources for finding these practices is the Federal Agency Security Project (csrc.nist.gov/groups/SMA/fasp/index.html).

9
Q

When selecting recommended practices, what criteria should you use?

A

When selecting recommended practices, you should use the following criteria:
* Does your organization resemble the target organization?
* Are the resources you spend similar to those called for by the practice?
* Are you in a similar threat environment as the one assumed by the practice?

10
Q

When choosing recommended practices, what limitations should you keep in mind?

A

The biggest limitation to benchmarking in InfoSec is the fact that organizations do not talk to each other. Another limitation is that no two organizations are identical. A third limitation is that recommended practices are a moving target.
