Chapter 2 - Understanding Security Policies Using a LIfecycle Approach Flashcards
What is initiation in regards to the security lifecycle?
This involves preliminary risk assessments and categorizing of risk, such as with labels of low, medium, or high.
What are the 5 phases of the security lifecycle?
1) Initiation
2) Acquisition and development
3) Implementation
4) Operations and maintenance
5) Disposition
What is acquisition and development in regards to the security lifecycle?
This involves a more detailed risk assessment, acquiring the products and tools needed to implement the countermeasures needed to reduce the risk, and testing these countermeasures.
What is implementation in regards to the security lifecycle?
This is the actual point where the rubber meets the road, where you put the countermeasures in place on the production network.
What is operations and maintenance in regards to the security lifecycle?
This involves monitoring and with the care and feeding of our network security devices (and incident handling when issues arise).
What is disposition in regards to the security lifecycle?
All things come to an end, and disposing of network gear (including sanitizing/formatting/destroying media storage devices) is part of this.
What are 2 methods for calculating the impact or risk value of an asset?
1) Qualitative - The data is gathered by an individual, who likely is a subject matter expert (in this case as to the asset’s value, its vulnerabilities, potential threats, and the impact or risk based on those factors).
2) Quantitative - In this method, you use raw data, numbers, and statistics to determine the risk.
What are 5 key activities when assessing the current security posture of network devices?
1) General security assessment - Provides a high-level idea about the security state of network devices (servers, desktops, and data storage).
2) Internal assessment - How well protected you are from the inside network.
3) External assessment - This is to assess the security risk associated with attacks from external devices on networks that connect to you.
4) Wireless assessment - Identifies vulnerabilities and weaknesses associated with the wireless implementation.
5) Analysis and documentation - This combines the details about vulnerabilities that may exist from the assessments completed.
What are 5 things to consider when considering a specific asset in regards to risk management?
1) Value of the asset
2) Vulnerabilities
3) Potential threats
4) Compliance issues
5) Business requirements
For each new asset (for which you have not calculated risk) what steps should you take?
1) Using qualitative/quantitative approaches, identify the risk (value of asset, vulnerability, potential threats = risk).
2) Take action regarding the risk (which could include transferring the risk, accepting the risk, or reducing the risk using countermeasures).
3) Monitor the risk.
What are the who, what, and why of a security policy?
1) Who creates security policies?
2) What is in a security policy?
3) Why do we have security policies?
Who is ultimately responsible for the data and the networks that carry the data in the company?
The executive senior management team.
What is the governing policy?
The high-level security policy.
What is the responsibility of management teams and staff who have the appropriate skills when it comes to the creation of security policies?
Implementing the appropriate controls (which include physical, logical, and administrative).
What is an end-user policy or acceptable use policy?
End users agreeing to and abiding by the policies set forth by the company.
