IT Governance Institute defines IT governance as being the responsibility of the board of directors and executive management
maintains the overal responsibility for protection of the information assets. - Must be aware of risks that they are accepting
responsible for design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidlines.
Information Systems Security Professional
drafting of policies, standards, guidelines and baselines is coordinated through these individuals.
assign appropriate classification to information assets. ensure business information is protected with appropriate controls. Need to determine the criticality, sensitivity, retention, backups and safeguards for the information. need to understand risks for information that they control.
takes care of the information on behalf of the owner. This group administers rights to the information assets.
Information Systems Auditor
determine compliance with policy, procedures, standards, baselines, designs, architectures, management direction and other requirements placed on systems. Provide top management with an independent view of controls and their effectiveness.
Business Continuity Planner
develop contigency plans. ensures business process can continue through the disaster and coordinates those activities with the buisness areas and information technology personnel responsible for disaster recovery.
Information Systems/Information Technology Professionals
responsible for designing security controls into information systems, testing the controls, and implementing the systems in production through agreed upon policies and procedures
manages the user acces request process and ensures that privileges are provided to those individuals who have been authorized for access by application/system/data owners. Has elevated privileges and creates and deletes accounts and access permissions. Maintains records
configures network and server hardware and the operating system, ensuring informaion is available and accessible
establish relationships with external law enforcement to assist in investigations. Manage the installation, maintenance and ongoin operation of the closed circuit television, burglar alarms, card reader access. Act as a deterrent to unauthorized access
be subject to social engineering attacks
Help desk administrator
ususally where first security incidents will be seen. Contacts Computer Security Incident response team (CIRT). Reswet passwords, tokens and smart cards
Safe Harbor Provision
"good faith" conditions
Must be Consistent. meaurable, standardized, comprehensive, and modular
European Data Protection Directive
compliance with a legal action, protect life of subject, subject provided consent, performed within the scope of public interest and the law. NIST 800-3 ISO 27001
care a reasonable person would exercise, lack is negligence
measure made to avoid harm to other persons or property
Guidelines for writing security policies
formally define a policy creation and policy maintenance practice; policies should survive for two or three years; do not be too specific; use forceful wording; do not include technical implementation details; keep each policy as short as possible; provide references to supporting documents; thoroughly review; conduct management review and sign-off, employees should acknowledge policies; do not use jargon; review incidents and adjust policies; periodically review; define exception rules;and sanctions for non-compliance
Spanning Tree Analysis
creates a tree of all possible threat or faults of the system
Value at risk
Human; Natural; Technical, Physical, Environmental, and Operational
When determining the value of an intagible asset which is sthe BEST apprach? A. Determine the physical storage cost and multiply by the expected life of the compancy B. With the assistance of finance of accounting professional determine how much profit the asset has returned C. Review the depreciation of the intangible asset over the past three years D. Use teh historical acquisition or development cost of the intangible asset
B. With the assistance of finance of accounting professional determine how much profit the asset has returned
Qualitative risk assessment is earmarked by which of the following? A. Ease of implementation and it can be completed by Personnel with a limited understanding of the risk assessment process B. Can be completed by personnel with a limited understanding of the risk assessment process and uses detailed metrics for calculation of risk C. Detailed metrics used for calculation of risk and ease of implementation D. Can be completed by personnel with a limited understanding of the risk assessment process and detailed metrics used for the calculation of risk
A. Ease of implementation and it can be completed by Personnel with a limited understanding of the risk assessment process
Single loss expectancy is calculated by using: A. Asset value an annulaized rate of occurrence (ARO) B. Asset value, local annual frequeny estimate (LAFE) and standard annual frequency estimate (SAFE) C. Asset value and exposure factor D. Local annual frequency estimate and annualized rate of occurrence
C. Asset value and exposure factor
Consideration for which the type of risk assessment to perform includes all of the following: A. Culture of the organization, liklihood of exposure and budget B. Budget, capabilities of resources, and liklihood of exposure C. Capabilities of resources, liklihood of exposure and budget D. Culture of the organization, budget, capabilities and resources
D. Culture of the organization, budget, capabilities and resources
Security awareness training includes A. Legislated secuirty compliance objectives B. Security roles and responsibilities for staff C. The high-level outcome of vulnerability assessments D. Specialilzed curriculum assignments, course work and an accredited institution
B. Security roles and responsibilities for staff
A signed user acknowledgment of the corporate security policy A. Ensures that users have read the policy B. Esures that users understand the policy, as well as the consequences for not following the policy C. Can be waived if the organization is satisfied that users have an adequate understanding of the policy D. Helps to protect the orgainzation if a user's behavior violates the policy
D. Helps to protect the orgainzation if a user's behavior violates the policy
Effective security management A. Achieves security at the lowest cost B. Reduces risk to an acceptable level C. Prioritizes security for new products D. Installs patches in a timely manner
B. Reduces risk to an acceptable level