Flashcards in Chapter 5: Security Governance Concepts, Principles, and Policies Deck (34)
What is the purpose of security management planning?
Ensuring the proper creation, implementation, and enforcement of a security policy.
What is the most important key factor in a security plan?
Senior management approval. Without this, it's toothless.
What is a strategic plan?
A long term, fairly stable plan defining the organization's security purpose. Useful for about 5 years if updated annually.
What is a tactical plan?
A midterm plan developed to provide more details on accomplishing the goals of the strategic plan. Useful for about a year, and often prescribes and schedules taks. Includes project, acquisition, hiring, budget, maintenance, support, and system development plans.
What is an operational plan?
A short term, highly detailed plan based on the strategic and tactical plans, valid and useful only for a short time. Includes resource allotments, budgetary requirements, staffing assignments, scheduling, step by step or implementation procedures.
What is security governance?
The collection of practices related to supporting, defining, and directing the security efforts of an organization.
What are the sources of governance?
Some are imposed due to legislative and regulatory compliance needs. Others are imposed by industry guidelines or license requirements.
What are the responsibilities of the senior manager?
Ultimately responsible for the security of the organization
Should be most concerned about the protection of its assets
All activities must be approved by this role
Rarely implements the solutions directly
What are the responsibilities of the security professional?
AKA InfoSec officer or CIRT.
Responsible for following the directives mandated by senior management
Functional responsibility for security, including writing the security policy and implementing it.
Often filled by a team responsible for desigining and implementing security solutions based on an approved security policy.
What are the responsibilities of the data owner?
Responsible for classifying information for placement and protection within the security solution.
Typically a high-level manager ultimately responsible for data protection
Data management is usually delegated to a data custodian
What are the responsibilities of the data custodian?
Responsible for the tasks of implementing the proscribed protection defined by the security policy and senior management.
Backups/testing/deploying security solutions
What are the responsibilities of the user?
Any person who has access to the secured system.
Responsible for understanding and upholding the security policy by following prescribed operational procedures and operating within defined security parameters
What are the responsibilities of the auditor?
Responsible for reviewing and verifiying that the security policy is properly implemented and the security solutions are adequate. Produces compliance and effectiveness reports.
1. Active prevention of unauthorized access to information that is personally identifiable
2. Freedom from unauthorized access to information deemed personal or confidential
3. Freedom from being observed, monitored, or examined without consent or knowledge
What is the CIA Triad?
Confidentiality, Integrity, Availability
What is Confidentiality?
A high level of assurance that data, objects, or resources are restricted from unauthorized subjects.
What is Integrity?
Objects must retain their veracity and be intentionally modified only by authorized subjects.
What are the three perspectives on maintaining integrity?
1. Prevent unauthorized subjects from making modifications
2. Prevent authorized subjects from making unauthorized modifications
3. Maintain internal and external consistency so that data is correct and true
What is Availability?
Authorized subjects are granted timely and uninterrupted access to objects.
More from 218-220?
What is a Security Policy?
A document that defines the scope of security needed by the organization and discusses the assets that need protection and the extent to which security solutions should go to provide the necessary protection.
What are the three categories of security policies?
Regulatory, advisory, and informative
When is a regulatory security policy required?
When industry or legal standards are applicable to your organization.
What is an advisory security policy?
One that discusses behaviors and activities that are acceptable and defines consequences for violations.
What is an informative security policy?
One that is designed to provide information or knowledge about a specific subject, such as company goals, mission statements, or how the organization interacts with partners and customers.
What are security standards?
Definitions of compulsory requirements for the homogenous use of hardare, software, technology, and security controls.
What are the goals of Change Control?
1. Implement changes in a monitored and orderly manner
2. Include a formalized testing process to verify that a change produces expected results
3. All changes can be reversed
4. Users are informed of changes before they occur to prevent lost productivity
5. Effects of changes are systematically analyzed
6. Negative impact of changes on capabilities, functionality, and performance is minimized.
What is the primary objective of data classification?
To formalize and stratify the process of securing data based on assigned labels of importance and sensitivity. Data classification is used to provide security mechanizms for storing, processing, and transferring data, as well as removing and destroying it.
What are the steps of implementing a data classification scheme?
1. Identify the custodian and define their responsibilities
2. Specify the evaluation criteria of how the information will be classified and labeled.
3. Classify and label each resource (by owner, reviewed by supervisor)
4. Document exceptions to the classification policy, integrate them into the policy
5. Select the security controls that will be applied to each classification level to provide necessary protection
6. Specify procedures for declassifying resources or transferring them to an external entity.
7. Create an enterprise wide awareness system