Topic 2 Flashcards
Planning for security
What are the three common levels of planning?
- Tactical planning—A shorter focus than strategic planning (usually one to three years) and breaks down each applicable strategic goal into a series of incremental objectives.
- Strategic planning—The basis for long-term direction for the organization.
- Operational planning—Clearly identified coordination activities across department boundaries, communications requirements, weekly meetings, summaries, progress reports, and associated tasks.
What is InfoSec governance?
Information security governance includes all the accountabilities and methods undertaken by a board of directors and executive management to provide strategic direction, establish objectives, measure progress toward those objectives, verify that risk management practices are appropriate, and validate that the organization’s assets are used properly.
What should a board of directors recommend as an organization’s InfoSec objectives?
- Creating and promoting a culture that recognizes the criticality of information and information security to the organization
- Verifying that management’s investment in information security is properly aligned with organizational strategies and the organization’s risk environment
- Mandating and assuring that a comprehensive information security program is developed and implemented
- Requiring reports from the various layers of management on the information security program’s effectiveness and adequacy
What are the five basic outcomes that should be achieved through InfoSec governance?
- Strategic alignment of information security with business strategy to support organizational objectives
- Risk management by executing appropriate measures to manage and mitigate threats to information resources
- Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
- Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
- Value delivery by optimizing information security investments in support of organizational objectives
Define top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organization?
Top-down strategic planning involves high-level managers providing resources and giving directions. Directors issue policies, procedures, and processes and dictate the goals and expected outcomes of the project, as well as determine who is accountable for each of the required actions. In top-down planning, managers give directions on how projects should be handled, while in bottom-up planning, system administrators give directions on how projects should be handled. Of the two, top-down planning is the more effective security strategy, because it encompasses critical features such as coordination between departments, coordinated plans from top management, provision of sufficient resources, and support from end users.
What is security convergence and why is it significant?
The synergistic combination of physical and logical security functions within an organization is called security convergence. It is significant in that it offers the potential to streamline operations and reduce costs for some organizations.
What is joint application design?
JAD is a systems development approach that incorporates teams of representatives from multiple constituencies, including users, management, and IT, each with a vested interest in the success of the project.
How does the SecSDLC differ from the more general SDLC?
The SecSDLC is more closely aligned with risk management practices and involves extensive effort in identifying specific threats and risks, and subsequent design and implementation of specific controls to counter those threats and assist in management of the risk. SDLC involves the general methodology for design and implementation of an information system in an organization.
What is the primary objective of the SecSDLC? What are its major steps, and what are the major objectives of each step?
The primary objective of the SecSDLC is the identification of specific threats and the risks that they represent and the subsequent design and implementation of specific controls to counter those threats and assist in the management of the risk. The major steps and their objectives are:
* Investigation—Beginning with a directive from upper management specifying the process, outcomes, and goals of the project as well as its budget and other constraints, investigation involves validating the directive and the affirmation or creation of security policies on which the organization’s security program is or will be founded.
* Analysis—The documents from the investigation phase are studied.
* Logical design—The team members create and develop the blueprint for security, and examine and implement key policies that influence later decisions.
* Physical design—Team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final decision.
* Implementation—The security solutions are acquired, tested, implemented, and tested again.
* Maintenance—Information systems are constantly monitored, tested, modified, updated, and repaired. This is the most important phase.
What is an operational security control?
Operational controls deal with the operational functionality of security in the organization. They cover management functions and lower-level planning, such as disaster recovery and incident response planning (IRP). In addition, these controls address personnel security, physical security, and the protection of production inputs and outputs. Operational controls also provide structure to the development of education, training, and awareness programs for users, administrators, and management. Finally, they address hardware and software systems maintenance and the integrity of data.
What is a technical security control?
Technical controls address technical approaches used to implement security in the organization. Operational controls address specific operational issues, such as control development and integration into business functions, while technical controls must be selected, acquired (made or bought), and integrated into the organization’s IT structure. Technical controls include logical access controls, such as those used for identification, authentication, authorization, and accountability.
Why is maintenance needed for information security management systems?
As new threats emerge and old threats evolve, the InfoSec profile of an organization requires constant adaptation to prevent threats from successfully penetrating sensitive data.
