Information Security Program
The entire set of activities, resources, personnel, and technologies used by an organization to manage the risks to its information assets.
Which variable is most influential in how an organization chooses to structure its InfoSec program?
Organizational culture
What are all the variables that determine how an organization structures its InfoSec program?
Organizational culture, organizational size, security personnel budget, and security capital budget.
How does the InfoSec function in large organizations differ from that in small organizations?
InfoSec departments in large organizations tend to be divided among groups, whereas there are fewer groups (or just one) in smaller organizations.
What are the functions performed within the InfoSec department as customer service to the organization and its external partners?
Risk assessment; Systems testing; Incident response planning; Disaster recovery planning; Performance measurement; Vulnerability assessment
What are the functions performed within the InfoSec department as compliance enforcement?
Policy; Compliance/audit; Risk management
According to Kosutic, what are the three options for placing the CISO and their security group in an organization?
1 - In a separate group reporting directly to the CEO/President (most common in large organizations); 2 - Under a division or department with no conflict of interest (most common in mid-to-large organizations); 3 - As an additional duty for an existing manager or executive (most common in smaller organizations).
What are the most critical components of an InfoSec program?
Personnel and their expectations, roles, responsibilities, and credentials
Chief Information Officer (CIO)
Typically considered the top information technology officer in an organization. The CIO is usually an executive-level position, and frequently the person in this role reports to the CEO.
Chief Information Security Officer (CISO)
Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
Chief Security Officer (CSO)
In some organizations, an alternative title for the CISO; in others, the title is most commonly assigned to the most senior manager or executive responsible for both information and physical security.
Security Administrator
A hybrid position comprising the responsibilities of both a security technician and a security manager.
Security Analyst
A specialized security administrator responsible for performing systems development life cycle (SDLC) activities in the development of a security system.
Security Manager
In larger organizations, a manager responsible for some aspect of information security who reports to the CISO; in smaller organizations, this title may be assigned to the only or senior security administrator.
Security technician
A technical specialist responsible for the implementation and administration of some security-related technology.
Security watchstander
An entry-level InfoSec position responsible for the routine monitoring and operation of a particular InfoSec technology. Also known as a security staffer.
What are the most common paths to an InfoSec career?
Military, Law Enforcement, IT, and InfoSec college graduates
Security Awareness
The portion of the SETA program dedicated to keeping users conscious of key InfoSec issues through the use of newsletters, posters, trinkets, and other methods.
Security Education
The portion of the SETA program based on formal delivery of knowledge of InfoSec issues and operations, usually through institutions of higher learning.
Security Education, Training, and Awareness (SETA)
A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for organizational employees.
Security Training
The portion of the SETA program focused on providing users with the knowledge, skill, and/or ability to use their assigned resources wisely to avoid creating additional risk to organizational information assets.
What are the three ways that SETA seeks to enhance security?
1 - By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and their information assets; 2 - By developing skills and knowledge so that computer users can perform their jobs while using information assets more securely; 3 - By improving awareness of the need for and methods to protect information assets.
What issues must an InfoSec educational program address?
1 - The InfoSec educational components required of all InfoSec professionals; 2 - The general education requirements that all IT professionals must have; 3 - General foundational knowledge that all business professionals must understand.
Project Management
The process of identifying and controlling the resources applied to a project as well as measuring progress and adjusting the process as progress is made toward the goal.