An information security program charter defines four elements:
1 - The program’s purpose and mission
2 - The program’s scope within the organization
3 - Assignment of responsibilities for program implementation
4 - Compliance management
Three industry-standard policy frameworks that stand out because of their scope and wide acceptance within the security community are:
1 - COBIT
2 - ISO/IEC 27000 series
3 - NIST Special Publications
Which of the following is the first step in establishing an information security program?
A - Adoption of an information security policy framework or charter
B - Development and implementation of an information security standards manual
C - Development of a security awareness training program for employees
D - Purchase of security access control software
A - Adoption of an information security policy framework or charter
________ are best defined as high-level statements, beliefs, goals, and objectives.
Policies
What is the difference between risk appetite and risk tolerance?
A - Risk tolerance measures impact and likelihood, whereas risk appetite measures variance from a target goal.
B - Risk appetite measures impact and likelihood, whereas risk tolerance measures variance from a target goal.
C - There is no difference between the two.
B - Risk appetite measures impact and likelihood, whereas risk tolerance measures variance from a target goal.
__________________ indicates how specific the policy is regarding resources or rules.
Granularity
__________________ are formal documents that establish:
Uniform criteria that you can evaluate and measure
Methods to accomplish a goal
Repeatable processes and practices for compliance with policies
Standards
An ________________ standard focuses on an area of current relevance and concern to your company.
issue-specific
The six basic components of an issue-specific standard are:
1 - Statement of an issue
2 - Statement of the organization’s position
3 - Statement of applicability
4 - Definition of roles and responsibilities
5 - Compliance
6 - Points of contact
A ______________ standard, or ____________ standard, is focused on the secure configuration of a specific system, device, operating system, or application.
system-specific, baseline
A _____________ is a written instruction on how to comply with a standard.
procedure
Procedures should be:
Clear and unambiguous
Repeatable
Up to date
Tested
Documented
TF: A single standard often requires multiple procedures to support it.
True
A _______________ is typically one that has not been used for an extended period of time.
dormant account
_______________ are generally not mandatory—failing to follow them explicitly does not lead to compliance issues. Rather, they assist people in developing procedures or processes with best practices that other people have found useful.
Guidelines
The ___________ establishes and maintains security and risk management programs for information resources.
-CISO
-Information resources manager
-Information resources security officer
CISO
The ____________________ maintains policies and procedures that provide for security and risk management of information resources.
-CISO
-Information resources manager
-Information resources security officer
Information resources manager
The _________________ directs policies and procedures designed to protect information resources, identifies vulnerabilities, and develops the security awareness program.
-CISO
-Information resources manager
-Information resources security officer
Information resources security officer
_________________ are responsible for carrying out the program that uses the resources. This does not imply personal ownership. These individuals may be regarded as program managers or delegates for the owner.
Owners of information resources
_______________ provide technical facilities, data processing, and other support services to owners and users of information resources.
Custodians of information resources
______________ provide technical support for security of information resources.
Technical managers (network and system administrators)
________________ conduct periodic risk-based reviews to ensure the effectiveness of information resources security policies and procedures.
Internal auditors
_______________ are typically in areas such as compliance and operational risk. They ensure that security policies result in operational compliance with the organization's risk appetite and regulatory requirements.
Control partners
_______________ have access to information resources in accordance with the owner-defined controls and access rules.
Users