1
Q
This is responsible for ensuring that the IAP is developed and implemented in accordance with regulatory and business requirements; allocates resources and foster commitment to the IAP
A
Chief Executive Officer (CEO)
2
Q
This is responsible for the execution of overall IT program and delegate authority to the CISO for the management of the IAP
A
Chief Information Officer (CIO)
3
Q
This is the focal point for IT management and governance of IT portfolios
A
Chief Information Officer (CIO)
4
Q
Responsibilities of a Chief Information Officer (CIO)
A
- It’s responsible for: Ensuring information security management processes are integrated with
strategic and operational planning processes. - This is responsible for ensuring trained personnel is sufficient to assist in complying with the information assurance requirements in related legislation, policies, directives, instructions, standards, and guidelines
- This is responsible for coordinating with senior management to report annually to the head of the federal agency on the overall effectiveness of IAP, including progress of remedial actions
5
Q
This carries out the CIO’s security and privacy responsibilities under FISMA and is responsible for managing the IAP
A
Chief Information Security Officer (CISO)
6
Q
Characteristics of a Chief Information Security Officer (CISO)
A
- This possess professional qualifications, including training and experience, required to administer the IAP functions
- This maintain information assurance duties as a primary responsibility
- This heads an office with the mission and resources to assist the organization in achieving more secure information and information systems in accordance with FISMA and Privacy Act requirements
7
Q
What does FISMA mean
A
Federal Information Security Management Act
8
Q
Responsibilities of CISO
A
- Develop an organization-wide IAP that provides adequate security for all information systems
- Centralized reporting of information security-related activities
- Develop and maintain information security and privacy policies
- Define specific security requirements, tools, templates, and checklists to support the IAP
- Ensure that personnel with significant system security responsibilities are trained
- Assist senior management concerning security responsibilities
- Ensure implementation of information privacy and security protections as required by the Privacy Act, FISMA, and memoranda
- Monitor security incidents and provide assistance when required
- Manage the Office of Information Technology (OIT) audits and program reviews; support Office of the Inspector General (OIG) investigations
- Report to the CIO and other senior management on the effectiveness of IAP and developing and submitting the annual FISMA report
9
Q
This is appointed by the CEO and is granted the authority to formally assume responsibility for operating an information system at an acceptable level of risk
A
Authorizing Official
10
Q
True or false: The AO has budgetary oversight for an information system and is responsible for the mission/business operations supported by the system
A
True
11
Q
They approve systems security plans (SSPs), memorandums of agreement or understanding (MOA/MOU), and plans of action and milestones (POA & Ms).
A
Authorizing Official
12
Q
True or false: AOs can deny authorization to operate an information system if unacceptable risks exist
A
True
13
Q
True or False: It is possible that a particular information system may involve multiple AOs
A
True
14
Q
Responsibilities of the AO
A
- Ensure the security posture of the Agency’s information systems is maintained
- Reviewing security status reports and security documents and determining if the risk to the Agency of operating the system remains acceptable
- Reauthorizing information systems when required
- Assisting in response to security incidents and privacy breaches
- Appointing, when required, a designated representative to coordinate and carry out system security responsibilities
15
Q
Appointed by the CEO and serves as the focal point for the information system and is the central point of contact during the security authorization process
A
Information System Owner (ISO)
16
Q
Responsibilities of the ISO
A
- Coordinating data protection requirements with Information Owners (IOs) that have information stored and processed in the system
- Deciding, in coordination with the IO and Information System Security Officer (ISSO), who has access to the system. Determining access privileges and rights to the system
- Ensuring that system users and support personnel receive the required security training
- Ensuring that the system is compliant with the required security controls
- Appointing an ISSO for the information system to carry out the day-to-day security responsibilities
- Reviewing system security documents
- Ensuring that system-specific security training is provided to the users and administrators of the systems
- Ensuring that remediation activities for the system are performed as needed to maintain the authorization status
- Appointing an Information System Security Manager (ISSM) to coordinate system security task and provide oversight responsibilities to ensure security activities are performed
17
Q
This is an official with regulatory, management, or operational authority for specified information and is responsible for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.
A
Information Owner
18
Q
Responsibilities of Information Owner (IO)
A
- Providing input to ISOs regarding the security requirements and controls for
the systems where the information is processed, stored, or transmitted. - Retaining information in accordance with the National Archives and
Records Administration (NARA) record schedule. - Categorizing the sensitivity level5 of the information stored and
processed in the system. - Establishing rules for appropriate use and protection of the information.
- Coordinating with the ISO when security requirements change.
- Assisting in the response to security incidents.
- Ensuring that the PII inventory is updated.
19
Q
Appointed by the ISO and works closely with the ISO or ISSM to ensure that the appropriate security posture is maintained for the information system
A
Information System Security Officer
20
Q
True or False: The Information System Security Officer (ISSO) serves as a principal advisor on all the security related issues of an information system
A
True
21
Q
This supports activities at the system level and includes physical and environmental protection, personnel security, incident handling, and security training and awareness
A
Information System Security Officer (ISSO)
22
Q
Responsibilities of the Information System Security Officer (ISSO)
A
- Ensuring system compliance with security policies and procedures.
- Managing and controlling changes to the system.
- Assessing the security impact of any changes.
- Monitoring the system and its environment.
- Developing and updating the SSP.
- Coordinating with and supporting the ISO with security responsibilities.
- Preparing or overseeing the preparation of system security documents7 and
security activities. - Developing security policies and procedures that are consistent with IA policies.
- Performing or overseeing remediation activities to maintain the authorization status.
- Assisting the ISO assemble the security authorization package for submission to
the AO. - Assisting in the investigation of security incidents.
23
Q
This serves as the primary liaison for the CISO to individuals with security and privacy responsibilities and supports activities at the IAP level
A
Information Assurance Manager (IAM)
24
Q
Responsibilities of the Information Assurance Manager (IAM)
A
- Monitoring compliance with Federal requirement and IA policies.
- Providing guidance on the implementation of IA policies.
- Providing security and privacy training.
- Investigating system security and privacy incidents.
- Providing support for audits and reviews.
- Managing the vulnerability management program.
25
This coordinates system security task and provide oversight responsibilities to ensure security activities are performed and serves as the liaison between the Information System Security Officer (ISSO) and the Information System Owner (ISO)
The ISSO (contractor) coordinates directly with the ____ for all system security related issues
Information System Security Manager (ISSM)
26
Responsibilities of the Information System Security Manager (ISSM)
Providing oversight of system security activities performed by the ISSO.
* Acting as the liaison between the IAM and the ISSO.
* Monitoring system compliance with Information Assurance policies and federal
guidance.
27
This is nominated by the Agency and assists the Contracting Officer (CO) by
Acting as a technical liaison between the CO and the contractor.
* Providing technical assistance.
* Performing onboarding and off boarding activities for the contractors assigned to the
contract.
* Ensuring that contractors have the proper background investigations before
accessing information or systems.
* Ensuring that contractors properly maintain information and information systems in
accordance with the IAP.
Contracting Officer's Representative (COR)
28
This conducts assessments of the security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with
respect to meeting the security requirements for the system).
Security Assessment Team
29
Responsibilities of a Security Assessment Team (SAT)
* Developing a security assessment plan for each subset of security controls
that will be assessed.
* Submitting the security assessment plan for approval prior to conducting the
assessment.
* Conducting the assessment of security controls as defined in the
security assessment plan.
* Providing an assessment of the severity of weaknesses or deficiencies
discovered in the information system.
* Recommending corrective actions to address identified vulnerabilities.
* Preparing the final security assessment report containing the results
and findings from the assessment
30
This stipulates the constraints and practices that an employee using organizational IT assets must agree to in order to access to the corporate network or the internet
Acceptable Use Policy (AUP)
31
True or False: Acceptable Use Policy (AUP) is standard on boarding policy for new employees. They are given an AUP to read and sign before being granted a network ID. An example of this can be found at SANS
True
32
This outlines the access available to employees in regards to an organization's data and information systems. An example of this policy is available at IAPP
Access Control Policy (ACP)
33
Topics included in Access Control Policy
NIST's Access Control, Implementation Guides, standards for user access, network access controls, operating system software controls, and the complexity of corporate passwords.
34
This refers to a formal process for making changes to IT, software development, and security services/operations. The goal of this is to increase the awareness and understanding of proposed changes across an organization, and to ensure that all changes are conducted methodically. A good example of this is at SANS
Change Management Policy
35
High-level policies that can never cover a large number of security controls. This is issued by the company to ensure that all employees who use information technology assets within the breadth of the organization comply with its stated rules and guidelines. This is designed for employees to hold them accountable with regard to the sensitivity of the corporate information and IT assets
Information Security Policy
36
This is an organized approach to how the company will manage an incident and remediate the impact to operations. The goal of this policy is to describe the process of handling an incident with respect to limiting the damage to business operations, customers, and reducing recovery time costs
Incident Response (IR) Policy
37
This is a document which outlines and defines acceptable methods of remotely connecting to an organization's internal networks. This is a requirement for organizations with dispersed networks (i.e., local coffee house or unmanaged home networks). An example of this is available at SANS
Remote Access Policy
38
A document that is used to formally outline how employees can use the business' chosen electronic communication (email, blogs, social media, and chat technologies). The primary goal of this policy is to provide guidelines on what is considered acceptable and unacceptable use of any corporate communication technology. An example is available at SANS
Email/Communication Policy
39
This include both cybersecurity and IT teams' input and will be developed as part of the larger business continuity plan. An example of this is available at SANS
Disaster recovery policy
40
This will coordinate efforts across the organization and will use the disaster recovery plan to restore hardware, applications, and date deemed essential
Business Continuity Plan (BCP_
41
Everything related to IT security and the security of related physical assets
Information Assurance Policy
42
Purpose of Information Assurance Policy
* Create an overall approach to information security.
* Detect and preempt information security breaches such as misuse of networks, data,
applications, and computer systems.
* Maintain the reputation of the organization, and uphold ethical and legal responsibilities.
* Respect customer rights, including how to react to inquiries and complaints about non-
compliance.
43
You may also
specify which audiences are out of the scope of the information assurance policy (for example, staff in another
business unit which manages security separately may not be in the scope of the policy).
Audience of Information Assurance Policy
44
Three main objectives of information assurance
Confidentiality, Integrity, Availability
45
Only individuals with authorization can and should access data and information assets
Confidentiality
46
Data should be intact, accurate and complete, and IT systems must be kept operational
Integrity
47
Users should be able to access information or systems when needed
Availability
48
What authority and access control policy?
A senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager vs a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.
Hierarchical pattern
49
Users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens
Network Security Policy
50
The policy should classify data into categories, which may include "top secret, "secret" "confidential" and public
Data classification
51
What are the objectives of data classification
* To ensure that sensitive data cannot be accessed by individuals with
lower clearance levels.
* To protect highly important data, and avoid needless security
measures for unimportant data.
52
What are different data support and operations
Data protection regulations, Data backup, Movement of Data
53
systems that store personal data or other sensitive data must be protected according to organizational standards, best practices, industry compliance standards and relevant regulations (Encryption, Firewall, Anti-Malware Protection)
Data protection regulations
54
Encrypt data backup according to industry best practices. Securely store backup media, or move backup to secure cloud storage
Data backup
55
Only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted across a public network .
Movement of data
56
Share IT security policies with staff. Conduct training sessions to inform employees of security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification
Security awareness and behavior
57
Examples of security awareness and behavior
Social Engineering, Clean Desk Policy, Acceptable Internet Usage Policy
58
Place special emphasis on the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing and reporting such attacks
Social Engineering
59
Secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so documents do not fall into the wrong hands
Clean desk policy
60
Define how the internet should be restricted. Block unwanted websites using a proxy
Acceptable Internet Usage Policy
61
Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy
Responsibilities, rights, and duties of personnel
62
What are the 9 best practices for drafting information security policies
1. Information and Data Classification
2. IT operations and Administration
3. Security Incident Response Plan
4. SaaS and cloud policy
5. Acceptable use Policies (AUPs)
6. Identity and Access Management (IAM)
7. Data Security Policy
8. Privacy Regulations
9. Personal and Mobile Devices
63
Can make or break security program. Poor information and data classification may leave system open to attacks. Lack of inefficient management of resources might incur expenses. A clear classification policy helps organizations take control of the distribution of their security assets
Information and Data Classifcation
64
Should work together to meet compliance and security requirements. Lack of cooperation may lead to configuration errors. Teams that work together can coordinate risk assessment and identification through all departments to reduce risks
IT operations and administration
65
Helps initiate appropriate remediation actions during security incidents. A security incident strategy provides a guideline, which includes initial threat response, priorities identification, and appropriate fixes
Security incident response plan
66
Provides the organization with clear cloud and SaaS adoption guidelines, which can provide the foundation for a unified cloud ecosystem. This policy can help mitigate ineffective complications and poor use of cloud resources
SaaS and cloud policy
67
Helps prevent data breaches that occur through misuse of company resources. Transparent AUPs help keep all personnel in line with the proper use of company technology resources
Acceptable Use Policies
68
Let IT admins authorize systems and applications to the right individuals and let employees know how to use and create passwords in a secure way. A simple password policy can reduce identity and access risks.
Identity and Access Management (IAM) regulations
69
Outlines the technical operations of the organization and acceptable use standards in accordance with the Payment Card Industry Data Security Standard (PCI DSS) compliance
Data Security Policy
70
Government-enforced regulations such as the General Data Protection Regulation (GDPR) protect the privacy of end users. Organizations that don't protect the privacy of their users risk losing their authority and may be fined.
Privacy regulations
71
Companies that encourage employees to access company software assets from any location, risk introducing vulnerabilities through personal devices such as laptops and smartphones. Creating a policy for proper security of personal devices can help prevent exposure to threats via employee-owned assets
Personal and mobile devices
72
ITE18 - Information Assurance and Security
flashcards
Decks in class (6)
# Cards
