Information Security Governance Module 3
45 Questions

Questions and Answers

What is the main purpose of an enterprise information security policy (EISP)?

  • To dictate employee performance reviews
  • To manage an organization’s finances
  • To guide the development and management of the security program (correct)
  • To provide marketing strategies

Formal standards are always published and ratified by a group.

True (A)

What does the term 'security policy' refer to in governmental agencies?

National security and national policies to deal with foreign states

An enterprise information security policy (EISP) is also known as a general ______ policy.

security

Match the types of security policy with their functions:

  • EISP = Guides the overall security program
  • ISSP = Focuses on specific security issues
  • De facto standards = Informal standards adopted by practice
  • De jure standards = Formal standards published and ratified

What is the first priority of incident reaction?

Stopping the incident or containing its scope (D)

The ultimate containment option is used frequently to manage incidents.

False (B)

What is the purpose of incident recovery?

To restore the system to a fully functional state after containment.

To mitigate the impact of an incident, an organization may need to _____ compromised accounts.

disable

Match the incident containment strategies with their appropriate scenarios:

  • Severing affected circuits = Incident originates outside the organization
  • Disabling accounts = Compromised accounts are in use
  • Reconfiguring the firewall = Traffic coming through a firewall
  • Taking down an application = Application or server is propagating the incident

Which action should be taken immediately after an incident is contained?

Identify needed human resources (A)

Incident containment is typically not considered an immediate priority.

False (B)

What process helps to understand how an incident occurred?

Computer forensics

Which of the following NIST publications focuses on managing information security risk?

SP 800-39 (C)

The sphere of use in the spheres of security only pertains to how people access printed documents.

False (B)

What does defense in depth require from an organization's security architecture?

Implementing security in layers, so that an attacker who defeats one control still faces several others.

Information security safeguards provide three levels of control: managerial, operational, and ______.

technical

Match the following NIST publications with their primary focus:

  • SP 800-30 Rev. 1 = Guide for Conducting Risk Assessments
  • SP 800-37 Rev. 1 = Risk Management Framework
  • SP 800-50 = Security Awareness and Training Program
  • SP 800-100 = Information Security Handbook

What is the role of the Security Area Working Group?

To act as an advisory board for security protocols (B)

Technical controls are primarily concerned with establishing the direction of the security process.

False (B)

What does FASP stand for?

Federal Agency Security Practices

Which of the following is NOT part of the recovery process after an incident?

Conduct a damage assessment (C)

Computer forensics is concerned with the collection and preservation of computer-related evidence.

True (A)

What is the foundation of an organization's information security program?

Information security policy (A)

The planning process for information security does not involve the organization’s role during incidents.

False (B)

What is the immediate action called that determines the scope of a breach of information and assets after an incident?

Incident damage assessment

The process of collecting, analyzing, and preserving evidence is known as __________.

computer forensics

What does SETA stand for in the context of information security?

Security Education, Training, and Awareness

Match the items with their corresponding actions in the recovery process:

  • Identify vulnerabilities = Resolve and prevent future incidents
  • Restore services = Bring systems back into operation
  • Restore data = Use backups to recover lost information
  • Continuous monitoring = Ensure ongoing protection and detection

The information security program begins with policy, standards, and practices, which are the foundation for the information security _______.

architecture

Which source can provide information about the type and extent of damage in an incident?

System logs (D)
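Two of the items above, disabling compromised accounts as a containment step and using system logs to judge the type and extent of damage, are easier to see on data than in a quiz answer. The script below is an added example written for this page, not code from the course or the quiz. The log lines, the host-to-address inventory and the "two failed logins followed by a success" heuristic are all constructed assumptions; a real assessment would use the organization's own log sources and compromise indicators.

```python
"""Scoping a compromise from system logs (added example, constructed data).

Walks syslog-style sshd/sudo lines in order and answers the damage-assessment
questions the module raises: which account was compromised, which hosts it
reached, what it ran, over what window, and which accounts to disable as a
containment step.
"""
import re
from collections import defaultdict

# Constructed sample lines in a simplified sshd/sudo syslog format; not real data.
SAMPLE_LOGS = """\
2024-03-01T02:10:05Z web01 sshd: Failed password for jsmith from 203.0.113.7
2024-03-01T02:10:09Z web01 sshd: Failed password for jsmith from 203.0.113.7
2024-03-01T02:10:14Z web01 sshd: Accepted password for jsmith from 203.0.113.7
2024-03-01T02:12:40Z web01 sudo: jsmith : COMMAND=/bin/cat /etc/shadow
2024-03-01T02:15:01Z db01 sshd: Accepted publickey for jsmith from 10.0.0.21
2024-03-01T02:16:30Z db01 sudo: jsmith : COMMAND=/usr/bin/mysqldump --all-databases
2024-03-01T02:20:00Z db01 sshd: Accepted publickey for svc_backup from 10.0.0.21
2024-03-01T08:00:00Z web01 sshd: Accepted publickey for alice from 10.0.0.5
"""

# Assumed asset inventory mapping internal addresses to hostnames (constructed).
HOST_IPS = {"10.0.0.21": "web01", "10.0.0.30": "db01"}

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)")
SUDO = re.compile(r"(?P<user>\S+) : COMMAND=(?P<cmd>.*)")


def scope_incident(log_text, host_ips, failed_threshold=2):
    """Return a damage-assessment summary derived from the log lines.

    Heuristics (assumptions made for this example):
    - a successful login preceded by >= failed_threshold failures for the same
      account from the same source marks the account compromised and the
      source hostile;
    - any later login by a compromised account, from a hostile source, or from
      a host already in scope is treated as part of the incident;
    - sudo commands run by a compromised account are recorded as damage.
    """
    failures = defaultdict(int)          # (user, src) -> failed login count
    compromised, hostile, affected_hosts, suspect = set(), set(), set(), set()
    commands, times = [], []

    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                     # ignore lines outside the expected format
        ts, host, msg = m["ts"], m["host"], m["msg"]

        f = FAILED.search(msg)
        if f:
            failures[(f["user"], f["src"])] += 1
            continue

        a = ACCEPTED.search(msg)
        if a:
            user, src = a["user"], a["src"]
            if failures[(user, src)] >= failed_threshold:
                compromised.add(user)    # brute force that eventually succeeded
                hostile.add(src)
            in_scope = (user in compromised or src in hostile
                        or host_ips.get(src) in affected_hosts)
            if in_scope:
                if user not in compromised:
                    suspect.add(user)    # session opened from a compromised host
                affected_hosts.add(host)
                times.append(ts)
            continue

        s = SUDO.search(msg)
        if s and s["user"] in compromised:
            commands.append((host, s["cmd"]))
            affected_hosts.add(host)
            times.append(ts)

    # Timestamps share one ISO format, so string order is chronological order.
    window = (min(times), max(times)) if times else None
    return {
        "compromised_accounts": sorted(compromised),
        "hostile_sources": sorted(hostile),
        "affected_hosts": sorted(affected_hosts),
        "commands_run": commands,
        "window": window,
        "accounts_to_disable": sorted(compromised | suspect),
    }


if __name__ == "__main__":
    for key, value in scope_incident(SAMPLE_LOGS, HOST_IPS).items():
        print(f"{key}: {value}")
```

On the sample data the script flags `jsmith` as compromised from `203.0.113.7`, shows the account reading `/etc/shadow` on `web01` and dumping every database on `db01`, and adds `svc_backup` to the disable list because its session came from the already-compromised `web01`; `alice`, logging in hours later from an address that is not in scope, is left alone. The point of the ordered pass is the one the quiz makes: the logs establish both the extent of the damage and the account list that the containment step acts on.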

Match the following components of information security planning:

  • Governance = Overall direction and control
  • Incident response = Support during security breaches
  • Disaster recovery = Restoration of IT systems
  • Business continuity = Maintaining essential functions during crises

Which of the following is NOT a focus of information security governance?

Employee profit-sharing (A)

Business Continuity and Disaster Recovery Planning is solely focused on disaster response.

False (B)

What two aspects does Business Continuity and Disaster Recovery Planning focus on?

Strategies and policies

Military data classification schemes are different from those used in private organizations.

True (A)

What are two primary components of security policy?

Standards and practices

What is the primary focus of crisis management during a disaster?

Managing the event from an enterprise perspective (D)

The disaster recovery process is the same as business continuity planning.

False (B)

What is one major activity of the crisis management team?

Supporting personnel and their loved ones during the crisis

The document combining all aspects of the contingency policy and plan is called the __________.

Consolidated Contingency Plan

Match the following functions with their correct descriptions:

  • Crisis Management Team = Manages the event from an enterprise perspective
  • Disaster Recovery = Restores operations after a disaster
  • Business Continuity Planning = Ensures ongoing operations during disruptions
  • Law Enforcement Agencies = Processes evidence in incidents involving legal violations

Which of the following is an advantage of involving law enforcement in a crisis?

They can process evidence more effectively (B)

Small organizations should only store their contingency plans electronically.

False (B)

What should be done with the Consolidated Contingency Plan to ensure its accessibility during a crisis?

It should be stored electronically in a secure off-site location so that authorized personnel can reach it via the Internet when the primary site is unavailable.

Flashcards

Enterprise Information Security Policy (EISP)

A high-level document that outlines an organization's overall approach to information security.

Issue-Specific Security Policy (ISSP)

A policy that addresses a specific technology or issue (for example, e-mail or Internet use), stating acceptable use and the requirements for protecting it.

Security Policy

A set of rules for protecting an organization's assets, including information and technology.

Ratification

The formal approval of a standard by a recognized body; it is what distinguishes a de jure standard from a de facto one.

De facto Standard

A standard that is widely adopted in practice but has not been formally published or ratified.

Information Security Planning

The systematic and comprehensive approach to establishing and maintaining an organization's information security program.

Information Security Governance

The overall framework and rules for managing and overseeing an organization's information security.

Information Security Policy

The foundation of an organization's information security program, defining the principles and objectives.

Information Security Standards

Detailed statements of what must be done to comply with policy; more specific than the policy itself, and either de facto or de jure.

Information Security Practices

Along with procedures and guidelines, the examples and explanations of how to comply with policies and standards.

Information Security Blueprint

A high-level plan that outlines the overall security architecture and approach.

Information Security Alignment

The process of aligning information security with business objectives.

Information Security Lifecycle

A continuous process of planning, implementing, monitoring, and improving information security efforts.

Incident Reaction

The initial response to a security incident, focusing on stopping the incident or limiting its impact.

Incident Containment

The act of preventing an incident from spreading or causing further damage.

Incident Containment Strategies

Strategies used to confine an incident to a specific system or network.

Incident Recovery

The process of restoring systems and data to their pre-incident state.

Computer Forensics

The collection, analysis, and preservation of computer-related evidence, used to establish how an incident occurred.

Incident Response Plan (IRP)

A plan that outlines the steps to be taken in response to a security incident.

Key Personnel

The staff the incident response plan designates to act during an incident; once an incident is contained, the first recovery step is to identify the people needed and bring them into action.

Incident Documentation

The process of documenting actions taken during an incident response.

SP 800-39: Managing Information Security Risk

A framework that helps organizations manage information security risks by addressing organizational structure, mission, and information systems.

SP 800-50: Building an Information Technology Security Awareness and Training Program

This NIST guide provides recommendations for building comprehensive awareness and training programs for information security within organizations.

Defense in Depth

A security architecture built in layers, so that an attacker who defeats one control still meets several more before reaching the information; no single control is ever the only barrier.

Managerial Controls

These controls set the strategic direction for information security within an organization.

Operational Controls

These controls focus on the practical implementation of information security measures, like physical security.

Technical Controls

These controls use technology to implement security measures, such as firewalls and encryption.

Levels of Controls

The three levels at which safeguards are applied: managerial (setting direction), operational (day-to-day implementation), and technical (controls implemented in technology).

Spheres of Security

A model of where information is exposed: the sphere of use (people, systems, networks, and the Internet reaching information in any form, not only printed documents) and the sphere of protection (the layered controls placed between them).

Incident Damage Assessment

The process of determining the extent of damage to information and assets after a security incident, including evaluating the impact on confidentiality, integrity, and availability.

Vulnerability Resolution

The process of identifying vulnerabilities that allowed an incident, fixing them to prevent future incidents.

Safeguard Enhancement

Evaluating and improving safeguards that failed or were missing during an incident, enhancing security measures to prevent similar incidents.

Monitoring Enhancement

Improving monitoring capabilities to detect and report security events more effectively, ensuring quicker identification of future threats.

Data Restoration

Restoring data from backups to recover from a security incident, ensuring business continuity and data availability.

Service and Process Restoration

The process of restoring critical services and business processes after a security incident, ensuring operational continuity.

Business Continuity and Disaster Recovery Planning

Strategies, policies, and procedures for an organization to respond to threats and disruptive events, minimizing negative impacts.

Crisis Management

Actions taken during and after a disaster that focus on the people involved and the viability of the business, as distinct from disaster recovery, which restores IT systems.

Crisis Management Team

A team responsible for managing the overall impact and response to a disaster, including communication and support for personnel.

Disaster Recovery (DR)

The process of restoring an organization's business operations after a disaster, involving recovery of critical functions and data.

Consolidated Contingency Plan

A document that combines all aspects of contingency planning, including incident response, disaster recovery, and business continuity.

Business Continuity (BC)

A plan that ensures the continuity of critical business functions in the event of a disaster, allowing the organization to operate despite disruption.

Incident Response (IR)

Encompasses the actions taken to respond to an incident, such as a security breach or system failure.

Law Enforcement Involvement

Occurs when an attack, breach of policy, or incident violates the law or involves criminal activity.

Study Notes

Module 3 Goals

  • At the end of this module, students should be able to identify key terminologies in information security governance
  • Identify information security policies, standards, and practices of an organization
  • Describe the importance of security education, training, and awareness programs

Focal Points

  • This module presents several widely accepted security models and frameworks
  • It examines best business practices and standards of due care and due diligence
  • It provides an overview of security policy development
  • Explains data classification schemes
  • Includes security education, training, and awareness (SETA) programs
  • Explains planning processes for business continuity, disaster recovery, and incident response
  • Outlines the organization's role during incidents
  • Specifies when to involve outside law enforcement agencies

Lesson 1

  • Information Security Planning and Governance

Lesson 2

  • The Information Security Blueprint

Lesson 3

  • Security Education, Training, and Awareness Program

Lesson 4

  • Continuity Strategies

Information Security Planning and Governance

  • An organization's information security effort succeeds when it is built on a security policy and the standards and practices that support it; together these establish the organization's security architecture and blueprint.

Information Security Blueprint

  • The blueprint is the basis for the design, selection, and implementation of every element of the security program, including policy, education and training, and technical controls. It states the program's purpose, scope, and applicability.

Security Education, Training, and Awareness Program

  • This program is crucial for reducing security breaches through training and awareness activities.

Continuity Strategies

  • Contingency planning (CP) is critical for managers to assure continuous availability of information systems, especially during potential attacks. This includes incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning (BCP).

Key Terms

  • Strategic Planning
  • Operational Planning
  • Tactical Planning
  • Strategic Plan
  • Operational Plan
  • Tactical Plan
  • Governance
  • Information Security Governance
  • Policy
  • Guidelines
  • Practices
  • Procedures
  • Standard
  • Enterprise Information Security Policy (EISP)
  • Issue-specific Security Policy (ISSP)
  • Systems-specific Security Policies (SysSPs)
  • Access Control List (ACL)
  • Information Security Blueprint
  • Information Security Framework
  • Defense In Depth
  • Security Education, Training, and Awareness (SETA)
  • Contingency Planning (CP)
  • Business Continuity Plan (BC Plan)
  • Business Continuity Planning (BCP)
  • Disaster
  • Disaster Recovery Plan (DR Plan)
  • Disaster Recovery Planning (DRP)
  • Incident Response Plan (IR Plan)
  • Incident Response Planning (IRP)
  • Business Impact Analysis (BIA)

Description

This quiz covers essential concepts in information security governance, including key terminologies, policies, and standards. Students will explore widely accepted security models, the importance of training programs, and how to handle incidents effectively. Assess your knowledge of governance best practices and security frameworks.
