Information Security Planning


Questions and Answers

What is the primary goal of Information Security Governance (ISG)?

  • To implement specific security technologies across the organization.
  • To ensure all employees are properly trained in security protocols.
  • To manage the daily operations of the IT department.
  • To provide strategic direction and establish objectives for measuring progress. (correct)

Which of the following is validated by Information Security Governance?

  • The frequency of security awareness training sessions.
  • The selection of specific software vendors.
  • The appropriateness of Risk Management (RM) practices and proper asset usage. (correct)
  • Employee compliance with industry certifications.

Which of the following is NOT typically considered an ISG outcome?

  • Performance Measurement
  • Technical Support (correct)
  • Resource Management
  • Strategic Alignment

What is the relationship between policies and the law?

  • Policies must never contradict the law and must be able to stand up in court. (D)

Which of the following best describes the function of a security policy?

  • An organizational law that dictates acceptable and unacceptable behavior. (B)

Which of the following provides detailed minimum specifications for compliance with a policy?

  • Standard (A)

Which of the following is the most accurate description of a security guideline?

  • A recommendation or suggestion on how to comply with a policy. (C)

What is the purpose of a security procedure?

  • To provide step-by-step instructions for compliance. (D)

An effective and legally enforceable policy requires which of the following?

  • Uniform enforcement and industry-accepted development practices. (A)

What is the purpose of the 'Comprehension' criterion in creating an effective policy?

  • To ensure the policy is easily understood by all members of the organization. (A)

What is the primary focus of an Enterprise Information Security Policy (EISP)?

  • Setting the overall security direction for the organization. (B)

Which document typically drafts the Enterprise Information Security Policy (EISP)?

  • The Chief Information Officer (CIO) (D)

What is the purpose of addressing compliance in an Enterprise Information Security Policy (EISP)?

  • To ensure the requirements for establishing a program and assigning responsibilities are met. (A)

What is the main purpose of an Issue-Specific Security Policy (ISSP)?

  • To address specific security issues within the organization. (A)

Why do Issue-Specific Security Policies (ISSPs) require frequent updates?

  • To reflect rapid changes in technology. (C)

What is a System-Specific Security Policy (SysSP)?

  • A technical policy designed for specific systems or devices. (C)

What determines whether a System-Specific Security Policy (SysSP) requires organizational-wide approval?

  • Whether it alters minimum configuration settings in a system. (A)

Why must policies be managed so that they are constantly updated?

  • Because organizational needs and risks continuously evolve. (A)

To remain viable, which of the following elements should policies have?

  • A responsible manager, a schedule of reviews, and automated policy management. (A)

What is the purpose of including a policy issuance and revision date on a security policy?

  • To identify which version of the policy is current. (A)

Flashcards

Information Security Governance

Responsibilities and practices by the board and executive management to provide strategic direction and measure progress.

Policy

Organizational law dictating acceptable and unacceptable behavior, sanctioned by management.

Standard

Detailed statements specifying what must be done to comply with policy; prescribes minimum specifications for compliance.

Guideline

Explanations of how to comply with policy with recommendations for compliance.

Procedure

Step-by-step instructions for compliance.

Enterprise Information Security Policy (EISP)

High-level security policy setting the overall security direction for the entire organization.

Information Systems Security Policy (ISSP)

Addresses specific security issues within the organization.

System-Specific Security Policy (SysSP)

Technical policies designed for specific systems or devices.

Policy Reviews

An essential component for policy viability.

Study Notes

  • IS planning includes information security governance, policies, standards, guidelines, and procedures

Information Security Governance

  • Governance involves responsibilities and practices by the board and executive management
  • The goal of governance is to provide strategic direction, set objectives, and measure progress
  • Governance validates the appropriateness of risk management practices and proper asset use
  • ISG outcomes include strategic alignment (SA), risk management (RM), resource management (PM), value delivery (VD) and performance measurement

Policies, Standards, Guidelines and Procedures

  • Management from all communities of interest should treat policies as the basis for IS planning, design, and deployment
  • Policies direct how to address issues and use technologies
  • Policies should never contradict the law, must be able to stand up in court and must be properly administered
  • Security policies are the least expensive but most difficult controls to implement

Policy

  • Functions as organizational law defining acceptable and unacceptable behavior
  • Policies are sanctioned by management
  • An example of such a policy is employees using strong passwords, changing them regularly, and protecting them against disclosure

Standard

  • Comprises more detailed statements for policy compliance
  • Includes detailed minimum specifications for compliance
  • An example of a standard is passwords being at least 18 characters long and changed every 90 days

Guideline

  • Effectively explains how to comply with policy
  • Gives recommendations for compliance
  • For example, using Diceware to help generate a passphrase

Procedure

  • Provides step-by-step instructions for compliance
  • For example, "click on... then click on... then click on save" within Windows

Criteria for Effective Policy

  • Development (industry-accepted)
  • Dissemination (distribution)
  • Review (reading)
  • Compliance (agreement)
  • Comprehension (understanding)
  • Uniform enforcement (fairness in application)

Types of Policies

Enterprise Information Security Policy (EISP)

  • A high-level security policy that sets the overall security direction for the entire organization
  • Sets strategic direction, scope, and tone for all security efforts
  • Executive-level document drafted by or with the CIO
  • Addresses general compliance for meeting requirements, establishing programs, and assigning responsibilities
  • Addresses use of specific penalties and disciplinary actions
  • Elements should include an overview of corporate security philosophy, information on the structure of the organization, articulated responsibilities for all members of the organization and unique elements for each role in the organization

Information System Security Policy (ISSP)

  • Addresses specific security issues within the organization
  • Addresses specific areas of technology
  • Requires frequent updates and contains a statement on the organization's position on specific issues
  • Common approaches include creating several independent ISSPs, a single comprehensive ISSP, or a modular ISSP

System Specific Security Policy (SysSP)

  • These are technical policies designed for specific systems or devices
  • Can operate as the standards or procedures used when configuring or maintaining systems
  • Are divided into two groups: managerial guidance (separation of duties, etc.) and technical specifications
  • Functions as a minimum configuration setting in a system
  • Typically does not require organizational-wide approval

Policy Management

  • Policies must be managed and updated to remain viable
  • A responsible manager, a schedule of reviews, a method for making recommendations for review and automated policy management are needed
  • Policies must have a policy issuance and revision date
