Podcast Beta
Questions and Answers
A standard is a written instruction provided by management that informs employees and others in the workplace about proper behavior.
False
Good security programs begin and end with policy.
True
The ISSP is a plan which sets out the requirements that must be met by the information security blueprint or framework.
False
Each policy should contain procedures and a timetable for periodic review.
Signup and view all the answers
A policy should state that if employees violate a company policy or any law using company technologies, the company will protect them, and the company will provide for the employee's legal defense.
Signup and view all the answers
Having a formal degree or certification in information security is not a requirement for members of the InfoSec department.
Signup and view all the answers
Security training provides general information about security threats to employees.
Signup and view all the answers
The ISO/IEC 27000 series is an original standard and not derived from any earlier standard.
Signup and view all the answers
NIST Special Publication 800-18 Rev. 1 provides general guidelines for developing security plans for federal information systems.
Signup and view all the answers
Managerial controls specify the technical implementation details of security controls.
Signup and view all the answers
Study Notes
Security Policies and Frameworks
- A standard is not a written instruction provided by management that informs employees about proper behavior.
- Good security programs begin and end with policy.
Information Security Programs
- The ISSP (Information Security SSP) is not a plan that sets out the requirements that must be met by the information security blueprint or framework.
- A single, comprehensive ISSP document can cover all information security issues.
Policy Guidelines
- Each policy should contain procedures and a timetable for periodic review.
- A policy should not state that the company will protect employees who violate company policy or law using company technologies, or provide for their legal defense.
Policy Administration
- The policy administrator is responsible for the creation, revision, distribution, and storage of the policy.
- To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and policy issuance and planned revision dates.
Security Training and Certification
- Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
- Not every member of the organization's InfoSec department must have a formal degree or certification in information security.
Security Frameworks and Standards
- The security framework is not a more detailed version of the security blueprint.
- The complete details of ISO/IEC 27002 are not widely available to everyone.
- The ISO/IEC 27000 series is derived from an earlier standard, BS7799.
NIST Guidelines and Frameworks
- NIST 800-14's Principles for Securing Information Technology Systems can be used to ensure key elements of a successful effort are factored into the design of an information security program.
- NIST Special Publication 800-18 Rev. 1 provides templates for major application security plans and detailed methods for assessing, designing, and implementing controls and plans for applications of varying size.
- In 2016, NIST did not publish a new Federal Master Cybersecurity Framework to create a mandatory framework for managing cybersecurity risk for the delivery of critical infrastructure services at every organization in the United States.
Managerial Controls and Defense in Depth
- Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct.
- To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards.
Strategic Planning and Security Policies
- An operational plan does not document the organization's intended long-term direction and efforts for the next several years (strategic plan does).
- Guidelines are not detailed statements of what must be done to comply with policy (standards are).
- A strategic information security policy is also known as an enterprise security policy, and sets the strategic direction, scope, and tone for all security efforts.
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Test your knowledge of information security policies, including management instructions, good security programs, and ISSP documents.