Information Security Policies Overview

Questions and Answers

Which of the following is a physical security control?

Data encryption

Two-factor authentication

Antivirus software

Surveillance cameras (correct)

What is the primary function of a VPN?

To authenticate user identities

To encrypt data (correct)

To monitor network traffic

To provide antivirus protection

Which of the following is used to protect mobile devices within a corporate network?

Firewall systems

DDoS mitigation tools

Endpoint security solutions (correct)

Cloud access security brokers

What do cloud security controls primarily focus on?

Protecting data and workloads in the cloud

Which of the following is a key component of cybersecurity controls?

Intrusion prevention systems

Which feature is NOT typically associated with digital certificates?

Encryption Speed

What is a key characteristic of symmetric-key algorithms?

A secret key is required for data transformation

Which statement is true about hash functions?

They do not use keys for their basic operation

Which of the following is considered a major source of data loss?

Extreme temperature fluctuations

What is one effective method for preventing data interception and theft?

Create password policies

What primarily defines the operation of asymmetric-key algorithms?

They use paired keys for their operations

Which of the following is an example of cryptographic hash function application?

Password verification

What does information classification involve?

Evaluating the data protection level required

What is the role of a Certification Authority (CA)?

Manages domain control and verifies public keys

Which of the following is a recommended practice for proper disposal of sensitive data?

Shred paper records

What is the significance of mobile device security?

Over 50 percent of business PCs are mobile

What defines a hybrid encryption scheme?

Merges two or more encryption systems

Which option correctly describes a type of security control?

Parameters to protect data and infrastructure

What is a digital signature primarily used for?

To provide authenticity and validate identity

What does the ISSP specifically address?

Specific areas of technology

What can be classified as a living organism source of physical loss?

Viruses and bacteria

Which of the following describes data seeding?

Planting synthetic details within a database

What is a key requirement for maintaining an ISSP?

Frequent updates

What distinguishes the Systems-Specific Policy (SysSP) from other types of policies?

It provides detailed technical specifications

What role does a well-structured policy play in an organization?

It conveys management’s intentions

What element is NOT typically a part of a Systems-Specific Policy?

Regulatory compliance

Which statement best describes Access Control Lists (ACLs)?

Specifications of authorized users for technology

What is the primary objective of technical specifications in SysSPs?

To guide implementation of technical controls

What does a policy generally dictate in an organization?

Specific guidelines or instructions

Which type of Access Control List provides more granular control than standard ACLs?

Extended ACLs

What is the purpose of Time-based ACLs?

To allow or deny access based on time constraints

Which of the following is NOT one of the Five Pillars of NIST?

Implement

What are Reflexive ACLs primarily used for?

To allow IP packets to return to the sender

What does the mission of an organization represent?

A written statement of purpose

Which ACL is also referred to as lock-and-key?

Dynamic ACLs

What does strategic planning aim to achieve within an organization?

Aligning resources with organizational vision

Which type of ACL is the simplest form of packet filtering?

Standard ACLs

What does a firewall specifically do?

Selectively discriminates against information flowing into or out of an organization

What term describes an intrusion detection system's failure to identify an actual attack?

False Negative

What is the main purpose of intrusion prevention?

To deter intrusions proactively

What does a digital certificate primarily prove?

The identity of a device, server, or user

Which of the following describes a demilitarized zone (DMZ) in network security?

An intermediary network location for web servers

What process does intrusion correction activities involve?

Restoring normal operations after an intrusion

What is the official name for 3DES as used by NIST?

Triple Data Encryption Algorithm

What does the confidence value in an IDS signify?

The estimated probability of an attack occurring

Study Notes

Information Security Policy, Standards, and Practices

• Organization: A group of people working towards a common goal, with defined acceptable behaviors.
• Policy: Management's intentions communicated to employees, outlining desired security practices.
• Effective Security Program: Formal plan to implement and manage security within an organization.
• Issue-Specific Security Policy (ISSP): Addresses specific technology areas, requiring frequent updates and organizational position statements.
• Systems-Specific Policy (SYSSP): Detailed technical specifications guiding implementation and configuration of a specific technology.
• Policy: Set of guidelines/instructions implemented by senior management.
• Standards: Detailed descriptions of compliance with policy, outlining specifics and procedures.
• Procedures: Methods for accomplishing policies and standards.
• Effective Policies: Include dissemination, comprehension, compliance, and uniform enforcement.

What Drives Policy Development?

• Mission: Written statement of purpose, usually not modified.
• Vision: Written statement of long-term goals, sometimes modified.
• Strategic Planning: Process for moving the organization toward its vision, constantly reworked.
• Security Policy: Set of rules protecting organizational assets.

Types of Information Security Policies

• Information Security Policy: Set of rules protecting organizational information assets.
• Enterprise Information Security Policies: General security policies.
• Issue-Specific Security Policies: Specific technology policies.
• Systems-Specific Security Policies: Configurations of systems.

Access Control List (ACL)

• ACL: A defined set of rules (often abbreviated as ACL).
• Types of ACLs:
  • Standard ACLs: Fundamental packet filtering.
  • Extended ACLs: More granular control than standard ACLs.
  • Dynamic ACLs (lock-and-key): Allow IP packet returns to the sender.
  • Reflexive ACLs: Allow IP packet returns to the sender.
  • Time-based ACLs: Limit access to a network/device based on time of day/week.

Week 11: Planning for Security P2

• The Five Pillars of NIST:
  • Identify: Inventory of IT assets & vulnerabilities.
  • Protect: Measures like MFA and phishing training.
  • Detect: Setup of monitoring solutions (SIEM, IDS).
  • Respond: Automated incident flagging & ticketing.
  • Recover: Time to restore functionality and attack response procedures.

Week 12: Security Technology: Intrusion Detection, Access Control, and Other Security Tools

• Intrusions: Malicious attempts to disrupt or break into a system.
• Intrusion Detection: Procedures/systems for detecting system intrusions.
• Intrusion Reaction: Actions taken upon detecting an intrusion.
• Intrusion Correction: Activities to restore normal operations.
• Intrusion Prevention: Actions to deter intrusions proactively.
• NIDS: Network Intrusion Detection Systems: resides on a network segment to detect attacks.
• NIDS Advantages/Disadvantages:
  • Advantages: Monitor large networks with fewer devices, passively deployed, less susceptible to attacks.
  • Disadvantages: Can be overwhelmed by network traffic, need to monitor all traffic, cannot analyze encrypted packets or detect some attacks like fragmented packets.

Week 13: Cryptography

• Cryptography: Secret writing for secure communication.
• Cryptology: Science of secure comms.
• Cryptanalysis: Science of breaking encrypted comms.
• Cipher: Cryptographic algorithm.
• Unencrypted Message (plaintext).
• Encryption: Converts plaintext to ciphertext.
• Decryption: Converts ciphertext to plaintext.
• Cryptographic Hash Function: Mathematical function for integrity checks and authentication.
• Hash Functions: Common data structures for message integrity and authentication.

Week 14: Cryptography P2

• Digital Certificate: Electronically verifies a device, server, or user's identity using cryptography and PKI.
• Secure Sockets Layer (SSL): Verifies website identity to web browsers.
• Types of Public Key Certificates:
  • TLS/SSL (server-client comms).
  • Domain Validated.
  • Organization Validated.
  • Extended Validation.
• Collision-Free: No two input hashes should produce the same output hash.
• Examples of Cryptographic Hash Functions: Password verification, signature verification, and integrity verification.

Week 15: Physical Security

• Physical Security: Protects personnel, hardware, software, networks, and data from physical threats.
• Major Sources of Physical Loss: Extreme temp, gases, liquids, living organisms, projectiles, movement, energy anomalies, radiation.
• Security Controls: Implemented parameters to protect data and infrastructure.
• Types of Security Controls: Physical, Digital, Cybersecurity, Cloud Security.

Week 16: Implementing Information Security

• Major steps in executing project plan: Planning, supervising tasks, wrapping up.
• Project Planning Considerations: Financial, priority, time, schedule, staff, procurement, organizational feasibility, and training.
• Organizational Feasibility Considerations: Policies, technology, training, scope.
• The Need for Project Management: Specialized skills and broad understanding necessary.
• Technical Topics of Implementation: Technical and human interface aspects.
• Conversion Strategies: Four basic approaches (direct, phased, pilot, parallel).
• The Bull's-Eye Model for Information Security Project Planning: Prioritizing complex changes systematically.

To Outsource or Not, Technology Governance, and Organizational Change

• Outsourcing IT/Information Security: Consideration for complex nature of outsourcing, best vendor/attorneys recommended.
• Technology Governance & Change Control: Managing impact and costs from technology implementation.
• Change Control Considerations: Communication, coordination, unintended consequences, quality of service, and compliance.
• Organization Change Considerations: Steps for organizational change, reducing resistance and developing supporting cultures.

Description

This quiz covers essential concepts of information security policies, standards, and practices within organizations. You will explore the definitions and roles of policies, effective security programs, and specific types of security policies, including issue-specific and systems-specific ones. Test your understanding of how these elements work together to ensure organizational security.