Information Security: The Six P's


Questions and Answers

Which of the following is NOT one of the 'six P's' of information security management?

  • Policy
  • Protection
  • Planning
  • Performance (correct)

Incident response planning is considered a type of InfoSec plan.

True (A)

What does the acronym ISSP stand for in the context of information security policies?

Issue-specific security policy

A security education, training, and awareness program is also known as a ______ program.

SETA

Match the category of policy with its description:

  • EISP = Broad security guidelines for an organization
  • ISSP = Policies addressing specific security issues
  • SysSPs = Policies tailored to specific systems

Which of the following is an example of how protection is executed in information security?

Through risk management activities. (D)

Technology is not as important as people in information security.

False (B)

In project management for information security, what is required to meet the project requirements?

Application of knowledge, skills, tools, and techniques to project activities

In project management terms, the resources needed to complete a project involve a temporary ______ of resources.

assemblage

Match the types of connections with their primary role in managing information boundaries

  • Intranet = Connections within business units
  • Extranet = Connections to business partners
  • VPN = Remote connections for staff

Which element is considered the most critical in an information security program?

People (A)

Project management is unnecessary for information security programs.

False (B)

What is the purpose of 'planning' as a part of InfoSec management?

To support the design, creation, and implementation of information security strategies

A complete physical security program includes fire protection, physical access control, and ______.

guards

Match the type of InfoSec plan with the corresponding situation:

  • Incident response plan = Responding to malware infections
  • Disaster recovery plan = Recovering systems after a natural disaster
  • Business continuity plan = Maintaining operations during an outage

In the context of the 'six P's', which element focuses on the application of risk assessment and specific controls within an information security plan?

Protection (C)

All aspects of information security can be managed as projects.

False (B)

What is the primary purpose of an Enterprise Information Security Policy (EISP)?

To set broad security guidelines for an organization

Identifying and controlling the resources applied to projects is a key part of ______ management.

project

Match the following terms with the context of Info Security Management:

  • Confidentiality = Ensuring information is accessible only to authorized users
  • Integrity = Maintaining the accuracy and completeness of information
  • Availability = Ensuring that authorized users have reliable and timely access to information when needed

Flashcards

The Six P's

The extended characteristics of information security: Planning, Policy, Programs, Protection, People, and Project Management.

Planning (InfoSec)

Activities to support the design, creation, and implementation of information security strategies.

Policy

A guiding principle or set of rules designed to influence and determine all major decisions and actions.

Programs (InfoSec)

InfoSec operations that are specifically managed as separate entities, such as a security education, training, and awareness (SETA) program.

Protection (InfoSec)

Executed through risk management activities, including risk assessment, control, protection mechanisms, technologies, and tools.


People (InfoSec)

The most critical link in the information security program; includes security personnel and the security of personnel, as well as aspects of a SETA program.

Project Management

Identifying and controlling the resources applied to a project, which includes measuring progress and adjusting the process as progress is made.

Enterprise Information Security Policy (EISP)

A general category of policy that focuses on strategic, organization-wide issues.

Issue-Specific Security Policy (ISSP)

A general category of policy that focuses on specific security issues.

System-Specific policies (SysSPs)

A general category of policy that focuses on specific systems or devices.

Study Notes

  • The extended characteristics of information security are known as the six P's

The Six P's

  • Planning
  • Policy
  • Programs
  • Protection
  • People
  • Project Management

Planning

  • Planning is part of InfoSec management and is represented in the InfoSec planning model
  • Planning activities are necessary to support the design, creation, and implementation of information security strategies

Types of InfoSec plans

  • Incident response
  • Business continuity
  • Disaster recovery
  • Policy
  • Personnel
  • Technology rollout
  • Risk management
  • Security program
  • Security programs include education, training, and awareness

Policy

  • Policies are sets of organizational guidelines that dictate certain behaviors within the organization

Three general categories of policy

  • Enterprise information security policy (EISP)
  • Issue-specific security policy (ISSP)
  • System-specific policies (SysSPs)

Programs

  • InfoSec operations are specifically managed as separate entities
  • A security education training and awareness (SETA) program is an example

Other Program Types

  • Physical security
  • Includes fire protection and physical access control via gates and guards

Protection

  • It is executed through risk management activities
  • It includes risk assessment and control, protection mechanisms, technologies, and tools
  • Each mechanism represents some aspect of the management of specific controls in the overall information security plan

People

  • This is the most critical link in the information security program
  • Managers must recognize the crucial role that people play in the information security program
  • Includes security personnel and the security of personnel, as well as aspects of a SETA program

Project Management

  • Identifying and controlling the resources applied to the project
  • Measuring progress
  • Adjusting the process as progress is made

Project Management Aspects

  • Each element of an information security program is managed as a project
  • Some aspects of information security are not project-based; they are managed processes (operations)
  • Taken together, an information security program is a continuous series, or chain, of projects

Project Management Definition

  • The application of knowledge, skills, tools, and techniques to project activities to meet project requirements
  • Accomplished through the use of processes such as initiating, planning, executing, controlling, and closing
  • Involves the temporary assemblage of resources to complete a project
  • Some projects are iterative, occurring regularly

Managing Information Boundaries

  • Intranet connections to other business units
  • Extranets to business partners
  • Remote connections to staff working off-site
  • Virtual Private Networks (VPNs)
  • Customer networks
  • Supply chains
  • Service Level Agreements, outsourcing contracts, arrangements
  • Third-party access

Info Security Management Context

  • The context includes the public, internal management, customers, employees, stakeholders, and internal auditors
  • It also includes integrity, confidentiality, availability, and risk
  • The outer ring of the context model includes litigation
