InfoSec 5

buntfu's version from 2012-03-10 20:19


Question | Answer
Strategic planning is the process of moving the organization towards its ____ | vision
Sets out the long-term direction to be taken by the whole organization and by each of its component parts. | Strategic planning
Are living documents that must be managed. | Policies
Often function as standards or procedures to be used when configuring or maintaining systems. | SysSPs (System-Specific Policies)
Standards may be published, scrutinized, and ratified by a group, as in formal or ____ standards | de jure
The ____ is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. | EISP (Enterprise Information Security Policy)
Organization must instruct employees on the proper use of these technologies and processes. | ISSP (Issue-Specific Security Policy)
Effective management includes planning and ____ | organizing, leading, controlling
Regulating the use of e-mail, the storage of materials, the authorized monitoring of employees, and the physical and electronic scrutiny of e-mail and other electronic documents. | System Management
Is a plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties. | Policy
The policy champion and manager is called the ____________. Typically a midlevel staff member and is responsible for the creation, revision, distribution, and storage of the policy. | Policy Administrator
Should be defined and published as part of the document. Typically a policy should be reviewed at least annually to ensure that it is still an effective control. | Schedule of Reviews
SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and security principles that can direct the security team in the development of a security ____ | blueprint
The stated purpose of ____ is to "give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization." | ISO/IEC 27002
An Introduction to Computer Security: The NIST Handbook | SP 800-12
Generally Accepted Security Principles and Practices for Securing Information Technology Systems | SP 800-14
Guide for Developing Security Plans for Federal Information Systems | SP 800-18
Security Self-Assessment Guide for Information Technology Systems | SP 800-26
Risk Management Guide for Information Technology Systems | SP 800-30
Are reliable methods used by some organizations to assess security practices. | baselining and best practices
The ______________________ site is a popular place to look up best practices. | FASP (Federal Agency Security Practices)
The spheres of ____ are the foundation of the security framework and illustrate how information is under attack from a variety of
Security ____ are the areas of trust within which users can freely
____ controls cover security processes that are designed by strategic planners and implemented by the security administration of the organization. | Managerial
____ controls address personnel security, physical security, and the protection of production inputs and outputs. | Operational
____ controls are the tactical and technical implementations of security in the organization. | Technical
One of the basic tenets of security architectures is the layered implementation of security, which is called ______________________ | Defense in Depth
A ____________________ defines the boundary between the outer limit of an organization's security and the beginning of the outside world. | Security Perimeter
A(n) ____________________ server performs actions on behalf of another system. | Proxy
A buffer against outside attacks is frequently referred to as a(n) ____. | DMZ
A(n) ____________________ is a device that selectively discriminates against information flowing into or out of the organization. | firewall
____ IDPSs are usually installed on the machines they protect to monitor the status of various files stored on those machines. | Host-Based
__________ is the responsibility of the ____ and is a control measure designed to reduce the incidences of accidental security breaches by employees. | The SETA program, CISO
A(n) _________________________ ensures that critical business functions continue if a catastrophic incident or disaster | continuity plan
An investigation and assessment of the impact that various attacks can have on the organization. | BIA (Business Impact Analysis)
A(n) ____________________ is any clearly identified attack on the organization's information assets that would threaten the assets' confidentiality, integrity, or availability. | incident
A(n) ____ plan deals with the identification, classification, response, and recovery from an incident. | IR
A ______________ addresses the preparation for and recovery from a disaster, whether natural or man-made. | disaster recovery plan
Incident ____________________ is the process of examining a potential incident, or incident candidate, and determining whether or not the candidate constitutes an actual incident. | Classification
Incident ____________________ is the set of activities taken to plan for, detect, and correct the impact of an incident on information assets. | Response
The actions taken during and after a disaster are referred to as ____________________ management. | Crisis
Is a fully configured computer facility, with all services, communications links, and physical plant operations including heating and air
Provides many of the same services and options of the hot site. | warm-site
Provides only rudimentary services and facilities. No computer hardware or peripherals are provided. All communications services must be installed after the site is occupied. | cold-site
Implementing multiple types of technology and thereby precluding that the failure of one system will compromise the security of information is referred to as ____________________. | redundancy