IA Administering Security

  1. What are the aspects of Security Administration?
    Planning, Risk Analysis, Policy, Physical Control
  2. What is a document describing how an org will address its security needs?
    Security Plan
  3. A Security Plan should include (7)?
    Policy, Current State, Requirements, Recommended Controls, Accountability, Timetable, Continuing Attention
  4. A high-level statement that specifies goals, responsibility, and commitment
    policy
  5. Who gets access, what resources should be accessed, and what types of access each user has to each resource
    the three questions a policy's high-level statement answers
  6. Policy should specify and should be
    • Goals, Responsibility, Commitment to security
    • Top Down
  7. To find the current state of security, a company must perform
    Risk Analysis
  8. Investigation of the system, its environment, its vulnerabilities, and who is responsible for what
    Risk Analysis
  9. Performing a risk analysis can be a
    political nightmare
  10. In planning, this is what needs to be done
    Requirements
  11. Direct the implementation of the requirements
    Recommended Controls
  12. "Only campus machines should be authenticated into the library system" is a ____ & "Not all faculty are on site" is a ____
    requirement & constraint
  13. Removes or reduces a vulnerability
    Control
  14. "graduating students leave unattended e-mail accounts" is a ____ & "match student enrollment with email accounts each semester" is a _____
    vulnerability, control
  15. Controls counter
  16. Requirements specify ___ should be accomplished not ___
    What, How
  17. Hiring programmers is an art: telling them what you want works well, but telling them how to do it produces a horrible program
    software developer's dilemma
  18. Requirements must have (7)
    • Correctness( and understandability)
    • Consistency
    • Completeness
    • Realism
    • Need
    • Verifiability
    • Traceability
  19. Correlation between a requirement and the function/data related to it
    Traceability
  20. Planning-Controls include:
    • Software
    • Hardware
    • People
  21. Responsibility for implementation
    Planning- Accountability
  22. People who have the responsibility for implementation include:
    users, project leaders, managers, database admins, information officers, H/R (your best friend)
  23. Phased development? Order of implementation? What if things change?
    Planning- timetable
  24. Need _____ for change, not just "we are agile"
  25. periodic reviews, changes in software/hardware, discovered vulnerabilities
    planning- continual attention
  26. need to change policy to account for new technology
    needs to be an active, living document
    continual attention
  27. computer hardware group, system administrators, system programmers, application programmers, data entry personnel, physical security personnel, representative users
    planning- team members
  28. Someone who cares and has the power to make changes work
    Champion
  29. All of these must come together for IA to really work - Commitment
    • Champions
    • Constant Training
    • Awareness
    • Funding
  30. In case of a catastrophe we need to have a
    continuity plan
  31. Long-duration issues, fallback plans, redundancy, death of a principal
    what a continuity plan must consider
  32. Need these for a good one:
    Assess business impact
    Develop a strategy (policy)
    Develop a plan (procedures)
    Try it out!!!!!!!
    Continuity Plans
  33. Procedures for dealing with a security incident
    incident response plans
  34. what is an incident
    who should take charge
    what actions should be taken
    Advance planning is key
    people: director, lead technician, advisors
    incident response plans need
  35. legal issues
    preserve evidence
    keep records (perfect ones)
    public relations
    considerations of an incident response plan
  36. What controls need to be changed? Did the incident response plan work?
    after an incident
  37. Planning: example university policies
    • University of Utah: not perfect but good
    • Hartwick College: pretty, business bingo, BAD
    • Brandeis University: Very Good Policy
