IS430 Exam Review

  1. Components of risk identification
    People, Procedures, Data, Software, Hardware
  2. Three general categories of controls:
    Policies, Programs, Technologies
  3. Five risk control strategies
    Defend, Transfer, Mitigate, Accept, Terminate
  4. Three common methods of risk avoidance:
    • Application of policy,
    • Training and education,
    • Applying technology
  5. Cost Benefit Analysis (CBA) Formula
    CBA = ALE(prior) - ALE(post) - ACS
  6. Information Security Governance Five Goals
    • Strategic alignment,
    • Risk management,
    • Resource management,
    • Performance measures,
    • Value delivery
  7. Components of Issue-Specific Security Policy (ISSP)
    • Statement of Policy,
    • Authorized Access and Usage of Equipment,
    • Prohibited Use of Equipment,
    • Systems Management,
    • Violations of Policy,
    • Policy Review and Modification,
    • Limitations of Liability
  8. Stages of Business Impact Analysis (BIA)
    • Threat attack identification and prioritization,
    • Business unit analysis,
    • Attack success scenario development,
    • Potential damage assessment,
    • Subordinate plan classification
  9. Six steps in contingency planning process
    • Identifying mission- or business-critical functions
    • Identifying resources that support critical functions
    • Anticipating potential contingencies or disasters
    • Selecting contingency planning strategies
    • Implementing contingency strategies
    • Testing and revising strategy
  10. Disadvantages of involving law enforcement agencies:
    • Once a law enforcement agency takes over the case, the organization cannot control the chain of events
    • Organization may not hear about the case for weeks or months
    • Equipment vital to the organization’s business may be tagged as evidence
    • If the organization detects a criminal act, it is legally obligated to involve appropriate law enforcement officials
  11. Advantages of involving law enforcement agencies:
    • Agencies may be better equipped at processing evidence
    • Organization may be less effective in convicting suspects
    • Law enforcement agencies are prepared to handle any necessary warrants and subpoenas
    • Law enforcement is skilled at obtaining witness statements and other information collection
  12. Three components of Contingency planning (CP)
    • incident response planning (IRP),
    • disaster recovery planning (DRP),
    • and business continuity planning (BCP)
  13. Enterprise Information Security Policy (EISP) addresses compliance in two areas:
    • Ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components
    • Use of specified penalties and disciplinary action
  14. Three approaches when creating and managing ISSPs
    • Create a number of independent ISSP documents
    • Create a single comprehensive ISSP document
    • Create a modular ISSP document
  15. Systems-specific policies two groups:
    • Managerial guidance
    • Technical specifications
  16. ISO 27000 Series
    • One of the most widely referenced and often discussed security models
    • Framework for information security that states organizational security policy is needed to provide management direction and support
    • Purpose is to give recommendations for information security management
    • Provides a common basis for developing organizational security
  17. Design of Security Architecture levels of controls
    • Management controls
    • Operational controls
    • Technical controls
  18. NIST Special Publication 800-14
    Generally Accepted Principles and Practices for Securing IT Systems
    • Security supports mission of organization; is an integral element of sound management
    • Security should be cost effective; owners have security responsibilities outside their own organizations
    • Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach
    • Security should be periodically reassessed; security is constrained by societal factors
  19. Spheres of security:
    foundation of the security framework
  20. Defense in depth
    • Implementation of security in layers
    • Requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls
  21. Security perimeter
    • Point at which an organization’s security protection ends and outside world begins
    • Does not apply to internal attacks from employee threats or on-site physical threats
  22. Firewall:
    device that selectively discriminates against information flowing in or out of organization
  23. DMZs:
    no-man’s land between inside and outside networks where some place Web servers
  24. Intrusion detection systems (IDSs):
    in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS
  25. Security Education, Training, and Awareness Program
    • SETA is a control measure designed to reduce accidental security breaches
    • Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely
  26. Primary functions of incident response plans (IRPs), disaster recovery plans (DRPs), and business continuity plans (BCPs)
    • IRP focuses on immediate response; if attack escalates or is disastrous, process changes to disaster recovery and BCP
    • DRP typically focuses on restoring systems after disasters occur; as such, is closely associated with BCP
    • BCP occurs concurrently with DRP when damage is major or long term, requiring more than simple restoration of information and information resources
  27. Business Impact Analysis (BIA)
    • Investigation and assessment of the impact that various attacks can have on the organization
    • Assumes security controls have been bypassed, have failed, or have proven ineffective, and attack has succeeded
  28. Attacks classified as incidents if they:
    • Are directed against information assets
    • Have a realistic chance of success
    • Could threaten confidentiality, integrity, or availability of information resources
  29. Model for a Consolidated Contingency Plan
    • Single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR and DR plans
    • Model is based on analyses of disaster recovery and incident response plans of dozens of organizations
  30. Information Security Governance
    • Set of responsibilities and practices exercised by the board and executive management
    • Goal to provide strategic direction, ensuring that objectives are achieved
    • Ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly
  31. Enterprise Information Security Policy (EISP)
    • Sets strategic direction, scope, and tone for all security efforts within the organization
    • Executive-level document, usually drafted by or with CIO of the organization
    • Contains the EISP elements (see item 32)
  32. EISP Elements
    • An overview of the corporate philosophy on security
    • Information on the structure of the information security organization and individuals who fulfill the information security role
    • Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
    • Fully articulated responsibilities for security that are unique to each role within the organization
  33. Issue-Specific Security Policy (ISSP)
    • Addresses specific areas of technology
    • Requires frequent updates
    • Contains statement on organization’s position on specific issue
  34. Systems-Specific Policy (SysSP)
    frequently function as standards and procedures used when configuring or maintaining systems
  35. Hot sites
    fully operational sites
  36. Warm sites
    fully operational hardware but software may not be present
  37. Cold sites
    rudimentary services and facilities
  38. Crisis management team is responsible for managing event from an enterprise perspective and covers:
    • Supporting personnel and families during crisis
    • Determining impact on normal business operations and, if necessary, making disaster declaration
    • Keeping the public informed
    • Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
  39. Risk management
    process of identifying and controlling risks facing an organization
  40. Risk identification
    process of examining an organization’s current information technology security situation
  41. Risk control
    applying controls to reduce risks to an organization’s data and information systems
  42. Communities of interest are responsible for:
    • Evaluating the risk controls
    • Determining which control options are cost effective for the organization
    • Acquiring or installing the needed controls
    • Ensuring that the controls remain effective