IS430 Exam Review

People, Procedures, Data, Software, Hardware

-Policies, Programs, Technologies

Defend, Transfer, Mitigate, Accept, Terminate

• Application of policy,
• Training and education,
• Applying technology

CBA = ALE(prior) – ALE(post) – ACS

• -Strategic alignment,
• Risk management,
• Resource management,
• Performance measures,
• Value delivery

• -Statement of Policy,
• -Authorized Access and Usage of Equipment,
• -Prohibited Use of Equipment,
• -Systems Management,
• -Violations of Policy,
• -Policy Review and Modification,
• -Limitations of Liability

• -Threat attack identification and prioritization,
• -Business unit analysis,
• -Attack success scenario development,
• -Potential damage assessment,
• -Subordinate plan classification

• –Identifying mission- or business-critical functions
• –Identifying resources that support critical functions
• –Anticipating potential contingencies or disasters
• –Selecting contingency planning strategies
• –Implementing contingency strategies
• –Testing and revising strategy

• –Once a law enforcement agency takes over case, organization cannot control chain of events 
• –Organization may not hear about case for weeks or months 
• –Equipment vital to the organization’s business may be tagged as evidence
• –If organization detects a criminal act, it is legally obligated to involve appropriate law enforcement officials

• –Agencies may be better equipped at processing evidence
• –Organization may be less effective in convicting suspects 
• –Law enforcement agencies are prepared to handle any necessary warrants and subpoenas
• –Law enforcement is skilled at obtaining witness statements and other information collection

• incident response planning (IRP),
• disaster recovery planning (DRP),
• and business continuity planning (BCP)

• Ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components
• Use of specified penalties and disciplinary action

• Create a number of independent ISSP documents
• Create a single comprehensive ISSP document
• Create a modular ISSP document

• Managerial guidance
• Technical specifications

• •One of the most widely referenced and often discussed security models
• •Framework for information security that states organizational security policy is needed to provide management direction and support
• •Purpose is to give recommendations for information security management
• •Provides a common basis for developing organizational security

• Management controls
• Operational controls
• Technical controls

• •Security supports mission of organization; is an integral element of sound management
• •Security should be cost effective; owners have security responsibilities outside their own organizations
• •Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach
• •Security should be periodically reassessed; security is constrained by societal factors

foundation of the security framework

• –Implementationof security in layers
• –Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls

• Point at which an organization’s security protection ends and outside world begins
• –Does not apply to internal attacks from employee threats or on-site physical threats

device that selectively discriminates against information flowing in or out of organization

•no-man’s land between inside and outside networks where some place Web servers

•in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS

• •SETA is a control measure designed to reduce accidental security breaches
• •Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely

• –IRP focuses on immediate response; if attack escalates or is disastrous, process changes to disaster recovery and BCP
• –DRP typically focuses on restoring systems after disasters occur; as such, is closely associated with BCP
• –BCP occurs concurrently with DRP when damage is major or long term, requiring more than simple restoration of information and information resources

• •Investigation and assessment of the impact that various attacks can have on the organization
• •Assumes security controls have been bypassed, have failed, or have proven ineffective, and attack has succeeded

• –Are directed against information assets
• –Have a realistic chance of success
• –Could threaten confidentiality, integrity, or availability of information resources

• •Single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR and DR plans
• •Model is based on analyses of disaster recovery and incident response plans of dozens of organizations

• •Set of responsibilities and practices exercised by the board and executive management
• •Goal to provide strategic direction, ensuring that objectives are achieved
• •Ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly

• •Sets strategic direction, scope, and tone for all security efforts within the organization
• •Executive-level document, usually drafted by or with CIO of the organization
• •EISP elements

• •An overview of the corporate philosophy on security
• •Information on the structure of the information security organization and individuals who fulfill the information security role
• •Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
• •Fully articulated responsibilities for security that are unique to each role within the organization

• –Addresses specific areas of technology
• –Requires frequent updates
• –Contains statement on organization’s position on
• specific issue

frequently function as standards and procedures used when configuring or maintaining systems

•fully operational sites

•fully operational hardware but software may not be present

•rudimentary services and facilities

• –Supporting personnel and families during crisis
• –Determining impact on normal business operations and, if necessary, making disaster declaration
• –Keeping the public informed
• –Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

process of identifying and controlling risks facing an organization

•process of examining an organization’s current information technology security situation

applying controls to reduce risks to an organization’s data and information systems

• –Evaluating the risk controls
• –Determining which control options are cost effective for the organization
• –Acquiring or installing the needed controls
• –Ensuring that the controls remain effective