ISS Policies
Question | Answer |
---|---|
Briefly describe the 5 pillars of the Information Assurance | Confidentiality, Integrity, Availability, Authentication, nonrepudiation |
Explain the differences between Policies and procedures. | policies are what to do, procedures are how-to steps to accomplish a policy. |
Why are security policies important to an organization? | To protect information resources |
What are the 3 things that you can do to improve security in the user domain? | Awareness, Enforcement, & Reward |
How do you improve security in the Workstation Domain? | Update patches and virus definitions |
Security in the LAN-WAN Domain can be improved using a __________? | DMZ |
What are 3 basic elements of motivation? | Pride, Self-Interest, & Success. |
What are the 8 common reasons for the failure of security policies? | Unclear purpose, doubt, insufficient support from leadership, organizational baggage, lack of organizational incentives, lack of candor, low intolerance for bad news, unmanageable complexity |
An employee pays attention to reward and punishment because of self-interest. True or False? | True |
When it comes to security policies, what is meant by "unclear purpose" and how can you reduce it? | Reduce risk, cost and impact |
What is IT policy framework? | Resembles a hierarchy or tree and is a library of documents that covers all policies, standards, baselines, procedures, and guidelines. |
What is a Program Framework Policy, or charter (when it comes to a company's information security program)? | The capstone (main) document. |
What are the 4 issues addressed in the charter? | Purpose and mission, scope, responsibilities, Compliance |
What are the 5 elements of Information Assurance? | Confidentiality, Integrity, Availability, Authentication, nonrepudiation |
What are the 5 areas of concern when it comes to information systems security considerations? | Unauthorized access to and use of the system. Unauthorized disclosure of the information. Disruption of the system or services. Modification of information. Destruction of information resources. |
What are the key factors for successful implementation of a security policy? | Reviews and approvals, publication of Documents, Awareness and training |
A data steward's job is to... | Be responsible for the quality of data |
A data administrator's job is to... | Execute policies and procedures such as backup, versioning, uploading, downloading, and database admin. |
A data security administrator's job is to... | Grant access rights. |
A fundamental component of internal control is the separation of duties (SOD). True or False? | True |
In SOD or "layered security approach" there are 3 lines of defense. Name and describe each one. | Business Unit (BU), A risk management program, An independent auditor. |
What is an AUP and what does it prohibit? | Acceptable Use Policy. Prohibits offensive content. |
What is the document that allows holding people accountable for their actions? | Security awareness policy |
Administrators with higher access privileges have to sign a _________ recognizing their higher responsibilities. | (PAA) privileged-level access agreement |
Contractors/temporary workers should also sign a ______________________ | PAA |
What is the job of an IT Auditor? | They look at an organization's technology controls and risks. |
__________ are the core requirements of an infrastructure domain security policy. | Control Standards |
Give an example for a control standard in a workstation domain? | Anti-viruses and malware protection |
Give an example for a control standard in a LAN domain? | Firewall, DOS protection, and wireless protection |
Give an example for a control standard in a LAN-WAN domain? | DMZ, proxy server, content-filtering. |
Give an example for a control standard in a WAN domain? | Web services, DNS |
Give an example for a control standard in a remote access domain? | VPN |
Give an example for a control standard in a System/Application domain? | Classifying assets and assigning accountability |
Give an example for a control standard in a Telecommunications domain? | VoIP |
A business with little to no classification is a very risky business. T/F | True |
You must have a ________ before you can create a Business Continuity Plan (BCP) | (BIA) Business Impact Analysis |
A BCP cannot be created before all departments have agreed on the __________ | (BIA)Business Impact Analysis |
What are the 3 parts of a BIA? | Component Priority. Component Reliance. Impact Report |
Recovery Time Objective (RTO) is a natural extension of _________? | (BIA) Business Impact Analysis |
A disaster declaration policy is needed to activate/trigger ______ & ________ | Business Continuity Plan (BCP), Disaster Recovery Plan (DRP) |
What is a Disaster Recovery Plan (DRP)? | The policies and documentation needed for an organization to recover after a disaster. |
An ____________ is a group of people that effectively identify and confine incidents. | Incident Response Team (IRT) |
Give 4 examples of an incident (per PCI DSS). | Malicious code, Denial of Service (DoS), unauthorized access/theft, network reconnaissance probe. |
What are the 4 members of a typical Incident Response Team (IRT)? | (SME) Information technology subject matter expert, Information Security representative, (HR) Human Resources, Legal representative |
The incident report shall indicate the severity of the incident on a scale of 1 to 4. What are 4 and 3? | 4: Small number of probes/scans detected or isolated instance of virus; no unauthorized activity detected. 3: Significant number of system probes/scans detected or widespread virus activity detected. |
The incident report shall indicate the severity of the incident on a scale of 1 to 4. What are 2 and 1? | 2: A DoS attack detected with limited impact or disruption on operations. 1: Successful penetration or DoS attack detected with significant disruption of operations. |
Implementing a successful security policy is mostly a matter of changing attitude. T or F? | True |
What are the 4 areas where organizations/management resist implementing security policies? | Accountability, Lack of budget, Lack of priority, Tight schedule |
What are 4 of the human factors that contribute to security breaches? | Poor training and security awareness, Poor motivation, Deliberate acts, Poor management and user decisions |
Conducting Computer Based Training (CBT) can be an effective way to develop a ___________ | Security Awareness Policy |
The ___________ gives employers the right to monitor employees in the ordinary course of business. | ECPA (Electronic Communications Privacy Act) |
The ___________ represents the minimum security settings that must be applied. | Baseline |
_____________ can be used to regularly query systems to verify/track compliance? | Automated systems |
In order to check vulnerabilities ___________ is used to manage Microsoft products. | Microsoft Baseline Security Analyzer (MBSA) |
When it comes to IT security policy compliance monitoring, what are some of the best practices? | Start with a security policy. Create a baseline based on the security policy. Audit systems regularly. Automate checks as much as possible. Manage changes. |