Chapter 4 - ITSY 1300The ISSP sets out the requirements that must be met by the information security blueprint or framework. The Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area. _________________________ Systems-specific security policies, commonly referred to as a fair and
responsible use policy, are used to control constituents' use of a particular resource, asset, or activity. _________________________ Incident _________ is the rapid determination of the scope of the breach of the confidentiality, integrity, and availability of information and information assets during or just following an incident. A(n) _________ is a document
containing contact information for the people to be notified in the event of an incident. Standards may be published, scrutinized, and ratified by a group, as in formal or ________standards. The operational plan documents the organization's intended
long-term direction and efforts for the next several years. _________________________ RAID is an acronym for a __________ array of independent disk drives that stores information across multiple units to spread out data and minimize the impact of a single drive failure. The spheres of security are the foundation of the security framework and illustrate how information is under attack from a variety of sources, with far fewer protection layers between the information and potential attackers on the __________ side of the o Many industry observers claim that ISO/IEC 17799, the precursor to ISO/IEC 27001, is not as complete as other frameworks. SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, provides best practices and
security principles that can direct the security team in the development of a security ________. __________ is a strategy for the protection of information assets that uses multiple layers and different types of controls (managerial, operational, and technical) to provide optimal protection. A fundamental difference between a BIA and
risk management is that risk management focuses on identifying the threats, vulnerabilities, and One of the basic tenets of security architectures is the layered implementation of security, which is called defense in redundancy. _________________________ _______ controls cover security processes that are
designed by strategic planners and implemented by the security administration of the organization. Within security perimeters the organization can establish security redundancies, each with differing levels of security, between which traffic must be screened. _________________________ The security model is the basis for the design,
selection, and implementation of all security program elements including such things as policy implementation and ongoing policy and program management. _________________________ The recovery point objective (RPO) is the point in time prior to a disruption or system outage to which mission/business process data can be recovered after an outage. _________________________ The policy administrator is
responsible for the creation, revision, distribution, and storage of the policy. Technical controls are the tactical and technical implementations of security in the organization. _________________________ A security ________ is an outline of the overall information security strategy for the organization and a roadmap for planned changes to the information security environment of the
organization. The security framework is a more detailed version of the security blueprint. Security training provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely. To remain viable, security policies must have a responsible manager, a schedule
of reviews, a ?An attack, breach of policy, or other incident always constitutes a violation of law, requiring notification of law enforcement. ?Security __________ are the areas of trust within which users can freely communicate. NIST 800-14's Principles for Securing Information Technology Systems, can be used to make sure the needed key elements of a successful NIST Special Publication 800-18 Rev. 1, The Guide for Developing Security Plans for Federal Information Systems, includes templates for major application security plans, and provides detailed methods for assessing, designing, and implementing controls and You can create a single comprehensive ISSP document covering all information security issues. A(n) ________ plan is a plan for the organization's intended strategic efforts over the next several years. In early 2014, in response to Executive Order 13636, NIST published the Cybersecurity Framework that intends to allow organization to __________. c. The global information security community has
universally agreed with the justification for the code of practices as identified in the ISO/IEC 17799. The stated purpose of ISO/IEC 27002 is to "offer guidelines and voluntary directions for information security __________." Some policies may also need a(n) sunset clause indicating their expiration date.
_________________________ The key components of the security perimeter include firewalls, DMZs (demilitarized zones), Web servers, and IDPSs. _________________________ When BS 7799 first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems. Which of the following is NOT one of those problems b. __________ is a strategy of using multiple types of technology that prevent the failure of one system from compromising the security of information. According
to NIST SP 800-14's security principles, security should ________. The transfer of large batches of data to an off-site facility, usually through leased lines or services, is called ____. _________ controls address personnel security, physical security, and the protection of production inputs and outputs. _______often function as standards or procedures to be used when configuring or maintaining systems. The SETA program is a control measure
designed to reduce the instances of __________ security breaches by employees. The CPMT conducts the BIA in three stages. Which of the following is NOT one of those stages? c. Redundancy can be implemented at a number of points throughout the security architecture, such as in ________ The stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins, is to offer guidelines and voluntary directions for information security management. _________________________ To remain viable, security policies must have a responsible individual, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and planned revision date. A ____ site provides only rudimentary services and facilities. The ________is based on and directly supports the mission,
vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts. To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards. The process of examining an incident candidate and determining whether it constitutes an actual incident is called incident
classification. _________________________ |