This document provides a summary of key concepts relating to security management practices, including definitions of terms like accreditation, certification, benchmarking, baselining, recommended practices, best practices, standards of due care, and performance measurements. It also describes NIST SP 800-37 as a common risk management framework that takes a three-tiered approach focusing first on organizational aspects, then business processes, and finally information systems. The document quizzes readers with multiple choice questions to test their understanding of these security management terms and processes.
1. Name: Class: Date:
Chapter 09 - Security Management Practices
Copyright Cengage Learning. Powered by Cognero. Page 1
1. Using a practice called baselining, you are able to develop policy based on the typical practices of the industry in which you are working.
a. True
b. False
ANSWER: False
2. A company striving for ‘best security practices’ makes every effort to establish security program elements that meet every minimum standard in their industry.
a. True
b. False
ANSWER: False
3. One question you should ask when choosing among recommended practices is “Can your organization afford to implement the recommended practice?”
a. True
b. False
ANSWER: True
4. Performance measurements are seldom required in today’s regulated InfoSec environment.
a. True
b. False
ANSWER: False
5. Attaining certification in security management is a long and difficult process, but once attained, an organization remains certified for the life of the organization.
a. True
b. False
ANSWER: False
6. One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured. ____________
ANSWER: True
7. The biggest barrier to baselining in InfoSec is the fact that many organizations do not share warnings with other organizations. ____________
ANSWER: False - benchmarking
8. A comprehensive assessment of a system’s technical and nontechnical protection strategies, as specified by a particular set of requirements, is known as accreditation. ____________
ANSWER: False - certification
9. Standardization is an attempt to improve information security practices by comparing an organization’s efforts against those of a similar organization or an industry-developed standard to produce results it would like to duplicate. ____________
ANSWER: False - Benchmarking
10. The authorization by an oversight authority of an IT system to process, store, or transmit information is known as certification. ____________
ANSWER: False - accreditation
11. Recommended practices are those security efforts that seek to provide a superior level of performance in the protection of information. ____________
ANSWER: True
12. A performance measure is an assessment of the performance of some action or process against which future performance is assessed. _____________
ANSWER: False - baseline
13. A standard of due process is a legal standard that requires an organization and its employees to act as a “reasonable and prudent” individual or organization would under similar circumstances. ____________
ANSWER: False - care
14. Data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical and managerial—implemented in the organization are known as program measurements. ____________
ANSWER: False - performance
15. Creating a blueprint by looking at the paths taken by organizations similar to the one whose plan you are developing is known as which of the following?
a. benchmarking
b. best practices
c. baselining
d. due diligence
ANSWER: a
16. Which of the following is a possible result of failure to establish and maintain standards of due care and due diligence?
a. Baselining
b. Legal liability
c. Competitive disadvantage
d. Certification revocation
ANSWER: b
17. Which of the following is NOT a consideration when selecting recommended best practices?
a. Threat environment is similar
b. Resource expenditures are practical
c. Organization structure is similar
d. Same certification and accreditation agency or standard
ANSWER: d
18. What are the legal requirements that an organization adopt a standard based on what a prudent organization should do, and then maintain that standard?
a. Certification and accreditation
b. Best practices
c. Due care and due diligence
d. Baselining and benchmarking
ANSWER: c
19. Problems with benchmarking include all but which of the following?
a. Organizations don’t often share information on successful attacks
b. Organizations being benchmarked are seldom identical
c. Recommended practices change and evolve, thus past performance is no indicator of future success
d. Benchmarking doesn’t help in determining the desired outcome of the security process
ANSWER: d
20. Which of the following is NOT a question to be used as a self-assessment for recommended security practices in the category of people?
a. Do you perform background checks on all employees with access to sensitive data, areas, or access points?
b. Are the user accounts of former employees immediately removed on termination?
c. Would the typical employee recognize a security issue?
d. Would the typical employee know how to report a security issue to the right people?
ANSWER: b
21. Which of the following terms is described as the process of designing, implementing, and managing the use of the collected data elements to determine the effectiveness of the overall security program?
a. Performance management
b. Baselining
c. Best practices
d. Standards of due care/diligence
ANSWER: a
22. Which of the following is NOT one of the three types of performance measures used by organizations?
a. Those that determine the effectiveness of the execution of InfoSec policy
b. Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services
c. Those that evaluate the compliance of non-security personnel in adhering to InfoSec policy
d. Those that assess the impact of an incident or other security event on the organization or its mission
ANSWER: c
23. Organizations must consider all but which of the following during development and implementation of an InfoSec measurement program?
a. Measurements must yield quantifiable information
b. Data that supports the measures needs to be readily obtainable
c. Only repeatable InfoSec processes should be considered for measurement
d. Measurements must be useful for tracking non-compliance by internal personnel
ANSWER: d
24. Which of the following is NOT a factor critical to the success of an information security performance program?
a. Strong upper level management support
b. High level of employee buy-in
c. Quantifiable performance measurements
d. Results oriented measurement analysis
ANSWER: b
25. Which of the following is NOT a question a CISO should be prepared to answer, about a performance measures program, according to Kovacich?
a. Why should these measurements be collected?
b. Where will these measurements be collected?
c. What effect will measurement collection have on efficiency?
d. Who will collect these measurements?
ANSWER: c
26. The InfoSec measurement development process recommended by NIST is divided into two major activities. Which
of the following is one of them?
a. Regularly monitor and test networks
b. Identification and definition of the current InfoSec program
c. Maintain a vulnerability management program
d. Compare organizational practices against organizations of similar characteristics
ANSWER: b
27. InfoSec measurements collected from production statistics depend greatly on which of the following factors?
a. Types of performance measures developed
b. Number of systems and users of those systems
c. Number of monitored threats and attacks
d. Activities and goals implemented by the business unit
ANSWER: b
28. Which of the following InfoSec measurement specifications makes it possible to define success in the security
program?
a. Development approach b. Establishing targets
c. Prioritization and selection d. Measurements templates
ANSWER: b
29. Which of the following is the first phase in the NIST process for performance measurement implementation?
a. Develop the business case b. Obtain resources
c. Prepare for data collection d. Identify corrective actions
ANSWER: c
30. Which of the following is the last phase in the NIST process for performance measures implementation?
a. Apply corrective actions b. Obtain resources
c. Document the process d. Develop the business case
ANSWER: a
31. In security management, which of the following is issued by a management official and serves as a means of assuring
that systems are of adequate quality?
a. Accreditation b. Certification
c. Performance measurement d. Testimonial
ANSWER: a
32. Which of the following is Tier 3 (indicating environment of operation) of the tiered risk management approach?
a. Mission/business process
b. Information system
c. Accounting/logistics
d. Organization
ANSWER: b
33. According to NIST SP 800-37, which of the following is the first step in the security controls selection process?
a. Categorize the information system and the information processed
b. Select an initial set of baseline security controls
c. Assess the security controls using appropriate assessment procedures
d. Authorize information system operation based on risk determination
ANSWER: a
34. The Authorize step of the NIST six-step approach to the risk management framework involves all but which of the
following tasks?
a. Prepare the plan of action and develop milestones b. Assemble the security authorization package
c. Determine if the cost/benefit ratio is acceptable d. Determine the risk to organizational operations
ANSWER: c
35. Best security practices balance the need for user _____________ to information with the need for adequate protection
while simultaneously demonstrating fiscal responsibility.
ANSWER: access
36. A practice related to benchmarking is ____________, which is a measurement against a prior assessment or an
internal goal.
ANSWER: baselining
baseline
37. ____________________ encompasses a requirement that the implemented standards continue to provide the required
level of protection.
ANSWER: due diligence
38. A goal of 100 percent employee InfoSec training as an objective for the training program is an example of a
performance __________.
ANSWER: target
measure
metric
39. The last phase in the NIST performance measures implementation process is to apply ______________ actions, which
close the gap found in Phase 2.
ANSWER: corrective
40. When choosing from among recommended practices, an organization should consider a number of questions. List
four.
ANSWER: Does your organization resemble the target organization of the recommended practice?
Are you in a similar industry as the target of the recommended practice?
Do you face similar challenges as the target of the recommended practice?
Is your organizational structure similar to the target of the recommended practice?
Can your organization expend resources at the level required by the recommended practice?
Is your threat environment similar to the one assumed by the recommended practice?
41. List the four factors critical to the success of an InfoSec performance program, according to NIST SP 800-55, Rev. 1.
ANSWER: Strong upper level management support
Practical InfoSec policies and procedures
Quantifiable performance measurements
Results oriented measurement analysis
42. Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer the
following questions posed by Kovacich. List four of these questions.
ANSWER: Why should these statistics be collected?
What specific statistics will be collected?
How will these statistics be collected?
When will these statistics be collected?
Who will collect these statistics?
Where (at what point in the function’s process) will these statistics be collected?
43. The process of implementing a performance measures program recommended by NIST involves six phases. List and
describe them.
ANSWER: Phase 1: Prepare for data collection; identify, define, develop, and select information security measures.
Phase 2: Collect data and analyze results; collect, aggregate, and consolidate metric data collection and
compare measurements with targets (gap analysis).
Phase 3: Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in
phase 2. This includes determining the range of corrective actions, prioritizing corrective actions based on
overall risk mitigation goals, and selecting the most appropriate corrective actions.
Phase 4: Develop the business case.
Phase 5: Obtain resources; address the budgeting cycle for acquiring resources needed to implement
remediation actions identified in phase 3.
Phase 6: Apply corrective actions; close the gap by implementing the recommended corrective actions in the
security program or in the security controls.
44. What are the two major activities into which the InfoSec measurement development process recommended by NIST is
divided?
ANSWER: 1. Identification and definition of the current InfoSec program
2. Development and selection of specific measurements to gauge the implementation, effectiveness,
efficiency, and impact of the security controls
45. On what do measurements collected from production statistics greatly depend? Explain your answer.
ANSWER: Measurements collected from production statistics depend greatly on the number of systems
and the number of users of those systems. As the number of systems changes and/or the number of users of
those systems changes, the effort to maintain the same level of service will vary.
46. Why is measurement prioritization and selection important? How can it be achieved?
ANSWER: Because organizations seem to better manage what they measure, it is important to ensure that individual
metrics are prioritized in the same manner as the processes that they measure. This can be achieved with a
simple low-, medium-, or high-priority ranking system or a weighted scale approach, which would involve
assigning values to each measurement based on its importance in the context of the overall InfoSec program
and in the overall risk-mitigation goals and criticality of the systems.
47. Why must you do more than simply list the InfoSec measurements collected when reporting them? Explain.
ANSWER: In most cases, simply listing the measurements collected does not adequately convey their meaning. For
example, a line chart showing the number of malicious code attacks occurring per day may communicate a
basic fact, but unless the reporting mechanism can provide the context—for example, the number of new
malicious code variants on the Internet in that time period—the measurement will not serve its intended
purpose. In addition, you must make decisions about how to present correlated metrics: whether to use pie,
line, bar, or scatter charts, and which colors denote which kinds of results.
48. Compare and contrast accreditation and certification.
ANSWER: In security management, accreditation is the authorization of an IT system to process, store, or transmit
information. Accreditation is issued by a management official and serves as a means of assuring that systems
are of adequate quality. It also challenges managers and technical staff to find the best methods to assure
security, given technical constraints, operational constraints, and mission requirements.
Certification is a comprehensive assessment of both technical and nontechnical protection strategies for a
particular system, as specified by a particular set of requirements. Thus, while systems may be certified as
meeting a specific set of criteria—like the PCI DSS—they must be accredited (or approved by an appropriate
authority) before being allowed to process a specific set of information (such as classified documents) at an
acceptable level of risk.
49. Describe the three-tier approach of the RMF as defined by NIST SP 800-37.
ANSWER: NIST follows a three-tiered approach to risk management. Most organizations work from the top down,
focusing first on aspects affecting the entire organization, such as governance (tier 1). Then, after the more
strategic issues are addressed, they move toward more tactical issues around business processes (tier 2). The
most detailed aspects are addressed in tier 3, dealing with information systems.
a. accreditation
b. baseline
c. benchmarking
d. certification
e. due diligence
f. best security practices
g. recommended business practices
h. standard of due care
i. performance measurements
j. NIST SP 800-37
50. The actions that demonstrate that an organization has made a valid effort to protect others and that the
implemented standards continue to provide the required level of protection.
ANSWER: e
51. The authorization of an IT system to process, store, or transmit information.
ANSWER: a
52. A legal standard that requires an organization and its employees to act as a reasonable and prudent individual or
organization would under similar circumstances.
ANSWER: h
53. Those security efforts that are considered among the best in the industry.
ANSWER: f
54. A comprehensive assessment of a system’s technical and nontechnical protection strategies, as specified by a
particular set of requirements.
ANSWER: d
55. The data or the trends in data that may indicate the effectiveness of security countermeasures or controls—technical
and managerial—implemented in the organization.
ANSWER: i
56. A common approach to a Risk Management Framework (RMF) for InfoSec practice.
ANSWER: j
57. An attempt to improve information security practices by comparing an organization’s efforts against practices of a
similar organization or an industry-developed standard to produce results it would like to duplicate.
ANSWER: c
58. Those procedures that provide a superior level of security for an organization’s information.
ANSWER: g
59. An assessment of the performance of some action or process against which future performance is assessed.
ANSWER: b